The agreement Thursday between European data protection officials and Microsoft to alter the .Net Passport service and better protect users' personal data is more show than substance, according to privacy experts and analysts familiar with the terms of the agreement.
"I think this is a case of Microsoft's self interest and the European Union's (EU) interest in protecting its citizens being happily aligned," said Dwight Davis, vice president of Summit Strategies Inc.
Despite blustery statements from European officials about wringing "substantial changes" to .Net Passport out of Microsoft, the modifications agreed to are "minor tweaks" to the .Net Passport service, Davis said.
Those changes include giving users finer control of what information they share with Passport, a summary of key information about privacy policies within the EU, a link to the European Commission's (EC) site on data protection laws and a tool for creating secure passwords.
Users will be able to take advantage of the features through the addition of a prompt that will ask users to designate themselves as European Union (EU) residents.
"Microsoft told me that they've been planning these features all along and that they presented them to the EU," Davis said.
Not on the table in Microsoft's negotiations with the EU were more substantial changes, such as separating .Net Passport from the Windows XP operating system or Microsoft applications and services, said John Pescatore, an Internet security analyst at Gartner Inc.
"Almost everyone who buys a new computer right now is buying Windows XP, and it's nearly impossible to start up new Windows PCs without getting a new Passport account," Pescatore said.
Changes that would allow organizations other than Microsoft to own Passport user identity information in a so-called "federated network" were also not part of negotiations with the EU. However, those changes may be coming anyway, with or without EU intervention, Davis said.
Microsoft indicated that it is developing a federated version of the .Net Passport technology. The main alternative to .Net Passport, the open source Liberty Alliance platform, operates on a federated identity model and was not singled out for any changes.
Mandating substantive changes in the way Passport stores user information or is tied to applications or services like MSN accounts would have been much harder for Microsoft to comply with and could have given the rival Liberty Alliance companies a head start in Europe, according to Pescatore.
The absence of such mandates should be interpreted as a victory for Microsoft, Pescatore said.
Although the U.S. government's Federal Trade Commission (FTC) reviewed and mandated changes to Passport in August, the U.S. government has had little to say about privacy concerns stemming from Passport since then.
Microsoft claimed that it does not know of -- and thus cannot link to -- a similar U.S. government site that would summarize U.S. data protection laws like the site sponsored by the EC, according to Davis.
Unlike the EU, the U.S. does not have clear and overreaching laws concerning the protection of personal data.
"There is very little in the way of privacy law in (the U.S.). You have the financial arena with strict regulation and healthcare. Outside of those arenas, there's not much," said Mark Grossman, chair of technology law group of Becker & Poliakoff in Miami, Florida.
In the absence of such laws and with little indication from the Bush administration that strengthening consumer data privacy is a priority, residents in the U.S. and other countries are more likely to have personal information shared or used in ways that they do not approve of than their counterparts in the EU, according to Grossman.