Microsoft puts more privacy in Passport

Microsoft Corp. last week offered another small concession to critics of its upcoming products, this time altering plans for its Passport authentication service.

The technical changes come as pressure mounts in the nation's capitol to bring a speedy conclusion to Microsoft's ongoing legal battle with the U.S. government. Members of the U.S. House of Representatives urged a quick settlement Thursday in a letter to Microsoft and the plaintiffs in the case, while Friday the Department of Justice (DOJ) and 18 states filed papers with an Appeals Court to deny Microsoft's request to delay the case as it awaits review by the Supreme Court.

Microsoft said it will make some changes to the information users are required to provide it when signing up for its Passport service, which is designed to let users visit multiple sites on the Web without having to enter their personal information each time. Passport is a key element of Microsoft Internet strategy known as .Net.

Passport is used by many of Microsoft's Web properties, such as its free e-mail service, Hotmail, as well as by a growing list of partners including Inc. and Inc. The authentication service stores as many as 13 items of basic user information -- ranging from ZIP codes to a street address -- and also includes an "electronic wallet" component that stores information for making online purchases, such as a billing address and credit card number.

Criticism of Passport has mounted from some privacy advocacy groups, who last month filed a complaint with the Federal Trade Commission (FTC) over concerns about how the service collects data from users and how that personal information might be used in future. Hoping to ease some of that opposition, Microsoft said it will now require a user to enter only an e-mail address and password to open a new Passport account"We're saying partners will have the flexibility to decide what they ask (users) for," said Adam Sohn, a product manager in Microsoft's .Net platform group. That could range from the required e-mail and password, to more than 13 pieces of personal data. Previously, Microsoft required all Passport users to submit more thorough information about themselves.

"It's possible for folks to ask customers to give them more data, but we will make it very clear what information goes to Passport and what goes to the partners," said Sohn. He also stressed that despite noise from some critics, Microsoft makes no secondary use of the data. "We don't share it, we don't rent it, we don't publish it, we don't mine it and we don't market to it," he said.

The changes Microsoft is set to make will also affect one of Passport's add-on services, called "Passport Wallet," which automatically inserts the information required from a user to buy goods online, such as a credit card number. The wallet technology now in Passport will be broken out into a different service the company will provide in its set of 12 planned Hailstorm Web services, called My Wallet, Sohn confirmed.

The gestures to ease privacy concerns in Passport haven't changed the minds of some of Microsoft's harshest critics. Measures to reduce the information Passport collects about its subscribers don't go far enough, according to Jason Catlett, president of Junkbusters Inc., a privacy advocacy group involved with last month's FTC filing. Microsoft is still requiring users to provide an e-mail address, which will allow Microsoft to gain personally identifiable information, he argued.

While Microsoft won't be able to collect as much information about a users' behavior on the Web, it will still be able to track users' activity and combine that with personal information they collect by other methods, Catlett said. "They can still see which sites you are authenticating at, and, if they own the site, then they are getting your personal information through those records," he said.

Microsoft also said this week that Passport will support an emerging industry standard for enhancing privacy on the Internet called P3P (Platform for Privacy Preferences). The technology allows users to better manage what information Web sites can collect about them. P3P identifies Web sites that use "cookies," or pieces of code that Web sites can attach to a user's browser and use to track his or her movements on the Web.

Currently under consideration by the World Wide Web Consortium (W3C), a standards body, Microsoft is now advocating P3P for use in all of its Internet services and Web properties, Sohn said. The company is set to launch its latest Internet Explorer Web browser Oct. 25, which will include support for P3P. Partner Web sites that want to use Passport will also be required to support P3P, Microsoft said this week. Any site using P3P must attach an XML (Extensible Markup Language) document to their cookies that describes the site's privacy policy. Users are expected to be able to set controls for what level of privacy they will accept from a Web site, and block those Web sites that don't meet a users' privacy requirements.

"(The addition of P3P) is completely non-responsive to the specific allegations of illegal behavior that we charged Microsoft with," Catlett said. "They are replying with an answer, but the answer has nothing to do with the concerns."

Competitors ranging from AOL Time Warner Inc. to open source developer groups are working on other systems for single sign-on authentication. Many Internet companies are banking on the widespread adoption of such authentication services to make it easier to do business on the Web. But like earlier electronic business innovations, Junkbusters' Catlett isn't convinced it will live up to industry hype.

"I'm not sure it's (Passport) going to fly, but in case it does we have to try to protect the privacy of the people who use it," Catlett said. "It could end up being the largest surveillance mechanism in history."

Separately Thursday, 122 members of the U.S. House of Representatives backed a letter delivered to Microsoft and anti-trust regulators urging all of the parties involved to bring the pending antitrust case to a quick close. It was drafted by two members of Congress from Microsoft's home state of Washington -- Jennifer Dunn, a Republican, and Democrat Jay Inslee, representatives for the Seattle area. In the letter, House members urged the Department of Justice and the 18 states who are plaintiffs in the case to bring the case to a just conclusion.

"The best thing for consumers and our economy is a quick settlement of this costly litigation," Dunn wrote in a statement Thursday. "At a time when the economy is struggling, our government should not be putting a chill on the innovative forces that drive the new economy,"The House is showing bipartisan support for a settlement in the case. The letter said House members lauded ongoing negotiations between top Microsoft officials and the government, and encouraged "these discussions with the hope that a settlement can be reached at the earliest possible date and on reasonable terms."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about AOLBuy.comDepartment of JusticeDOJFederal Trade CommissionFTCMicrosoftOfficeMaxTime WarnerW3CWorld Wide Web Consortium

Show Comments