HellStorm Brewing

By eweek  |  Posted 2001-04-16 Print this article Print

HellStorm Brewing

To understand the controversy surrounding HailStorm, its necessary to grasp Microsofts .Net vision of the future.

The goal of .Net — besides profit — is to coax personal computing away from the desktop and encourage it to happen anywhere, everywhere, from cell phones to televisions, watches to cars. The computing is to happen in the background, without a person sitting in a room staring at a screen and pecking at a keyboard. The crux of all of this behind-the-scenes communication is a platform permitting machines to talk with one another.

If Microsoft has its way, .Net will be that platform. Announced last summer, the services are being built on self-contained applications that can be anything from a simple request to send data from point A to point B to complicated business processes.

The Web services, Microsoft says, are intended to serve as software building blocks that may be used by other applications or called upon and combined with other Web services. Instead of writing those building blocks themselves, developers can save time and trouble by licensing them from Microsoft and other .Net developers. The glue that binds these building blocks is eXtensible Markup Language (XML), a "meta language" developed through the World Wide Web Consortium for sharing data and exchanging messages across programming languages, computing platforms and devices.

The easiest way to understand how XML Web services work, Microsoft says, is to compare them to Lego blocks; just like Lego blocks are designed to snap together, so will Web services using XML. "When you snap together XML Web services, you build a software solution that performs a particular task," Microsoft wrote in a White Paper describing .Net. "And just as you can use the same Lego blocks as part of many different objects, you can use a single XML Web service in many different groups, as part of the solution to many different tasks."

In March, Bill Gates announced a set of .Net Web services that he said are designed to provide compelling new ways for consumers to manage their personal information. Code-named HailStorm, these Web services will store personal data in so-called "schemas" that can be accessed by Web sites and services on "behalf" of consumers. Among the schemas already trademarked by Microsoft are myCalendar, myContacts, myDocuments, myNotifications, myProfile and myWallet.

The idea, Gates said, is that consumers store their personal information once. That information can then be accessed by Web services and sites — as long as the consumer has given permission. A customer purchasing an airline ticket on Expedias Web site, for instance, could allow the HailStorm-certified travel service to automatically check his or her calendar to determine the best flight times. The customer could also grant Expedia access to his notification preferences so the travel service can alert him — via e-mail, instant messenger, cell phone, personal digital assistant or pager if the flight is delayed.

Or a HailStorm-certified Web music service could notify a consumer — again based on stored preferences about favorite bands, concert venues and seating preferences — when concert tickets to a local event go on sale.

"On the Internet today, one of the problems were addressing here is that as you interact with these different sites, as you give out your ZIP code or your preferences or as you work with [numerous] devices . . . theres all this disconnection taking place," Gates said during HailStorms introduction at Microsoft headquarters last month. "Stitching these islands together is about having a standard schema — in fact, a very rich schema — where all this information is stored, and letting all the applications and devices have access to the degree you give them permission to use and update that information."

But theres a caveat. "This whole vision of having multiple devices can only work if, magically, behind the scenes, the information is moving between those devices without the user having to get directly involved," Gates said.

Its this little detail that has alarmed so many analysts and privacy advocates.

For Microsofts .Net "magic" to work, consumer data needs to be stored centrally so it can be accessed by all the HailStorm-certified Web services. Microsoft casts itself as the gatekeeper for all that consumer data, saying it will store personal information for a monthly subscription fee at HailStorm data centers it plans to operate.

"Microsoft holds all the data: Thats part of operating the service platform," said Ruth Anne Lorenzen, director of division marketing for .Net. Its only with the data residing in the "cloud" at HailStorm data centers, she said, that the .Net vision can work. She acknowledged that numerous issues regarding how consumer permissions will be handled have yet to be addressed. For instance, how will consumers know if the site to which they are handing over data has a stringent privacy policy and offers high-level security?

The only thing that seems certain is that anyone who plays in the HailStorm world will have to sign on to a Microsoft licensing agreement.

"People who call the HailStorm platform — site operators, developers — will have to have a license relationship with us and have to be certified," Lorenzen said. "They will have to have architected their solution in a way that meets" Microsofts privacy and security standards.

But industry analysts, privacy experts and even some Microsoft supporters question whether Microsoft is capable of offering privacy guarantees, given the lack of any clear-cut laws surrounding privacy and the companys own antiprivacy legislation stance.

"Why are they being hypocritical?" asked John McCarthy, a group director at Forrester and a privacy expert. "They themselves are waving the flag for privacy, "Were good citizens, we treat everyone with respect." Yet they have joined the industry alliance to slow down privacy legislation. That strikes me as hypocritical."

Purcell would not say whether the company would support legislation, offering only that it would never back "bad legislation."

"This is really, really hard stuff — there can be strong, unintended consequences,— Purcell said. "Law tries to nail this down and build a box around it so it doesnt move that much. We dont feel that friendly towards any effort that will try to halt or contain innovations."

Meanwhile, Microsofts chief rival juggernaut, America Online, does support baseline federal legislation girding privacy.

Online players should be backing legislation, said Ari Schwartz, a senior policy analyst at the Center for Democracy and Technology, a Washington, D.C., civil liberties organization that last year received a $150,000 contribution from Microsoft. A good law, he said, could turn into a distinct advantage for cyberspace.

"Instead of putting it in terms of, Regulation will bog down the Internet, " Schwartz said, a good law would allow online companies to say: "Your privacy is protected more on the Internet than offline. You should shop online because you have the basis in law to know you are protected."

Besides questioning Microsofts position on legislation, privacy and security experts also ask whether the company can create the highly secure environment needed to be the gatekeeper of consumers data — and if the idea of having any one company serve as the steward of personal information for online users is a good idea at all.

"I, personally, would not buy into that kind of service," said Bob Lewin, president and CEO of Truste, a 4-year-old organization that grants its seal of approval to sites that disclose their data collection practices. Microsoft is a "premier" sponsor of Truste, contributing $100,000 per year to its operation.

Although Lewin believes Microsoft has been responsive to consumer complaints over its privacy and security problems, the idea of creating a single online repository for personal data has too many risks. "I believe in distributed knowledge, for want of a better term," Lewin said. "When you collect material like that — whether its a Microsoft or someone else — no matter how well you protect it, theres always ways to get into it. And if you put it into one spot, once you get in there, youve got keys to the kingdom.

Some people might feel the types of services made possible by .Net are "convenient," Lewin said, "but the price for the convenience is the risk. It really boils down to convenience and the level of risk theyre willing to take. From our point of view, putting it all together is not the best idea."

With a centralized database, "there is no way you can be 100 percent sure this data will not get away from you. Its an accident waiting to happen," said Deborah Pierce, a staff attorney specializing in privacy at the Electronic Frontier Foundation.

"I think this is really awful," she said. "This is all of your personal information. You might have doctors appointments, prescriptions you take. It could subject the consumer to all sorts of problems if it got out, from identify theft to job discrimination. I think its a bad idea."

Others worry that governments could easily gain access to the vast concentration of personal information.

"They advertise [.Net] as one-stop shopping for the consumer, but it could turn into one-stop shopping for the cops," said Peter Swire, the Clinton administrations privacy czar, who now is a law professor. "The Fourth Amendment was designed to protect your home and your papers and effects. Your papers and effects used to be locked in your homes. What HailStorm does is put all of your papers and effects in somebody elses hands. The Fourth Amendment does not apply to records you have given to somebody else."

Fourth Amendment jurisprudence "starts from the proposition that if you trust information to a third party, you have lost control of it," said Stewart Baker, the former general counsel at the National Security Agency who is partner at Washington, D.C., law firm Steptoe & Johnson.

While the status of Fourth Amendment law in cyberspace is in its infancy and is constantly being tested, Baker predicted that in the end, "what the courts are likely to say in most of these cases is if you trust somebody else, you have to put your fate in their hands. If you wanted to protect all of the information people were storing on Microsofts servers as though it were the hard drive of the user, it would require new legislation. Even Microsoft cant give you an assurance."

Microsofts Purcell said the company is aware of the Fourth Amendment implications for .Net. There are "lots of interesting legal questions around this," he said, noting that Microsoft executives are "engaged with the government in discussions" around the Fourth Amendment and cyberspace.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel