Passport Under Fire

Privacy, consumer groups petition FTC over services, XP.

Microsoft Corp. is scrambling to allay fears about the privacy and security issues around its Passport and HailStorm initiatives amid increasing complaints from industry and user groups.

Last week, a cadre of 13 privacy organizations and industry groups filed an amended complaint with the Federal Trade Commission, alleging that the changes Microsoft has made to its Passport authentication service and its forthcoming Windows XP product—changes that the groups themselves had demanded—were not satisfactory. The complaint asks the FTC to open an investigation into the matter and order further changes to the services.

In addition to the privacy concerns, critics of Passport point out that security experts have already identified a vulnerability in the authentication system that enables an attacker to hijack a user's cookie, thereby gaining access to personal information.

In the face of this criticism, Microsoft is standing its ground, maintaining that it has made every effort to address privacy and security in Passport and the forthcoming Extensible Markup Language Web services, dubbed HailStorm. Some of Microsoft's own partners, however, said they have concerns about Passport's companion services, such as the Wallet express-payment option.

"We had a lot, a lot of discussions with them about all of this," said Doug Cavit, CIO at Corp., a Sunnyvale, Calif., anti-virus vendor and one of the partner sites in the Passport network. "I give them credit for what they've done and for knowing what they don't know and asking the right questions. We're looking at the Wallet, but we're going to let that mature before we make a decision on it. There are too many questions."

Other partners contend that Microsoft will have a hard time persuading users to buy into the service.

"Microsoft has a history of trying to get customers to sign up for wallets, but our experience is that they haven't been very effective," said Jim McCarthy, senior vice president of the eVisa division at Visa USA, in Charlotte, N.C.

Passport, an authentication system for Web services, has been in use at Microsoft sites such as Hotmail and The Microsoft Network for years but has drawn increased attention recently thanks to its inclusion in the Windows XP operating system due this fall.

The service is meant to make it easier for users to browse the Web and purchase goods by eliminating the need to re-enter a user name and password at each site. A companion service, called Wallet, enables users to save credit card data and recall it at the touch of a button.

That concept is what has privacy groups worried.

"Given our concern with online privacy and the potential impact of all of the information they're collecting, we believe there's a need for action," said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington and one of Passport's harshest critics.

EPIC and its allies are calling on the FTC to investigate Microsoft's data collection techniques and to order the Redmond, Wash., software maker to revise the XP registration process, block the sharing of information among Microsoft properties without user consent and integrate techniques to allow users to use non-Microsoft online payment services.

Microsoft officials said they have done as much as possible to guarantee user privacy.

"The user must choose to share any data," said Brian Arbogast, vice president of the personal services and devices group at Microsoft. "To make it very clear: There is zero sharing of data without user consent."

However, some users worry that Passport's lax security could be worse than any data sharing scenarios. "The scary thing is, I can create a Passport account for anyone, and it doesn't matter whether I use a valid e-mail address," said Tim Butterfield, a senior software developer whose company uses Passport for some projects. "The primary problem is the security issue."