Sign Out of Passport!

• Palladium |
• Newsa Items |
• FTC and EU Complaint Docket Page |
• Studies and Papers |
• FAQ

"For a successful technology, reality must take precedence
over public relations, for nature cannot be fooled."
--Richard Feynman

News Items

• Microsoft promises 'substantial' .NET changes, Euractiv.com, January 30, 2003.
• EU says Microsoft will alter Passport, CNET, January 30, 2003.
• Settling With F.T.C., Microsoft Agrees to Privacy Safeguards, New York Times, August 9, 2002.
• Microsoft Settles FTC Charges Alleging False Security and Privacy Promises, FTC Press Release, August 8, 2002.
• Microsoft settles Passport privacy case, CNN.com, August 8, 2002.
• MS Passport Takes on Credit Cards, ZDNet, July 8, 2002.
• Microsoft Agrees to Alter a Special Service for Children, New York Times, June 27, 2002.
• Industry Allies Seek to Limit Microsoft Drive Into New Fields, New York Times, June 3, 2002.
• Microsoft Faces European Commission Inquiry on Privacy Concerns, New York Times (Bloomberg), May 28, 2002.
  
• MS privacy policies under EU probe, Reuters, May 26, 2002.
• Microsoft Opts-In Hotmail Users, Slashdot, May 16, 2002.
• Soft Talk: Hotmail pushes for revenue, Eastside Journal, May 16, 2002.
• Soft Talk: New Hotmail settings might share your info, addresses, Eastside Journal, May 14, 2002.
• Microsoft Denies Changing Passport Users' Privacy Settings, Newsbytes, May 14, 2002.
• Where Everybody Knows Your Name, Yahoo News, May 10, 2002.
• Dark Side of Cyberlife, CNET News.com, May 2, 2002.
• Study: Customers wary of online IDs, CNET News.com, April 26, 2002.
• Gates says states' remedy "impossible," CNET News.com, April 22, 2002. "...Schmidtlein introduced an internal document outlining Microsoft's consumer Web services strategy. That document in part described Microsoft's goal as being to create "the largest and most extensive database of profiles on the planet."
• Survey: Passport required--not appealing, CNET News.com, April 17, 2002.
• Microsoft Has Shelved Its Internet 'Persona' Service, New York Times, April 11, 2002.
• Hotmail Users Stuck in Spam Net, ZDNet News, March 21, 2002.
• The Problem With .NET, Yahoo News, March 20, 2002.
• Hacker Claims Web Worm Meant to Combat Sexism, New York Times, March 5, 2002.
• Serious Privacy Problems in Windows Media Player for Windows XP, Computerbytesman, February 20, 2002.
• Microsoft Player Logs User Info, Washington Post (AP), February 20, 2002.
• Hackers Shortcut Hotmail Password Reset Protections, Newsbytes, February 11, 2002.
  
• Check the Fine Print, Infoworld, February 11, 2002.
• Best Not to Send Errors to Microsoft, Toledo Blade, February 9, 2002.
• Microsoft: We're Patching the MSN Hole, ZDNet, February 8, 2002.
• Major privacy hole in Windows/MSN Messenger, The Register, February 5, 2002.
• Microsoft: Fix Privacy At All Costs, eWeek, February 1, 2002.
• Drum roll: Here comes Microsoft CRM, CC News, February 2002.
• Microsoft Passport Melts Down At The Zone, Newsbytes, January 29, 2002.
• Gates: Security Over Features, eWeek, January 21, 2002.
• Technology: Microsoft chairman announces strategy shift to emphasize security, privacy, Nando Times (AP), January 17, 2002.
• Internet Explorer SuperCookies bypass P3P and cookie controls, Computerbytesman, January 16, 2002.
• .Net breakdown: More to come?, News.com, January 15, 2002.
• IE privacy flaw still causing leaks, ZDNet, January 15, 2002.
• Security Flaws May Be Microsoft's Undoing, Slashdot, January 15, 2002.
• Security Flaws May Be Pitfall for Microsoft, Los Angeles Times, January 14, 2002.
• Which Little Piggy? Microsoft's is the better program. But do you trust it with the intimate details of your financial affairs?, Fortune Magazine.
  
• Worst Products of the Year, Fortune Magazine, December 24, 2001.
• Windows Vulnerable to Hack Attacks, Washington Post, December 20, 2001.
  
• MS rolls out security obscurity bribe program, The Register, December 13, 2001.
• Web Users Pass On Passport-Style ID Services - Gartner, Newsbytes, December 4, 2001.
• Multiple Vulnerabilities in Microsoft Internet Explorer - All Versions, Assessment 01-028, National Infrastructure Protection Center, November 29, 2001.
• Stealing MS Passport's Wallet, Wired, November 2, 2001.
• Big Brother Award nomination for WPA, Passport pains MS, The Register, October 25, 2001.
• Privacy groups slam Windows XP, ZDNet (Reuters), October 23, 2001.
• Commentary: The Threat Of Microsoftís .Net, by Whitfield Diffie and Susan Landau.
• New Hotmail Hack Evades Filters. Newsbytes, September 10, 2001.
• Hailstorm Promise and Threat Remain Distant. CNET, August 30, 2001.
• Expert hacks Hotmail in 1 line of code; Security pro reveals new world of 'very, very bad scenarios'. USA Today, August 30, 2001.
• Microsoft.Net: A New Monopoly? CNET, August 29, 2001.
• Windows 2000 Port Invites Intruders, Newsbytes, August 26, 2001.
• Poll: Many Distrust AOL, Washington Post, August 24, 2001.
• Report: Consumers Nix Microsoft Passport, Yahoo News, August 23, 2001.
• Commentary: Passport needs better privacy, CNET (Gartner), August 23, 2001.
• Lobbyists Tied to Microsoft Wrote Citizens' Letters, Los Angeles Times, August 23, 2001.
• Microsoft defends Passport in Washington, CNET, August 22, 2001.
• Heading MS Off at the Passport, Wired News, August 22, 2001.
• The trouble with Hotmail, Salon, August 21, 2001.
• Hackers Discover Hotmail Hole, Tech TV, August 20, 2001.
• Hotmail Hacked, Slashdot, August 20, 2001.
• Microsoft's One-ID Plan Again Draws Fire Over Privacy, Washington Post, August 16, 2001.
• MS Passport: Straight to the FTC, Wired, August 16, 2001.
• U.K. Resident To Name Microsoft In FTC Privacy Complaint, Newsbytes, August 16, 2001.
• Groups Ask FTC To Probe Microsoft Passport, XP Features, Newsbytes, August 15, 2001.
• Groups expand XP privacy complaint, USA Today (Reuters), August 15, 2001.
• Microsoft Fields New Complaints on Server, XP Security, Yahoo News, August 15, 2001.
• Privacy group attacks Windows XP, Passport, CNET News.com, August 15, 2001.
• Groups to detail privacy complaints about Windows XP to FTC, Mercury News, August 14, 2001.
• PluggedIn: Last-Minute Changes to Windows XP, Yahoo News, August 14, 2001.
• Privacy dispute threatens XP launch, The Times, August 13, 2001.
• Microsoft to alter Passport, MSNBC (WSJ), August 10, 2001.
• Microsoft Doesn't Satisfy Critics With Changes to Passport System, Wall Street Journal, August 10, 2001.
• Coming: The E-Wallet Wars, Why you need Microsoft to buy Starbucks online, Time Magazine, August 6, 2001.
• Not So Fast, Washington Post, August 4, 2001.
• Government should block XP release, Mercury News, August 2, 2001.
• Microsoft drops eleventh hour app blocking into WinXP, The Register, August 2, 2001.
• AOL Might Join 'Identity Service' Battle, Washington Post, July 26, 2001.
• Privacy advocates take aim at Windows XP, CNET, July 25, 2001.
• EPIC Makes Privacy Case Against Windows XP To FTC, Slashdot, July 26, 2001.
• Microsoft Ignores Those XP Tacklers, Businessweek, July 26, 2001.
• Privacy Group Is Taking Issue With Microsoft, New York Times, July 25, 2001.
• Microsoft Refutes Privacy Concerns Surrounding XP, Newsbytes, July 25, 2001.
• Senate Judiciary Committee to Hold Hearings on Microsoft, Tech Law Journal Daily Report, July 25, 2001.
• The Monopoly Has Just Begun: Insidiously, incrementally, Microsoft is getting more and more of me. That has me worried, Fortune, July 23, 2001.
• Microsoft's Window into Your Personal Life, Businessweek, July 2, 2001.
• Privacy terms revised for Microsoft Passport, CNET, April 4, 2001.
• All your data (and biz plans) are belong to Microsoft, The Register, March 30, 2001.

Studies and Papers

• Passport Hacking Revisited, Chris Shiflett, August 15, 2002.
• Passport Hacking, Chris Shiflett, 2600: The Hacker Quarterly 18.3 (2001): 11-13.
• Microsoft Passport Account Hijack Attack, Eye on Security.
• Passport to Monopoly: Windows XP, Passport, and the Emerging World of Distributed Applications (PDF), The Project to Promote Competition and Innovation in the Digital Age.
• Risks of the Passport Single Signon Protocol, Avi Rubin & Dave Kormann, AT&T Research Labs.
• Response to Kormann & Rubin Document, Microsoft Passport Press Page.
• Passport Q&A for Businesses, Microsoft Passport Page.
• Passport Q&A for Consumers, Microsoft Passport Page.
• Privacy and Security Still Challenge Microsoft Passport, Gartner Group.

FAQ on Microsoft Passport and Windows XP

• What is Passport?
  • Passport is an online identification and authentication system operated by the Microsoft Corporation. Passport employs a single-signon system to facilitate e-commerce and browsing among different web sites that require a user to identify oneself.

    Once a user signs on to Passport, other affiliated sites visited by the user receive information about the user. Passport stores user information in a central database. Microsoft claims that there are over 200 million Passport accounts.

    The Passport service is intended to give Microsoft and Passport affiliates the ability to send unsolicited commercial email to Internet users and to profile their activities.

• What information is stored in Passport?
  • To register for Passport, a user must submit an e-mail address. Users can also submit their real name, city/locale, gender, age, occupation, marital status, personal statement, hobbies and interest, favorite quote, favorite things ("Name your favorite books, artists, places, gizmos, or gadgets"), a personal photo ("include a photo of yourself, a loved one, or a favorite place, thing or pet"), and a home page.
    
    
• What is Kids Passport?
  • Microsoft Kids Passport allows parents to consent to the collection, use and sharing of their children's information with Microsoft and with participating Passport Web sites that have agreed to utilize Kids Passport as their parental consent process. Information contained in the Kids Passport is disclosed to Passport-affiliated sites that children visit.
    
    
• How does Kids Passport Endanger Privacy?
  • Kids Passport places the burden upon parents to review each affiliated site privacy policy. There is no central summary of the privacy policies from Kids Passport sites. Under COPPA, where consent is given to a series of web sites, a summary of all the relevant privacy policies must be provided to the parent.

    The Kids Passport privacy policy only requires one parental verification process. Participating Passport websites will not have to obtain "verifiable parental consent" if the user enters the site through Kids Passport because the participating websites will have already agreed to utilize Kids Passport as their parental consent process. Thus if a participating website changes its existing privacy policy after the parent has gone through the verification process and the changed policy conflicts with the parent's level of consent, the participating site will not have to obtain parental consent a second time. The burden will be on the parent to ensure that previously-given consent is consistent with participating websites' privacy policies at all times.

• What is Microsoft XP?
  • Microsoft XP is the newest version of the Windows operating system. It is expected to become the primary means by which individuals access the Internet.
    
    
• What is .NET?
  • .NET is the platform on which Microsoft will develop and deliver centralized web services. Systems such as .NET, which provide services from a central server, are dependent on user identification and authentication. If unchecked, Microsoft's .NET platform will result in users being required to identify themselves to merely surf the Internet.
    
    
• What is Hailstorm?
  • Hailstorm is a group of services that Microsoft intended to provide from central servers. The Hailstorm services' future is currently uncertain. The company announced in April that it was not going to proceed with the development of certain services. Originally, the company planned to create services that included MyAddress, MyProfile, MyContacts, MyNotifications, MyInbox, MyCalendar, MyDocuments, MyApplicationSettings, MyWallet, MyUsage, and MyLocation.

    An extraordinary range of consumer information would have been collected and subsequently disclosed by means of HailStorm. This information includes a person's home telephone number, office telephone number, fax number, home address, business address, and geographic locations; a person's actual name, nickname, birthdate, anniversary, other special dates, and personal photograph; a complete list of all names of all contacts contained in an electronic datebook, including names, addresses, contact dates, and personal details for all friends and associates; information concerning location and contact information; all forms of incoming mail, including voicemail, electronic mail, and fax mail; tracking information; personal and business documents; favorite websites and other identifiers; receipts, payment instruments, coupons and other transaction records, devices settings and capabilities across all platforms, including PC, PDA, and telephones; and detailed usage reports for each one of these services.

• What is Windows Product Activation?
  • Windows Product Activation (WPA) is an anti-piracy system embedded in Microsoft Windows XP, Office XP, and other Microsoft products. The WPA system scans the hardware components of users' systems and links the hardware setup to the license key for the software. If the user later attempts to install a WPA protected program on another computer, the license key will not match and the software will not work. In addition, if the user changes hardware in their computer, WPA may disable the software.
    
    
• What's Wrong with WPA?
  • Through WPA and program registration, Microsoft can actually match users to their personal computers. Although Microsoft represents to users that the product activation process preserves anonymity, users cannot receive software support anonymously for the product that they activate and are forced to register for Microsoft Passport.
    
    
• What is driver blocking?
  • Driver blocking is a newly-enabled system in Windows XP. Through requiring driver blocking, Microsoft can stop the use of programs that are not specifically written for Windows XP. Driver blocking will prevent users from employing software such as Black Ice and Zone Alarm, regardless of whether the programs actually work on the operating system. As a result, XP will reduce users' privacy and security.

    Driver blocking can also be used to require programmers to include Digital Rights Management (DRM) technology in files. DRM technology is privacy invasive, and results in restricting user control.

• What is Digital Rights Management (DRM)?
  • DRM is a series of technologies that attempt to limit access, copying, printing, altering, sharing, and saving of files. DRM can exist at the hardware or software level, and acts to prevent the user from taking certain actions with files.

    DRM technologies have been developed with little regard for privacy protection. DRM technology usually requires the user to reveal his or her identity and rights to access the file. Upon authentication of identity and rights to the file, the user can access the content.

    These systems prevent anonymous consumption of content, and could be employed to profile users' preferences or to limit access to digital books, music, or programs.

• What is Hotmail?
  • Hotmail is a free web mail service owned by Microsoft. In 2001, Microsoft populated the Passport database by giving all Hotmail users a Passport account. When users log into Hotmail, they also sign on Passport.

    Passport will track Hotmail users as they visit other MSN sites, and provide users' personal information to those sites, unless the users click on a small "Sign-Out" button on the page each time they wish to move to a different MSN site.

    Passport tracks the behavior and divulges the personal information of Hotmail customers who neither have been notified of their Passport accounts, nor have granted permission for such use of their information. If a user visits the MSN homepage, a Passport "Sign-in" button will appear. If the user who did not come from Hotmail or another MSN site clicks this button, information on Passport will appear, along with an invitation to join the Passport system. However, if a Hotmail user who did not click the Passport "Sign-Out" button before exiting Hotmail visits the MSN homepage and clicks the same button, the MSN page will reload, with a message greeting the user by name.

    Hotmail has been plagued by serious security flaws in recent years. For example, in August 1999, when Passport was combined with Hotmail, a defect was discovered in Hotmail that allowed "anyone to read the private correspondence of about 50 million subscribers."

• What security issues are raised?
  • Microsoft is aware of significant risks that users will have their personal information, including their credit card numbers, disclosed to others when the Passport service is used at a shared or public terminal, which could include a computer in a library, community center, workplace, or airport lounge. Microsoft advises: You should always sign out of Passport when you are finished browsing the web to ensure that others cannot access your Passport profile or wallet.

    In February 1999, Microsoft was found to be quietly creating "a vast data base of personal information about computer users. "The online privacy seal organization TRUSTe subsequently found that Microsoft had compromised "consumer trust and privacy." Defects in Microsoft's software are routinely discovered that allow intruders unauthorized access to files, most recently a defect in Microsoft's IIS Web server software that has allows the "Code Red" virus to compromise an estimated 300,000 computers, including some of Microsoft's own servers.

• Did the changes that Microsoft made to Passport in 2001 address privacy issues?
  • No. Although the modifications were a step in the right direction, they still ultimately fail to address the underlying issues raised in the complaint and supplementary material.
    
    
• Does Passport comply with Safe Harbor provisions and other UK data regulations?
  • Currently, no.
    
    
• If I sign up for Passport, can I control my personal data?
  • To a certain extent, yes. Users can edit their personal information and make some decisions about how much information to share beyond the required minimum. Additionally, Microsoft now allows users to "close" their Passport account. Information for closing an account is online at Closing Your .Net Account.
    
    
• Are other companies creating services similar to Passport?
  • Yes. America Online (AOL) is developing a single-signon service that will store user information in a similar fashion to Passport. This service is called "Magic Carpet," and is still under development. In addition, Sun Microsystems has developed a service to compete with Passport called Project Liberty.
    
    
• What do the experts say?
  • Walter S. Mossberg, a widely regarded commentator on the computer industry who writes a regular column for the Wall Street Journal, wrote:

    "Windows will keep monitoring your setup to check that it's still running on the same machine. If you make major hardware changes, the system could disable Windows and force you to check in with Microsoft in the mistaken belief the program has been transferred to another computer. One journalist reported that his copy of Office XP suddenly went into "reduced functionality mode" and insisted he activate again while he was using it on an airplaneÖ

    "Microsoft has chosen a method of enforcing its policy that smacks of an invasion of privacy. The company says its database of PC configurations won't contain any personal information, and will be encrypted so that nobody can misuse it. But Microsoft's bully-boy behavior in the marketplace hardly inspires confidence that it won't somehow exploit this information.

    Stewart Alsop, a widely regarded commentator on the computer industry who writes a regular column for Fortune Magazine, wrote:

    "Microsoft is going to collect more and more information about what I buy and what I do. I don't really have a choice. It is very nearly impossible to use any computer without using Microsoft's software, and increasingly that means that it is very nearly impossible to avoid handing over your personal information to the company. And this situation is just going to get worse, because Microsoft does have a monopoly, and it is using that monopoly to aggressively expand its dominance of computers--personal computers, office servers, handheld computers, even set-top boxes--and its dominance of the Web and Web services delivered through its Internet Explorer browser.

    Esther Dyson, a widely regarded computer industry expert and chairman of EDVenture Holding, wrote:

    "I don't want the government, or Microsoft, asking me for my ID. I find it kind of amazing. You sit and think, 'Can they actually do this? Is it believable?' One hopes not."

• What have the 15 groups done?
  • The organizations listed above have joined a complaint to the Federal Trade Commission (FTC) alleging that Microsoft is engaging in unfair and deceptive trade practices. Under section 5 of the Federal Trade Commission Act, the FTC has authority to investigate and bring actions against entities that engage in unfair or deceptive trade acts in commerce. Recent developments in the investigation are covered on the Passport Investigation Docket Page.
    
    
• What is in the supplemental material that did not appear in the original complaint?
  • The supplemental material contained new information on Passport security flaws, Digital Rights Management, and the Children's Online Privacy Protection Act (COPPA).
    
    
• What remedies have the groups requested?
  • The groups have requested a series of remedies to protect consumers from the privacy and security risks presented by Microsoft Passport and by Windows XP. Specifically, the groups request:

    An investigation into the information collection practices of Microsoft through Passport and associated services.

    A revision to the XP registration procedures so that purchasers of Microsoft XP are clearly informed that they need not register for Passport to obtain access to the Internet.

    An order to block the sharing of personal information among Microsoft areas provided by a user under the Passport registration procedures absent explicit consent

    An order to incorporate techniques for anonymity and pseudo-anonymity that would allow users of Windows XP to gain access to Microsoft web sites without disclosing their actual identity

    An order to incorporate techniques that would enable users of Windows XP to easily integrate services provided by non-Microsoft companies for online payment, electronic commerce, and other Internet-based commercial activity

    An investigation to determine whether Passport complies with the requirements of the Children's Online Privacy Protection Act.

    And other relief as the Commission finds necessary to redress injury to consumers resulting from Microsoft's practices.
    

• What can I do?
  • Be sure not to sign up for Passport. A Passport account is not necessary to access the Internet.

    You can also help by demanding that software companies such as Microsoft offer true Privacy Enhancing Technologies that provide anonymity and pseudo-anonymity.