MS Passport: "All Your Bits Are Belong To Us"

Apologies for the AYB title, but that's just what everyone is calling it. Passport is the central repository for your passwords and "personal information" I've looked over the Passport Terms of Use and tried to give them the benefit of the doubt. But I can't read it any other way than this. By "inputting data ... or engaging in any other form of communication with or through the Passport Web Site" -- or any of its "associated services" -- you grant Microsoft the rights to "use, modify, copy, distribute, transmit, publicly display, publicly perform, reproduce, publish, sublicense, create derivative works from, transfer, or sell any such communication" and -- just when you were thinking it couldn't get any worse -- "exploit any proprietary rights in such communication, including but not limited to rights under copyright, trademark, service mark or patent laws." Am I wrong? Is that not what it means? And, is Hotmail affected by this?

One of the key questions is what Microsoft means by "associated services." The terms of use agreement applies to "the Microsoft Passport Web Site" which they redefine in the first sentence to mean "a Web site and its associated services."

Later in the terms, they explicitly say:

"The Passport Web Site may contain bulletin board services, chat areas, news groups, forums, communities, personal web pages, group calendars, electronic mail postings and/or other message or communication facilities designed to enable you to communicate with the public at large or with a group (collectively, 'Communication Services')..."

That doesn't sound like a simple site for password- and personal-data-storage to me.

The really big thing that everyone seems to be worried about is, how is Hotmail email affected by this? Here's the Hotmail Terms of Use. So is Hotmail an "associated service"? How would we know? Passport is listed as one of Hotmail's "additional Microsoft web sites and/or services"; what does that mean? If Hotmail is associated with Passport, does that mean Passport is associated with Hotmail? (Is "association" associative?)

And the fact that any access of www.hotmail.com redirects me to a machine at hotmail.passport.com worries me a lot. How could these sites not be considered "associated"?

Some more tidbits...

Don't forget that Passport is a TRUSTe licensee. TRUSTe stands 100% behind their privacy statement, so you can really, really trust that All Your Bits Are Belong To Us. (The joke is that TRUSTe doesn't actually guarantee you any privacy. It supposedly guarantees that, if you can wade through the legal mumbo-jumbo, you'll find yourself being screwed in precisely the way that the lawyers tell you you're being screwed.)

Here's a directory of the sites that use Passport for single-sign-in or purchasing.

You read it here first. Slashdot predicted this eight months ago. "Microsoft Passport And Your Privacy," July 29, 2000: "...I'm sure Microsoft uses it as a user-tracking system more than anything else." Go read Joel's article, from eight months ago, in which he explains how Passport "eliminates the last line of defense protecting your privacy" and how Microsoft will "create a massive consumer information database."

An article in the Daily Aardvark points out that Netscape users have a hard time reading Passport Q&A.

Bryan Smith has a thoughtful rant about what this would mean for open-source software. Dual copyright? Hmmmm. Here's your link, Bryan: "Dual-copyright/licensing" of your IP withOUT your permission.

A RISKS submitter calls it "highway robbery."

Don't forget that Passport is the website for which Microsoft forgot to pay its $35 domain registration fee, back around Christmas '99. This is the company you want to entrust your passwords to?

And finally, All Your Bits may be hard to retrieve once they Belong To Us. jasonjwwilliams writes "After reading about the new Hailstorm.net initiative by Microsoft, and how once integrated with Passport.com, any communcations sent in conjuction with the service in any manner becomes the property of Microsoft, I asked Passport.com to remove me. The response: we don't do that, wait 12 months to be auto-removed. After three e-mails here's the bottom line I received:

"Due to security reasons we do not allow nor do we have a feature to delete Passport accounts. Rest assured that if you do not access your account within 12 months our system will automatically delete your account."

"I don't know about anyone else, but I think this is a completely lame response and as far as I understand against the law. Anyone know who to get a hold of? This is arrogance gone too far."

Passport Removal by phone works.

[strredwolf]

Call Microsoft by phone and ask for immediate removal. Tell them that information being transferred through the Hotmail/Passport portal is secure information and is covered by a third-party NDA. If they give you the "Wait 3 months" line, ask for a manager, you got a clueless frontline support idiot.

And yes, I did this a few years ago. It works.

--
WolfSkunks for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.keenspace.com";

Old News

[LoCoPuff]

You know, I read the TOS too, and it's pretty clear that they're talking about forum posts and the like:

The Passport Web Site may contain bulletin board services, chat areas, news groups, forums, communities, personal web pages, group calendars, electronic mail postings and/or other message or communication facilities designed to enable you to communicate with the public at large or with a group collectively, ("Communication Services"), you agree to use the Communication Services only to post, send and receive messages and material that are proper and related to the particular Communication Service.
conspicuously absent from the list are communications between individuals.

One issue often overlooked in these things is the problem that plagues some publishers and causes them to reject unsolicited submissions: what the hell do you do when somebody hands you the outline for something very similar to a project you have under development? If you accept it, then you risk accusations later that you're a thief. ("Man, I said last year they oughta' put spellcheck into Explorer! Them bastards stole my idea!") Alternatively, if you simply state that you can use any ideas posted in the forum, then you've covered that possibility and maybe avoided a nuisance suit.

Now if the Reg had bothered to go to Hotmail itself, they might have found this:

It is Hotmail's policy to respect the privacy of its users. Therefore, Hotmail will not monitor, edit, or disclose the contents of a user's private communications unless required to do so by law or in the good faith belief that such action is necessary to: (1) conform to the edicts of the law or comply with legal process served on Hotmail; (2) protect and defend the rights or property of Hotmail; or (3) act under exigent circumstances to protect the personal safety of its users or the public.
not ironclad, but probably as good as the ISP through whom they're being accessed.

Re:Old News

[Palin+Majere]

Now if the Reg had bothered to go to Hotmail itself, they might have found this:

And they might also have found _this_:

"Click on the link below for the terms and conditions which govern these additional Microsoft web sites and/or services:"

Guess what's in the list of links... You got it. "Microsoft Passport". This means that your spiffy Hotmail "account" isn't actually actually a Hotmail account. It's a Passport account that allows you access to the Hotmail "service". What's the impact here? That you are agreeing to the Passport TOS when you sign up for Hotmail.

Perhaps you should read your own quote when you say that they're "talking about forum posts and the like". "electronic mail postings" certainly aren't forum postings, and "other message or communication facilities designed to enable you to communicate with the public at large or with a group" sure as heck covers a _vast_ amount of territory. It's not "just" forums, folks.

And, you should look at the Hotmail TOS itself for evidence contrary to your claim that Hotmail prohibits that sort of behaviour:

Microsoft does not claim ownership of the materials you provide to Microsoft (including feedback and suggestions) or post, upload, input or submit to any MSN Site/Service or its associated services for review by the general public (each a "Submission" and collectively "Submissions"). However, by posting, uploading, inputting, providing or submitting your Submission you are granting Microsoft, its affiliated companies and necessary sublicensees permission to use your Submission in connection with the operation of their Internet businesses including, without limitation, the rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate and reformat your Submission; and to publish your name in connection with your Submission."

Of course "Hotmail" _says_ it would never invade your privacy in those manners. The problem is, they're not. You're explicitly giving up your privacy to Microsoft as part of this agreement. There's no such thing as "a user's private communications" on Hotmail, because you've already agreed to give up your rights to that information twice. Once when you signed up for the Passport account, and again when you used the Hotmail service to send it out.

Oops. As the Privacy Nazi might say... "NO PRIVACY FOR YOU!"

Re:Old News

[Royster]

The pertinant part being:
Hotmail will not monitor, edit, or disclose the contents of a user's private communications unless required to do so by law or in the good faith belief that such action is necessary to: ... (2) protect and defend the rights or property of Hotmail

If they think your patch is their property or a right they posess, they will defend that right as they see fit.

Re:Concerns on LKML

[Gromer]

Not true. The Hotmail user who recieved the mail is the one who agreed to the Hotmail TOS. The Linux developers never made any agreement with Hotmail. Thus, MS would have no grounds to appropriate IP belonging to the kernel developers. Even if the TOS gave them that right, the person who agreed to the TOS had no authority to grant them that right, anymore than I can sign a paper authorizing you to give away free copies of Windows.

Similarly, if a kernel-dev mail came from a Hotmail account, even under the craziest readings of the Hotmail TOS, the only IP which MS could appropriate is that belonging to person who sent it through Hotmail, not the entire kernel, because the sender doesn't own the rights to the entire kernel. Still, unraveling a mess like that could be ugly.

Personal and non-commercial use only

[banky]

While I do understand the implications of MS's move to own all our bases, the license everyone is so upset about specifically states, "personal and non-commerical use only". So, at worst, doesn't that mean MS will know I'm going to Cancun, my girlfriend's name is Sarah, and we aren't renting a car?

I guess my major disconnect here is I can't imagine anyone in their right mind trusting their company to an open service like this. It baffles me.

Re:Personal and non-commercial use only

[rjamestaylor]

So, at worst, doesn't that mean MS will know I'm going to Cancun, my girlfriend's name is Sarah, and we aren't renting a car?

Well, just explain that to your wife when she gets a little note from Passport Information Services...

A humble solution (and a silver lining)

[FreeUser]

I must say, the number of apologist posts downplaying what is an obvious mass grab of other peoples intellectual property on the part of Microsoft is downright amusing. The amount of spin being put on this is worthy of the finest Clinton or Busch media machines.

Anyone reading the plane English of this license cannot help but see that, very clearly, the end user is required to grant Microsoft any and every right to their ideas, their work, even their patents, just by processing their information through a piece of software which happens to use Passport as an authentication mechanism. This could, in the future, include any document written by Micosoft Word (using passport to authenticate the author or encrypt the file as a new feature, etc.), sent through a Microsoft mail server, or served from a Microsoft Web server.

Microsoft has a well documented history of stealing other peoples work (and getting sued for it, and being required by the court to make appropriate reparations to the aggrieved parties). This isnt about avoiding frivolous lawsuits, this is about legalizing a reprehensible tactic they already engage in: theft from their customers, their competitors, and anyone else whose idea they like.

There is, however, a silver lining to this dark cloud. Two states have already, very foolishly, passed UCITA legislation, giving this sort of EULA the force of law. One would hope the courts would overturn such an onerous condition, particularly in light of the fact that nearly every party to this agreement has no idea what theyve agreed to, but one cannot assume reason will always prevail.

If it doesnt, it wouldnt be too terribly difficult for the authors of Apache, sendmail, various USENET and chat servers, and so forth, to add a clause to their respective licenses reading something like this:

By inputting data or engaging in any other form of communication with or through this software, or any of its associated services, you grant the Free Software Community and the world at large the rights to use, modify, copy, distribute, transmit, publicly display, publicly perform, reproduce, publish, sublicense, create derivative works from, transfer, or sell any such communication and exploit any proprietary rights in such communication, including but not limited to rights under copyright, trademark, service mark or patent laws.

This would be a potent weapon indeed for the Free Software community to strike a possibly leathal blow to copyright and patent law, once and for all (until such a time as another court rethinks this kind of thing, or a law is passed making such onerous and unreasonable property grabs illegal). Much of the very infrastructure of the Internet is powered by free software of one sort or another. If the courts should uphold this kind of behavior, we as a Community are in a position to use it in liberating far more knowledge and intellectual property, doing the Copyright and Patent Barons far more damage (and correspondingly far more good for free science and free software) than they could ever do to us. We arent compelled to use their software, but if they are using the internet at all, they are almost certainly using ours.

Concerns on LKML

[Royster]

Someone posted a message to the Linux Kernel Mailing List telling people not to use Hotmail for patches to the kernel.

It may be an overreaction, but it's probably still a good idea. It would be a messy court fight if it ever came to that.

SLASHDOT HAS THE SAME T.O.S.!!!

[fixion]

All your base are belong to Slash!!!

Check out the TOS from the Open Source Development Network, the Slashdot parent owned by VA Linux. The TOS is available at http://www.osdn.com/terms.shtml.

Of particular interest would be the clause in Section 4 of the OSDN Terms of Service: "the submitting user grants OSDN the royalty-free, perpetual, irrevocable, non-exclusive and fully sublicensable right and license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, perform and display such Content (in whole or part) worldwide and/or to incorporate it in other works in any form, media, or technology now known or later developed"!

Slashdot owns my intellectual property! Oh, the horror!!

Sigh.

So what should we learn from this? We should learn to put our paranoia in check and consult a lawyer before we open our mouths.

This clause is in virtually every TOS for any web service and is designed to protect service providers from litigious jerks who do things like sue service providers because their web page appeared in a marketing brochure for the service provider or (even worse) litigious twits who do dumb things like claim "They've infringed upon my copyright because they're keeping a 'copy' of my work on their servers!!"

These standard clauses are NOT designed (nor would they legally allow) the service provider to claim legal ownership of the content in question.

This same old tired shit hit the fan a year ago when Yahoo bought Geocities and someone noticed a clause in the TOS (that had been probably been there before but just not gotten any press). See the Wired story, the Wired follow-up, and the obligatory Slashdot reference from last year.

Yahoo caved to the PR blitz and rampant public ignorance and slightly modified their TOS to make it more clear. Microsoft probably won't . . . simply because they're Microsoft and they don't need to.

Maybe the angry hordes ought to jump down OSDN/Slashdot's throat now, eh? I bet they could get OSDN to cave and change their TOS, right?

Or maybe they should just take a deep breath, get a grip, and wise up.

Re:Arg!

[Wariac]

Sir, I would like to give you "props" for such a poignant and thought provoking post. I am about to re-read it, at which time I shall retire to my study to mull over your musings and perhaps come back and add my thoughts to your statements.

Kudos sir!

Never mind Hotmail and Passport, beware XP!

[retrosteve]

Okay, maybe I didn't make myself clear.
Boycott XP or be assimilated...

You don't have to use Hotmail or Passport to have MS own EVERYTHING you do. You just have to use Windows XP, which is claiming to be Microsoft's next "gotta have it" OS.

From the Microsoft White Paper on Hailstorm

Windows XP will integrate the Windows authentication system with the Passport authentication system, so a user can log onto Windows XP a single time and also be logged onto Passport and therefore be able to receive HailStorm services without an additional logon process. The release will also incorporate support for programmatic notifications, which means users of the HailStorm myNotifications service can easily opt to have their notifications delivered to their Windows XP-powered PC.

So talk all you want about using other mail and password services, Micro$oft plans to own all XP users too!

Wow, the Reg guys were right.

[Tridus]

Slashdot really does hate linking to The Register, even though they broke this story last week and have been credited in every other article about it I've seen. They even used the All your Base reference in their original story. There is no mention of any of that here at all.

Geez.

All Your Plagiarism Are Belong To Jaimie

[szcx]

This is suprisingly similar to The Register article titled All your data (and biz plans) are belong to Microsoft.

Not that I'd ever accuse a slashdot editor of plagiarism.

Here's Microsoft's response

[legLess]

First (gotta get this off my chest):

2001-03-30 22:34:02 Microsoft Passport: we 0wn j00 (yro,microsoft) (rejected)

Second, following is an email a friend and I both got after we complained:

Thank you for your message to Passport Privacy.

We appreciate your concerns related to the Microsoft Passport Terms of Use. This issue has recently come under review, and will be addressed soon with an updated Microsoft Passport Terms of Use. You will be able to view the updated Microsoft Passport Terms of Use at http://www.passport.com/Consumer/TermsOfUse.asp as soon as it is posted.

We apologize for any inconvenience that this may have caused you.

Sincerely,

Passport Privacy

Christ, I've gotten used to M$ software being beta - but even their TOS are beta?? Bastards.

question: is control controlled by its need to control?
answer: yes

All Your Genetic Makeup Are Belong To Us

[StoryMan]

Due to security reasons we do not allow nor do we have a feature to delete Passport accounts. Rest assured that if you do not access your account within 12 months our system will automatically delete your account

LOL. I hadn't thought of this excuse.

Look, due to security reasons I must backwards engineer your code. I can't explain it, but it's a part of my private genetic makeup. I'll be glad to supply you with my public genetic key, but, as you know, the private key must stay with me.

I must backwards engineer CSS.

I must hack BlueMatter.

I must attempt to thwart the latest SDMI watermarking scheme.

Rest assured (and this means you, Hilary, and you too, Jack Valenti -- even though, yeah, you're getting up there in years) that if I do not release my version of your encryption schemes, they will be deleted from my hard and from my memory banks. But, as you know, for security reasons, there's no way I can delete them manually. Nor is there any way that you -- Hilary or Jack or you spooks at the NSA -- can compel me to delete them sooner.

I'm sorry, but that's just the way it is. It's for security. You understand. I know you do.

"All your gene makeup are belong to us."

Re:All Your Genetic Makeup Are Belong To Us

[dlkf]

I can just see MS using this more and more in the future.

"Due to security reasons we do not allow nor do we have a feature to delete Microsoft Windows from your system. Rest assured that if you do not access your computer within 12 months your hard drive will automatically be reformatted."

Why use Passport at all?

[don_carnage]

I'm sorry if this sounds like a flame, but why would anyone want a website to hold on to all of your passwords? I mean, we all know that it's insecure to submit passwords in open text anyways.

I don't even trust IE to hold on to my /. password! You never know when Bill Gates may want to hi-jack my account and burn my karma away by posting anti-Linux hate speech!
--

Re:Why use Passport at all?

[/dev/urandom]

> I'm sorry if this sounds like a flame, but why would anyone want a website to hold on to all of your passwords? I mean, we all know that it's insecure to submit passwords in open text anyways.

"We all know." *WE* do. We, the savvy users of the net know that. But does Joe Blow Internet User know? Nope. The average web surfer doesn't know one wit about security, not even the simplest idea like not giving out your passwords. Hell, these are the people that write their work login on a sticky note and put it on their monitor.

This is exactly how companies like Microsoft, AOL, etc. can get away with their predatory and irresponsible practices. They target the 90% of the computer world that is totally clueless about how to protect themselves and their data. All they see in things like Passport is a very nice, pretty service that makes their life a bit easier. They don't know or think about the (in)security side of it.

And another problem is, this sort of knowledge really only circulates among people like us, who hang out on Slashdot and other techie sites. This kind of information needs to be put in places where the average user will see it, like in PC Magazine and such. I'd say it also needs to be put on the front pages of the main portals (like Yahoo, and so forth). But then again, a lot of those portals are run by companies guilty of these practices, so...

I am sure

[Alien54]

This has probably been submitted dozens of times since the Reg posted it week. Granted that this is probably the most elaborate of the submissions, with lots of supporting links, etc.

Microsoft should probably put in etraordinarily clear armor plated language that this does not license them to theft of corporate secrets, not that this has never stopped them before.

That said, If it wasn't news last week, why is it news now?

(People moan about news items around here being old if they saw it twelve hours ago, but the age on this seems a little extreme)

Heck, it could have made a wonderful story for April Fools day, the one legit story that would have looked like a fake.

Check out the Vinny the Vampire comic strip

IF we protest, they will change

[erroneus]

This adds fuel to the first of the Microsoft Antitrust appeal doesn't it?

So yeah, let's all talk about it, raise awareness and show what we think of their heavy-handed and likely unlawful approach to being more than commoncarrier service.

I wonder though... if they were to buy a big chunk of the internet, could they do the same thing? "If your traffic passes through our routers, we will sniff it and steal anything we like!"??

These people need to be stopped.

This just in...

[slcdb]

Chinese Prime Minister Jiang Zemin, avid Microsoft enthusiast and regular user of Microsoft Passport, was said to have been greatly angered by the recent uncovering of the oppressive Microsoft Passport license agreement. The official Xinhua news agency quoted him as saying, "All your top-secret spy plane are belong to us."