Microsoft Defends Passport To Privacy Group

securitas writes: "CNET reports that Microsoft is defending Passport as safe and secure in a presentation to the Center for Democracy and Technology. Other organizations such as the Electronic Privacy Information Center, Junkbusters and even the U.S. government may be lobbied by MS this week to fend off a Federal Trade Commission complaint filed by 15 consumer and privacy groups that charges unfair and deceptive practices."

Aggregation is a bigger concern

[coyote-san]

Information leaking from one site is annoying, esp. if it's something like a credit card number, but it's nothing compared to aggregated information being leaked.

As a silly example, let's say you buy rat poison. No big thing, people buy it all the time.

Let's say you buy a book about "perfect murders... and how they were caught." No big deal, people buy true crime books all the time.

Now let's say you recently bought a bunch of lingerie. And had it delivered. But not to your home address. You're having an affair, sleazy, but not unheard of.

Now finally let's toss in the fact that you just consulted a lawyer. A divorce lawyer. One who specializes in breaking prenuptial agreements.

Suddenly things are much more interesting.

Most of us aren't planning to murder our spouse, or even to look like we're thinking about it. But it's certainly possible for mindless data aggregation to cause people to jump to the wrong conclusion. E.g., you bought a couple books on alcoholism, and a few cases of wine? You obviously have a problem, don't you. (Nope, the wnie is a gift to newlyweds and the book is to help me understand if my nephew needs help.) Etc and so forth.

Even with all of this information centralized with Microsoft (and make no mistake that the Passport/Hailstorm system will not collect this information), my biggest concern isn't that it will be leaked. My concern is that it will have bogus information feed into it. There's a nice market opportunity for nasty companies to put bad information into these records, then offer to clean it up for you. For a modest price, of course. All of the potential damage of a credit report, but with none of the legal safeguards.

Of course, that same problem exists today with the aggregated data provided by from credit card companies, but again it isn't a *single* point of failure. Even if you crack Citibank (still the largest CC issuer?), it does nothing about the hundreds of millions of people who don't have Citibank cards. But crack Hailstorm and you'll have information on almost everyone online.