Slashdot Mirror


EPIC Urges State AGs to Pursue Microsoft Passport

An anonymous submitter sent: "The Electronic Privacy Information Center has sent a letter to all state attorneys general urging them to pursue Microsoft Passport under state consumer protection laws."

17 of 244 comments

  1. Straw Poll by alnapp · · Score: 3, Interesting

    Quick Question

    Which state attorneys general do you think will go for M$?

    and which won't

  2. Education and awareness by gandalf_grey · · Score: 3, Interesting
    I feel the key to success in these matters is to educate the legislators, and other relevant "law talking dudes". Misconception, ignorance and fear are the cause of most of the legal setbacks in the electronic information age. I applaud EPIC on a good attempt to bring light into the prevailing darkness.

    --
    Mmmmmmm. Floor pie!
  3. Holy cow by AT+Tappman · · Score: 4, Interesting
    The letter says that Microsoft has 200 million passport registrations already. That must mean 200 million Hotmail accounts, or something like that, and of those I'm willing to bet that a good number of them are unused or were used once to gain access to something else. Like MSN Messenger, which requires you to sign up for a Hotmail account.

    Hopefully most of those accounts aren't tied to active users, because of this. But if they do really already have 200 million users, all of whom are active, then that really is scary. That's around 3% of the world's population. (If I knew what percentage of the world's population used computers on the internet regularly, this would be more meaningful, but I'll take a guess and say 33%. Then 10% of users online would have active Passport accounts!)

    --

    I yearn for you tragically
    AT Tappman,
    Chaplain, US Army
    1. Re:Holy cow by Zocalo · · Score: 3, Interesting
      You need a damn passport to get almost anything out of Microsoft now. Mailing list? Passport please! Email? Passport please! IM? Passport please! Plus the damn thing doesn't work properly if you've tweaked your security settings from the defaults (even with IE).

      At least three of those passports are (were) mine. I signed up for some mailing lists, got a passport and I have no idea what random crap I pasted into the password field, deleted the crap it dumped to my hard drive and moved on. Ditto when I realised I'd missed a mailing list off the subscriptions. Plus my first attempt that barfed because my IE security settings had been customised from one of the preset defaults.

      They might have 200m registrations, but how many of those became permanently dormant the same day they were created?

      --
      UNIX? They're not even circumcised! Savages!
    2. Re:Holy cow by guttentag · · Score: 4, Interesting
      The Washington Post ran an article about two years ago on a study of internet usage in major metropolitan areas in the U.S. It claimed that the Washington, DC area was the most "wired" region in the country, with about 50% of adults having some access to the Internet.

      IIRC, the expected techie cities followed, but the percentages quickly dropped below 30%. Outside those areas, the percentage of adults who have internet access was much lower than that.

      In industrialized nations with relatively strong economies, the average internet access rate is probably below 20%. China and India each have populations around 1 billion, but what minuscule fraction of a percentage of their citizens have internet access? Most of the world's population doesn't even have electricity.

      I think the percentage of people who (1) have electricity, (2) can afford a computer, (3) have the training to use a computer, (4) and have access to the Internet is probably less than 5%. In fact, I suspect it's closer to 1%.

      Still, I think Microsoft's 200 million figure is exaggerated... the result of convenient accounting. Personally, I have at least a dozen Passport accounts that MS automatically gave me when I signed up for Hotmail accounts I only used once. I have never given MS my credit card number or even my real zip code, and I never will, yet I am over a dozen Passport users. Heck, my imaginary dog has two Hotmail accounts (he complained that the first one was full of spam, so I signed him up for a second account).

      Aside from users like me (and my imaginary dog), I had a friend who wrote a commercial script to log into Hotmail. To test it, he wrote another script that created thousands of Hotmail (and Passport) accounts. He did the same thing with Yahoo, and apparently this phenomenon is common enough that Yahoo now requires new users to use "Word Verification" to "prevent automated registrations."

  4. Similarity by mirko · · Score: 5, Interesting

    In addition to the unwarranted collection of consumer data, Microsoft offers no method to delete a Passport registration. Microsoft claims that Passport gives users control of their personal information. However, the most basic aspect of control--the right to take back one's personal information--is not accommodated by the Passport system.


    Note that one can't delete his Slashdot account either, which could actually be the source of some trouble as if he suddenly changes his mind about whichever opinion or way to express it he has, there'd be a way to track his former behaviour if the account he opened was named like him and we know for sure how much we change over the time (maybe from the pro-patent to anti-patent or from the extremist to the moderate).

    Though I dislike to add such disclaimer in my Slashdot post, I'd like to point out that I don't want this comment to be considered as a troll, nor is it off-topic.

    This is just a way to point out that we should ensure that no one may reproach us with the same things that are being reproached to Microsoft or whoever else.

    Back to the article, now: what sort of effect does such a letter have?

    --
    Trolling using another account since 2005.
  5. Passport Roach Motel by Alderete · · Score: 5, Interesting
    I once signed up for a Passport account, because Microsoft was giving me 20% off the price of a TiVo (or any electronics item at 800.com) if I paid for it with Passport (then called something else).

    Now I'd like to get out of the system, because I don't trust it to be secure, but because I've forgotten my password, I can't.

    Go to the Passport site (http://www.passport.com) and look; there's no FAQ or other document that tells you how to cancel your account. Nor is there any e-mail address of anyone who might be able to help you do it manually.

    So, when you hear Passport adoption statistics, subtract at least one. I've never used my Passport a second time, but can't get rid of it, after trying for weeks.

    1. Re:Passport Roach Motel by toriver · · Score: 4, Interesting
      Now I'd like to get out of the system, because I don't trust it to be secure, but because I've forgotten my password, I can't.

      Sure, just wait for a quantum event, like this one (from their agreement):

      "Microsoft reserves the right, in its sole discretion, to terminate your access to the Passport Services or any portion thereof at any time, without notice."

      But you're correct that the agreement doesn't open for you, the consumer, to end the contract. Surely that must be against some contract law somewhere?

    2. Re:Passport Roach Motel by Ldir · · Score: 3, Interesting
      I'm in the same boat, almost exactly. I also signed up with Passport just to get their 20% discount. I used it exactly twice, at Mercata (R.I.P.) on a Tivo and a Philips Pronto remote. This was before Passport was revealed to be part of Microsoft's own-the-Internet strategy, though it wasn't too hard even then to see that MS hoped to turn it into something big.

      I've never been back, and I certainly don't plan to go back if I can avoid it. I hope the credit card number I used has expired by now. I wonder how many millions more Passport "users" are really just people like us, who couldn't pass up a "free" 20% gift. It's classic Microsoft, using deep pockets to buy a market.

      That's the great little gotcha for Passport, once it becomes entrenched as an effective monopoly. MS can begin charging a "nominal annual fee" to maintain our Passport accounts.

      All your dollars/Euros are belong to us.

  6. Future tense by _ganja_ · · Score: 4, Interesting
    To me, your average geek, most of the letter refers to what Microsoft could possibly do in the future. I could possibly go out and rob a bank in the next week but does this mean the police should arrest me? Actually, isn't that what the homeland (fatherland) security acts are all about? I digress.


    I'm on EPIC's side and I agree with most of the point of the *potential* problems with Passport but if M$ haven't done anything wrong yet or EPIC offers no proof except the potential for harm then this isn't going to get much notice.


    Kids Passport? *shiver*.

    --

    A journey of a thousand miles starts with a brutal anal raping at airport security

  7. EPIC Letter needs a proof reader by RonMcMahon · · Score: 2, Interesting

    Perhaps the reason why the FTC hasn't acted is because of the horrendous writing style and inadequate proof-reading of the EPIC authors. While I will never present myself as an accomplished speller or grammar fanatic, even I see poor use of our language in this document. Perhaps the most galling is the line: "over 100 hundred of the largest online retailers" (which can be found in the third paragraph). So, is that 100 or 100,000? These guys at EPIC are complaining that Microsoft doesn't pay enough attention to the details (which is true), while putting out this grade-school effort in communication.

  8. Re:Customer's Information by at_18 · · Score: 4, Interesting

    Yes several countries in Europe have this already. The problem is, if you don't check that box you ain't gonna get the service. So this remedy is not a right to privacy, but a right to inform you you don't have it.

    Well, this is not correct. In at least one country (Italy), the law acts in a way that you have TWO separate agreements: one for the service, and one for spreading out your personal data. Both have the "no" option checked by default.

    You have to check on the first "yes" to have the service activated, and nothing else. Checking the second "yes" will grant permission to the service provider to use your data for ads, statistics etc. Using your data without this specific agreement can cause big penalties for the companies.

    Everything is explained on every form, and it's so common that everyone knows that they must check only the first answer.

  9. remember: When giving private info by bluGill · · Score: 5, Interesting

    You are born in 1998, your zip code is 82312, your gender is none of their business (and if they insist use a coin to decide). Nor is your race, religion, or the type of car you drive their business.

    Reasons for the above: In the US only minors have privacy protection, so by putting down a birthdate of 1998 you are under those laws as far as they know. Your physical address is none of their business, unless you are buying something from them. (and so far I've never had a problem with the vendors who I buy from though there are bad apples out there). Your gender, race, religion, etc is none of their business, on the net nobody knows you are a dog! Refuse to answer, or answer randomly. Randomly means sometimes you give the right answer, because if you always gave the wrong answer that in itself would be a clue.

    Remember invalid data that they have is less valuable than not having data at all in many cases.

  10. Re:Customer's Information by reemul · · Score: 4, Interesting

    What I'd like is some 'Personal Privacy License' to be drawn up. It would lay out in extremely explicit and legally binding terms the permitted usages of a given person's data. When I go to a website using the license, it is formally acknowledged that I'm not *giving* the site my data, I am instead *licensing* them to use my data under strict limits which may not be changed without my formal permission in advance. It would say so right on the page where I fill in the blanks. My data remains mine, forever.

    If a site that got my data under the license gives it out to someone else, it isn't a regrettable incident that might possibly get a brief mention on Wired or C:net, it's a legally actionable event under the same draconian IP laws that all those media companies have spent millions of dollars lobbying for. Selling a database won't just get you a bunch of angry emails from /. regulars, it would be the basis for a class action with thousands of easily identified persons in the class. (Just look them up from the database.) And as a capper, if your data was ever sold, you could use that fact as the basis for discovery motions to every other bastard in the personal data trade, demanding to know exactly who gave them their data and under what circumstances, to make sure none of them had any of the *tainted* data. Think the EFF and the ACLU would be willing to help out? Yeah, me too.

    Oh, and for the folks that would want to stick a "Gnu" in the name of the license - sorry. The whole point is that my data remains proprietary, with myself as the owner. Not all data wants to be free, my personal info likes its dark little box just fine, thank you.

    -reemul

    --
    You're just jealous 'cuz the voices talk to *me*
  11. Re:Privacy for dummies. Chapter 1. by Unfallen · · Score: 2, Interesting
    Quick update on how passport seems to work - there is a "Reset my password" link, in case you've forgotten your password, obviously, but also to be used if someone else were to sign you up, I guess. This works fine - it took a while longer to come through than the "Welcome to MSN Passport" e-mail did, but it got there.


    This is great if someone just signs you up and leaves it at that. However, the same e-mail verification process (get the sign-up statistics first, ask for validation later...) is used if you want to change your e-mail. So by the time they confirm the password reset, they're told that the account is not registered at all! If they then don't register with passport.com, there is nothing AFAICS to stop the account being pointed back at that e-mail, starting the fun and games from scratch again.


    I also assume (subject to further tests) that the same mechanism is still in place for subscribing to e-mail lists and the like. We shall see...

  12. Oh, Come On! by ClubStew · · Score: 3, Interesting

    Does everything Microsoft does have to be under scrutiny? Personally, I think AOL/Time/Warner(/US Gov't) is more evil by far. The only reason no one ever gives them crap is because the government is a secret part of that merger!

    Microsoft Passport is a good idea. Sun et al. think so. They are coming up with Liberty, their answer to Passport.

    Does Passport need work? Yes, I don't deny that. But does Passport store *everything* on the server? NO! A site that implements Passport is responsible for keeping track of their own consumer's information. This is outlined in the .NET Framework and Passport SDKs. Currently, there is no way for a site to pass information back to the central Passport database. The only thing Passport could know about you in that case is that you go to that site.

    Get off their backs. I'm a big linux and open-source supporter but I also realize that Microsoft has better integration as a whole system. I'm getting really tired of the crap everyone on this site gives them. You could point fingers at a lot of other companies, too, not just Microsoft. For instance, anyone read the other post today? Linus is being a pain in the butt. Maybe you should scrutinize him for a while!

  13. Weak authentication makes a strong counterpoint by GodLived · · Score: 2, Interesting
    I searched this discussion for "Auth", and found no sufficient discussion of authentication in Microsoft .NET Passport. So I feel compelled to write, since I hold that the claims of the letter are false.

    As part of an evaluation study, I decided to create a few Passports to understand what level of authentication Microsoft was performing to bind the Passport to the user, also called 'principal.' In the security community, there are three kinds of principal authenticators, specifically, (1) something you have, (2) something you know, or (3) something you are. An "authentication factor" refers to how many of these authenticators you possess. A driver's license is a two-factor authentication system as it authenticates based on something you have (the license) and something you are (your photo). Digital signature certificates used with signing software authenticate on something you have (the private key) and something you know (the password to use the key), and are also two-factor authentication. Biometric systems can effect 3-factor authentication. There are many other examples.

    Obviously, the more factors you have, the more strong the binding is between your claimed identity and your actual self.

    Microsoft Passport, by experimental determination, is a single factor authentication system (knowledge of username and associated password). This, in general, is not good when it comes to things like online purchases, but it is excellent if the idea is to maintain anonymity of the principal.

    Try it out. You can go to www.passport.com, and sign up for a password using a fictitious e-mail account. The e-mail address does not have to match any actual address, it just has to be in the "foo@bar.com" format. So, even though Microsoft claims to authenticate to an e-mail account, which in turn would defer authentication to the maintainer of the account (bar.com supposedly knows who user 'foo' is), it really does not. I could register a Passport in the name BGates@msn.com if I wanted to. MS would never send any note to BGates@msn.com and ask, "is this your Passport?"

    Why didn't this point come up in the open letter? Well, for one, it could be that the authors did not actually experiment with Passport prior to writing; all of the Microsoft literature leads one to believe that the e-mail address is authenticated. [There are numerous e-mail authentication examples in use; join any mailing list, and you will often get an e-mail, "reply to this and you'll be added". That is at least some authentication that you can access the e-mail account that you claim is yours.] Paperware analysis could lead the authors to wrongly conclude that the e-mail is actually authenticated.

    A different, more sinister and self-serving reason is that it would refute the claims of the open letter! If Microsoft does not authenticate e-mails, then one can pick any identity when registering for a Passport. If the identity on the Passport is meaningless, then the identity of the holder is meaningless, and it therefore follows that there aren't any privacy or protection issues at all. MS would essentially be tracking the surfing habits of some unknown user.

    In conclusion, the issue of my post is not that Passport is evil or Microsoft is vying for a monopoly. The issue is that there is an unfounded fear and paranoia about security, privacy, tracing surfing habits, selling information and e-mail spam related to .NET Passport that really does not exist... because Microsoft does not authenticate the e-mail address used to register the Passport. Never. Nada.
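
The reply-to-confirm check that comment 13 describes as missing, and that the e-mail-change case in comment 11 also depends on, sketched as an added example that is not part of the thread and is not Microsoft's code. The `Registry` class, its method names, the token format and the 24-hour window are all assumptions made for illustration: an address stays pending until a token mailed to it comes back, and the token is bound to the account, the pending address and an expiry time.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed for this example)
TOKEN_TTL = 24 * 3600                 # assumed confirmation window, in seconds


class Registry:
    """Hypothetical account store: an e-mail address is bound only after confirmation."""

    def __init__(self):
        # account_id -> {"email": verified address or None, "pending": address or None}
        self.accounts = {}

    def _mac(self, account_id, email, expires):
        msg = f"{account_id}|{email.lower()}|{expires}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def request_email(self, account_id, email, now=None):
        """Signup or address change: store the address as pending and
        return the token that would be mailed to that address."""
        now = int(time.time()) if now is None else now
        acct = self.accounts.setdefault(account_id, {"email": None, "pending": None})
        acct["pending"] = email
        expires = now + TOKEN_TTL
        return f"{expires}.{self._mac(account_id, email, expires)}"

    def confirm(self, account_id, token, now=None):
        """Promote the pending address only if the token matches this
        account and this pending address and has not expired."""
        now = int(time.time()) if now is None else now
        acct = self.accounts.get(account_id)
        if acct is None or acct["pending"] is None:
            return False
        try:
            expires_s, mac = token.split(".", 1)
            expires = int(expires_s)
        except ValueError:
            return False  # malformed token
        if now > expires:
            return False  # confirmation window has passed
        expected = self._mac(account_id, acct["pending"], expires)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False  # forged, or issued for a different address
        acct["email"], acct["pending"] = acct["pending"], None
        return True

    def verified_email(self, account_id):
        """The address the service may treat as belonging to the account holder."""
        acct = self.accounts.get(account_id)
        return acct["email"] if acct else None
```

Until `confirm` succeeds, `verified_email` returns `None` for a new account and the previous address for an account whose change is still pending, so a signup or change naming someone else's address never binds it.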