Slashdot Mirror


EPIC Urges State AGs to Pursue Microsoft Passport

An anonymous submitter sent: "The Electronic Privacy Information Center has sent a letter to all state attorneys general urging them to pursue Microsoft Passport under state consumer protection laws."

23 of 244 comments

  1. It's a joke. Laugh. by magicslax · · Score: 4, Funny
    Since its introduction, consumers using Passport and Windows have been exposed to two major Internet viruses...

    ...named Passport and Windows. ^_^

  2. deceptive trade practices by markmoss · · Score: 5, Funny

    From the letter: "Microsoft's failure to make public known security risks in Windows XP and Passport and provide a reasonable degree of control of personal information violates state law that prohibits unfair deceptive trade practices. In light of the FTC's reluctance to address this clear violation of Section 5 of the FTC Act even after the widely disclosed security flaws, we urge you to investigate the privacy and security risks of Microsoft Passport."

    If that's deceptive, how about those ads claiming that Windows servers run unattended?

  3. Holy cow by AT+Tappman · · Score: 4, Interesting
    The letter says that Microsoft has 200 million passport registrations already. That must mean 200 million Hotmail accounts, or something like that, and of those I'm willing to bet that a good number of them are unused or were used once to gain access to something else. Like MSN Messenger, which requires you to sign up for a Hotmail account.

    Hopefully most of those accounts aren't tied to active users, because of this. But if they do really already have 200 million users, all of whom are active, then that really is scary. That's around 3% of the world's population. (If I knew what percentage of the world's population used computers on the internet regularly, this would be more meaningful, but I'll take a guess and say 33%. Then 10% of users online would have active Passport accounts!)

    --

    I yearn for you tragically
    AT Tappman,
    Chaplain, US Army
    1. Re:Holy cow by guttentag · · Score: 4, Interesting
      The Washington Post ran an article about two years ago on a study of internet usage in major metropolitan areas in the U.S. It claimed that the Washington, DC area was the most "wired" region in the country, with about 50% of adults having some access to the Internet.

      IIRC, the expected techie cities followed, but the percentages quickly dropped below 30%. Outside those areas, the percentage of adults who have internet access was much lower than that.

      In industrialized nations with relatively strong economies, the average internet access rate is probably below 20%. China and India each have populations around 1 billion, but what minuscule fraction of a percentage of their citizens have internet access? Most of the world's population doesn't even have electricity.

      I think the percentage of people who (1) have electricity, (2) can afford a computer, (3) have the training to use a computer, (4) and have access to the Internet is probably less than 5%. In fact, I suspect it's closer to 1%.

      Still, I think Microsoft's 200 million figure is exaggerated... the result of convenient accounting. Personally, I have at least a dozen Passport accounts that MS automatically gave me when I signed up for Hotmail accounts I only used once. I have never given MS my credit card number or even my real zip code, and I never will, yet I am over a dozen Passport users. Heck, my imaginary dog has two Hotmail accounts (he complained that the first one was full of spam, so I signed him up for a second account).

      Aside from users like me (and my imaginary dog), I had a friend who wrote a commercial script to log into Hotmail. To test it, he wrote another script that created thousands of Hotmail (and Passport) accounts. He did the same thing with Yahoo, and apparently this phenomenon is common enough that Yahoo now requires new users to use "Word Verification" to "prevent automated registrations."

  4. Similarity by mirko · · Score: 5, Interesting

    In addition to the unwarranted collection of consumer data, Microsoft offers no method to delete a Passport registration. Microsoft claims
    that Passport gives users control of their personal information. However, the most basic aspect of control--the right to take back one's
    personal information--is not accommodated by the Passport system.


    Note that one can't delete his Slashdot account either, which could actually be the source of some trouble as if he suddenly changes his mind about whichever opinion or way to express it he has, there'd be a way to track his former behaviour if the account he opened was named like him and we know for sure how much we change over the time (maybe from the pro-patent to anti-patent or from the extremist to the moderate).

    Though I dislike to add such a disclaimer in my Slashdot post, I'd like to point out that I don't want this comment to be considered as a troll, nor is it off-topic.

    This is just a way to point out that we should ensure that no one may reproach us with the same things that are being reproached to Microsoft or whoever else.

    Back to the article, now: what sort of effect does such a letter have?

    --
    Trolling using another account since 2005.
    1. Re:Similarity by DanThe+Bike · · Score: 4, Informative
      Microsoft offers no method to delete a Passport registration

      This is wrong, if you have a passport account you can delete it. Visit the Contact Us help page, and select 'delete my account' from the list of things in the 'I need to' list. They'll then send you a mail asking for answers to the secret questions. They were very responsive when I tried.

  5. Passport Roach Motel by Alderete · · Score: 5, Interesting
    I once signed up for a Passport account, because Microsoft was giving me 20% off the price of a TiVo (or any electronics item at 800.com) if I paid for it with Passport (then called something else).

    Now I'd like to get out of the system, because I don't trust it to be secure, but because I've forgotten my password, I can't.

    Go to the Passport site (http://www.passport.com) and look; there's no FAQ or other document that tells you how to cancel your account. Nor is there any e-mail address of anyone who might be able to help you do it manually.

    So, when you hear Passport adoption statistics, subtract at least one. I've never used my Passport a second time, but can't get rid of it, after trying for weeks.

    1. Re:Passport Roach Motel by toriver · · Score: 4, Interesting
      Now I'd like to get out of the system, because I don't trust it to be secure, but because I've forgotten my password, I can't.

      Sure, just wait for a quantum event, like this one (from their agreement):

      "Microsoft reserves the right, in its sole discretion, to terminate your access to the Passport Services or any portion thereof at any time, without notice."

      But you're correct that the agreement doesn't open for you, the consumer, to end the contract. Surely that must be against some contract law somewhere?

  6. Future tense by _ganja_ · · Score: 4, Interesting
    To me, your average geek, most of the letter refers to what Microsoft could possibly do in the future. I could possibly go out and rob a bank in the next week but does this mean the police should arrest me? Actually, isn't that what the homeland (fatherland) security acts are all about? I digress.


    I'm on EPIC's side and I agree with most of the points of the *potential* problems with Passport but if M$ haven't done anything wrong yet or EPIC offers no proof except the potential for harm then this isn't going to get much notice.


    Kids Passport? *shiver*.

    --

    A journey of a thousand miles starts with a brutal anal raping at airport security

  7. Re:Customer's Information by gazbo · · Score: 4, Insightful

    The real problem here is not that Passport is evil, but that they do not trust Microsoft to be the sole Passport providers, and to not do 'unreasonable' things with the data that they could potentially collect.

    I recently went to a seminar with MS's senior systems architect (UK) talking about Passport (mainly .net though). He first said that the Passport protocol should be implementable by any provider who wants to provide this service, so it need not be Microsoft authenticating details.

    Even if you do not believe this, he made an excellent demonstration of the problems of trust. A member of the audience (anti MS - he was heckling throughout the seminar) raised a similar concern. I paraphrase the conversation here:

    Man: 'I don't trust MS's servers to keep my data safe and not abuse it'

    MS: 'Well, whose servers do you trust?'

    Man: [thinks] 'Mine'

    MS: 'Everybody raise their hands if you trust your data on this man's server'

    I thought it was a nice example anyway.

  8. Tried this at the National level.... by Em+Emalb · · Score: 4, Insightful

    "We have repeatedly urged the Federal Trade Commission to investigate this matter in two separate filings, but the Commission has failed to act. We therefore urge you now to initiate an investigation under your statutory authority."

    Ok, so what they are saying is, the FCC didn't care, so we are going to attack at a lower level. While I admire their determination/wish them luck, how much will this knowledge that the FCC didn't do anything affect them? Food for thought this AM....

    --
    Sent from your iPad.
  9. And lest anyone ask by Voidhobo · · Score: 4, Informative

    Should anybody ask "How is this a bad thing?", send them to read Privacy and Power: Computer Databases and Metaphors for Information Privacy (linked to here) by Daniel Solove. I personally think it is worth reading the whole thing, but it's kinda long, so maybe this NY Times article is a better suggestion.

    It basically says, "You may think Big Brother isn't interested in you, and you may be right, but there is a Big Unknown gathering so much information about you, she could come after you once you become a nuisance to her!", only in a less conspiracy-theoretical way...
  10. Opt-In vs Opt-Out vs Passport. by Alien54 · · Score: 4, Insightful
    Much of the law seems to be based on the idea of protecting people by making things "Opt-in". An extreme practical example is that, for example, you do not have to "opt-out" of one of any number of criminal assaults for every single person that you meet coming down the road. It is assumed that you do not want to be assaulted unless you specifically "opt-in" such as in certain sexual activities.

    This is easy enough to see in the case of spammers and mailing list types who want to assume that you want to get their junk unless you "opt-out". With thousands of advertisers, this quickly becomes unworkable.

    Now we come to MS and Passport. With the fact of Monopoly, it is possible to enforce the sale and/or acceptance of other "products" because they are "part of the whole package". I believe that in certain states, for certain industries, you cannot enforce the sale of product number 2 as a prerequisite to purchasing product number one. This varies by the product. Of course, you can always say "included free" but some things that are free are not worth the price.

    In the case of a monopoly, you can enforce the acceptance of items which would not otherwise be desired, and which may be a mixed blessing to the consumer at best. I am extraordinarily wary of Passport and the all in one wonderful world of Microsoft Productivity that it promises for people.

    Stepford Nation, indeed.

    --
    "It is a greater offense to steal men's labor, than their clothes"
  11. Privacy for dummies. Chapter 1. by Unfallen · · Score: 5, Insightful
    I have been on the receiving end of Microsoft's "Security Policy" in the past, finding myself (accidentally or deliberately, I have no idea) subscribed to several salubrious MSN forums. After several months and few non-automated replies, I finally stopped receiving the e-mails, but with neither explanation of why I got them, who had done it, nor even an acknowledgement or an apology.


    Let us now put this into the context of the passport scheme - the EPIC letter states "Microsoft has indicated that the company's goal is to have every Internet user possess a Passport account", which I deem a fair summary of the situation (although, ideally, everybody would also use a Hotmail account too). Trundle along to, say, http://www.passport.com and look! See how you can sign up with ease! Get it now! Calooh! Callay!


    Now let us try to pull the same trick that was pulled on me, and that I have fortunately not seen on any well-organised mailing list outside of Redmond. Enter an e-mail address, any e-mail address (excepting MS-specific ones such as Hotmail) - even make one up that obviously doesn't exist, and then... Carry On! Yes! There's still no security! At least, I guess, an e-mail gets sent to the e-mail address asking you to verify it, but this seems to be purely for service embellishment:


    Please take a moment to help us verify your e-mail address. This ensures that .NET Passport can respond to you if you contact us about a service issue. In addition, some participating .NET Passport sites may require you to verify your e-mail address to take full advantage of their own services.

    Using the new obviously-fake account, I can save settings, edit my MSN etc etc much as I may or may not want to. That is not the issue. What we have here is clearly a case of theft of privacy - without even trying, anyone is able to sign up anybody else's e-mail account for a passport. Who knows what havoc this could/will cause! Not being particularly au fait with MSN, I have only circumspection, but Microsoft have an epic journey to go before they reach "Trustworthy Computing [tm]" if they fail to understand the basics of privacy and intrusion, as highlighted here.


    To conclude, I say get out there, fight it from the other end - the end that consumers will understand. Sign up as many fake and real accounts as you like to demonstrate just how fallible the system is. I'm off to see if they prevent scripting...

  12. Data Protection Act in the UK by Manic+Miner · · Score: 4, Informative

    "I think we need a law that forces companies to have a large checkbox in their sign-up forms saying "I don't mind having my personal information sold to other companies". This should be un-checked by default. I'm sure some countries probably have this already."

    As you are from the UK, you might be interested in the things covered by the Data Protection Act (DPA). The DPA can be used in the UK to protect yourself from people misusing your personal information. A quick guide can be found here. Companies can be quizzed as to how they use the information and what information they hold on you, for as little as £10.

    In addition you have the right to sue the company for any loss resulting from faulty information they use, and you can have data removed / corrected as appropriate (see here for details).

    As Passport is based in the US I doubt you have any rights covered by this act (although you might as they are providing the service in this country). However I think this is a step in the right direction, in the UK this covers most companies and data including credit ratings. This is a brilliant step forward and offers hope to all those people who are screwed because of faulty information, or just pissed off with companies sending them letters ;)

    For certain "sensitive" types of information a company will have to get your explicit permission before using your information, e.g. race, religion etc.

    I am intending to write to the Information Commissioner to ask about Microsoft's information gathering activities in this country and if they can be stopped / modified to ensure that they conform to the DPA. Maybe if enough people do this we can get a result for the UK.

    --
    If you ever drop your keys into a river of molten lava, let'em go, because, man, they're gone.
  13. FCC and FTC are not the same by sam_handelman · · Score: 4, Informative

    The FCC is the Federal Communications Commission. If you are involved in a dispute that is, in any way, commercial, they will not involve themselves. You have to talk to the FTC. This can be a bit of a bitch if you're small time and buying spectrum, or the like, and got ripped off, because it is the FCC who actually knows what is going on, but since it is a service dispute they won't get involved.

    The FTC is the Federal Trade Commission. They are a very different animal - for one thing, they are a hugely more powerful institution. They are the people you have to talk to if you want a dispute (like, say, MS Passport is mysteriously billing you for services you didn't buy) resolved without involving the courts; even if you are going to go to court you generally have to talk to the FTC first.

    It is, perhaps unfortunately, very difficult to get the FTC's attention. I assume that the state attorneys general know this. Also, major decisions at the FTC are made by political appointees; the Bush administration has been seen by many attorneys general as being soft on MS.

    --
    The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
  14. Re:Customer's Information by at_18 · · Score: 4, Interesting

    Yes several countries in Europe have this already. The problem is, if you don't check that box you ain't gonna get the service. So this remedy is not a right to privacy, but a right to inform you you don't have it.

    Well, this is not correct. In at least one country (Italy), the law acts in a way that you have TWO separate agreements: one for the service, and one for spreading out your personal data. Both have the "no" option checked by default.

    You have to check on the first "yes" to have the service activated, and nothing else. Checking the second "yes" will grant permission to the service provider to use your data for ads, statistics etc. Using your data without this specific agreement can cause big penalties for the companies.

    Everything is explained on every form, and it's so common that everyone knows that they must check only the first answer.

  15. remember: When giving private info by bluGill · · Score: 5, Interesting

    You are born in 1998, your zip code is 82312, your gender is none of their business (and if they insist use a coin to decide). Nor is your race, religion, or the type of car you drive their business.

    Reasons for the above: In the US only minors have privacy protection, so by putting down a birthdate of 1998 you are under those laws as far as they know. Your physical address is none of their business, unless you are buying something from them. (and so far I've never had a problem with the vendors who I buy from though there are bad apples out there). Your gender, race, religion, etc is none of their business, on the net nobody knows you are a dog! Refuse to answer, or answer randomly. Randomly means sometimes you give the right answer, because if you always gave the wrong answer that in itself would be a clue.

    Remember invalid data that they have is less valuable than not having data at all in many cases.

  16. Re:Customer's Information by reemul · · Score: 4, Interesting

    What I'd like is some 'Personal Privacy License' to be drawn up. It would lay out in extremely explicit and legally binding terms the permitted usages of a given person's data. When I go to a website using the license, it is formally acknowledged that I'm not *giving* the site my data, I am instead *licensing* them to use my data under strict limits which may not be changed without my formal permission in advance. It would say so right on the page where I fill in the blanks. My data remains mine, forever.

    If a site that got my data under the license gives it out to someone else, it isn't a regrettable incident that might possibly get a brief mention on Wired or C:net, it's a legally actionable event under the same draconian IP laws that all those media companies have spent millions of dollars lobbying for. Selling a database won't just get you a bunch of angry emails from /. regulars, it would be the basis for a class action with thousands of easily identified persons in the class. (Just look them up from the database.) And as a capper, if your data was ever sold, you could use that fact as the basis for discovery motions to every other bastard in the personal data trade, demanding to know exactly who gave them their data and under what circumstances, to make sure none of them had any of the *tainted* data. Think the EFF and the ACLU would be willing to help out? Yeah, me too.

    Oh, and for the folks that would want to stick a "Gnu" in the name of the license - sorry. The whole point is that my data remains proprietary, with myself as the owner. Not all data wants to be free, my personal info likes its dark little box just fine, thank you.

    -reemul

    --
    You're just jealous 'cuz the voices talk to *me*
  17. Against the law nonetheless.. by aphor · · Score: 5, Insightful

    Regardless of whether Microsoft has been proven to abuse the power, there are laws which make it illegal to possess the ability to abuse the power. The idea comes from a legal term: "conflict of interest."

    When a person offers a service to another person in the financial/legal/medical world they are acting as an agent on behalf of the customer. Legally, that arrangement has an implied "fiduciary responsibility" to the customer. That means if someone gives you the key to their account and you do something they wouldn't have agreed to, you are wrong and subject to criminal and civil liability. In the case of finances, there are EXTRA laws that say you are not even allowed to offer such services to people if you have an interest in ripping them off (like other competing customers).

    Bill Gates comes from a long line of lawyers: his family is a lawyer family. He knows he can flout the law wherever there is grey area because he has the money to risk. If he manages to win some small legal challenge, he has stretched the law to allow more exploitation and the windfall revenue that goes with.

    When you (the US) have a big dog, you put a pinch (or shock) collar on him, and you jerk it hard (or shock him) when he *starts* to get out of line. You can let up a little, but only when he has a compelling fear of disproportionate retribution. Corporations are less like people who deserve rights, and more like dangerous, powerful animals that must be attended to with preemptive stewardship. Emotions, values, and ethics are not present in the brains of reptiles or boardrooms.

    --
    --- Nothing clever here: move along now...
  18. I bet... by Spudley · · Score: 5, Funny

    I bet that fellow who paid M$'s lapsed domain registration a few years ago on Passport.com is really kicking himself now!

    --
    (Spudley Strikes Again!)
  19. So you want out ... by spector30 · · Score: 5, Informative

    It can be done. I managed to get my Passport Account cancelled. It was not easy, but here's how I did it.

    Send e-mail to the following address requesting the removal of the passport account and the information associated with it:

    passport@css.one.microsoft.com

    Be sure to word it strongly or you may not get a response. I ended up getting to the point where I was using curse words and basically spamming this address. I also reported this incident to my local news media (who did nothing. surprise surprise) and informed Microsoft of this.

    My big beef on this whole Passport thing was that I was signed up because I am Microsoft Certified. I NEVER requested it, I never checked a box saying I wanted information or anything else from them. So I paid $100 to take a test that allowed MS to harass me.

    BTW once you have a response from the above e-mail you will get a number. Be sure to include it in every e-mail you send. Go to the MS support site and start spamming them as well. Eventually they will listen. At least they did for me.

    A last note. It did take me a couple weeks to rid myself of the PASSPORT, so be patient and persistent.

    Good luck!!!

    --
    If Darwin was right, you'd be dead by now.
  20. Re:Oh, Come On! by Diabolical · · Score: 5, Insightful

    The reason why no-one is going after AOL/TimeWarner is because they don't own 90+% of the desktop which they could use to leverage their other products.. this is all about not having a choice.. MSN is tightly integrated in XP. The browser is prominently on the desktop as is the MSN messenger software. Opening Outlook Express starts a signup session with Hotmail, etc. etc. etc... Creating a Passport account is almost done automatically if you do not know better than to use what MS prescribes.

    Now, I'm not a MS basher in the way most people do.. I am however VERY concerned about their growing stranglehold on consumer choice. Ever so slightly people are lured into a total MS dominance...

    Ah well.. I'll keep on dreaming of the old days...