Microsoft Launches Passport

Microsoft today "launched" Passport. Passport is an on-line wallet service, meaning that all your billing and other information is stored centrally with Microsoft, so that you don't have to retype it every time. Passport was used by a few Microsoft sites before, but with today's announcement, an additional fifty or sixty sites have adopted the technology. While my initial concerns were about privacy, they were mostly (but not completely) covered by the aforelinked press release. A news.com article cites a research analyst as saying that one day, Microsoft may wish to take a percentage of the profits, and go for a monopoly on e-wallets. Certainly is a lot to speculate on here...

The Top 5 Reasons this is a Horrible Idea

[mosch]

5) Creates another company which has detailed records of your spending profile complete with name, address, phone number, etc. Hooray for "targeted marketing".

4) Creates a massive SPOF. What happens if the passport servers are off-line? Can I still shop with my AmEx or are the stores basically out of business?

3) Okay, now instead of Visa charging 1% on all of my transactions, I'll have Visa charging the retailer 1% AND Microsoft charging the retailer 1%. Likely result? They'll pass the costs to me!

2) If a large amount of people start using this, then smaller on-line retailers will suffer. Yay, monopolistic control of another market!

1) Who will audit this? Who will ensure the security? Microsoft? This isn't a microsoft bash, I wouldn't trust ANY company to audit themselves properly.

I've seen this coming a mile away from the beginning of the browser wars and the rumbles about microsoft owned websites. The obvious hope is that by having control of the desktop operating system they have control of the browser. By having control of the browser they have control of the sites initially visited by the user (an exceedingly large percentage of people don't change their startup page). By having control of the sites initially visited, and leveraging this "e-wallet" they also make money from every purchase.

Ah well, such is life in corporate America.

Oh, great.

[Black+Parrot]

Now an e-mail attachment can spend all your money. I truly feel sorry for the people who are going to get burned, burned, burned by this.

But hey, I'm sure Truste will assure us that everything is A-OK. And if we do get robbed, they'll be quick to assure is that it won't happen again.

p.s. -- I wouldn't even sign up for this if someone other than Micorsoft were doing it. So you can imagine how I feel about having someone so security unconscious as them managing it.

--
It's October 6th. Where's W2K? Over the horizon again, eh?

Alternate Press Release - N in a series of M

[K.]

Hey you!

Yeah, you there, the guy using the mouse as a foot
pedal!

Do you hate having to type in a shipping address
every time you order on the Internet? Or worse,
are you having trouble remembering your own
address?

NO PROBLEM! Microsoft is here to help! We'll take
care of all those pesky details for you. Our new
Passport software is your ticket to a stress-free
junk-filled life. The next version will even wax
and declaw your cat for you!

How much would you pay for this amazing piece
of ultra-modern technology? $50? $100? $1000?
Well, hold on to your hat! Microsoft are giving
away Passport for absolutely nothing!

That's right! In exchange for a complete personal
profile, including address information, and credit
history, which as we all know is worth absolutely
nothing to anybody, Microsoft will give you
Passport, a passport, if you will, to a future
of black velvet elvis paintings at knockdown
prices.

Worried about security? Don't be. Your most
private personal details will be stored in
the most secure form known to science, a
"hard disk". This revolutionary device encodes
information using the science of magneticism
in a form far too small for the human eye to
read. If a hacker were to gain access to this
"hard disk", he or she would never be able
to read the information it contained, even with
a high-powered magnifying glass!

Just remember, Big Brother is watching you, and
he cares!

[Insert standard EULA and disclaimers here, in
really small writing so the suckers won't bother
reading it, haha! - BG3]

K.
-

It's all marketing....

[Ledge+Kindred]

Microsoft already has the upper hand with this and I can forsee it becoming VERY popular. Think about this perfectly reasonable scenario:

Microsoft teams up with some of the bigger e-Commerce sites, Amazon.com, eBay, Reel.com, whomever, and says, "We'll give you a bunch of co-marketing dollars to start using Microsoft Passport." Of course, the sites go for it because they just want to make money.

"Everyone" is already using Microsoft Internet Explorer because it's part of Windows and "everyone uses Windows." Next time an MSIE user goes to one of those sites, a new AciveX component will download and they'll get a little message, "Try Microsoft Passport - we'll handle your billing for you! You'll never have to enter your billing information again!"

The average user isn't going to have any idea what's going on - they only know that they like Amazon.com's "One-Click Shopping" option and if they can get ALL websites to act like that, even better! Clickety-click and their data goes straight to Microsoft.

It's not about the security or technology -- it's all about how well you can market and making it easier for the sheep to follow the rest of the flock. Hence Microsoft's dominance.

-=-=-=-=-

A little reality check...

[radish]

OK we seem to have a typical /. inferno going on here. Maybe a little pause for thought is called for?

I'm no m$ "believer", but I do use their stuff (as well as Solaris/Sybase/perl/java etc etc), and I guess I differ from some people here in that I don't automatically assume everything Bill touches is useless.

So what's with the Wallet? Well first off it clearly states that the wallet itself (and by extrapolation M$ and their retail partners) will not actually have anything to do with cash, credit or clearing. So the posts about getting Fed Res clearance are really a bit lost. All Wallet does is store your CC number(s) and delivery details in a central db. This info is supplied as required to the vendors, to enable them to perform a transaction. The transaction itself is still between the vendor and the CC company. (This is what I get from reading the press release - if anyone has any more practical info on how it works please let us know!).

Now lets evaluate ...

In theroy this is a great idea. The major security risks in online commerce are twofold - (a) Someone intercepts your details in transmission to the vendor, or, (b) the vendor acts dishonestly/carelessly. If the link from MS->Vendor was secured beyond the level usually used in a browser, then the risk from (a) is lowered dramatically. Also, as the novice user will be encouraged to only shop at "certified" stores, the risks from (b) will be reduced.

But of course we don't know what M$ plan implementation wise, and there are huge doubt's about their ability to secure a large system properly. To be fair, I think that in several cases (notably Hotmail) their security is no worse than anyone elses, they just get targetted more. This is not an excuse for not being proactive though! The questions I would ask are:

* How is the link from MS->Vendor secured?

And I want details!!

* Who will be liable in the event of dispute?
This is an important one, usually (here in the UK anyway) if you have a dispute with a vendor then legally the CC company is equally liable to pay you back. If they cannot prove you authorised the txn, then you cannot legally be billed for it. SO assuming the CC companies are on board with this one, they will have to sort out a good way that disputes can be settled quickly and in most cases in the favour of the client. I personally don't care that much if fraudulent txn's go against my card, provided I don't end up paying!!

* Are the CC companies 100% on board with this? Will we get them trying to wriggle out later saying they never approved this for payments and so denying liability?

* Can we have some kind of external audit of how the data is used. I'm not really worried about some kind of big brother m$ collecting info about which pr0n sites I subscribe to, rather that I would prefer they didn't send my home address to their marketing dept. In the UK there is law regarding this, which they would have to comply with, not sure about the legal situation elsewhere.


So assuming all these questions were answered to my satisfaction, I'd probably be fairly happy using the system. Implemented well it would be a positive boost to online security and convenience.

Adam.