MS takes up Passport defense

Microsoft swoops down on Washington to campaign for its Passport authentication service. The company will meet with a consumer advocacy group to try to allay privacy and security fears about the software.
Written by Joe Wilcox, Contributor
WASHINGTON--Microsoft on Wednesday descended on the nation's capital, trying to quell concerns its Passport authentication service poses a threat to consumers' privacy or security.

The Redmond, Wash.-based company is here at the behest of the Center for Democracy & Technology (CDT), a consumer advocacy group that wishes to hear directly from the software maker on its plans, said Adam Sohn, Microsoft's manager for U.S.-.Net platform strategy. The software giant may use the opportunity to talk with other groups or even some legislators. But Sohn, who spoke with this publication late Tuesday, said he did not know the day's itinerary.

Microsoft may have a lot of ground to cover. Last week, nearly 15 privacy and consumer groups amended a July 26 complaint filed with the Federal Trade Commission charging that Microsoft, by offering Passport and associated services, is engaging in unfair and deceptive trade practices in violation of Section 5 of the FTC Act.

Passport is Microsoft's online authentication system, using a single sign-in to access multiple Web services. The idea behind Passport is simple: one secure ID and password rather than the many needed to access the wide range of Web sites and services consumers use every day. Microsoft uses Passport authentication for its MSN Messenger and Hotmail e-mail services, Microsoft Developer Network online access, and Microsoft Reader e-book purchases, among other product and service offerings.

Passport also is the authentication for HailStorm, which has been billed as a way for subscribers to access their e-mail, personal contact list, schedule and other Web services--such as shopping, banking and entertainment--through a variety of devices, such as PCs, cell phones and handhelds, from any location. HailStorm is part of Microsoft's forthcoming .Net software-as-a-service strategy.

But the privacy groups have questioned whether Passport collects too much information and lacks the basic security features required to protect basic information. Some industry analysts, however, question the validity of those claims.

"There's nothing I've seen in how Passport collects information that's any different from other Web sites," said Guernsey Research analyst Chris LeTocq.

The groups, which include the Electronic Privacy Information Center (EPIC) and Junkbusters, faulted Microsoft for collecting, among other things, e-mail addresses during the Passport sign-up process.

But this collecting of e-mail addresses is "commonplace" on the Web, LeTocq said.

For its part, the CDT wants to get information directly from Microsoft rather than relying on third parties.

"There is a lot of discussion among security experts and privacy groups about Passport, HailStorm, Windows XP and where it's headed," Schwartz said. "We just wanted to get a briefing on the practical aside and ask some of the questions directly to Microsoft. That's the way we work. We like to talk to the company whenever an issue like this arises, work on some of the details and see where they're headed."

The CDT has gathered a number of local privacy and security experts for the Microsoft meeting. Schwartz said that at least in the CDT's briefing, no legislators would be present, nor representatives from the groups that filed the FTC complaints.

The CDT's stated mission "is to develop and implement public policies to protect and advance individual liberty and democratic values in new digital media," according to the organization's Web site.

Sohn said Microsoft's objectives for the Passport briefings are clear: "To set the record on stuff that is out there and is misrepresenting our intent. We want to give the future of where we're going, both in the near term with technologies like Passport and longer term with stuff like .Net and HailStorm."

Sohn emphasized that Microsoft is "very concerned about privacy. And we want to have a dialogue where we're at and where we are going forward."

Still, controversy over Passport could hound Microsoft, despite recent changes designed to beef up privacy.

Several key features of Windows XP require a Passport account, causing some privacy groups, competitors and even trustbusters to cry foul. Windows Messenger--Microsoft's communications console delivering instant messaging and videoconferencing, among other features--uses Passport authentication. This has raised concerns from privacy groups and others that Microsoft plans to use Windows XP as a mechanism to drive new Passport sign-ups.

But Brian Arbogast, vice president of Microsoft's personal services and devices group, dismisses this. "In no way is Passport required to use Windows XP," he said.

Only communications features such as instant messaging and videoconferencing require Passport, Arbogast said. "Those systems only work unless you have the concept of an authentication system. There needs to be a way to know users are who they say they are."

One of Passport's greatest security weaknesses may be the single sign-on process, analysts said. The single point of entry could also be a single point of failure. Since the ID is always an e-mail address, someone looking to break into an account might easily obtain half the information needed to do so.

"There is plenty of good password-cracking software out there," LeTocq said.

Microsoft is addressing this by offering additional security features for partner Web sites, such as banks, asking for additional information or a four-digit PIN (personal identification number) as a second level of authentication.

Joe Wilcox reported from Washington, and Stefanie Olsen reported from San Francisco.