Rights groups call for ID tracking laws

In the wake of Microsoft Corp.'s decision to revamp its Windows registration process to prevent users' personal information from being transmitted without their consent, Internet and privacy watchdog groups are calling for legislation to protect rights of users -- both on and offline.

"This is another example of how technology that allows for the collection and transfer of data is quickly outstripping any protections that we are granted by law," said Barry Steinhardt, associate director of the American Civil Liberties Union on Monday. It was revealed over the weekend that Microsoft's registration program collected a "unique identifier" from user's computers and software, a number, without asking permission. Theoretically, Microsoft could couple the user's registration information with his or her computer's ID numbers -- a potent technology for tracking movements over the Internet.

While still investigating this issue, the company said it will modify Windows to fix the registration process so that it no longer sends the system's hardware ID number when a user requests that such information not be sent. In a letter to its customers on Monday, Microsoft downplayed the issue. The letter said only that "there are hypothetical scenarios in which this number could be used to learn something about the user's system without his or her knowledge."

Privacy advocates, however, noted this was the second company in as many months trying to play "pin the number on a user." Last month it was revealed that Intel's Pentium III chip carries potential personal identification information. Ari Schwartz, a policy analyst with the Washington, D.C.-based Internet watchdog Centre for Technology and Democracy, said the problem is that there is no "baseline legislation that guarantees rights." He noted that what the industry wants to do with these technologies is authenticate information -- whether it's for protecting software from piracy or guaranteeing a transaction is real on the Internet.

To date, that has been equated with identifying the user in order to hold someone responsible. "In the real world, transactions are authenticated with cash, not with your identity," said Schwartz, adding that a similar method should be used in cyberspace. "We would like privacy and authentication to cohabitate."

But some people who are on Intel and Microsoft's side of this issue are bristling at the attention that privacy issues have been receiving in recent days. "Is fraud or ID theft a greater social concern than privacy?" asked Chet Dalzell, spokesman for the Direct Marketing Association. "The answer to that question will guide companies that bring this technology to market."

Already, some guidance is coming from Congress. This year, Senator Conrad Burns, R-Mont., introduced the Online Privacy Protection Act of 1999, which will guarantee users some rights when online. "The bill will mainly deal with what information a company can get access to with and without your permission," said Matt Raymond, a spokesman for Burns. But analysts say the draft legislation does not go far enough. "It could address some of the issues," said CDT's Schwartz, "but it will not answer the main questions about authentication."

It's been several weeks after PC chip maker Intel outlined its controversial scheme to add a unique serial number to each of its new Pentium III chips, as first reported by ZDNN. The serial number uniquely identifies each processor and is accessible through software. A week after Intel announced the feature, Scott McNealy, president and CEO of server and software maker Sun Microsystems, told attendees at the company's Jini product launch that they "have no privacy" and to "get over it."

That statement and Sun's membership in the Online Privacy Alliance has given rights watchers reason to question the industry's commitment to self-regulation. "I think that was a terrible mistake on Scott's part," said Richard M. Smith, president of development tools creator Phar Lap Software Inc. -- and the first person to point out the dangers of Microsoft's collection of hardware IDs. "This is just another brick in the wall, more than anything else."