Privacy groups to take on Microsoft?

Privacy firm Junkbuster.com may take up the topic of Microsoft's recently outed ID numbers with the Federal Trade Commission.
Written by ZDNet Staff, Contributor

In a letter to Microsoft managers Tuesday, Junkbuster.com President Jason Catlett said a formal complaint over privacy concerns with Microsoft's statements regarding two identifiers in Windows and its applications remained an "option."

"While I have had informal discussions on this topic with FTC staff ... we have not yet filed a formal complaint alleging false claims or deceptive practices ... This remains an option for Junkbusters and others," Catlett said.

On Monday, Microsoft responded to e-mails from Richard M. Smith, president of development tools maker Phar Lap Software, and press reports claiming that the two identifiers could endanger user privacy. The Washington software giant posted an open letter on its site claiming that the hardware ID (used by tech support to reference a customer's machine) and the global unique identifier or GUID (originally intended to link documents together on a corporate network) pose no privacy threat to users. In addition, the company outlined steps it would take to head off any potential problems in the future.

According to Catlett, some statements regarding the controversial GUID are misleading. In particular, Microsoft's statement that "there is no way to identify the originator of an Office 97 document by examining the unique number generated for that document without intimate knowledge of the originating PC network configuration, which is available only to the owner of that machine" is untrue, he said.

Microsoft's public relations firm said the company was aware of Catlett's letter. In a revised letter, Microsoft said Tuesday it intends to post one patch, Office 97 Unique Identifier Patch, that will prevent Office applications from generating a GUID and a utility, Office 97 Unique Identifier Removal Tool, that will remove existing GUIDs from Office documents.

Catlett was not available Tuesday evening to comment on whether Microsoft's revisions satisfied Junkbusters' privacy concerns. However, the statement with which Catlett took issue in his letter remained essentially unchanged. Others may be interested in pursuing the complaint as well. "If Microsoft has in fact released false statements, then they can be nailed by the FTC," said Dave Banisar, staff counsel at the Electronic Privacy Information Centre, who added that the group was evaluating the issue.

Deirdre Mulligan, staff counsel with the Centre for Democracy and Technology, pointed out that Microsoft is a good example of the dangers posed by the collection of ID numbers, even if inadvertent. The Windows registration process collected users' hardware IDs without their knowledge and gathered them into a support database equating the numbers with personal data. But Steve Sinofsky, vice president of Microsoft's Office group, said the software giant was not keeping a database of GUIDs. "In Office 97, we added a feature using Windows that generates random numbers. There is no database of these numbers. It was done purely for the physical layer of networking," Sinofsky said. "We did this so Web and file system administrators could find documents via hyperlinks. We're going to take the [offending] feature out of Office 2000."

The situation seems very similar to the privacy groups' war against chip giant Intel's processor ID scheme. CDT -- with Junkbusters, EPIC and several other privacy groups -- has filed a co-ordinated complaint with the FTC, attacking the policies of Intel. As first reported by ZDNN, the Californian chip giant added a processor serial ID to its most recent processor, the Pentium III.

But Microsoft, unlike Intel, seems willing to work with the privacy groups -- and that makes a difference, said CDT's Mulligan. "Unlike the dialogue with Intel -- which has gone a bit sour -- at least Microsoft said very quickly that they have a bit of problem and they have taken steps to solve it," she said, indicating that bringing in the FTC is usually a last resort.

The list of groups pushing for action against Intel also includes the Privacy Rights Clearinghouse, Private Citizen Inc., the Centre for Media Education, Consumer.net, Privacy International and the Privacy Times. The groups are questioning the truth behind Intel's statements that its controversial processor serial number can be turned off safely.

Sm@rt Reseller's Mary Jo Foley contributed to this report.
