Leading companies offering Web-based authentication and single
sign-on services were stuck defending their record on privacy at the
Computers, Freedom and Privacy (CFP) conference in San Francisco
yesterday (18 April).
Executives from Microsoft, VeriSign and Sun Microsystems all touted
their Web authentication and location services as privacy-friendly,
rebuffing criticism from CFP attendees who raised concerns over
information sharing and data archiving.
"Privacy advocates generally don't like very large databases full
of personal information," said Jason Catlett, president of
Junkbusters, a privacy advocacy and antispam group.
Catlett, as well as other CFP attendees, expressed concern that the
user information gathered through Microsoft's Passport single
sign-on service, for example, could be vulnerable to security
leaks.
However, Brian Arbogast, vice-president of Microsoft's .net Core
Services Platform, Services Platform Division, refuted claims that
his company was endangering consumer privacy.
"I actually think that we are representing leadership in privacy,"
Arbogast said, adding that the Passport service gives users control
over their data.
Passport is an opt-in service that allows consumers to visit and
shop at a variety of Web sites without having to re-enter their
personal information because it is stored in their Passport
account. The Microsoft service is similar to Sun's Liberty Alliance
single sign-on service which is being adopted by a number of
companies to compete with Passport.
While privacy advocates expressed concern with any company storing
a wealth of consumer information, Arbogast argued that at least for
Microsoft's part, it was in the company's best interest to cater to
privacy concerns, not disregard them.
"I can not think of a situation where it would be in our best
interest to step away from our privacy policy," said Arbogast. "Our
business success is focused on the long-term and in the long-term
we have to give consumers what they want," he added.
Avi Rubin, principal researcher at AT&T Labs, warned consumers
that if privacy is what they want, they have to voice their
concerns now.
It's easier to build privacy protection into a technology than it
is to impose it on the technology later, Rubin said.
Despite suggestions that companies only put privacy protection in
place when consumers express outrage, VeriSign senior
vice-president and chief policy officer Roger Cochetti argued that
companies such as Microsoft and Sun have raised their own bars in
terms of privacy.
"[Passport and Liberty Alliance] have gone beyond anything I've
seen before in self-regulation of privacy," Cochetti said. VeriSign
works with both Microsoft and Sun, providing them with
authentication services.
Still, security remained a concern for some conference attendees
who poked fun at both Microsoft's and Sun's security records.
"You are never going to hear me guarantee security, because we
can't," Arbogast conceded. He added, however, that Microsoft was
spending a lot of money to provide added security.
Regardless of increased security expenditure, Rubin expressed
concern over the entire Passport idea.
"Even assuming Passport could be done securely, the idea of
Passport is the enemy of privacy," he said.
Both privacy advocates and service providers attending the CFP
conference seemed locked in their debate over whether privacy and
Web services such as Passport are compatible.
"This topic hasn't been a big issue yet but will be a massive issue
soon," predicted Dan Gillmor, technology columnist for the
San Jose Mercury News.