Microsoft puts more privacy in Passport

Microsoft has offered another small concession to critics of its upcoming products, altering plans for its Passport...

Microsoft has offered another small concession to critics of its upcoming products, altering plans for its Passport authentication service.

The technical changes come as pressure mounts to bring a speedy conclusion to Microsoft's ongoing legal battle with the US government. Members of the House of Representatives urged a quick settlement in a letter to Microsoft and the plaintiffs in the case, while the Department of Justice (DOJ) and 18 states filed papers with an Appeals Court to deny Microsoft's request to delay the case as it awaits review by the Supreme Court.

Microsoft said it will make some changes to the information users are required to provide when signing up for its Passport service, which allows users to visit multiple Web sites without having to enter their personal information each time.

Passport is used by many of Microsoft's Web properties, including free e-mail service Hotmail as well as by a growing list of partners such as and The authentication service stores up to 13 items of basic user information - ranging from ZIP codes to a street address - and also includes an "electronic wallet" that stores information for making online purchases, such as a billing address and credit card number.

Criticism of Passport has mounted, last month some privacy advocacy groups filed a complaint with the Federal Trade Commission (FTC) over concerns about how the service collects data from users and how that personal information might be used in future. In a bid to appease its opponents, Microsoft said it will now require a user to enter only an e-mail address and password to open a new Passport account

"We're saying partners will have the flexibility to decide what they ask [users] for," said Adam Sohn, a product manager in Microsoft's .Net platform group. That could range from the basic e-mail and password up to more than 13 pieces of personal data

"It's possible for folks to ask customers to give them more data, but we will make it very clear what information goes to Passport and what goes to the partners," said Sohn. He also stressed that despite noise from some critics, Microsoft makes no secondary use of the data. "We don't share it, we don't rent it, we don't publish it, we don't mine it and we don't market to it," he said.

Microsoft's changes are set to make will also affect one of Passport's add-on services, called "Passport Wallet," which automatically inserts the information required from a user to buy goods online, such as a credit card number. The wallet technology will now be part of the company's set of 12 planned Hailstorm Web services and called My Wallet.

The gestures to ease privacy concerns in Passport haven't satisfied some of Microsoft's harshest critics. Measures to reduce the information Passport collects about its subscribers don't go far enough, according to Jason Catlett, president of Junkbusters, a privacy advocacy group. Microsoft is still requiring users to provide an e-mail address, which will allow Microsoft to gain personally identifiable information, he argued.

While Microsoft won't be able to collect as much information about a users' behaviour on the Web, it will still be able to track users' activity and combine that with personal information they collect by other methods, Catlett said. "They can still see which sites you are authenticating at, and, if they own the site, then they are getting your personal information through those records," he added.

Microsoft also said this week that Passport will support an emerging industry standard for enhancing privacy on the Internet called P3P (Platform for Privacy Preferences). The technology allows users to better manage what information Web sites can collect about them. P3P identifies Web sites that use "cookies," or pieces of code that Web sites can attach to a user's browser and use to track his or her movements on the Web.

Currently under consideration by the World Wide Web Consortium (W3C), a standards body, Microsoft is now advocating P3P for use in all of its Internet services and Web properties, Sohn said. The company is set to launch its latest Internet Explorer Web browser 25 October, which will include support for P3P.

Microsoft partner Web sites that want to use Passport will also be required to support P3P. Any site using P3P must attach an XML (Extensible Markup Language) document to their cookies that describes the site's privacy policy. Users are expected to be able to set controls for what level of privacy they will accept from a Web site, and block those Web sites that don't meet a users' privacy requirements.

"[The addition of P3P] is completely non-responsive to the specific allegations of illegal behaviour that we charged Microsoft with," Catlett said. "They are replying with an answer, but the answer has nothing to do with the concerns."

Competitors ranging from AOL Time Warner to open source developer groups are working on other systems for single sign-on authentication. Many Internet companies are banking on the widespread adoption of such authentication services to make it easier to do business on the Web. But like earlier electronic business innovations, Junkbusters' Catlett isn't convinced it will live up to industry hype.

"I'm not sure it's [Passport] going to fly, but in case it does we have to try to protect the privacy of the people who use it," Catlett said. "It could end up being the largest surveillance mechanism in history."

Separately, 122 members of the House of Representatives backed a letter delivered to Microsoft and anti-trust regulators urging all of the parties involved to bring the pending antitrust case to a quick close. It was drafted by two members of Congress from Microsoft's home state of Washington - Jennifer Dunn, a Republican, and Democrat Jay Inslee, representatives for the Seattle area. In the letter, House members urged the Department of Justice and the 18 states that are plaintiffs in the case to bring the case to a just conclusion.

"The best thing for consumers and our economy is a quick settlement of this costly litigation," Dunn said. "At a time when the economy is struggling, our government should not be putting a chill on the innovative forces that drive the new economy,"

The House is showing bipartisan support for a settlement in the case. The letter said House members lauded ongoing negotiations between top Microsoft officials and the government, and encouraged "these discussions with the hope that a settlement can be reached at the earliest possible date and on reasonable terms".

Read more on IT legislation and regulation