Web service providers fend off privacy concerns

Leading companies offering Web-based authentication and single sign-on services were stuck defending their record on privacy at the Computers, Freedom and Privacy (CFP) conference in San Francisco yesterday (18 April).

Executives from Microsoft, VeriSign and Sun Microsystems all touted their Web authentication and location services as privacy-friendly, rebuffing criticism from CFP attendees who raised concerns over information sharing and data archiving.

"Privacy advocates generally don't like very large databases full of personal information," said Jason Catlett, president of Junkbusters, a privacy advocacy and antispam group.

Catlett, as well as other CFP attendees, expressed concern that the user information gathered through Microsoft's Passport single sign-on service, for example, could be vulnerable to security leaks.

However, Brian Arbogast, vice-president of Microsoft's .net Core Services Platform, Services Platform Division, refuted claims that his company was endangering consumer privacy.

"I actually think that we are representing leadership in privacy," Arbogast said, adding that the Passport service gives users control over their data.

Passport is an opt-in service that allows consumers to visit and shop at a variety of Web sites without having to re-enter their personal information because it is stored in their Passport account. The Microsoft service is similar to Sun's Liberty Alliance single sign-on service, which is being adopted by a number of companies to compete with Passport.

While privacy advocates expressed concern with any company storing a wealth of consumer information, Arbogast argued that at least for Microsoft's part, it was in the company's best interest to cater to privacy concerns, not disregard them.

"I can not think of a situation where it would be in our best interest to step away from our privacy policy," said Arbogast. "Our business success is focused on the long-term and in the long-term we have to give consumers what they want," he added.

Avi Rubin, principal researcher at AT&T Labs, warned consumers that if privacy is what they want, they have to voice their concerns now.

It's easier to build privacy protection into a technology than it is to impose it on the technology later, Rubin said.

Despite suggestions that companies only put privacy protection in place when consumers express outrage, VeriSign senior vice-president and chief policy officer Roger Cochetti argued that companies such as Microsoft and Sun have raised their own bars in terms of privacy.

"[Passport and Liberty Alliance] have gone beyond anything I've seen before in self-regulation of privacy," Cochetti said. VeriSign works with both Microsoft and Sun, providing them with authentication services.

Still, security remained a concern for some conference attendees, who poked fun at both Microsoft's and Sun's security records.

"You are never going to hear me guarantee security, because we can't," Arbogast conceded. He added, however, that Microsoft was spending a lot of money to provide added security.

Regardless of increased security expenditure, Rubin expressed concern over the entire Passport idea.

"Even assuming Passport could be done securely, the idea of Passport is the enemy of privacy," he said.

Both privacy advocates and service providers attending the CFP conference seemed locked in their debate over whether privacy and Web services such as Passport are compatible.

"This topic hasn't been a big issue yet but will be a massive issue soon," predicted Dan Gillmor, technology columnist for the San Jose Mercury News.
