[ISN] IE 6 central to Passport privacy boost

From: InfoSec News (isnat_private)
Date: Fri Aug 10 2001 - 01:19:19 PDT


    http://news.cnet.com/news/0-1003-200-6828424.html?tag=tp_pr
    
    By Joe Wilcox and Wylie Wong
    Staff Writers, CNET News.com 
    August 9, 2001, 10:50 a.m. PT 
    
    Microsoft will soon be offering better privacy and security for online
    consumers, but at a price: exclusive use--for now--of the company's
    forthcoming Internet Explorer 6.0 Web browser.
    
    Microsoft executives said on Wednesday that the company's Passport
    authentication service will soon support an emerging privacy standard
    called Platform for Privacy Preferences, or P3P. The standard is
    advocated by the World Wide Web Consortium, a Web standards body, and
    was adopted by Microsoft in June for use in its software.
    
    P3P allows Web users to define what types of information they are
    willing to give, as well as whether they mind sharing that information
    with outside parties. Internet surfers will receive a warning before
    visiting sites that go beyond the stated level. P3P is "a good thing,
    because it establishes a set of standards and guidelines vendors have
    to comply with" regarding privacy, said David Smith, an analyst with
    Gartner. "More privacy is always a good thing, and Microsoft is
    offering more privacy."
    
    But the P3P features can work only if consumers have installed IE 6,
    said Brian Arbogast, a vice president of Microsoft's Personal Services
    Division. In negotiating contracts with new partners, Microsoft is
    requiring companies that plan to use the Passport service to support
    P3P, he added.
    
    Microsoft has built P3P into its own Web sites and will support it in
    IE 6, said Adam Sohn, product manager for Microsoft's .Net strategy.
    "The W3C is evangelizing this, and we're evangelizing it," he added.
    "It's good for consumers to manage their privacy."
    
    Passport is a key component of Microsoft's upcoming .Net and HailStorm
    Web services initiatives and is required for using some of Windows
    XP's newest features, such as Windows Messenger, a communications
    console featuring instant messaging, videoconferencing and application
    sharing.
    
    IE 6 is integrated into Microsoft's forthcoming Windows XP operating
    system, and it will soon be available as a download from Microsoft's
    Web site for users of older versions of Windows and other supported
    operating systems.
    
    Because Passport authentication is done using a Web browser, people
    using competing products, such as AOL's Netscape 6.1 or Opera, would
    not be able to use the enhancements unless those browsers are also
    made P3P-compliant. The same restriction would apply to older versions
    of Internet Explorer.
    
    Microsoft and rival AOL Time Warner are battling for control of
    technology such as Passport that makes it easier to navigate the Web
    and make purchases online. AOL's recent $100 million investment in
    online retailer Amazon.com was seen as a deal aimed at boosting AOL's
    own "e-wallet" technology and as a direct means of competing against
    Passport, according to sources.
    
    Restricting the use of the new security and privacy features to IE 6
    users "would be a mistake," said Guernsey Research analyst Chris
    LeTocq. "It doesn't make sense for Microsoft to shut out the largest
    part of its installed base from Passport services."
    
    Long arm of the law
    
    Increasing Passport's reliance on Microsoft's latest Web browser,
    which is in turn tied to its latest operating system, could also
    increase the legal groundswell building around the authentication
    service--and Microsoft's overall product strategy--despite what
    Microsoft claims is a sound technological justification for the move.
    
    In June, a federal appeals court found Microsoft guilty of
    anti-competitive behavior by its commingling of IE and Windows code.
    The IE 6 requirement with Passport is "likely to give people the
    message that Microsoft hasn't changed its behavior one iota on account
    of being found guilty by the Court of Appeals--same old full speed
    ahead," said Bob Lande, a professor at the University of Baltimore
    School of Law.
    
    Microsoft's interest in P3P predates the antitrust case originally
    brought by the Justice Department and 20 states--it was one of the
    company's interests in its April 1998 acquisition of Firefly Network.
    Although Microsoft shuttered Firefly in August 1999, many developers
    remained onboard to work on Passport.
    
    The Redmond, Wash.-based software giant officially launched the
    authentication service in March 1999, later requiring its use in MSN
    Messenger, Microsoft Reader e-books and access to paid Microsoft
    Developer Network online services, among other places.
    
    More than 200 companies have signed on to the Passport service,
    including Starbucks, RadioShack, Blue Nile, 1-800-Flowers.com, Office
    Depot, Office Max, Victoria's Secret and Hilton.com, as well as all of
    Microsoft's MSN properties and its travel site, Expedia, Microsoft
    said. Passport facilitates some 2 billion authentications a month,
    Microsoft claims.
    
    Microsoft's competitors and trustbusters started attacking Passport
    even before the U.S. Court of Appeals for the District of Columbia
    Circuit upheld eight separate antitrust violations against the
    company.
    
    Passport is one of several technologies--including media-player
    software and instant messaging--under fire because they are integrated
    into Windows XP. In an interview last month, Iowa Attorney General Tom
    Miller said the "integration restricts what OEMs (original equipment
    makers) can do" in customizing Windows XP for their customers.
    
    In another attack, a group of 10 privacy organizations in July asked
    that the Federal Trade Commission delay Windows XP's scheduled Oct. 25
    launch. The groups argued that Passport and other technologies that
    are part of Microsoft's .Net software-as-a-service strategy violate
    individuals' privacy.
    
    Passport has also come under fire from privacy experts. Part of the
    technology's allure is its single sign-on method. Passport uses one
    e-mail address and password to authenticate users and give them access
    to a variety of Web-based services--some delivered by Microsoft and
    others from third parties, such as American Express Blue Card.
    
    The potential for failure
    
    But that single point of access also has the potential to be a single
    point of failure. Privacy experts warn that someone obtaining a
    Passport user's e-mail address and password could access all of that
    user's services.
    
    In an indictment of Passport's security, AT&T Labs researchers David
    Kormann and Aviel Rubin faulted Microsoft's decision to convert
    Hotmail user IDs and passwords into Passport credentials. "Any
    compromised account, and for that matter any future compromise of
    Hotmail, could result in abuse of their account at these other
    merchants," they wrote in their report.
    
    Kormann and Rubin also faulted other aspects of Passport's single
    sign-on approach, including its use of encryption keys and the ability
    of bogus merchants to set up phony Web stores.
    
    Microsoft hopes to quell some of these criticisms by offering
    additional security features for its partner Web sites, such as banks,
    whose security needs are more stringent, Arbogast said. The new
    security features "offer a second level of authentication," he
    explained. "It can prompt you for a four-digit PIN (personal
    information number) or ask you a set of three different questions you
    have to answer."
    
    Arbogast reiterated Microsoft's contention that the company is
    concerned about security and privacy. Microsoft's Passport is not
    collecting user information, and the company's Passport partners are
    not sharing Passport user information with Microsoft, he said.
    
    Microsoft is relying heavily on Passport for its forthcoming new Web
    services strategy called HailStorm, which has been billed as a way for
    subscribers to access their e-mail, personal contact list, schedule
    and other Web services--such as shopping, banking and
    entertainment--through a variety of devices, such as PCs, cell phones
    and handhelds, from any location.
    
    In addition to the P3P support slated for later this year, Arbogast
    said Microsoft later this month will add support for Passport use on
    cell phones and personal digital assistants that offer Internet
    service through WAP (wireless application protocol), a technology used
    to help cell phone users view Web pages.
    
    When HailStorm services are available, people with new cell phones
    will be able to upload their contact list into their new phones
    without having to program each name and number, said Chris Payne, also
    a vice president of Microsoft's Personal Services Division.
    
    Microsoft will provide tools that will allow its Passport partners to
    sign on people to the Passport service, Sohn said. For example, when a
    service provider signs on a new cell phone user, it can now give the
    customer a Passport account as well, Sohn said.
    
    Later this year, Passport users will also be allowed to change their
    member name, according to Microsoft's Arbogast. In the past, people
    who wanted to change their member name had to re-register, and all
    their previous information was lost. Now they can switch member names
    but still have their information stored, Arbogast said.
    
    In the future, Microsoft will add Passport to smart-card technology as
    well as to biometrics, an emerging technology by which people are
    identified based on their physical characteristics or movements. It
    will also support digital certificates, Microsoft executives said.
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


