FC: Roger Clarke reviews Microsoft VP's .NET privacy presentation

From: Declan McCullagh (declanat_private)
Date: Fri Oct 05 2001 - 06:53:41 PDT


    ********
    
    Date: Fri, 5 Oct 2001 08:08:32 +1000
    From: Roger Clarke <Roger.Clarkeat_private>
    Subject: Passport:  Notes on MS VP's Presentation
    Cc: rotenbergat_private (Marc Rotenberg), Chris Hoofnagle <hoofnagleat_private>,
             Declan McCullagh <declanat_private>
    
    This is a report on a presentation by the Microsoft Vice-President 
    responsible for .NET Core Services (i.e. Passport, Wallet, MyServices), 
    Brian Arbogast.
    
    The presentation was to a National Academy of Sciences Symposium on 
    'Authentication Technologies and Their Impact on Privacy', on Thursday 4 
    October, in Washington DC.  It was a public event, although in practice the 
    relevant Committee and the invited speakers made up the c. 30 
    present.  Arbogast agreed to make the PowerPoint slides available to the 
    Committee.
    
    As an inveterate M$ sceptic, I was impressed with the professionalism of 
    the presentation and responses, and very interested in the information 
    provided.  Feedback much appreciated.
    
    For Passport, see:
    http://www.passport.com
    For EPIC's resources on Passport, see:
    http://www.epic.org/privacy/consumer/microsoft/default.html
    
    
    Arbogast stated that the focus of his presentation was on privacy, because 
    the services he is responsible for "will succeed or fail based on trust by 
    customers and partners".
    
    He began with some 'if onlys' [a cute way of outlining a requirements 
    statement]:
    -   users had to deal with only a few online personas (rather than
         needing to remember lots of loginids and passwords)
    -   users were in control of their personas, associated data, and if or
         when their data is shared
    -   web-services were in control of the preferences and data that they
         manage for each customer persona [a bit dodgy, that one]
    -   web-services could cooperate on behalf of users [ditto]
    -   business models that fuel innovation flourished
    
    He defined authentication as "the process of uniquely and securely 
    identifying a user".  [That's conventional, but not careful enough. See:
    http://www.anu.edu.au/people/Roger.Clarke/DV/Intro.html#Auth
    http://www.anu.edu.au/people/Roger.Clarke/DV/UIPP99.html#Auth ]
    
    Authentication precedes authorisation, which is the process of determining 
    what the user can do.  [That's also conventional.]
    
    Passport is an authentication mechanism, which extends to the Internet the 
    notion of single-signon.  [That has been a focus for many years in large 
    organisations whose staff have to access multiple, independent corporate 
    applications, some of which are typically 15-20 years old].
    
    Passport was installed as the means whereby Hotmail users gain access to 
    their accounts, and has consequently achieved 165 million accounts since 
    launch in 1999, and over 2 billion authentication transactions per month.
    
    Consider a situation in which a user who has previously registered with 
    Passport in relation to a particular web-site (say Starbucks) goes back to 
    the Starbucks site.  The process is as follows:
    -   user requests page from the Passport-protected web-site
    -   the web-site auto-redirects to passport.com
    -   passport.com prompts the user for login and password (SSL-protected)
    -   passport.com auto-redirects back to the web-site, with tokens in the
         HTTP header as dictated by that web-site (presumably SSL-protected)
    -   the web-site requests the user's browser to set a cookie to enable
         state maintenance (and won't work without it)
    
    Serious issues arise of a practicality, security and privacy nature, e.g.:
    -   the power MS gains as an authenticator of people
    -   the power MS gains in the form of personal data
    -   the power MS gains in the form of logs of people's traffic
    
    The identifier used (or at least used currently) is the user's 
    email-address [a la PGP ...]
    
    A key question was what authentication does MS perform when a person first 
    registers.  Arbogast stated unequivocally that the only authentication 
    measure is a message sent to the email-address provided as part of the 
    registration, which must be responded to in the affirmative before the 
    registration is completed.
    
    Hence, when a user signs on, all that is actually known is that the current 
    user was aware of the loginid and password that the original user provided.
    
    [In the terms I use, this is weakly authenticated, persistent pseudonymity:
    http://www.anu.edu.au/people/Roger.Clarke/DV/UIPP99.html#Spect
    http://www.anu.edu.au/people/Roger.Clarke/DV/UIPP99.html#Inet ]
    
    Arbogast was asked what the undertakings were in relation to privacy of the 
    personal data.  He responded with what's up on the site now [after the 
    fracas last April when they still had the 'we can do pretty much anything' 
    statement up on the site].  The present statement is strongly expressed, 
    and more or less 'no use or disclosure without explicit consent'.
    
    He was then asked whether there is any undertaking in relation to the 
    changing of those conditions.  Arbogast said that there is a very strong 
    commitment to *not* change those conditions.  He said that he's been 
    working with the lawyers to make that commitment as iron-clad and credible 
    as legally feasible.  Any change requires explicit consent from each user.
    
    He was also asked what logs are kept of transactions.  He stated (not quite 
    so emphatically, however) that only operational logs are kept, and only for 
    a short period of time.  [That needs to be pursued in order to ensure that 
    a clear statement to that effect is part of the fixed undertakings].
    
    I then asked about the location of the Passport data-store.  I identified 
    the following alternatives:
    1   in Redmond, as at present, which is the most threatening of all
    2   distributed geographically, but within MS (e.g. for the corporate and
         especially government markets, the data would have to be
         within-country, or government policy could preclude its use)
    3   distributed geographically, within MS and its Passport Partners
    4   on whatever client the user chooses, e.g.
         -   local ISPs, whether MS Passport Partners or not
         -   personal proxy-servers, e.g. on one's home-network
    5   on the user's machine (which doesn't work for the increasing numbers
         of people who use many machines, including at home, at work, in cafes,
         in their hands, on their wrists, etc.)
    
    [Clearly, from a privacy viewpoint, distributed is crucial, wide choice is 
    vital, and control is very strongly preferable.  5 is impractical.  I argue 
    very strongly for 4, and would be uncomfortable even with 3.  That's a 
    judgement about the needs of people generally, not just me in particular].
    
    Arbogast confirmed that currently it's emphatically 1.  And there's lots 
    and lots of site-security to avoid any nasty accidents.  [It does seem that 
    at long, long last the thick hides at MS have registered the fact that MS's 
    atrocious track-record on security is a problem and should be addressed].
    
    He said, however, that "they were giving serious consideration" (or similar 
    expression) to a federated model, once the Kerberos-based version is 
    released in 2002.  That's effectively 3.  I didn't manage to squeeze any 
    reaction from him about 4.
    
    He went further, and stated that they envisage that there will later be an 
    'Internet Trust Network' with peer-to-peer cross-validation between 
    Passport and such other comparable schemes as emerge.  [The sceptic would 
    say that he *has* to say that, to avoid being attacked for monopolistic 
    behaviour.  But at least he said it].
    
    In answer to a question, he said that an informational RFC is "forthcoming 
    shortly" with open information on the use of Kerberos in the next version 
    of Passport, including (it was implied) any 'enhancements'. 
    [Not-quite-documented, not-quite-standard is one of MS's key means of 
    locking people into MS, and locking other suppliers out of a 
    pseudo-standardised market.  The tricks they've been playing in the browser 
    wars have been multiplicitous, not merely duplicitous].
    
    
    [From a privacy perspective, Passport is (at least currently) absolutely 
    ghastly, because of the centralisation of data and power; and EPIC and many 
    friends have a complaint before the FTC about many aspects of it.
    
    But, *if* it is developed as Arbogast stated, then it could arguably become 
    'a very good thing' in one very important respect.  That's because it would 
    then tend to entrench the expectation of weakly authenticated pseudonymity 
    as the norm on the Internet, not identification].
    
    -- 
    Roger Clarke              http://www.anu.edu.au/people/Roger.Clarke/
    
    Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                     Tel: +61 2 6288 1472, and 6288 6916
    mailto:Roger.Clarkeat_private            http://www.xamax.com.au/
    
    Visiting Fellow                       Department of Computer Science
    The Australian National University     Canberra  ACT  0200 AUSTRALIA
    Information Sciences Building Room 211       Tel:  +61  2  6125 3666
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
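The five-step Passport redirect sequence described in the report above, modelled as a small Python simulation of both sides (the protected web-site and passport.com). This is an added example, not Passport's protocol or any Microsoft code: the token format (an HMAC over site id, e-mail address and issue time under a per-site shared key), the 300-second expiry window and the example hostnames are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample data for the demo: not real Passport accounts, keys or URLs.
PASSPORT_USERS = {"alice@example.com": "correct horse"}   # identifier is the e-mail address
SITE_KEYS = {"starbucks": b"key shared between passport and this site"}  # assumed
RETURN_URLS = {"starbucks": "https://starbucks.example/passport-return"}
TOKEN_TTL = 300  # seconds a redirect token stays valid (assumed)


def sign(site_id, email, issued):
    """HMAC binding a token to one site, one user and one issue time (assumed scheme)."""
    msg = f"{site_id}|{email}|{issued}".encode()
    return hmac.new(SITE_KEYS[site_id], msg, hashlib.sha256).hexdigest()


def site_request(site_id, cookies):
    """Steps 1-2: without the site's own cookie, the site redirects the browser to passport."""
    if "session" in cookies:
        return {"status": 200, "body": f"welcome back {cookies['session']}"}
    query = urlencode({"site": site_id, "ru": RETURN_URLS[site_id]})
    return {"status": 302, "location": "https://passport.example/login?" + query}


def passport_login(location, email, password):
    """Steps 3-4: passport checks login/password (over SSL in reality) and redirects
    back to the site with tokens carried in the Location header."""
    q = parse_qs(urlparse(location).query)
    site_id = q["site"][0]
    if PASSPORT_USERS.get(email) != password:
        return {"status": 401}
    issued = int(time.time())
    tokens = urlencode({"email": email, "issued": issued, "token": sign(site_id, email, issued)})
    return {"status": 302, "location": f"{q['ru'][0]}?{tokens}"}


def site_callback(site_id, location, now=None):
    """Steps 4-5: the site verifies the tokens, then asks the browser to set its cookie."""
    q = parse_qs(urlparse(location).query)
    email, issued, token = q["email"][0], int(q["issued"][0]), q["token"][0]
    now = int(time.time()) if now is None else now
    if now - issued > TOKEN_TTL:
        return {"status": 403, "reason": "token expired"}
    if not hmac.compare_digest(token, sign(site_id, email, issued)):
        return {"status": 403, "reason": "bad signature"}
    # All that is proven is knowledge of the login/password for this e-mail address.
    return {"status": 200, "set_cookie": {"session": email}}
```

A request without the cookie always lands back at the redirect, which is the "won't work without it" behaviour the report notes.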
    