Caught in the .NET

Does Microsoft's Passport system invade our privacy?

Jason Burton

Topics Science & Tech

The heads of data protection agencies from 15 European Union (EU) countries have announced that they will continue their investigation into Microsoft’s .NET Passport system.

This comes in response to allegations that the Passport service does not have adequate safeguards to protect the personal information of users, and that it may break EU rules on data privacy. At a meeting in Brussels on 1 and 2 July, EU officials agreed upon a document that stated: ‘Although Microsoft has put in place some measures to address data protection, a number of elements of the .NET Passport system raise legal issues and therefore require further consideration’ (1).

Passport is used by websites such as Hotmail and Expedia, as well as Microsoft’s instant messaging software Messenger. According to Microsoft, the system currently supports an estimated 200 million user accounts (2).

Passport provides an online identification and authentication system that employs a single sign-on system to facilitate e-commerce and browsing among different websites that require users to identify themselves. Sites use Passport to identify the user who is signed in, and to access information provided and managed by the user – such as their name, postcode, gender and date of birth.

Passport is part of ‘My Services’, a crucial component of Microsoft’s flagship .NET strategy. Microsoft’s big plans for My Services – which used to be code-named Hailstorm, until Microsoft sensibly renamed it – have failed to take off (3). Industry analysts have blamed Microsoft’s inability to find partners to adopt My Services as the major reason for its failure (4). The heavy criticism that the system has received from privacy groups, commentators, customers and competitors since its launch can hardly have helped Microsoft sell the idea to prospective partners (5).

Microsoft promotes Passport as making life online easier and better – listing faster online purchasing, no need to remember multiple sign-in names and passwords, and improved privacy as some of the benefits. There is even Kids’ Passport, providing ‘children with a positive, safe online experience’ (6).

Privacy organisations, including the Electronic Privacy Information Centre (EPIC) (7), argue that Passport poses serious privacy issues for children and adults alike. EPIC’s website urges web users to ‘Sign Out of Passport!’ – a pun on the button that users click to leave the Passport system. EPIC filed complaints to the US Federal Trade Commission (FTC) (8) in July and August 2001, alleging that Passport facilitates the building of online profiles of users, and that Microsoft has engaged in unfair and deceptive trade practices (9).

Dutch European Commission (EC) member Erik Meijer wrote to the EU in March 2002, raising problems with Passport’s collection of personal information as users go about their business online. Meijer also alleged that Microsoft ‘surreptitiously’ passes information to third parties (10). In May 2002, commissioner Frits Bolkestein responded to Meijer’s questions, and confirmed that the commission was looking into Passport’s compatibility (or otherwise) with EU data protection law, along with national data protection authorities.

In his reply, Bolkestein summarised the requirements for building a database of personal information consistent with EU data protection law. These include: that Microsoft have a specific, legitimate purpose for collecting the data; that there be a right of access to the information collected; that consent be given freely when required; and that notice be given to national data protection authorities.

Richard Purcell, chief privacy officer at Microsoft, refutes claims that Passport abuses privacy. He compares Passport to a doorman who checks IDs but has nothing further to do with what happens once a person enters a site. Purcell claims that ‘these practices do indeed meet criteria’ laid down under strict EU data protection laws (11).

So far, the EU investigation into Passport has done little to deter Microsoft from pursuing other equally controversial projects: the software company recently announced another security initiative (code-named Palladium) that has already attracted criticism from privacy advocates.

One privacy advocate, commenting on Palladium and Passport, said that ‘Microsoft keeps re-labelling their plans for controlling the world’s personal data [but] I don’t think any number of new names will make it palatable for Microsoft to be in charge of so much information’ (12). Chris Hoofnagle, the legislative counsel at EPIC, has described Microsoft’s attempt to present Palladium as a means of empowering users to manage their own data as ‘the ultimate in an Orwellian presentation’ (13).

Read on:

Storm over Hailstorm, by Jason Burton

Privacy online: what’s the problem?, by Norman Lewis

(1) EU: Microsoft Passport Raises Privacy Issues, Reuters, 2 July 2002

(2) .NET Passport Fact Sheet

(3) See Storm over Hailstorm, by Jason Burton

(4) Microsoft Has Shelved Its ‘Persona’ Service, New York Times, 11 April 2002

(5) See Microsoft postpones .NET My Services, The Register, 12 April 2002

(6) .NET Passport Fact Sheet

(7) See the Electronic Privacy Information Centre website

(8) See the Federal Trade Commission website

(9) Microsoft Passport investigation docket, on the Electronic Privacy Information Centre website

(10) Written question E-0718/02 to the European Commission, Erik Meijer, 4 March 2002

(11) Microsoft denies .NET Passport service conflicts with EU privacy laws, Associated Press, 11 June 2002

(12) Microsoft in ambitious security effort, Associated Press, 25 June 2002

(13) Is Microsoft’s Palladium a Trojan Horse?, Internet News, 28 June 2002
