FC: Roger Clarke reviews Microsoft VP's .NET privacy presentation

[Declan McCullagh <declan () well com>]

********

Date: Fri, 5 Oct 2001 08:08:32 +1000
From: Roger Clarke <Roger.Clarke () xamax com au>
Subject: Passport:  Notes on MS VP's Presentation
Cc: rotenberg () epic org (Marc Rotenberg), Chris Hoofnagle <hoofnagle () epic org>,
        Declan McCullagh <declan () well com>

This is a report on a presentation by the Microsoft Vice-President 
responsible for .NET Core Services (i.e. Passport, Wallet, MyServices), 
Brian Arbogast.

The presentation was to a National Academy of Sciences Symposium on 
'Authentication Technologies and Their Impact on Privacy', on Thursday 4 
October, in Washington DC.  It was a public event, although in practice the 
relevant Committee and the invited speakers made up the c. 30 
present.  Arbogast agreed to make the PowerPoint slides available to the 
Committee.

As an inveterate M$ sceptic, I was impressed with the professionalism of 
the presentation and responses, and very interested in the information 
provided.  Feedback much appreciated.

For Passport, see:
http://www.passport.com
For EPIC's resources on Passport, see:
http://www.epic.org/privacy/consumer/microsoft/default.html


Arbogast stated that the focus of his presentation was on privacy, because 
the services he is responsible for "will succeed or fail based on trust by 
customers and partners".

He began with some 'if onlys' [a cute way of outlining a requirements 
statement]:
-   users had to deal with only a few online personas (rather than
    needing to remember lots of loginids and passwords)
-   users were in control of their personas, associated data, and if or
    when their data is shared
-   web-services were in control of the preferences and data that they
    manage for each customer persona [a bit dodgy, that one]
-   web-services could cooperate on behalf of users [ditto]
-   business models that fuel innovation flourished

He defined authentication as "the process of uniquely and securely 
identifying a user".  [That's conventional, but not careful enough. See:
http://www.anu.edu.au/people/Roger.Clarke/DV/Intro.html#Auth
http://www.anu.edu.au/people/Roger.Clarke/DV/UIPP99.html#Auth ]

Authentication precedes authorisation, which is the process of determining 
what the user can do.  [That's also conventional.]

Passport is an authentication mechanism, which extends to the Internet the 
notion of single-signon.  [That has been a focus for many years in large 
organisations whose staff have to access multiple, independent corporate 
applications, some of which are typically 15-20 years old].

Passport was installed as the means whereby Hotmail users gain access to 
their accounts, and has consequently achieved 165 million accounts since 
launch in 1999, and over 2 billion authentication transactions per month.

Consider a situation in which a user who has previously registered with 
Passport in relation to a particular web-site (say Starbucks) goes back to 
the Starbucks site.  The process is as follows:
-   user requests page from the Passport-protected web-site
-   the web-site auto-redirects to passport.com
-   passport.com prompts the user for login and password (SSL-protected)
-   passport.com auto-redirects back to the web-site, with tokens in the
    HTTP header as dictated by that web-site (presumably SSL-protected)
-   the web-site requests the user's browser to set a cookie to enable
    state maintenance (and won't work without it)

Serious issues arise of a practicality, security and privacy nature, e.g.:
-   the power MS gains as an authenticator of people
-   the power MS gains in the form of personal data
-   the power MS gains in the form of logs of people's traffic

The identifier used (or at least used currently) is the user's 
email-address [a la PGP ...]

A key question was what authentication does MS perform when a person first 
registers.  Arbogast stated unequivocally that the only authentication 
measure is a message sent to the email-address provided as part of the 
registration, which must be responded to in the affirmative before the 
registration is completed.

Hence, when a user signs on, all that is actually known is that the current 
user was aware of the loginid and password that the original user provided.

[In the terms I use, this is weakly authenticated, persistent pseudonymity:
http://www.anu.edu.au/people/Roger.Clarke/DV/UIPP99.html#Spect
http://www.anu.edu.au/people/Roger.Clarke/DV/UIPP99.html#Inet ]

Arbogast was asked what the undertakings were in relation to privacy of the 
personal data.  He responded with what's up on the site now [after the 
fracas last April when they still had the 'we can do prettymuch anything' 
statement up on the site].  The present statement is strongly expressed, 
and more or less 'no use or disclosure without explicit consent'.

He was then asked whether there is any undertaking in relation to the 
changing of those conditions.  Arbogast said that there is a very strong 
commitment to *not* change those conditions.  He said that he's been 
working with the lawyers to make that commitment as iron-clad and credible 
as legally feasible.  Any change requires explicit consent from each user.

He was also asked what logs are kept of transactions.  He stated (not quite 
so emphatically, however) that only operational logs are kept, and only for 
a short period of time.  [That needs to be pursued in order to ensure that 
a clear statement to that effect is part of the fixed undertakings].

I then asked about the location of the Passport data-store.  I identified 
the following alternatives:
1   in Redmond, as at present, which is the most threatening of all
2   distributed geographically, but within MS (e.g. for the corporate and
    especially government markets, the data would have to be
    within-country, or government policy could preclude its use)
3   distributed geographically, within MS and its Passport Partners
4   on whatever client the user chooses, e.g.
    -   local ISPs, whether MS Passport Partners or not
    -   personal proxy-servers, e.g. on one's home-network
5   on the user's machine (which doesn't work for the increasing numbers
    of people who use many machines, including at home, at work, in cafes,
    in their hands, on their wrists, etc.)

[Clearly, from a privacy viewpoint, distributed is crucial, wide choice is 
vital, and control is very strongly preferable.  5 is impractical.  I argue 
very strongly for 4, and would be uncomfortable even with 3.  That's a 
judgement about the needs of people generally, not just me in particular].

Arbogast confirmed that currently it's emphatically 1.  And there's lots 
and lots of site-security to avoid any nasty accidents.  [It does seem that 
at long, long last the thick hides at MS have registered the fact that MS's 
atrocious track-record on security is a problem and should be addressed].

He said, however, that "they were giving serious consideration" (or similar 
expression) to a federated model, once the Kerberos-based version is 
released in 2002.  That's effectively 3.  I didn't manage to squeeze any 
reaction from him about 4.

He went further, and stated that they envisage that there will later be an 
'Internet Trusst Network' with peer-to-peer cross-validation between 
Passport and such other comparable schemes as emerge.  [The sceptic would 
say that he *has* to say that, to avoid being attacked for monopolistic 
behaviour.  But at least he said it].

In answer to a question, he said that an informational RFC is "forthcoming 
shortly" with open information on the use of Kerberos in the next version 
of Passport, including (it was implied) any 'enhancements'. 
[Not-quite-documented, not-quite-standard is one of MS's key means of 
locking people into MS, and locking other suppliers out of a 
pseudo-standardised market.  The tricks they've been playing in the browser 
wars have been multiplicitous, not merely duplicitous].


[From a privacy perspective, Passport is (at least currently) absolutely 
ghastly, because of the centralisation of data and power; and EPIC and many 
friends have a complaint before the FTC about many aspects of it.

But, *if* it is developed as Arbogast stated, then it could arguably become 
'a very good thing' in one very important respect.  That's because it would 
then tend to entrench the expectation of weakly authenticated pseudonymity 
as the norm on the Internet, not identification].

--
Roger Clarke              http://www.anu.edu.au/people/Roger.Clarke/

Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke () xamax com au            http://www.xamax.com.au/

Visiting Fellow                       Department of Computer Science
The Australian National University     Canberra  ACT  0200 AUSTRALIA
Information Sciences Building Room 211       Tel:  +61  2  6125 3666




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------