Information Security News mailing list archives

IE 6 central to Passport privacy boost


From: InfoSec News <isn () c4i org>
Date: Fri, 10 Aug 2001 03:19:19 -0500 (CDT)

http://news.cnet.com/news/0-1003-200-6828424.html?tag=tp_pr

By Joe Wilcox and Wylie Wong
Staff Writers, CNET News.com 
August 9, 2001, 10:50 a.m. PT 

Microsoft will soon be offering better privacy and security for online
consumers, but at a price: exclusive use--for now--of the company's
forthcoming Internet Explorer 6.0 Web browser.

Microsoft executives said on Wednesday that the company's Passport
authentication service will soon support an emerging privacy standard
called Platform for Privacy Preferences, or P3P. The standard is
advocated by the World Wide Web Consortium, a Web standards body, and
was adopted by Microsoft in June for use in its software.

P3P allows Web users to define what types of information they are
willing to give, as well as whether they mind sharing that information
with outside parties. Internet surfers will receive a warning before
visiting sites that go beyond the stated level. P3P is "a good thing,
because it establishes a set of standards and guidelines vendors have
to comply with" regarding privacy, said David Smith, an analyst with
Gartner. "More privacy is always a good thing, and Microsoft is
offering more privacy."
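The mechanism described above, as an added example that is not part of the original article and not code from Microsoft or the W3C: a Python sketch of the user-agent side of P3P. It parses the compact policy a site sends in its `P3P: CP="..."` response header (the token vocabulary is the one defined in the W3C P3P 1.0 compact-policy section) and compares it with the user's stated level to decide whether a warning is due. P3P specified the policy format and left the preference language to user agents, so the `UserPreferences` model, the `evaluate` rules and the sample header are my own constructions for illustration.

```python
"""Parse a P3P compact policy (the P3P: CP="..." response header) and check
it against a user's stated privacy preferences, listing what would trigger a
warning before the site is used."""
import re
from dataclasses import dataclass, field

# Compact-policy tokens from the W3C P3P 1.0 specification, grouped by the
# policy element they summarise.  PURPOSE and RECIPIENT tokens may carry a
# one-letter qualifier: "a" (always), "i" (opt-in) or "o" (opt-out).
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
           "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
            "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
OTHER = {"DSP", "COR", "MON", "LAW", "TST", "NID"}

CP_DIRECTIVE = re.compile(r'CP\s*=\s*"([^"]*)"')


@dataclass
class CompactPolicy:
    purposes: dict = field(default_factory=dict)    # token -> qualifier
    recipients: dict = field(default_factory=dict)  # token -> qualifier
    retention: set = field(default_factory=set)
    categories: set = field(default_factory=set)
    access: set = field(default_factory=set)
    other: set = field(default_factory=set)
    unknown: set = field(default_factory=set)       # tokens not in the spec


def parse_compact_policy(header_value: str) -> CompactPolicy:
    """Split the CP="..." directive into classified tokens."""
    match = CP_DIRECTIVE.search(header_value)
    if match is None:
        raise ValueError("P3P header carries no CP= directive")
    policy = CompactPolicy()
    for token in match.group(1).split():
        base, qualifier = token, "a"
        # Four-letter tokens are a three-letter base plus a qualifier.
        if len(token) == 4 and token[-1] in "aio":
            base, qualifier = token[:3], token[-1]
        if base in PURPOSE:
            policy.purposes[base] = qualifier
        elif base in RECIPIENT:
            policy.recipients[base] = qualifier
        elif base in RETENTION:
            policy.retention.add(base)
        elif base in CATEGORY:
            policy.categories.add(base)
        elif base in ACCESS:
            policy.access.add(base)
        elif base in OTHER:
            policy.other.add(base)
        else:
            policy.unknown.add(token)
    return policy


@dataclass
class UserPreferences:
    """Hypothetical preference model: P3P left the preference language to
    user agents, so this is a deliberately simple one for illustration."""
    refuse_purposes: set            # purposes the user will not consent to
    refuse_recipients: set          # recipients the user will not share with
    require_access: bool = True     # warn when the site offers no data access


def evaluate(policy: CompactPolicy, prefs: UserPreferences) -> list:
    """Return the reasons this site exceeds the user's stated level.
    An empty list means the site is within the user's preferences."""
    reasons = []
    for token, qualifier in sorted(policy.purposes.items()):
        # "i" means the practice applies only if the user opts in, so the
        # user keeps control; "a" and "o" apply unless the user acts.
        if token in prefs.refuse_purposes and qualifier != "i":
            reasons.append(f"purpose {token} applies by default ({qualifier})")
    for token, qualifier in sorted(policy.recipients.items()):
        if token in prefs.refuse_recipients and qualifier != "i":
            reasons.append(f"data shared with {token} by default ({qualifier})")
    if prefs.require_access and "NON" in policy.access:
        reasons.append("site grants no access to collected data (NON)")
    for token in sorted(policy.unknown):
        reasons.append(f"unrecognised token {token}; cannot judge the policy")
    return reasons


# Constructed sample header for this example; it is not from any real site.
SAMPLE_HEADER = 'CP="NOI DSP COR CURa ADMa DEVa TAIa TELo OTPi OUR UNRa BUS UNI PUR FIN"'

# Constructed preferences: no telemarketing or "other" purposes, and no
# sharing with unrelated, public or other third parties.
SAMPLE_PREFS = UserPreferences(
    refuse_purposes={"TEL", "OTP"},
    refuse_recipients={"UNR", "PUB", "OTR"},
)


def warnings_for(header_value: str, prefs: UserPreferences = SAMPLE_PREFS) -> list:
    """Parse a site's P3P header and return the warnings it would trigger."""
    return evaluate(parse_compact_policy(header_value), prefs)


if __name__ == "__main__":
    for reason in warnings_for(SAMPLE_HEADER):
        print("warning:", reason)
```

The sample site declares telemarketing as opt-out (`TELo`) and sharing with unrelated parties as always (`UNRa`), so both are flagged, while `OTPi` passes because the user must opt in first. A token the parser does not recognise is reported rather than silently accepted, which is the safer default for a policy a browser is about to act on.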

But the P3P features can work only if consumers have installed IE 6,
said Brian Arbogast, a vice president of Microsoft's Personal Services
Division. In negotiating contracts with new partners, Microsoft is
requiring companies that plan to use the Passport service to support
P3P, he added.

Microsoft has built P3P into its own Web sites and will support it in
IE 6, said Adam Sohn, product manager for Microsoft's .Net strategy.
"The W3C is evangelizing this, and we're evangelizing it," he added.
"It's good for consumers to manage their privacy."

Passport is a key component of Microsoft's upcoming .Net and HailStorm
Web services initiatives and is required for using some of Windows
XP's newest features, such as Windows Messenger, a communications
console featuring instant messaging, videoconferencing and application
sharing.

IE 6 is integrated into Microsoft's forthcoming Windows XP operating
system, and it will soon be available as a download from Microsoft's
Web site for users of older versions of Windows and other supported
operating systems.

Because Passport authentication is done using a Web browser, people
using competing products, such as AOL's Netscape 6.1 or Opera, would
not be able to use the enhancements unless those browsers are also
made P3P-compliant. The same restriction would apply to older versions
of Internet Explorer.

Microsoft and rival AOL Time Warner are battling for control of
technology such as Passport that makes it easier to navigate the Web
and make purchases online. AOL's recent $100 million investment in
online retailer Amazon.com was seen as a deal aimed at boosting AOL's
own "e-wallet" technology and as a direct means of competing against
Passport, according to sources.

Restricting the use of the new security and privacy features to IE 6
users "would be a mistake," said Guernsey Research analyst Chris
LeTocq. "It doesn't make sense for Microsoft to shut out the largest
part of its installed base from Passport services."

Long arm of the law

Increasing Passport's reliance on Microsoft's latest Web browser,
which is in turn tied to its latest operating system, could also
increase the legal groundswell building around the authentication
service--and Microsoft's overall product strategy--despite what
Microsoft claims is a sound technological justification for the move.

In June, a federal appeals court found Microsoft guilty of
anti-competitive behavior by its commingling of IE and Windows code.
The IE 6 requirement with Passport is "likely to give people the
message that Microsoft hasn't changed its behavior one iota on account
of being found guilty by the Court of Appeals--same old full speed
ahead," said Bob Lande, a professor at the University of Baltimore
School of Law.

Microsoft's interest in P3P predates the antitrust case originally
brought by the Justice Department and 20 states--it was one of the
company's interests in its April 1998 acquisition of Firefly Network.
Although Microsoft shuttered Firefly in August 1999, many developers
remained onboard to work on Passport.

The Redmond, Wash.-based software giant officially launched the
authentication service in March 1999, later requiring its use in MSN
Messenger, Microsoft Reader e-books and access to paid Microsoft
Developer Network online services, among other places.

More than 200 companies have signed on to the Passport service,
including Starbucks, RadioShack, Blue Nile, 1-800-Flowers.com, Office
Depot, Office Max, Victoria's Secret and Hilton.com, as well as all of
Microsoft's MSN properties and its travel site, Expedia, Microsoft
said. Passport facilitates some 2 billion authentications a month,
Microsoft claims.

Microsoft's competitors and trustbusters started attacking Passport
even before the U.S. Court of Appeals for the District of Columbia
Circuit upheld eight separate antitrust violations against the
company.

Passport is one of several technologies--including media-player
software and instant messaging--under fire because they are integrated
into Windows XP. In an interview last month, Iowa Attorney General Tom
Miller said the "integration restricts what OEMs (original equipment
makers) can do" in customizing Windows XP for their customers.

In another attack, a group of 10 privacy organizations in July asked
that the Federal Trade Commission delay Windows XP's scheduled Oct. 25
launch. The groups argued that Passport and other technologies that
are part of Microsoft's .Net software-as-a-service strategy violate
individuals' privacy.

Passport has also come under fire from privacy experts. Part of the
technology's allure is its single sign-on method. Passport uses one
e-mail address and password to authenticate users and give them access
to a variety of Web-based services--some delivered by Microsoft and
others from third parties, such as American Express Blue Card.

The potential for failure

But that single point of access also has the potential to be a single
point of failure. Privacy experts warn that someone obtaining a
Passport user's e-mail address and password could access all of that
user's services.

In an indictment of Passport's security, AT&T Labs researchers David
Kormann and Aviel Rubin faulted Microsoft's decision to convert
Hotmail user IDs and passwords into Passport credentials. "Any
compromised account, and for that matter any future compromise of
Hotmail, could result in abuse of their account at these other
merchants," they wrote in their report.

Kormann and Rubin also faulted other aspects of Passport's single
sign-on approach, including its use of encryption keys and the ability
of bogus merchants to set up phony Web stores.

Microsoft hopes to quell some of these criticisms by offering
additional security features for its partner Web sites, such as banks,
whose security needs are more stringent, Arbogast said. The new
security features "offer a second level of authentication," he
explained. "It can prompt you for a four-digit PIN (personal
information number) or ask you a set of three different questions you
have to answer."

Arbogast reiterated Microsoft's contention that the company is
concerned about security and privacy. Microsoft's Passport is not
collecting user information, and the company's Passport partners are
not sharing Passport user information with Microsoft, he said.

Microsoft is relying heavily on Passport for its forthcoming new Web
services strategy called HailStorm, which has been billed as a way for
subscribers to access their e-mail, personal contact list, schedule
and other Web services--such as shopping, banking and
entertainment--through a variety of devices, such as PCs, cell phones
and handhelds, from any location.

In addition to the P3P support slated for later this year, Arbogast
said Microsoft later this month will add support for Passport use on
cell phones and personal digital assistants that offer Internet
service through WAP (wireless application protocol), a technology used
to help cell phone users view Web pages.

When HailStorm services are available, people with new cell phones
will be able to upload their contact list into their new phones
without having to program each name and number, said Chris Payne, also
a vice president of Microsoft's Personal Services Division.

Microsoft will provide tools that will allow its Passport partners to
sign on people to the Passport service, Sohn said. For example, when a
service provider signs on a new cell phone user, it can now give the
customer a Passport account as well, Sohn said.

Later this year, Passport users will also be allowed to change their
member name, according to Microsoft's Arbogast. In the past, people
who wanted to change their member name had to re-register, and all
their previous information was lost. Now they can switch member names
but still have their information stored, Arbogast said.

In the future, Microsoft will add Passport to smart-card technology as
well as to biometrics, an emerging technology by which people are
identified based on their physical characteristics or movements. It
will also support digital certificates, Microsoft executives said.




-
ISN is currently hosted by Attrition.org
