Focusing public attention on emerging privacy and civil liberties issues

Sign Out of Passport!

"For a successful technology, reality must take precedence
over public relations, for nature cannot be fooled."
--Richard Feynman

News Items

Studies and Papers

FAQ on Microsoft Passport and Windows XP

  • What is Passport?
    • Passport is an online identification and authentication system operated by the Microsoft Corporation. Passport employs a single-signon system to facilitate e-commerce and browsing among different web sites that require a user to identify oneself.

      Once a user signs on to Passport, other affiliated sites visited by the user receive information about the user. Passport stores user information in a central database. Microsoft claims that there are over 200 million Passport accounts.

      The Passport service is intended to give Microsoft and Passport affiliates the ability to send unsolicited commercial email to Internet users and to profile their activities.

  • What information is stored in Passport?
    • To register for Passport, a user must submit an e-mail address. Users can also submit their real name, city/locale, gender, age, occupation, marital status, personal statement, hobbies and interest, favorite quote, favorite things ("Name your favorite books, artists, places, gizmos, or gadgets"), a personal photo ("include a photo of yourself, a loved one, or a favorite place, thing or pet"), and a home page.

  • What is Kids Passport?
    • Microsoft Kids Passport allows parents to consent to the collection, use and sharing of their children's information with Microsoft and with participating Passport Web sites that have agreed to utilize Kids Passport as their parental consent process. Information contained in the Kids Passport is disclosed to Passport-affiliated sites that children visit.

  • How does Kids Passport Endanger Privacy?
    • Kids Passport places the burden upon parents to review each affiliated site privacy policy. There is no central summary of the privacy policies from Kids Passport sites. Under COPPA, where consent is given to a series of web sites, a summary of all the relevant privacy policies must be provided to the parent.

      The Kids Passport privacy policy only requires one parental verification process. Participating Passport websites will not have to obtain "verifiable parental consent" if the user enters the site through Kids Passport because the participating websites will have already agreed to utilize Kids Passport as their parental consent process. Thus if a participating website changes its existing privacy policy after the parent has gone through the verification process and the changed policy conflicts with the parent's level of consent, the participating site will not have to obtain parental consent a second time. The burden will be on the parent to ensure that previously-given consent is consistent with participating websites' privacy policies at all times.

  • What is Microsoft XP?
    • Microsoft XP is the newest version of the Windows operating system. It is expected to become the primary means by which individuals access the Internet.

  • What is .NET?
    • .NET is the platform on which Microsoft will develop and deliver centralized web services. Systems such as .NET, which provide services from a central server, are dependent on user identification and authentication. If unchecked, Microsoft's .NET platform will result in users being required to identify themselves to merely surf the Internet.

  • What is Hailstorm?
    • Hailstorm is a group of services that Microsoft intended to provide from central servers. The Hailstorm services' future is currently uncertain. The company announced in April that it was not going to proceed with the development of certain services. Originally, the company planned to create services that included MyAddress, MyProfile, MyContacts, MyNotifications, MyInbox, MyCalendar, MyDocuments, MyApplicationSettings, MyWallet, MyUsage, and MyLocation.

      An extraordinary range of consumer information would have been collected and subsequently disclosed by means of HailStorm. This information includes a person's home telephone number, office telephone number, fax number, home address, business address, and geographic locations; a person's actual name, nickname, birthdate, anniversary, other special dates, and personal photograph; a complete list of all names of all contacts contained in an electronic datebook, including names, addresses, contact dates, and personal details for all friends and associates; information concerning location and contact information; all forms of incoming mail, including voicemail, electronic mail, and fax mail; tracking information; personal and business documents; favorite websites and other identifiers; receipts, payment instruments, coupons and other transaction records, devices settings and capabilities across all platforms, including PC, PDA, and telephones; and detailed usage reports for each one of these services.

  • What is Windows Product Activation?
    • Windows Product Activation (WPA) is an anti-piracy system embedded in Microsoft Windows XP, Office XP, and other Microsoft products. The WPA system scans the hardware components of users' systems and links the hardware setup to the license key for the software. If the user later attempts to install a WPA protected program on another computer, the license key will not match and the software will not work. In addition, if the user changes hardware in their computer, WPA may disable the software.

  • What's Wrong with WPA?
    • Through WPA and program registration, Microsoft can actually match users to their personal computers. Although Microsoft represents to users that the product activation process preserves anonymity, users cannot receive software support anonymously for the product that they activate and are forced to register for Microsoft Passport.

  • What is driver blocking?
    • Driver blocking is a newly-enabled system in Windows XP. Through requiring driver blocking, Microsoft can stop the use of programs that are not specifically written for Windows XP. Driver blocking will prevent users from employing software such as Black Ice and Zone Alarm, regardless of whether the programs actually work on the operating system. As a result, XP will reduce users' privacy and security.

      Driver blocking can also be used to require programmers to include Digital Rights Management (DRM) technology in files. DRM technology is privacy invasive, and results in restricting user control.

  • What is Digital Rights Management (DRM)?
    • DRM is a series of technologies that attempt to limit access, copying, printing, altering, sharing, and saving of files. DRM can exist at the hardware or software level, and acts to prevent the user from taking certain actions with files.

      DRM technologies have been developed with little regard for privacy protection. DRM technology usually requires the user to reveal his or her identity and rights to access the file. Upon authentication of identity and rights to the file, the user can access the content.

      These systems prevent anonymous consumption of content, and could be employed to profile users' preferences or to limit access to digital books, music, or programs.

  • What is Hotmail?
    • Hotmail is a free web mail service owned by Microsoft. In 2001, Microsoft populated the Passport database by giving all Hotmail users a Passport account. When users log into Hotmail, they also sign on Passport.

      Passport will track Hotmail users as they visit other MSN sites, and provide users' personal information to those sites, unless the users click on a small "Sign-Out" button on the page each time they wish to move to a different MSN site.

      Passport tracks the behavior and divulges the personal information of Hotmail customers who neither have been notified of their Passport accounts, nor have granted permission for such use of their information. If a user visits the MSN homepage, a Passport "Sign-in" button will appear. If the user who did not come from Hotmail or another MSN site clicks this button, information on Passport will appear, along with an invitation to join the Passport system. However, if a Hotmail user who did not click the Passport "Sign-Out" button before exiting Hotmail visits the MSN homepage and clicks the same button, the MSN page will reload, with a message greeting the user by name.

      Hotmail has been plagued by serious security flaws in recent years. For example, in August 1999, when Passport was combined with Hotmail, a defect was discovered in Hotmail that allowed "anyone to read the private correspondence of about 50 million subscribers."

  • What security issues are raised?
    • Microsoft is aware of significant risks that users will have their personal information, including their credit card numbers, disclosed to others when the Passport service is used at a shared or public terminal, which could include a computer in a library, community center, workplace, or airport lounge. Microsoft advises: You should always sign out of Passport when you are finished browsing the web to ensure that others cannot access your Passport profile or wallet.

      In February 1999, Microsoft was found to be quietly creating "a vast data base of personal information about computer users. "The online privacy seal organization TRUSTe subsequently found that Microsoft had compromised "consumer trust and privacy." Defects in Microsoft's software are routinely discovered that allow intruders unauthorized access to files, most recently a defect in Microsoft's IIS Web server software that has allows the "Code Red" virus to compromise an estimated 300,000 computers, including some of Microsoft's own servers.

  • Did the changes that Microsoft made to Passport in 2001 address privacy issues?
    • No. Although the modifications were a step in the right direction, they still ultimately fail to address the underlying issues raised in the complaint and supplementary material.

  • Does Passport comply with Safe Harbor provisions and other UK data regulations?
    • Currently, no.

  • If I sign up for Passport, can I control my personal data?
    • To a certain extent, yes. Users can edit their personal information and make some decisions about how much information to share beyond the required minimum. Additionally, Microsoft now allows users to "close" their Passport account. Information for closing an account is online at Closing Your .Net Account.

  • Are other companies creating services similar to Passport?
    • Yes. America Online (AOL) is developing a single-signon service that will store user information in a similar fashion to Passport. This service is called "Magic Carpet," and is still under development. In addition, Sun Microsystems has developed a service to compete with Passport called Project Liberty.

  • What do the experts say?
    • Walter S. Mossberg, a widely regarded commentator on the computer industry who writes a regular column for the Wall Street Journal, wrote:

      "Windows will keep monitoring your setup to check that it's still running on the same machine. If you make major hardware changes, the system could disable Windows and force you to check in with Microsoft in the mistaken belief the program has been transferred to another computer. One journalist reported that his copy of Office XP suddenly went into "reduced functionality mode" and insisted he activate again while he was using it on an airplaneĂ–

      "Microsoft has chosen a method of enforcing its policy that smacks of an invasion of privacy. The company says its database of PC configurations won't contain any personal information, and will be encrypted so that nobody can misuse it. But Microsoft's bully-boy behavior in the marketplace hardly inspires confidence that it won't somehow exploit this information.

      Stewart Alsop, a widely regarded commentator on the computer industry who writes a regular column for Fortune Magazine, wrote:

      "Microsoft is going to collect more and more information about what I buy and what I do. I don't really have a choice. It is very nearly impossible to use any computer without using Microsoft's software, and increasingly that means that it is very nearly impossible to avoid handing over your personal information to the company. And this situation is just going to get worse, because Microsoft does have a monopoly, and it is using that monopoly to aggressively expand its dominance of computers--personal computers, office servers, handheld computers, even set-top boxes--and its dominance of the Web and Web services delivered through its Internet Explorer browser.

      Esther Dyson, a widely regarded computer industry expert and chairman of EDVenture Holding, wrote:

      "I don't want the government, or Microsoft, asking me for my ID. I find it kind of amazing. You sit and think, 'Can they actually do this? Is it believable?' One hopes not."

  • What have the 15 groups done?
    • The organizations listed above have joined a complaint to the Federal Trade Commission (FTC) alleging that Microsoft is engaging in unfair and deceptive trade practices. Under section 5 of the Federal Trade Commission Act, the FTC has authority to investigate and bring actions against entities that engage in unfair or deceptive trade acts in commerce. Recent developments in the investigation are covered on the Passport Investigation Docket Page.

  • What is in the supplemental material that did not appear in the original complaint?
    • The supplemental material contained new information on Passport security flaws, Digital Rights Management, and the Children's Online Privacy Protection Act (COPPA).

  • What remedies have the groups requested?
    • The groups have requested a series of remedies to protect consumers from the privacy and security risks presented by Microsoft Passport and by Windows XP. Specifically, the groups request:

      An investigation into the information collection practices of Microsoft through Passport and associated services.

      A revision to the XP registration procedures so that purchasers of Microsoft XP are clearly informed that they need not register for Passport to obtain access to the Internet.

      An order to block the sharing of personal information among Microsoft areas provided by a user under the Passport registration procedures absent explicit consent

      An order to incorporate techniques for anonymity and pseudo-anonymity that would allow users of Windows XP to gain access to Microsoft web sites without disclosing their actual identity

      An order to incorporate techniques that would enable users of Windows XP to easily integrate services provided by non-Microsoft companies for online payment, electronic commerce, and other Internet-based commercial activity

      An investigation to determine whether Passport complies with the requirements of the Children's Online Privacy Protection Act.

      And other relief as the Commission finds necessary to redress injury to consumers resulting from Microsoft's practices.

  • What can I do?
    • Be sure not to sign up for Passport. A Passport account is not necessary to access the Internet.

      You can also help by demanding that software companies such as Microsoft offer true Privacy Enhancing Technologies that provide anonymity and pseudo-anonymity.