Microsoft Modifies Data-Collection Plan
Microsoft is offering another small concession to critics of its upcoming products, this time changing plans for its Passport authentication service.
Now, customers can open a Passport account by disclosing only an e-mail address and password. Passport is intended to let users visit multiple Web sites without having to enter personal information each time, and can contain up to 13 pieces of information. It is a key element of Microsoft's .Net
Hotmail and many other Microsoft Web properties already use Passport, as does a growing list of partners including Buy.com and OfficeMax.com. It can contain information ranging from zip codes to street addresses, and an "electronic wallet" component stores information for online purchases.
Criticism of Passport has mounted from some privacy advocacy groups. In
"We're saying partners will have the flexibility to decide what they ask [users] for," says Adam Sohn, a product manager in Microsoft's .Net platform group. That could range from the basic data to additional information.
"We will make it very clear what information goes to Passport and what goes to the partners," Sohn says. He also stresses that despite comments from some critics, Microsoft makes no secondary use of the data. "We don't share it, we don't rent it, we don't publish it, we don't mine it, and we don't market to it," he says.
Microsoft will break out Passport's wallet technology into a separate service, called My Wallet, Sohn confirms.
Some of Microsoft's harshest critics remain skeptical, despite the concessions. The measures don't go far enough, according to Jason Catlett,
Microsoft won't be able to collect as much information about users' behavior online, but it could still track a customer's activity and combine that with personal information it collects by other methods, Catlett says.
"They can still see which sites you are authenticating at, and, if they own the site, then they are getting your personal information through those records," Catlett says.
Microsoft says Passport will support an emerging industry standard for enhancing online privacy, called P3P (Platform for Privacy Preferences). The technology lets users manage what information Web sites can collect about them. Partner Web sites that want to use Passport will also be required to support P3P, Microsoft says.
"[The addition of P3P] is completely nonresponsive to the specific allegations of illegal behavior that we charged Microsoft with," Catlett says.
Competitors ranging from AOL Time Warner to open source developer groups are working on other systems for single sign-on authentication. Many Internet companies expect widespread adoption of authentication services to make it easier to do business online. But Junkbusters' Catlett isn't convinced it will live up to industry hype.
"I'm not sure [Passport's] going to fly, but in case it does we have to try to protect the privacy of the people who use it," Catlett said. "It could end up being the largest surveillance mechanism in history."