
Pondering Passport: Do You Trust Microsoft With Your Data?

The single-log-on Passport service is key to Microsoft's Web-based strategy, but users are skittish about the promise of security.

You're surfing and shopping, and you stumble on a site that bears the Microsoft Passport logo. It's a graphical clue that you can simply enter your Passport log-in (your e-mail address) and your Passport password and start spending--the site is a Microsoft partner that already has access to your Microsoft Wallet (which contains information like your name, credit card numbers, and shipping and billing preferences). It's for your convenience, Microsoft says, so you don't have to re-enter such data.

But could the site actually be a facade that has just recorded your Passport log-in and password? And do the hackers who run the fake site next head to a real Passport site, where they log in as you and review your credit card information?

Microsoft says it can't happen. Digital certificates authenticate a true Passport site, says the company. Only two digital certificates have ever been stolen--from VeriSign, one of the main companies that issues them--out of millions that have been issued, and both were cancelled before they were used. Unfortunately for Microsoft, both were issued in March to a cracker pretending to be a Microsoft employee. When the ruse was discovered, VeriSign immediately updated its system to "blacklist" those two certificates. But that it happened at all helps explain why many potential customers are nervous.

It also doesn't help that a 1.5-year-old technical paper written by a pair of AT&T Labs researchers deprecates Passport. Microsoft claims to have addressed most of the problems outlined in the paper, but the concerns have caught the public's attention.

"If you look at the AT&T report, all you need is the person's user ID and password to get access to all of the user's information," says Rob Enderle, research fellow at Giga Information Group. "All you'd have to do is set up a fake Web page" that pretends to be a Passport partner and enables potential bad guys to steal the user's identity, Enderle adds.

Microsoft officials claim they have already fixed all serious holes in Passport's security model and that the AT&T paper is out of date. They say it is virtually impossible to "spoof" a user today, since valid Passport sites are registered with Passport. Also, Passport never sends the user's password to the site--it separately verifies the password and notifies the Passport partner site. Only then could a Passport partner site access your credit card information, and then only if you enter it in a Microsoft Wallet and choose to share it with the partner site (by buying).

Risk of Convenience

While the Passport system verifies customers every time they enter a Passport partner site, you enter your e-mail address and password only at the first Passport site you visit each session. The aim: a single sign-on.

The AT&T paper and other observers criticize Passport for using cookies stored on your computer to aid in authentication. But those cookies are encrypted and then deleted when you sign out of a Passport session. If you forget to sign out, the cookies are automatically deleted after a short time, Microsoft says. And if a malicious attacker tries to use a cracking tool against your account, Passport temporarily blocks use of the service after several unsuccessful password attempts. Microsoft addresses some of these concerns in a Passport white paper.

Still, customers worry whether Microsoft can, or will, be able to satisfactorily safeguard their personal information. And while the public will not get a crack at really trying Microsoft's new Web services model until at least the first half of next year, its first components are appearing in October, as part of Windows XP. (In fact, some PC vendors are already selling Windows XP-equipped PCs, so those components have already debuted.)

A Perception Problem

Microsoft's challenge is of public perception as much as reality.

Part of the problem is Microsoft's penchant for insisting its existing software is secure, despite frequent security lapses in other areas. The company experienced a prolonged service outage of its MSN Messenger service, infection of its free Hotmail service by the so-called Code Red worm, and even intrusion by a hacker who roamed Microsoft's internal network for at least 12 days--possibly compromising its Windows source code. A known, though patchable, security hole in some versions of Internet Explorer could enable a villain to masquerade as a valid Hotmail user.

In fact, IE and both the Outlook and Outlook Express e-mail programs are highly susceptible to attacks by creative miscreants. Meanwhile, a new breed of worm has begun to crop up that attacks MSN Messenger. While none of these security holes has led to any significant breach, they bolster the perception that Microsoft software can be insecure.

Company executives compound the problem with their tendency to describe the future as if it were already here. Overpromising has a downside: Customers begin to distrust company statements.

Building the .Net World

The latest brouhaha surrounds some little-noticed parts of Windows XP. This newest update to the operating system is the first version of Windows to replace the often flaky Windows 9x/Me kernel with Microsoft's industrial-strength Windows 2000 kernel. It is also launching key components of .Net (pronounced "dot net"), the raft of Internet-based services that requires customer confidence for its success.

Windows XP will ship with two initial components of .Net My Services, the official name for its collection of Web-based services previously code-named Hailstorm. Windows Messenger and the Passport authentication technology are the first implementations of .Net. To use the new Windows Messenger, an MSN Messenger upgrade that combines instant messaging with real-time file sharing as well as audio and video conferencing, you must sign up for Passport.

Passport has been around for two years and already has about 165 million users, according to Microsoft. Both Hotmail and MSN Messenger require a Passport account. Microsoft has about 200 Passport partner sites, including Starbucks and Buy.com as well as its own Microsoft Network sites.

However, in the grander .Net scheme, Passport is the access control point for all your important information, from credit card numbers and PINs to multiple passwords, health records, mailing address information, bank records, and on and on. And now, a Passport program--Windows Messenger--will be part of the OS.

Microsoft's .Net vision is a world in which you can accomplish all sorts of complex tasks, from buying airline tickets to getting an authorization from your HMO to coediting a file with colleagues in real time over the Web with a mouse click or so. The first services will come in 2002. And it requires Microsoft to store all your important information and provide it whenever and wherever you need it on whatever device you have at hand.

"You should never have to enter information multiple times," Microsoft Chair and Chief Software Architect Bill Gates said in March, announcing the first Hailstorm services (now named .Net My Services). Passport won't store all of that information, but it will be the key to accessing it. Other .Net services will actually store much of your critical data, including Microsoft's Wallet.

Modifying Requirements

Answering concerns by customers and privacy groups, Microsoft is paring the amount of information you must provide to get a Passport account. To start, you need only supply an e-mail address, a password, and a secret question (to identify you if you lose your password). Microsoft's partners and even some of its own services may require additional information, however. For instance, Hotmail wants more data, including customers' birth dates and occupations.

Ironically, as recently as last week Microsoft.com didn't comply with Microsoft's official stance of requiring little information. The site requested the original six pieces of information: e-mail address, Passport-specific password, secret question and answer, your nation, state, and postal code.

"This is Microsoft.com and they are, like Hotmail, considered a Passport partner. And partners can require all of the fields, if they wish to do so," a company spokesperson explains.

To be fair, Microsoft's main Passport site complies with the new rules. Still, the company does not require its own primary site--one of the busiest on the Web--to comply. That kind of behavior--saying one thing and apparently repeatedly doing another--undercuts Microsoft's credibility with customers, competitors, partners, and legal observers.

Reassuring Customers

Microsoft insists it is not interested in accessing users' data, but in providing a useful service.

"We think the idea of storing certain data up in the [network] cloud so it can be accessed anytime, from any device, will be very valuable," says Adam Sohn, product manager on .Net core platform services.

For example, if you want to schedule an oil change at a QuickLube-type place, you could choose to let the vendor's scheduling application check your online calendar and automatically schedule the oil change. The vendor and customer would have an online "negotiation"--what Sohn calls "progressive consent"--in which you are asked to give access to the information, and can choose whether to proceed. In the previous example, for instance, all that the user would share from his or her personal calendar would be "free/busy" times.

Microsoft officials recently demonstrated how the same sort of negotiation could greatly simplify making a mortgage application. A user could choose to share specific financial data with a mortgage company in a way that automatically fills in necessary data fields, such as income, existing debts, and other information.

"It brings the 'user-in-control' model to the next level," Sohn says.

Sohn also cites upcoming changes for Passport. Some e-commerce applications will require one additional piece of information: a PIN, something many credit card companies have required for more than a decade. Like a Passport password, the PIN information is separately verified by the Passport system and is not passed to the partner site. But the point is to make Passport more secure.

Boosting Security

The next release of Passport will also default to not sharing Passport information with partners--the opposite of the current situation, Microsoft says.

"We're moving to a very pure 'opt-in' model," Sohn adds. Improving security is a Microsoft priority as it prepares to move to a world where focus is not on the desktop, but out in the network "cloud."

Indeed, Microsoft has already beefed up Passport security, adding 168-bit, "triple DES" (the federal government's "data encryption standard") encryption for passwords, secret questions and answers, and credit card numbers. Microsoft executives also say an upcoming version of Passport will implement Kerberos 5.0 security, a widely hailed public key/private key technology already used in Windows 2000 and Windows XP. It is also considering other, conceivably more secure, authentication methods such as the use of smart cards or of so-called "biometrics" such as electronic fingerprint identification, Sohn says.

Merchants that use Passport must also adopt Platform for Privacy Preferences or P3P, an emerging industry standard that is implemented in IE 6. Under P3P, users answer a set of multiple-choice questions about privacy preferences, which are stored in an XML document for later use. When the user visits a Web site, those preferences are automatically compared to an XML-encoded version of the site's privacy policy. If personal privacy preferences don't match the site's, the user can choose to not connect to that site. P3P is also part of the IE 6.0 browser, which comes with Windows XP.
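The comparison P3P performs, as an added example (not code from Microsoft, IE 6 or this article): it parses a P3P 1.0 policy and reports every declared practice that a user has refused. The sample policy, the `USER_REFUSES` table (a Python dict standing in for the user's stored XML preferences) and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"  # P3P 1.0 namespace

# Constructed policy for a hypothetical shop; not any real site's policy.
SAMPLE_POLICY = """<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1" name="shop">
 <STATEMENT>
  <PURPOSE><current/><contact required="opt-in"/></PURPOSE>
  <RECIPIENT><ours/><delivery/></RECIPIENT>
  <RETENTION><stated-purpose/></RETENTION>
  <DATA-GROUP><DATA ref="#user.home-info.postal"/></DATA-GROUP>
 </STATEMENT>
 <STATEMENT>
  <PURPOSE><telemarketing/></PURPOSE>
  <RECIPIENT><unrelated/></RECIPIENT>
  <RETENTION><indefinitely/></RETENTION>
  <DATA-GROUP><DATA ref="#user.home-info.telecom.telephone"/></DATA-GROUP>
 </STATEMENT>
</POLICY>"""

# Hypothetical user preferences: P3P values this user refuses, per element.
USER_REFUSES = {
    "PURPOSE": {"telemarketing", "contact"},
    "RECIPIENT": {"unrelated", "public"},
    "RETENTION": {"indefinitely"},
}

def policy_conflicts(policy_xml, refuses):
    """Return sorted (data_ref, element, value) tuples the user has refused."""
    # Policies come from the remote site: in production parse them with a
    # hardened XML parser and treat a parse error as "no acceptable policy".
    root = ET.fromstring(policy_xml)
    found = set()
    for stmt in root.iter(NS + "STATEMENT"):
        refs = [d.get("ref") for d in stmt.iter(NS + "DATA")] or ["(no data listed)"]
        for element, refused in refuses.items():
            block = stmt.find(NS + element)
            for value in (block if block is not None else []):
                name = value.tag.replace(NS, "")
                # A practice marked opt-in only applies if the user agrees later.
                if name in refused and value.get("required") != "opt-in":
                    found.update((ref, element, name) for ref in refs)
    return sorted(found)

def acceptable(policy_xml, refuses):
    """True when the site's declared practices match the user's preferences."""
    return not policy_conflicts(policy_xml, refuses)
```

A policy is only the site's own declaration of its practices; the check tells the user what the site says it does, not what it actually does with the data.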

Guarding Information

Although privacy and security are directly related, they are not identical.

Ensuring users' privacy obviously requires high-quality security. But security does not constitute privacy, as an e-commerce site may use Passport-based authentication but not assure the level of privacy a user might require in a P3P profile, for example. This is much like the physical world. We use credit cards, which are intended to ensure secure business transactions--but that does not ensure that the credit card issuer will not sell our private information to third parties.

In that regard, Microsoft has issued a blanket statement that it will never make use of users' private information.

"We will never make use of data [we collect], and the only time it will get shared is when the user decides to share it," says Microsoft's Sohn.

Despite those promises, however, a recent study by Jupiter Media Metrix finds 44 percent of new users and 34 percent of experienced Web users trust no one with their important data. Even more revealing, only about 5 percent of all users favor services like .Net My Services, while only 6 to 9 percent of MSN users actually trust Microsoft.

Indeed, Microsoft's own data seems to support this conclusion. The company acknowledges that less than one percent of Passport's 165 million users take advantage of the company's Wallet feature, which lets them store selected credit card information in order to pay for purchases electronically.

Ongoing Doubts

It may be hard for many users to trust Microsoft with their personal crown jewels simply because of the almost incessant barrage of security bulletins and patches the company has issued for its Windows product lines. Often, those glitches manifest themselves in components that Microsoft has bundled into the operating systems, including the IE browser, Outlook e-mail client, and Windows Media Player. Microsoft has already issued 48 bulletins about security holes in its various software products this year.

Microsoft's own vulnerabilities aside, the company also inherits users' feelings that the Web itself is inherently insecure. Witness repeated cases in which hackers violate the security of e-commerce sites and steal or reveal customers' credit card numbers. In other cases, entities ranging from health care providers to governmental agencies have inadvertently exposed confidential user data.

Microsoft continues to try calming user angst over data security. It plans to enable Passport to "federate" with other authentication and personal data storage schemes by implementing the Kerberos 5.0 standard authentication. That will happen next year with an update to Passport and the Windows .Net Server.

It's unclear whether fierce competitors like America Online and Sun Microsystems will do the same. Consider the inability of Microsoft, AOL, and others to agree on a standard for instant messaging. Still, users can choose which service providers they want to trust with their most important information.

Fundamentally, though, whether users accept Passport, Microsoft's .Net My Services, and the entire concept of software online boils down to a question of trust. Will users trust Microsoft--or anyone for that matter--to care for all their most sensitive and important information? That is a long road that Microsoft will have to travel.

"There is some doubt whether anyone is trusted enough [to be the guardian of users' critical information], but Microsoft is at the wrong end of the scale," says Giga's Enderle.

Microsoft has a lot of work to do in the meantime to prove it can safeguard users' data, acknowledges Sohn. "In the end, security is more of a journey than a destination," he says.

"Trust is something that's earned," Sohn adds. "[.Net My Services] is the ultimate 'opt-in' [because], if you don't like what we offer, you don't have to use it." Similarly, at one time an ATM card worked only in the electronic teller of the bank that issued it, Microsoft points out. Standards and interoperability came later.

Sohn couldn't be more right. And yet users' perceptions of the security and privacy of their most personal data are likely to become a defining factor as to whether .Net succeeds or fails.

As Bette Davis once said, it's likely to be a bumpy ride.

(The IDG News Service contributed to this report.)
