VICUG-L Archives

Visually Impaired Computer Users' Group List

VICUG-L@LISTSERV.ICORS.ORG
Options: Use Forum View

Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
tech: microsoft's secret user database
From:
Kelly Pierce <[log in to unmask]>
Reply To:
Kelly Pierce <[log in to unmask]>
Date:
Sun, 7 Mar 1999 08:19:00 -0600
Content-Type:
TEXT/PLAIN
Parts/Attachments:
TEXT/PLAIN (185 lines) 
This was on the front page of today's nnew York Times

kelly

      March 7, 1999

Microsoft to Alter Software in Response to Privacy Concerns

      By JOHN MARKOFF

     SAN FRANCISCO -- The Microsoft Corporation moved to defuse a
     potentially explosive privacy issue today, saying it would modify a
     feature of its Windows 98 operating system that has been quietly
     used to create a vast data base of personal information about
     computer users.

     Microsoft conceded that the feature, a unique identifying number
     used by Windows and other Microsoft products, had the potential to
     be far more invasive than a traceable serial number in the Intel
     Corporation's new Pentium III that has privacy advocates up in
     arms. The difference is that the Windows number is tied to an
     individual's name, to identifying numbers on the hardware in his
     computer and even to documents that he creates.

     The combination of the Windows number with all these data, the
     company said, could result in the ability to track a single user
     and the documents he created across vast computer networks. Hackers
     could compromise the resulting data base, or subpoenas might allow
     authorities to gain access to information that would otherwise
     remain private and unavailable. Privacy advocates fear that
     availability will lead to abuses.

     "We're definitely sensitive to any privacy concerns," Robert
     Bennett, Microsoft's group product manager for Windows, said.

     "The software was not supposed to send this information unless the
     computer user checked a specific option."

     Mr. Bennett said the option to collect the information had been
     added to the software so that Microsoft support employees would be
     able to help users diagnose problems with their computers more
     accurately. He said the Redmond, Wash., software giant had never
     intended to use the data for marketing purposes.

     In response to a complaint from a software programmer in
     Massachusetts, Microsoft will not only alter the way the
     registration program works in the next maintenance release of
     Windows 98, Mr. Bennett said. He said Microsoft technicians would
     look through the company's data bases and expunge information that
     had been improperly collected as a result of earlier versions.

     The company is also exploring the possibility of creating a free
     utility program that would make it possible for Windows users to
     delete the serial number information from a small data base in the
     part of Windows system known as the registry, where it is now
     collected.

     Microsoft has been discussing the issue with a Cambridge, Mass.,
     programmer who contacted the company earlier this week after
     discovering that the Microsoft Office business software was
     creating unique numbers identifying a user's personal computer and
     embedding them in spreadsheet and word processing documents.

     The programmer, Robert M. Smith, who is the president of Phar Lap
     Software Inc., a software tools development company, told the
     company that he believed the practice created a potential threat to
     privacy.

     Microsoft officials said earlier this week that the numbers
     generated by the company's software were part of an effort to keep
     different components from interfering with each other in an
     increasingly complex world of networked computers.

     However, Mr. Smith said that the number, in effect, created a
     "digital fingerprint" that could be used to match a document
     created by a word processing or spreadsheet program with a
     particular computer.

     On Thursday, after further studying the "registration wizard" --
     the software module that enables customers to register their copies
     of Windows 98 operating system for support and updates -- Mr. Smith
     discovered that the number, known as a Globally Unique Identifier,
     was being transmitted to Microsoft as part of a list of
     registration information that generally includes the owner's name,
     address, phone number and other demographic information as well as
     details about the hardware and software on or attached to the
     user's computer.

     "Microsoft never asked me if it was O.K. to send in this number,
     and they never said it was being sent," Mr. Smith said. "They are
     apparently building a data base that relates Ethernet adapter
     addresses to personal information."

     Ethernet adapters are cards inserted in a personal computer that
     enable it to connect to high-speed networks within organizations
     and through them to the Internet.

     The controversy erupted just weeks after Intel, maker of the most
     widely used processors for machines that use the Windows operating
     system, agreed to make it possible for computer manufacturers to
     set its new Pentium III computer chip so that a serial number on
     the chip would not be recorded without the computer user's
     permission.

     Privacy activists have been attacking both companies, arguing that
     identification numbers can be easily misused to create electronic
     monitoring systems. Such systems could track a computer user's
     behavior in cyberspace or create dossiers of personal information
     about individuals.

     The issue has sparked a heated debate over the fundamental
     technology of modern computer networks and software systems, which
     routinely employ serial numbers to identify individual computers
     and software modules, known as "objects," that can be shared by a
     number of programs.

     But the Intel number only identified a computer. The Windows number
     identifies a person. And because the Windows number created a
     potential linkage between individuals and confidential documents
     they created, privacy advocates said they were outraged.

     "I think this is horrendous," said Jason Catlett, president of
     Junkbusters, a consumer privacy organization based in Greenbrook,
     N.J. "They're tattooing a number into each file. Think of the
     implications. If some whistle blower sends a file, it can be traced
     back to the person himself. It's an extremely dangerous feature.
     Why did they do it?"

     Privacy groups have long warned about the dangers of centralized
     information and of monitoring electronic behavior. The groups have
     been discussing the implications of the serial number on the
     Pentium III with Intel, and while some privacy advocates
     acknowledge that the number can play an important role in
     protecting both privacy and security, others have called for a
     boycott of Intel, arguing that the likelihood of misuse of the
     number outweighs its benefits.

     Beyond the fear of a centralized Big Brother, they add that the
     rise of the Internet has made it possible for individual companies
     to freely use detailed personal information for commercial ends.

     "The problem is the absence of legal rules that limit the
     collection and use of personal information," said Marc Rotenberg,
     director of the Electronic Privacy Information Center in
     Washington.

     "It's clear to me that large Internet companies such as Microsoft,
     AOL and Netscape will try to squeeze out privacy."

     Microsoft executives said on Friday evening that they had developed
     the feature for technical reasons related to the need to
     distinguish between millions of different hardware and software
     objects on the Internet. They said they had never considered the
     privacy implications.

     According to Microsoft software engineers, the roots of the
     company's numbering system go back to a system developed by
     computer researchers at the Open Software Foundation in Cambridge
     in the early 1990's.

     In an effort to develop technology that would enable computer
     systems to communicate across a network, a numbering system known
     as a Universally Unique Identifier, or UUID, was established as
     part of a software standard known as the Distributed Computing
     Environment, or DCE. Microsoft relied on this standard when it
     developed a remote computing capability for Windows known as Object
     Linking and Embedding, or OLE.

     The company's designers changed UUID to GUID, for Globally Unique
     Identifier, and that term is now widely used by software
     applications.

     For example, the GUID is used in setting "cookies" -- files that
     World Wide Web sites send to a visitor's hard drive to identify the
     user later and to track his or her travels through the Web.


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
 VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html

ATOM RSS1 RSS2