PREMIUM SEARCH Search by job title, geography and build a list of executive contacts
You can always count on Microsoft for controversy. No sooner did the company announce plans for rolling out its new set of software services, codename HailStorm, on Mar. 19, than the fur began to fly. What is HailStorm? Wade through all the flowery verbiage in the company's white paper, and it comes down to this: HailStorm will eliminate the need for users to have multiple passwords for Web sites or digital devices such as Palms and cell phones. Instead, consumers could collect and store all their information conveniently in one place -- with Microsoft.
The announcement immediately stirred up a furor. Gates haters decried HailStorm for violating user privacy. Some even accused Microsoft of mounting yet another assault on antitrust law. Much of the hubbub seemed to be pro forma Microsoft bashing -- journalists and analysts dutifully picking apart the company's first big move away from a PC-centric world. But those truly concerned about protecting their privacy online will want to pay close attention, because aspects of HailStorm are deeply troubling.
I BELIEVE. Storing all your personal data with Microsoft is enough to make some people's skin crawl. And yes, after one of highest-profile antitrust court cases in history, Microsoft has a reputation as the ultimate high-tech bully. It's not hard to see why some consumers fear that the company would take the same ruthless approach to personal data. But Microsoft knows that any plans to collect and use customer data in unsavory ways would kill the product, and it has taken pains to emphasize that "all data belongs to the user."
I'll take Microsoft at its word. For all its faults, the Colossus of Redmond is a pragmatic company. It wants HailStorm to succeed because the scheme looks like a good way to make money. Customers would have to pay Microsoft to store their information, and vendors would have to pay Microsoft to be part of the network. If it takes off, it could put Microsoft in the middle of every transaction that takes place online.
What worries me is the way the technology fundamentally works. The system is based on Microsoft Passport, a service that lets you enter personal data once and then use it on multiple Web sites. At the moment, Passport works on the Microsoft Network sites, including free e-mail service Hotmail, online magazine Slate, and the Expedia travel site, as well as about 80 other sites around the Web. Microsoft's idea with HailStorm is to make Passport the central authentication system for the entire Web.
JARRING COOKIES. But HailStorm would take cookies, already a target of privacy advocates, and add steroids to the recipe. Cookies are bits of code that inform Web-site operators whether you've visited their site and, perhaps, what you've looked at, clicked on, and bought while you were there. That may sound scary, but a cookie doesn't actually tell the site who you are. If you go to ToyRUs.com, the site doesn't know how old you are, what your income is, your race, marital status, or phone number.
The key to cookies is they deliver information about what you do on the site only to the Web-site operator. So if you buy a Pokemon game during a visit to ToysRUs.com, the site has the ability to pitch you the latest Pokemon accessories the next time you stop by.
From a privacy standpoint, cookies are potentially dangerous only if another Web site got hold of their information. For instance, your health-insurance company might want to know that you're buying the book The Unrecovered Anorexic from Amazon.com. And Amazon would probably love to know that you're concerned about your weight so it could pitch you the latest diet and weight-loss books. But that doesn't happen because cookies send information about you only back to the same Web domain it came from. Amazon cookie data goes to Amazon. Health information goes to your insurance company. Period.
COMBINING INFO. A worldwide Microsoft Passport service could change all that. Passport sites use session cookies, which means the information is stored with Passport only until you close your browser. With HailStorm, though, it wouldn't be the individual sites collecting your information. What you do at Hotmail, say, wouldn't stay just with Hotmail. That info would be combined in a central database with what you read at Slate, what tickets you buy at Expedia, and -- if it takes off -- what you buy at an antique cookbook store, flower shops, and other retailers. It would subvert the way cookies work in order to share information about you.
If HailStorm takes off as Microsoft hopes, this is very worrisome. Using a new version of the Windows operating system to leverage its authentication technology, Microsoft could easily sign up hundreds of millions of computer users (Passport already has some 160 million accounts, mainly due to the popularity of Hotmail). Such an enormous user base would put intense pressure on all Web vendors to use the system. And that means all kinds of data -- from banking to shopping to health insurance and credit -- could conceivably be stored in one place.
Richard Purcell, Microsoft's director of corporate privacy, argues that a centralized system is less risky than distributed information. At least a consumer knows who has his data and can hold that party -- Microsoft or another -- accountable. He has got a point. With thousands of distributed consumer databases throughout the country, it's impossible to know who has what data about you, which sites have security vulnerabilities, and if any of your information has been illegally accessed. "Centralization is a concern, but Microsoft is betting our company that we can do it right and make it more secure than anyone else," says Purcell.
THE DARK SIDE. But even Microsoft can't guarantee total security. Hackers have their ways, and they can be diabolically ingenious. "The more valuable the information, the harder people will try to break in and get it. And, ultimately, anything can be hacked," says Joel Spolsky, an independent computer programmer in New York. Spolsky, a former Microsoft employee, wrote about the dark side of Passport eight months ago in an article on his Web site.
Fact is, Microsoft doesn't have a great record with keeping hackers out. In January, it was a victim of a lengthy denial-of-service attack, where hackers flood a server with bogus requests to bring down the site. Imagine if you couldn't access or buy anything online because a Microsoft server that needed to authenticate your identity was overloaded. And last October, Microsoft revealed that for several weeks, hackers had access to company servers that held precious source code.
What if that were your personal information? What if everyone's could be sliced and diced by malicious hackers? Consumers want convenience. They have made clear that they're willing to trade some data for ease of use. But HailStorm may be asking for more than consumers are willing to give.
Black covers privacy issues for BusinessWeek Online in New York Edited by Alex Salkever
Copyright 2001 , by The McGraw-Hill Companies Inc. All rights reserved.
Printer-Friendly Version
