PRIVACY: Microsoft software spying on us?

Harvey Newstrom (newstrom@newstaffinc.com)
Mon, 8 Mar 1999 00:47:56 -0500

If you're planning to upgrade to Windows '98, watch out for this "feature"!

> http://www.nytimes.com/library/tech/99/03/biztech/articles/07soft.html
>
> March 7, 1999
>
> Microsoft to Alter Software in Response to Privacy Concerns
>
> By JOHN MARKOFF
>
> SAN FRANCISCO -- The Microsoft Corporation moved to defuse a potentially
> explosive privacy issue today, saying it would modify a feature of its
> Windows 98 operating system that has been quietly used to create a vast
> data base of personal information about computer users.
>
> Microsoft conceded that the feature, a unique identifying number used by
> Windows and other Microsoft products, had the potential to be far more
> invasive than a traceable serial number in the Intel Corporation's new
> Pentium III that has privacy advocates up in arms. The difference is that
> the Windows number is tied to an individual's name, to identifying numbers
> on the hardware in his computer and even to documents that he creates.
>
> The combination of the Windows number with all these data, the company
> said, could result in the ability to track a single user and the documents
> he created across vast computer networks. Hackers could compromise the
> resulting data base, or subpoenas might allow authorities to gain access
> to information that would otherwise remain private and unavailable.
> Privacy advocates fear that availability will lead to abuses.
>
> "We're definitely sensitive to any privacy concerns," Robert Bennett,
> Microsoft's group product manager for Windows, said.
>
> "The software was not supposed to send this information unless the
> computer user checked a specific option."
>
> Mr. Bennett said the option to collect the information had been added to
> the software so that Microsoft support employees would be able to help
> users diagnose problems with their computers more accurately. He said the
> Redmond, Wash., software giant had never intended to use the data for
> marketing purposes.
>
> In response to a complaint from a software programmer in Massachusetts,
> Microsoft will not only alter the way the registration program works in
> the next maintenance release of Windows 98, Mr. Bennett said. He said
> Microsoft technicians would look through the company's data bases and
> expunge information that had been improperly collected as a result of
> earlier versions.
>
> The company is also exploring the possibility of creating a free utility
> program that would make it possible for Windows users to delete the serial
> number information from a small data base in the part of Windows system
> known as the registry, where it is now collected.
>
> Microsoft has been discussing the issue with a Cambridge, Mass.,
> programmer who contacted the company earlier this week after discovering
> that the Microsoft Office business software was creating unique numbers
> identifying a user's personal computer and embedding them in spreadsheet
> and word processing documents.
>
> The programmer, Robert M. Smith, who is the president of Phar Lap Software
> Inc., a software tools development company, told the company that he
> believed the practice created a potential threat to privacy.
>
> Microsoft officials said earlier this week that the numbers generated by
> the company's software were part of an effort to keep different components
> from interfering with each other in an increasingly complex world of
> networked computers.
>
> However, Mr. Smith said that the number, in effect, created a "digital
> fingerprint" that could be used to match a document created by a word
> processing or spreadsheet program with a particular computer.
>
> On Thursday, after further studying the "registration wizard" -- the
> software module that enables customers to register their copies of Windows
> 98 operating system for support and updates -- Mr. Smith discovered that
> the number, known as a Globally Unique Identifier, was being transmitted
> to Microsoft as part of a list of registration information that generally
> includes the owner's name, address, phone number and other demographic
> information as well as details about the hardware and software on or
> attached to the user's computer.
>
> "Microsoft never asked me if it was O.K. to send in this number, and they
> never said it was being sent," Mr. Smith said. "They are apparently
> building a data base that relates Ethernet adapter addresses to personal
> information."
>
> Ethernet adapters are cards inserted in a personal computer that enable it
> to connect to high-speed networks within organizations and through them to
> the Internet.
>
> The controversy erupted just weeks after Intel, maker of the most widely
> used processors for machines that use the Windows operating system, agreed
> to make it possible for computer manufacturers to set its new Pentium III
> computer chip so that a serial number on the chip would not be recorded
> without the computer user's permission.
>
> Privacy activists have been attacking both companies, arguing that
> identification numbers can be easily misused to create electronic
> monitoring systems. Such systems could track a computer user's behavior in
> cyberspace or create dossiers of personal information about individuals.
>
> The issue has sparked a heated debate over the fundamental technology of
> modern computer networks and software systems, which routinely employ
> serial numbers to identify individual computers and software modules,
> known as "objects," that can be shared by a number of programs.
>
> But the Intel number only identified a computer. The Windows number
> identifies a person. And because the Windows number created a potential
> linkage between individuals and confidential documents they created,
> privacy advocates said they were outraged.
>
> "I think this is horrendous," said Jason Catlett, president of
> Junkbusters, a consumer privacy organization based in Greenbrook, N.J.
> "They're tattooing a number into each file. Think of the implications. If
> some whistle blower sends a file, it can be traced back to the person
> himself. It's an extremely dangerous feature. Why did they do it?"
>
> Privacy groups have long warned about the dangers of centralized
> information and of monitoring electronic behavior. The groups have been
> discussing the implications of the serial number on the Pentium III with
> Intel, and while some privacy advocates acknowledge that the number can
> play an important role in protecting both privacy and security, others
> have called for a boycott of Intel, arguing that the likelihood of misuse
> of the number outweighs its benefits.
>
> Beyond the fear of a centralized Big Brother, they add that the rise of
> the Internet has made it possible for individual companies to freely use
> detailed personal information for commercial ends.
>
> "The problem is the absence of legal rules that limit the collection and
> use of personal information," said Marc Rotenberg, director of the
> Electronic Privacy Information Center in Washington.
>
> "It's clear to me that large Internet companies such as Microsoft, AOL
> and Netscape will try to squeeze out privacy."
>
> Microsoft executives said on Friday evening that they had developed the
> feature for technical reasons related to the need to distinguish between
> millions of different hardware and software objects on the Internet. They
> said they had never considered the privacy implications.
>
> According to Microsoft software engineers, the roots of the company's
> numbering system go back to a system developed by computer researchers at
> the Open Software Foundation in Cambridge in the early 1990's.
>
> In an effort to develop technology that would enable computer systems to
> communicate across a network, a numbering system known as a Universally
> Unique Identifier, or UUID, was established as part of a software standard
> known as the Distributed Computing Environment, or DCE. Microsoft relied
> on this standard when it developed a remote computing capability for
> Windows known as Object Linking and Embedding, or OLE.
>
> The company's designers changed UUID to GUID, for Globally Unique
> Identifier, and that term is now widely used by software applications.
>
> For example, the GUID is used in setting "cookies" -- files that World
> Wide Web sites send to a visitor's hard drive to identify the user later
> and to track his or her travels through the Web.
>