WSJ Exclusive Interview: Single Sign-on is A Single Point of Failure, says EPIC Counsel

Chris Hoofnagle, legislative counsel for EPIC, spoke exclusively to WSJ, with more background on EPIC's efforts to ensure consumer privacy online.

WSJ: Have you had any response from the states' attorneys general or the FTC?

Chris Hoofnagle, EPIC: No, and we wouldn't expect to. The investigations are confidential, and EPIC would not be notified of the investigation until it was completed.

WSJ: Microsoft's statement on Privacy Priorities and Practices with Respect to the EPIC Complaint to the FTC (www.microsoft.com/presspass/features/2001/aug01/0824PrioritiesFS.asp) says EPIC has stated publicly that they have no desire to talk to Microsoft until the FTC has decided to act on their complaint.

EPIC: Yes, that is true. We're not in the business of bargaining these issues with companies. We've brought these complaints to the FTC and will let the FTC decide. In other contexts, Microsoft has bargained away positions from other nonprofits by giving them lots of money, but we won't take donations from them, and we won't endorse products or companies. That's the way Microsoft has dealt with nonprofits, by simply buying them. There are plenty of examples of industry associations that are shadows, literally fronts of Microsoft PR.

WSJ: How will EPIC be able to resist the onslaught from Microsoft's array of legal counsel if it does come to a fight-out in court? Where will EPIC's funds come from?

EPIC: We've brought this complaint to the FTC, and the FTC does their own investigation, and if they decide to investigate, it often results in a consent order. When the FTC decides to pursue a case, the companies generally settle.

WSJ: Do you feel that Microsoft takes advantage of silence too often when challenged on matters of detail by EPIC or anyone else?

EPIC: Yes, because we've said that if Microsoft thinks that there are inaccurate representations, we'd like to fix them, and we'd like an answer to our substantive allegations, but there have been silences in a number of areas. For instance, Microsoft is essentially taking an agency position, entering an agency relationship with people's data, in order to make transactions and to authenticate them. They've disclaimed all the liabilities that would normally occur in an agency-type relationship. One of the basic questions we've had is that if Microsoft is so concerned about security and privacy, why aren't Passport accounts insured the way VeriSign's are? They've always said that privacy and security are among their greatest concerns. However, we've just seen the newest internal memo from Bill Gates dated January 15 to all Microsoft employees that it was time to get serious about security and privacy.

WSJ: Didn't Microsoft recently hire a privacy officer?

EPIC: This isn't the way you build security. You have to build it from the ground up. You can't say, now that there's public attention to the problems, now let's pretend we're paying attention to these issues. Microsoft has said that privacy and security is a central goal of their organization but they have not acted consistently with that goal.

WSJ: So Microsoft's recent statement of this as a renewed goal may be a result of EPIC's call for investigation?

EPIC: Yes, and Microsoft has hired a leading public relations firm, and they're engaging in standard tactics of silence and of avoiding the central issues. And one of the ways you can do that is by hiring a chief privacy officer, "Oh, yeah, we're committed about privacy, we've hired this chief privacy officer." It doesn't address the underlying problem of creating an authentication program that's linked to identity and that is required for interactions. The key to privacy is that aspect of minimization. It's bad practice to create personally identifiable records unless it's necessary. Microsoft, through Passport, is creating personally identifiable records. If you want help with a Microsoft product, some products require that you register for Passport before you even view a static Web page. There are an increasing number of pages that require logging in. This is a change in the Internet being an information superhighway into a system of tollbooths everywhere you go.

WSJ: Microsoft's statement on Passport notes that there is a way to delete information from the system, but there's also a warning that doing so could cause customers to "lose the ability to access and control the use of personal information" associated with Passport-enabled sites.

EPIC: This part of their statement is silly, and proves our point. Consumers aren't in control!

WSJ: Microsoft states that even though EPIC has "scoured the company's products and Web materials with great care, EPIC has not pointed to any specific content that is untrue or misleading." It says the EPIC complaint reflects a dislike for Microsoft's products and services.

EPIC: That's the disagreement. We're arguing that Microsoft's representation that data is secure and private through Passport is materially false, and of course they're going to say the opposite. Their system of required sign-offs does not per se increase security or privacy. It does create records where previously none existed. The single sign-on is a single point of failure, and people like Richard Smith have demonstrated that a central authentication creates more privacy risk than disparate ones. Although a single sign-on is more convenient, once compromised a single sign-on becomes more destructive. I often am engaged in debate with Microsoft. A standard tactic for them is to say, "They don't like us." And that is not an argument. We pursue all sorts of companies, and I in fact use a Microsoft operating system, I use Windows 2000 and Microsoft Word. It's not that I don't like Microsoft, it's that we think this service is invasive of privacy and security.

WSJ: What will EPIC's next step be, if investigations don't arise from your current actions?

EPIC: I think one thing to consider is compliance with international law. The European Union has much stronger privacy protections that include specific statements about access and how to create an account and delete a record. Their laws are also important in regards to minimization and the idea that you should promote privacy and anonymity where possible. International law may provide a remedy.

WSJ: Microsoft states that despite Passport having millions of users and billions of authentications completed, "the complainants have been unable to cite any example of Passport data actually being compromised." Does EPIC have specific examples of Passport being compromised?

EPIC: On October 23, in a letter to FTC Chairman Timothy Muris urging action to protect consumers from the privacy risks associated with Microsoft Windows XP and Microsoft Passport (see www.EPIC.org/privacy/c/microsoft/ftcletter10.23.01.html for the complete text), we listed links to news items where people have compromised the Passport system. Corporations bury security problems because it's bad PR. To even learn of a security problem is remarkable; there may be more out there that we don't know about.

WSJ: How else is EPIC seeking to protect privacy rights?

EPIC: We're watching the development of a similar authentication scheme, Project Liberty. It appears as though it presents the same risks. When that project is more fully developed, we'll be pursuing it as well.

WSJ: Wasn't Project Liberty setting itself up as an alternative to Passport, to prevent problems with misuse of private information?

EPIC: Some of the same issues will be inherent. It may be a better system, but some of the issues of making it easier to require identity still exist. It's difficult to assess it at this point; they don't have a lot accomplished so far.

WSJ: Is it EPIC's view that corporations should avoid collecting personal information whenever possible?

EPIC: That's a key factor here. Companies that care about privacy will give customers the possibility of making purchases anonymously, and Passport is a tool to prevent you from doing things that you previously could do with anonymity. We seem to be returning to an Internet where everywhere you go, someone is asking, "Who are you?" first.

WSJ: What about authentication when purchases are involved and there's a need to verify the identity of someone trying to make payment? How would they manage authentication without requesting personal information?

EPIC: That's a great question. One of the problems here is that most requests for Passport authentication are not involved with payment, so why do they need to know your identity? Authentication relating to payment is mostly going to be based on identity, but there are other ways to handle it. For example, the system of telephone calling cards, the ability of saying, I can pay you, without having to give information about who you are. With financial transactions, some personal information will still be needed, or for handling practicalities like, for example, shipping. There are examples of payment that can be done without giving identity, such as the calling card in the offline world. But Microsoft is not developing this.

The point of Passport is to simply know what content you're consuming. It's not just signing into Web pages. It's also as in Microsoft Reader; they want to know your identity so that when you buy an e-book they can link the e-book to your identity. In fact, you can't use Microsoft Reader without Passport. Not only do they know what Web pages you're going to, they know what books you're buying. We detail 12 different services that will be developed (by Microsoft), and they're calendar services and so on. They're all services that don't really require identity.

Microsoft has every right to make these services, but you can very well provide these services on a pseudonymous basis, where people sign in with a pseudonym. Companies that want your identity in these circumstances usually are not interested in protecting your privacy. And somewhere down the line it will have a secondary use.

For more on EPIC, see www.EPIC.org/. For more on the Liberty Alliance, see http://www.sys-con.com/java/newsletters/in25.cfm and http://www.projectliberty.org/.

Chris Hoofnagle also recommends a paper by Roger Clarke: "Identification, Anonymity and Pseudonymity in Consumer Transactions: A Vital Systems Design and Public Policy Issue" (http://www.anu.edu.au/people/Roger.Clarke/DV/AnonPsPol.html).

Related Articles

Microsoft Passport 'Unfair and Deceptive,' says EPIC Urges the Use of State Law to Protect Consumers from 'Internet Tollbooth'

'Protecting Privacy Makes Good Business Sense,' Asserts MS Exec Sohn Regarding EPIC's Call for Investigation

About SOA News Desk
SOA World Magazine News Desk trawls the world of distributed computing and SOA-related developments for the latest word on technologies, standards, products, and services and brings key information to you in a timely and convenient summary form.
