WSJ Exclusive Interview: Single Sign-on is A Single Point of Failure, says EPIC Counsel
By: SOA News Desk
Jan. 1, 2000 12:00 AM
Chris Hoofnagle, legislative counsel for EPIC, spoke exclusively to WSJ, with more background on EPIC's efforts to ensure consumer privacy online.
WSJ: Have you had any response from the states' attorneys general or the FTC?
Chris Hoofnagle, EPIC: No, and we wouldn't expect to. The investigations are confidential, and EPIC would not be notified of the investigation until it was completed.
WSJ: Microsoft's statement on Privacy Priorities and Practices with Respect to the EPIC Complaint to the FTC (www.microsoft.com/presspass/features/
EPIC: Yes, that is true. We're not in the business of bargaining these issues with companies. We've brought these complaints to the FTC and will let the FTC decide. In other contexts, Microsoft has bargained away positions from other nonprofits by giving them lots of money, but we won't take donations from them, and we won't endorse products or companies. That's the way Microsoft has dealt with nonprofits, by simply buying them. There are plenty of examples of industry associations that are shadows, literally fronts of Microsoft PR.
WSJ: How will EPIC be able to resist the onslaught from Microsoft's array of legal counsel if it does come to a fight-out in court? Where will EPIC's funds come from?
EPIC: We've brought this complaint to the FTC, and the FTC does their own investigation, and if they decide to investigate, it often results in a consent order. When the FTC decides to pursue a case, the companies generally settle.
WSJ: Do you feel that Microsoft takes advantage of silence too often when challenged on matters of detail by EPIC or anyone else?
EPIC: Yes, because we've said that if Microsoft thinks that there are inaccurate representations, we'd like to fix them, and we'd like an answer to our substantive allegations, but there have been silences in a number of areas. For instance, Microsoft is essentially taking an agency position, entering an agency relationship with people's data, in order to make transactions and to authenticate them. They've disclaimed all the liabilities that would normally occur in an agency-type relationship. One of the basic questions we've had is that if Microsoft is so concerned about security and privacy, why aren't Passport accounts insured like VeriSign's are? They've always said that privacy and security are among their greatest concerns. However, we've just seen the newest internal memo from Bill Gates dated January 15 to all Microsoft employees that it was time to get serious about security and privacy.
WSJ: Didn't Microsoft recently hire a privacy officer?
EPIC: This isn't the way you build security. You have to build it from the ground up. You can't say, now that there's public attention to the problems, now let's pretend we're paying attention to these issues. Microsoft has said that privacy and security are a central goal of their organization, but they have not acted consistently with that goal.
WSJ: So Microsoft's recent statement of this as a renewed goal may be a result of EPIC's call for investigation?
EPIC: Yes, and Microsoft has hired a leading public relations firm, and they're engaging in standard tactics of silence and of avoiding the central issues. And one of the ways you can do that is by hiring a chief privacy officer: "Oh, yeah, we're committed to privacy, we've hired this chief privacy officer." It doesn't address the underlying problem of creating an authentication program that's linked to identity and that is required for interactions. The key to privacy is that aspect of minimization. It's bad practice to create personally identifiable records unless it's necessary. Microsoft, through Passport, is creating personally identifiable records. If you want help with a Microsoft product, some products require that you register for Passport before you even view a static Web page. There are an increasing number of pages that require logging in. This is a change in the Internet from being an information superhighway into a system of tollbooths everywhere you go.
WSJ: Microsoft's statement on Passport notes that there is a way to delete information from the system, but there's also a warning that doing so could cause customers to "lose the ability to access and control the use of personal information" associated with Passport-enabled sites.
EPIC: This part of their statement is silly, and proves our point. Consumers aren't in control!
WSJ: Microsoft states that even though EPIC has "scoured the company's products and Web materials with great care, EPIC has not pointed to any specific content that is untrue or misleading." It says the EPIC complaint reflects a dislike for Microsoft's products and services.
EPIC: That's the disagreement. We're arguing that Microsoft's representation that data is secure and private through Passport is materially false, and of course they're going to say the opposite. Their system of required sign-offs does not per se increase security or privacy. It does create records where previously none existed. The single sign-on is a single point of failure, and people like Richard Smith have demonstrated that a central authentication creates more privacy risk than disparate ones. Although a single sign-on is more convenient, once compromised a single sign-on becomes more destructive. I often am engaged in debate with Microsoft. A standard tactic for them is to say, "They don't like us." And that is not an argument. We pursue all sorts of companies, and I in fact use a Microsoft operating system, I use Windows 2000 and Microsoft Word. It's not that I don't like Microsoft, it's that we think this service is invasive of privacy and security.
WSJ: What will EPIC's next step be, if investigations don't arise from your current actions?
EPIC: I think one thing to consider is compliance with international law. The European Union has much stronger privacy protections that include specific statements about access and how to create an account and delete a record. Their laws are also important in regard to minimization and the idea that you should promote privacy and anonymity where possible. International law may provide a remedy.
WSJ: Microsoft states that despite Passport having millions of users and billions of authentications completed, "the complainants have been unable to cite any example of Passport data actually being compromised." Does EPIC have specific examples of Passport being compromised?
EPIC: On October 23, in a letter to FTC Chairman Timothy Muris urging action to protect consumers from the privacy risks associated with Microsoft Windows XP and Microsoft Passport, (see www.EPIC.org/privacy/c/microsoft
WSJ: How else is EPIC seeking to protect privacy rights?
EPIC: We're watching the development of a similar authentication scheme, Project Liberty. It appears as though it presents the same risks. When that project is more fully developed, we'll be pursuing it as well.
WSJ: Wasn't Project Liberty setting itself up as an alternative to Passport, to prevent problems with misuse of private information?
EPIC: Some of the same issues will be inherent. It may be a better system, but some of the issues of making it easier to require identity still exist. It's difficult to assess it at this point; they don't have a lot accomplished so far.
WSJ: Is it EPIC's view that corporations should avoid collecting personal information whenever possible?
EPIC: That's a key factor here. Companies that care about privacy will give customers the possibility of making purchases anonymously, and Passport is a tool to prevent you from doing things that you previously could do with anonymity. We seem to be returning to an Internet where everywhere you go, someone is asking, "Who are you?" first.
WSJ: What about authentication when purchases are involved and there's a need to verify the identity of someone trying to make payment? How would they manage authentication without requesting personal information?
EPIC: That's a great question. One of the problems here is that most requests for Passport authentication are not involved with payment, so why do they need to know your identity? Authentication relating to payment is mostly going to be based on identity, but there are other ways to handle it. For example, the system of telephone calling cards: the ability of saying, I can pay you, without having to give information about who you are. With financial transactions, some personal information will still be needed, or for handling practicalities like, for example, shipping. There are examples of payment that can be done without giving identity, such as the calling card in the offline world. But Microsoft is not developing this.
The point of Passport is to simply know what content you're consuming. It's not just signing into Web pages. It's also as in Microsoft Reader; they want to know your identity so that when you buy an e-book they can link the e-book to your identity. In fact, you can't use Microsoft Reader without Passport. Not only do they know what Web pages you're going to, they know what books you're buying. We detail 12 different services that will be developed (by Microsoft), and they're calendar services and so on. They're all services that don't really require identity.
Microsoft has every right to make these services, but you can very well provide these services on a pseudonymous basis, where people sign in with a pseudonym. Companies that want your identity in these circumstances usually are not interested in protecting your privacy. And somewhere down the line it will have a secondary use.
Chris Hoofnagle also recommends a paper by Roger Clarke: "Identification, Anonymity and Pseudonymity in Consumer Transactions: A Vital Systems Design and Public Policy Issue" (http://www.anu.edu.au/people/