Langa Letter: The End Of Anonymous Surfing? - InformationWeek

10:18 AM
Fred Langa

Langa Letter: The End Of Anonymous Surfing?

Microsoft's Passport and its competitors are making it harder than ever for computer users to keep a low profile, Fred Langa says.

During the run-up to Windows XP's release, we identified two important areas for concern regarding the way XP manages--or mangles--your privacy: Windows Product Activation and Passport.

To recap: We initially focused extensively on WPA. (See "Is Windows XP's 'Product Activation' A Privacy Risk?" and "1,000 Posts Later: WPA Update.") After those articles were written, Microsoft "softened" WPA. The company increased the number of components that it let you change without triggering a need to reactivate and changed the time period during which system changes are tracked. If you don't change your system components too much, too fast, you can avoid many of WPA's hassles. (Alas, one exception seems to be the network interface card; many users report that any NIC change seems to trigger the whole reactivation process, even if nothing else changes.) Even this gentler, kinder WPA remains an issue, because it's a mandatory element of XP. There's no getting around it. If you don't register, your software cripples itself and reverts to a reduced functionality mode.

But the greater security/privacy issue may lie with Passport, which is a nominally optional part of XP and many other Microsoft offerings.

Passport Has Your Number
Microsoft's Passport is a centralized, cross-domain logon-automation service. (Microsoft recently changed the service's name to .Net Passport, but we'll continue using the short form of the name here.)

Passport is very aggressively pushed within Windows XP and most of Microsoft's online offerings. While you don't have to sign up for Passport to use XP itself, you'll encounter it as a mandatory element of many of Microsoft's bundled offerings such as MSN/Hotmail, MSN Messenger, and the personalized versions of

In Microsoft's words, Passport is:

... an online service that makes it possible for you to use your E-mail address and a single password to sign in--securely--to any .NET Passport participating Web site or service. It lets you move easily among participating sites without the need to remember a different sign-in name and password for each site. With .NET Passport you can take advantage of personalization options at many Web sites, and you can also choose to use .NET Passport express purchase to make online shopping easy and convenient. Use .NET Passport on any web-enabled device.

As of now, the central Passport site stores a limited amount of user data: birth date, country/region, state, ZIP code, gender, accessibility, time zone, and occupation. By default, signing up for Passport authorizes Microsoft to share this demographic data with its partners, although, Microsoft says, not in a way that can be associated with you in particular.

That sounds fine. It sounds even better when you see that you can inform Microsoft not to share this demographic information: Just click the opt-out check boxes on the Passport member services form.

But there's a catch, because Microsoft and its partners actually still can track you via a unique numeric identifier:

Passport associates a Passport unique identifier with every Passport account at registration. The unique identifier is a unique 64-bit number that Passport sends (encrypted) to each Passport participating site that you choose to sign in to. This unique identifier makes it possible for the site to determine whether you are the same person from one sign-in session to the next.

This gives Passport-enabled sites a way to get around some techniques used for anonymous surfing. Even if a Passport site doesn't initially know you by name, it may still know you by your Passport's persistent numeric code and thus can build an ongoing profile of you and your surfing habits on that site. More darkly, there's also no technical reason two or more Passport-enabled sites couldn't combine their information to build a highly detailed personal profile about you, using Passport's unique numeric identifier as the unifying key. And if any one site has a record of your name, E-mail, credit-card numbers, and the like, then in theory all the sharing sites could have that information simply by collating their separately gathered data via the unique identifier.
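The correlation risk described above, as an added illustration that is not from the original article and is not Passport's actual protocol: when every site receives the same 64-bit identifier, two sites' records join on it, while a per-site derived identifier (a different design, assumed here for contrast) leaves nothing to join on. The site names, identifier value, secret and HMAC derivation are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample values; nothing here comes from a real service.
GLOBAL_ID = 0x1A2B3C4D5E6F7081            # one 64-bit identifier sent to every site
IDP_SECRET = b"constructed-demo-secret"   # hypothetical key held only by the sign-in service


def pairwise_id(global_id: int, site: str, secret: bytes = IDP_SECRET) -> int:
    """Derive a per-site 64-bit pseudonym: stable at one site, different across sites."""
    msg = global_id.to_bytes(8, "big") + b"|" + site.encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def site_records(id_for_site):
    """Each site stores what it learned, keyed by the identifier it was sent."""
    shop = {id_for_site("shop.example"): {"name": "A. User", "card_last4": "0000"}}
    news = {id_for_site("news.example"): {"pages_read": ["/politics", "/health"]}}
    return shop, news


def collate(a: dict, b: dict) -> dict:
    """Merge two sites' records wherever the identifier matches."""
    return {k: {**a[k], **b[k]} for k in a.keys() & b.keys()}


def demo():
    # Same identifier everywhere: the sites' data merges into one profile.
    shared = collate(*site_records(lambda site: GLOBAL_ID))
    # Per-site identifiers: the join key differs, so the merge finds nothing.
    separate = collate(*site_records(lambda site: pairwise_id(GLOBAL_ID, site)))
    return shared, separate


if __name__ == "__main__":
    shared, separate = demo()
    print("global identifier  ->", shared)
    print("per-site identifier ->", separate)
```

With the shared identifier the anonymous reading history picks up the name held by the other site; with per-site identifiers each site can still recognize a returning visitor but has no common key to collate on.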
