Strategies & Market Trends : Waiting for the big Kahuna


To: Jerry Olson who wrote (38023) 3/7/1999 12:39:00 PM
From: j g cordes
 
More Big Brother.. Win98 id internals revealed quietly

"

Posted at 5:25 p.m. PST Saturday, March 6, 1999

Microsoft will alter software to protect privacy

New York Times

SAN FRANCISCO -- Microsoft Corp. moved to defuse a potentially explosive privacy issue on Saturday, saying it would modify a feature of its Windows 98 operating system that has been quietly used to create a vast database of personal information about computer users.

Microsoft conceded that the feature, a unique identifying number used by Windows and a handful of other Microsoft products, had the potential to be far more invasive than a traceable serial number in Intel Corp.'s new Pentium III that has privacy advocates up in arms. The difference is that the Windows number is tied to an individual's name, to identifying numbers on the hardware in his computer and even to documents that he creates.

The combination of the Windows number with all these data, the company said, could result in the ability to track a single user and the documents he created across vast computer networks. Hackers could compromise the resulting database, or subpoenas might allow authorities to gain access to information that would otherwise remain private and unavailable. Privacy advocates fear that availability will lead to abuses.

"We're definitely sensitive to any privacy concerns," Robert Bennett, Microsoft's group product manager for Windows, said. "The software was not supposed to send this information unless the computer user checked a specific option."

Bennett said the option to collect the information had been added to the software so that Microsoft support employees would be able to help users diagnose problems with their computers more accurately. He said the Redmond, Wash., software giant had never intended to use the data for marketing purposes.

In addition to altering the way the registration program works in the next maintenance release of Windows 98, Bennett said Microsoft technicians would look through the company's databases and expunge information that had already been collected as a result of earlier versions.

The company is also exploring the possibility of creating a free utility program that would make it possible for Windows users to delete the serial-number information from a small database in the part of Windows system known as the registry, where it is now collected.

Microsoft has been discussing the issue with a Cambridge, Mass., programmer who contacted the company last week after discovering that the Microsoft Office suite of business software was creating unique numbers identifying a user's personal computer and embedding them in spreadsheet and word-processing documents.

Last week the programmer, Robert M. Smith, who is the president of Phar Lap Software Inc., a software tools development company, notified the company that he believed the practice created a potential privacy threat.

Microsoft officials said last week that they were using the number in the company's software in an effort to find a unique identifier to keep components from colliding with one another in an increasingly complex world of networked computers.

However, Smith said that the number, in effect, created a "digital fingerprint" that could be used to match a document created by a word-processing or spreadsheet program with a particular computer.

On Thursday, after further studying the "registration wizard" -- the software module that enables customers to register their copies of Windows 98 operating system for support and updates -- Smith discovered that the number, known as a Globally Unique Identifier, was being transmitted to Microsoft as part of a list of registration information that generally includes the owner's name, address, phone number, certain other demographic information and details about what hardware and software are on or attached to the user's computer.

"Microsoft never asked me if it was OK to send in this number, and they never said it was being sent," Smith said. "They are apparently building a database that relates Ethernet adapter addresses to personal information."

Ethernet adapters are cards inserted in a personal computer that enable it to connect to high-speed networks within corporations, and from there out to the Internet.

The controversy erupted just weeks after Intel, maker of the most widely used processors for machines that run Windows, agreed to enable computer manufacturers to disable a serial number in its new Pentium III computer chip so that it was not visible to software or on a network without the computer user's permission.

Privacy activists have been attacking both companies, arguing that identification numbers can be easily misused to permit the creation of electronic monitoring systems that track a computer user's behavior in cyberspace, or dossiers of personal information about individuals.

The issue has sparked a heated debate over the fundamental technology of modern computer networks and software systems, which routinely employ serial numbers to identify individual computers and software modules known as "objects" that can be shared by a number of programs.

But the Intel number identified only a computer. The Windows number identifies a person. And because the Windows number created a potential linkage between individuals and confidential documents they created, privacy advocates said they were outraged.

"I think this is horrendous," said Jason Catlett, president of Junkbusters, a consumer privacy organization based in Greenbrook, N.J. "They're tattooing a number into each file. Think of the implications. If some whistleblower sends a file, it can be traced back to the person himself. It's an extremely dangerous feature. Why did they do it?"

Privacy groups have long warned about the dangers of centralized information and the dangers of monitoring electronic behavior. The privacy community has been discussing the implications of the Intel Pentium III serial number with Intel, and while some privacy advocates acknowledge that the number can play an important role in protecting both privacy and security, others have called for a boycott of Intel, arguing that the likelihood of misuse of the number is extreme.

Beyond the fear of a centralized Big Brother, they add that the rise of the Internet has made it possible for individual companies to freely use detailed personal information for commercial ends.

"The problem is the absence of legal rules that limit the collection and use of personal information," said Marc Rotenberg, director of the Electronic Privacy Information Center in Washington. "It's clear to me that large Internet companies such as Microsoft, AOL and Netscape will try to squeeze out privacy."

Microsoft executives said on Friday evening that they had developed the feature for technical reasons related to the need to distinguish among millions of different hardware and software objects on the Internet but had never considered the privacy implications.

According to Microsoft software engineers, the roots of the company's numbering system go back to a system developed by computer researchers at the Open Software Foundation in Cambridge in the early 1990s.

In an effort to develop technology that would enable computer systems to communicate across a network, a numbering system known as a Universally Unique Identifier, or UUID, was established as part of a software standard known as the Distributed Computing Environment, or DCE. Microsoft relied on this standard when it developed a remote computing capability for Windows known as Object Linking and Embedding, or OLE.

The company's designers changed the UUID term to GUID, or Globally Unique Identifier, and it is widely used by software applications today. For example, the GUID is used in setting "cookies" -- files that Web sites write to a visitor's hard drive to identify the user later and to track his or her travels through the Web.