By Jane Black So much for the trustworthy computing that Microsoft has vowed to deliver so that personal computers can at last be a haven for personal data. On May 7, a researcher in Pakistan discovered yet another hole in Microsoft Passport, an authentication technology that holds the key to the user names, passwords -- and, sometimes, the credit-card numbers -- of more than 200 million PC users (see BW Online 4/12/01, "Watch Out for this HailStorm").
The flaw was frightening, if only because it was so obvious. By typing in a simple Internet address, or URL, that includes a Passport user name, a hacker could request a password reset from the Passport servers. Once the new password was set, the interloper would gain access to a bounty of information on the unsuspecting individual that might include e-mail messages, calendar appointments, shopping lists -- and credit-card information.
Microsoft (MSFT) won't comment on how many accounts might have been compromised. But Adam Sohn, the product manager for Passport, told BusinessWeek Online that only a "handful" of accounts may have been affected and that there was almost "zero correlation" between the invaded accounts and customers who stored credit-card information online.
HACKER MAGNET. Nonetheless, the Federal Trade Commission, with which Microsoft signed a consent decree last August promising to not make false statements about the security or privacy protections in Passport, is looking into the matter. If the FTC determines that Microsoft didn't have "reasonable" security in place, Bill Gates & Co. could end up paying a fine of $11,000 per breach.
Microsoft, by virtue of its hegemony in the PC market, is a magnet for hackers. And while it's certainly to blame for letting such a simple vulnerability exist, the flaw is less an indictment of the software king -- security experts say the same thing could have happened to any company -- than of the concept of Passport itself.
With Passport, Microsoft wants to make the Internet more convenient: No more remembering different passwords for different sites, no more pulling out your credit card every time you want to buy something. But the price of unfettered convenience is often a loss of privacy. That's a lesson that Microsoft -- and most Internet users -- still need to learn.
INFO PILE-UP. Convenience remains a worthy goal, of course. How many of us have passwords tacked to our PC monitors on Post-it notes? And how many hours have each of us wasted trying to remember or reset passwords when that Post-it turns up missing?
The trick is to increase convenience without heightening risk. After all, the more information that's stored in one place, the more attractive a target it is for hackers and criminals. A credit-card number sells for $10 on the black market, whereas a credit report sells for $60, according to Richard Hunter, director of security research at Gartner G2 and author of World Without Secrets: Business, Crime, and Privacy in the Age of Ubiquitous Computing.
Adds Hunter: "It's stockpiling all those connections, all those accounts in a single place, that makes things so dangerous." Why steal an engagement ring, if you can get your hands on the Hope Diamond?
CLASH OF CULTURES. Or at least, why not try, as long as so many people are suckers for convenience? A March Harris poll revealed that 64% of Americans are "privacy pragmatists," up from 54% in 1999. Privacy pragmatists are people like me who are concerned, at least in the abstract, about protecting their personal information, but who, with the right guarantees, are willing to trade it for convenience.
Privacy pragmatists are the people who use Microsoft Passport or supermarket discount cards or buy 12 CDs for a penny -- in return for a page worth of information about their taste in music. They're also the people of whom "privacy fundamentalists" despair: "It's impossible for individuals to be privacy pragmatists," argues Chris Hoofnagle, legal counsel at the Electronic Privacy Information Center in Washington, D.C. "There's too much asymmetry in the market. The [technology] companies say that their products are secure, but they give individuals very little independent evidence of their reliability."
So what's a privacy pragmatist to do? Are we condemned to having to choose between security breaches or a blizzard of Post-it notes? Security experts say the answer is for individuals to develop a more realistic understanding of the price of convenience. If, like me, you value the ability to link your MSN Messenger and Hotmail accounts, use Passport. If saving a dollar at the drugstore makes your day, it's probably worth it to let the store track your spending habits.
PAY ATTENTION. Just remember that with such convenience comes a responsibility to look out for yourself. First, you should regularly check your credit report. If something fishy is going on, it will show up there initially. In most states, consumers are entitled to one free credit report each year. You can also sign up for services, which cost $50 to $75 per year, that alert you when any change is made to your credit file or when an account is opened in your name.
Beyond that, use a variety of detailed passwords that are a combination of letters and numbers. And keep careful records of them -- offline. "Don't put off managing your data," warns Forrester Research security analyst Rob Enderle. "Victims are usually the people who aren't paying attention."
Easy as it is to bash Microsoft, the fact is that the latest flaw in Passport isn't only the Colossus of Redmond's problem. It's just one example of a classic 21st century dilemma of how and when to trade privacy for convenience. The answer is one most consumers don't want to hear: The passport to privacy is hard work. Black covers privacy issues for BusinessWeek Online in her twice-monthly Privacy Matters column