Junkbusters

Microsoft and Privacy


Campaign on Passport and Windows XP

For information on consumer groups' campaign on Passport and Windows XP, see our news page.

Open letter to Microsoft March 27, 2001

To: Richard Purcell, Director of Corporate Privacy
Michael Wallent, Product Unit Manager for Internet Explorer

Dear Sirs

I am bitterly disappointed by Microsoft's default settings for third-party cookies in IE6. These cookies should be blocked by default, because they are a security loophole. Privacy groups have opposed them for several years. The Internet Engineering Task Force's documents relating to cookies call for at least an alert. When Microsoft announced it was testing an alert several months ago, I and security expert Richard M. Smith praised Microsoft's move. Now we find that third-party cookies will be silently accepted by the browser for companies that say they offer some kind of opt-out from tracking. The obvious absurdity of this situation is that the average user is unaware of the cookies and the tracking, and would not know where to opt out. Microsoft even spurned the weak but preferable option of downgrading persistent third-party cookies to transient cookies. Microsoft's backdown on third-party cookies is deplorable.

Microsoft is conniving with the ad companies' construction of a surveillance network of a size unprecedented in history. Doubleclick alone records more than a billion page views a day across thousands of sites, along with URL, cookie and browser information. Microsoft's supposed privacy enhancement will do almost nothing to change this. Recent security scandals such as the break-ins at Doubleclick's servers and the forging of a Microsoft digital certificate illustrate how vulnerable this information is. It simply should not be collected without the user's consent and ongoing control.

You have suggested that Junkbusters should respond by creating an "import privacy rule" for IE6. We will not be doing this for several reasons.

First, I reject the premise that the manufacturer of a market-dominating product should be able to set its defaults to privacy-invasive levels, and then burden public interest groups with the task of "educating" consumers on how to protect their privacy. Under this logic, a manufacturer of defective tires would leave it to Ralph Nader to explain to drivers how to retrofit their vehicles to avoid explosions. What I say Microsoft should do is to set a high level of privacy protection, and then burden companies that want to perform surveillance on people to gain their consent to do so. Companies such as DoubleClick have plenty of opportunity to advertise. Let them persuade consumers to import a privacy setting of "low."

Second, we do not recommend consumers use any Microsoft products, for a variety of reasons including its history on privacy and security. Creating something called an "import privacy rule" for IE6 constitutes an implied endorsement very remote from our estimation of the company and its products. Regrettably, the products we recommend for people to protect their privacy online are not made by Microsoft. Other web browsers have consistently provided better cookie management features and less privacy-invasive defaults. It is very sad that the largest software manufacturer has done so little for privacy, and is willfully continuing that trailership position.

I repeat: Microsoft should set its browser to stop third-party cookies by default. Using P3P as a technologically confusing excuse to allow this security flaw and surveillance mechanism to continue is reprehensible.

Sincerely

Jason Catlett
President
Junkbusters Corp.


Hotmail Security and Privacy


Hotmail History

For background and news coverage on the Hotmail security saga, see our News page.

Open Letter to Microsoft 1999/9/14

To: Robert J. Herbold, Executive Vice President and Chief Operating Officer, Microsoft Corporation

Dear Sir

Recent security and privacy breaches at Microsoft's Hotmail division have become so frequent and severe that several specific actions must quickly be taken to redress them. I call on you to announce promptly and voluntarily your intention to take these steps; if you do not I will seek to have them forced upon Microsoft.

Microsoft must inform Hotmail users accurately of the extent of its vulnerabilities, and stop representing the service as safe. For example, the FAQ listed at Hotmail's site contains a headline "Your e-mail is private and secure." This claim is plainly untrue, as the recent series of bug discoveries and Hotmail's commissioning of an audit indicate. Such false claims are illegal under various US laws including the Lanham Act and Section 5 of the Federal Trade Commission Act. I am forwarding a copy of this letter to regulators who have a history of using these laws to protect the public from deception.

I applaud the decision to commission an external audit of Hotmail's security, but for the public to see this as anything but a cynical PR ploy, several changes are needed in your instructions to the auditing firm. Specifically:

  1. The name of the firm and the partner responsible should be immediately announced to the public.
  2. The brief to the firm should be published as soon as practicable, and well before the audit is completed.
  3. The published brief should include the specific assertions by Hotmail's management about which the auditing firm will express an opinion. Public comment should be accepted on the adequacy of the brief and assertions.
  4. If there is a "cure period" during the audit (where problems discovered by the auditor can be fixed before the opinion is finalized) then this should be disclosed.
  5. The instructions should require the auditing firm to publish its opinion on the Web no later than a week after its delivery to Hotmail.

If listing these reasonable requirements for the audit makes me sound suspicious, it is not because I am opposed to audits on principle, but because privacy advocates have had far too much experience with audits being used as a facade mounted in front of an unsafe structure. The Individual Reference Service Group, a lobby formed by companies that sell information used to track people, adopted under pressure of the threat of real regulation a "self-regulatory" system that called for annual audits of all its members, but the details of the assertions were not made available, and every report ended with a statement requiring that it not be used by the public. The audit is too often used by "self-regulated" companies in the same way that a drunk uses a lamp-post: not to illuminate details but to support what would otherwise fall over.

I am also calling on TRUSTe to use its license agreement to compel Microsoft to make the changes described above, though I have little faith in its "self-regulatory" model.

In March this year Hotmail users were required to enable cookies on their browsers as a condition of continued service. Hotmail told CNET news.com that the step was necessary for security. The step certainly reduced the privacy of many Hotmail users, because cookies are used as a tracking mechanism by many sites. Clearly this step has not been sufficient for security, and I suspect that it may not be necessary either. I suggest that you ask the auditors to give an opinion on whether the same level of security could be provided without cookies. I suspect that it could, and call on Hotmail to remove the requirement. If the auditor deems cookies helpful for detecting intrusions by being able to observe logins from unusual browsers, then why not email the accounts that had such logins during the period of vulnerability, so that they know if their accounts might have been compromised?

I remind you of my call in March for an audit on the Global User Identifier (GUID) incident. Microsoft has to date given no undertaking for such an audit, so I renew my call for one. As you probably know, the Federal Trade Commission recently announced it will be holding hearings on the privacy implications of persistent identifiers, and I call on Microsoft to commit to participating in those hearings and to filing a substantive description of its use of persistent identifiers.

Microsoft should also turn off ActiveX by default. It has been the cause of a large number of serious security bugs in Microsoft's Internet Explorer (a Web browser), and is unsafe in its present form.

Microsoft must stop trying to brush privacy and security issues under the carpet. Yesterday CEO Steve Ballmer stated that the future of e-business can be summed up in three words: "share your data." Yet he barely mentioned privacy or security. Microsoft's new Passport product, already integrated with Hotmail, hopes to be the repository for consumers' personal data and credit card information. With Microsoft's present state and attitude towards security, only consumers with a privacy death-wish would use it. This Passport looks like a one-way ticket to a land of information vulnerability.

I would welcome any reply, and ask you to announce the steps you are taking to repair the vulnerabilities as soon as possible.

Sincerely

Jason Catlett, President, Junkbusters Corp.

Copy To:
Robert Lewin, TRUSTe
David Medine, Federal Trade Commission
Ron Plesser, Individual Reference Service Group
Eliot Spitzer, NY Attorney General

Reply from Herbold, 9/15 at 10:18 PST

Thank you for your note and your continued vigilance on this issue. TRUSTe and Microsoft have posted a statement on the TRUSTe site to provide information about this review. We've engaged a third-party firm to validate our statements about the Hotmail security incident that was reported and fixed on 30 Aug 99. The results of the report are restricted to the parties who have mutually agreed to the review procedures, TRUSTe and Microsoft, due to AICPA rules governing the review. Also, in keeping with AICPA guidelines, we cannot publish or reveal the contents of the engagement agreement or procedures for the review. I trust that you understand that the integrity of the review is of utmost importance to both Microsoft and TRUSTe.

Follow-up from Junkbusters to Herbold 9/15

Many thanks for the prompt reply. The integrity of the review is certainly paramount; I was not questioning the integrity of the auditors, but neither do I see how my requests would present any difficulty in that regard. Here is an example from another firm: http://www.eloan.com/s/show/pricewaterhouse
I trust that this firm did not breach the rules you referred to. What I am asking for is essentially the same thing, though they performed the audit without any incident to prompt it.

There were several other specific issues in my letter not covered in your reply. Of course nobody can do everything at once, but I would be glad to hear them addressed as you or your staff find time to do so.

Investigation by CNET and subsequent statement

An investigation by CNET revealed that Microsoft chose to commission a "non-standardized" review called "Agreed-Upon Procedures Engagement" that can only be revealed to certain parties. They could and should have chosen a public audit.

Microsoft subsequently claimed the report gave them a clean bill of health, but still refused to disclose even the name of the auditor. For more details see our news page.



Microsoft and the GUID


History and background

On March 3, 1999 the New York Times published a story revealing that ``identifying numbers can easily be found in word processing and spreadsheet files created with Microsoft's popular Word and Excel programs.'' Also on Thursday March 4 Junkbusters issued a press release stating ``Because Microsoft's registration process links people to ID numbers, the company has a responsibility to inform the public about where those numbers go,'' and calling for disclosures from the company. Following correspondence with Microsoft Friday March 5 and a New York Times article Saturday March 6, Junkbusters issued a Privacy Advisory to consumers early on Sunday March 7 and announced its demands to Microsoft to remedy the defects in its software and to mitigate the likely harms caused by them.

On March 10 more holes were found, including identifying information set in cookies (see below). Microsoft told Junkbusters and Wired News that it would rewrite the affected cookies.

On Thursday March 4 Junkbusters also issued a report titled ``Bill? Bill Who?'', a study of the privacy and competitiveness implications of an annuity model for licensing Microsoft Windows 2000, which considers the linking of registration information with cookies and other identifiers.

Our news page contains both coverage on this story and background on Microsoft's inglorious record on privacy.

In September 2000 NTBUGTRAQ warned of a method by which web sites could extract MSIDs from users, as well as achieving the functionality of third-party cookies with regular cookies.



Privacy Advisory on Microsoft Hardware IDs


As with all of our web site, this information is believed to be correct at the time of publication, but no responsibility is assumed for its accuracy or completeness; readers should make their own enquiries to check any details that are important to them.

Problem

Several problems arise from the combination of various defects in Microsoft's software and deliberate features in their software and systems.

  1. Files produced by several popular Microsoft applications programs include a fingerprint or tattoo of an identifier called a GUID or Globally Unique Identifier. If the computer that produced the file has an Ethernet card, its number can be extracted, and the GUID uniquely identifies the card and thereby the computer. If the computer does not have an Ethernet card, a dummy address is used, and the GUID is not traceable.
  2. An identifier (called the MSID by Microsoft) containing the Ethernet address is sometimes sent when a user registers using Microsoft's Registration Wizard, thus associating it with the user's real-world identity.
  3. The MSID is then set as a cookie on the user's hard drive, and is transmitted to Microsoft whenever the user visits a microsoft.com web site.
This combination of information opens a wide range of possibilities for transactions and documents to be associated with an unwitting individual, particularly by Microsoft or anyone supplied with identifying information by Microsoft. Some examples are discussed below.
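
The extraction described in point 1, turned into a self-audit, as an added example that is not part of the original advisory and not Microsoft's code: it scans your own files for textual GUIDs, pulls the Ethernet address out of version-1 values, and lists which files expose the same address. It assumes the GUID is stored as text (ASCII or UTF-16LE) and treats a node with the multicast bit set as the "dummy" case, following the RFC 4122 convention; the file names and GUID values are constructed.

```python
"""Audit files for embedded version-1 GUIDs that expose an Ethernet address.

Added example, not code from the advisory. Assumption: the GUID is stored
in textual form (ASCII or UTF-16LE); a binary-packed GUID is not detected.
"""
import re
import uuid
from collections import defaultdict


def _guid_pattern(wide: bool) -> "re.Pattern[bytes]":
    """Regex for 8-4-4-4-12 hex text; wide=True matches UTF-16LE bytes."""
    # In UTF-16LE every ASCII character is followed by a NUL byte.
    nul = rb"\x00" if wide else b""
    hexdigit = b"[0-9A-Fa-f]" + nul
    dash = b"-" + nul
    return re.compile(
        dash.join(b"(?:%s){%d}" % (hexdigit, n) for n in (8, 4, 4, 4, 12))
    )


_PATTERNS = (_guid_pattern(wide=False), _guid_pattern(wide=True))


def classify(guid_text: str) -> dict:
    """Report what one GUID reveals about the machine that generated it."""
    u = uuid.UUID(guid_text)
    finding = {"guid": str(u), "version": u.version, "mac": None,
               "traceable": False}
    # Only version-1 (time-based) values carry a node field in the last
    # 48 bits; other versions fill those bits with random or hashed data.
    if u.variant == uuid.RFC_4122 and u.version == 1:
        octets = u.node.to_bytes(6, "big")
        finding["mac"] = ":".join(f"{b:02x}" for b in octets)
        # RFC 4122 convention (assumed here for the "dummy address" case):
        # a generator without a network card sets the multicast bit, which
        # never appears in a card's own address.
        finding["traceable"] = not (octets[0] & 0x01)
    return finding


def scan_bytes(data: bytes) -> list:
    """Return one finding per distinct GUID found in a file's bytes."""
    seen, findings = set(), []
    for pattern in _PATTERNS:
        for match in pattern.finditer(data):
            text = match.group().replace(b"\x00", b"").decode("ascii")
            finding = classify(text)
            if finding["guid"] not in seen:
                seen.add(finding["guid"])
                findings.append(finding)
    return findings


def exposed_addresses(files: dict) -> dict:
    """Map each traceable Ethernet address to the files that carry it."""
    by_mac = defaultdict(list)
    for name, data in files.items():
        macs = {f["mac"] for f in scan_bytes(data) if f["traceable"]}
        for mac in sorted(macs):
            by_mac[mac].append(name)
    return dict(by_mac)


# Constructed sample data (not real documents). 00:00:5e:00:53:xx is the
# IANA range reserved for documentation MAC addresses.
REAL_NIC = "{3F2504E0-4F89-11D3-9A0C-00005E005301}"   # v1, card address
DUMMY_NIC = "{7C9E6679-7425-11D3-9A0C-F3931A4C2207}"  # v1, multicast bit set
RANDOM_V4 = "{9B2C1D7E-5A3F-4C21-8E6D-0123456789AB}"  # v4, no node field

SAMPLE_FILES = {
    "invitation.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 8
                      + REAL_NIC.encode("utf-16-le") + b"\x00\x00 party",
    "letter.doc": b"header "
                  + b"{5A1B0C22-9D10-11D3-9A0C-00005E005301}" + b" body",
    "memo.doc": DUMMY_NIC.encode("utf-16-le") + RANDOM_V4.encode("ascii"),
}

if __name__ == "__main__":
    for mac, names in exposed_addresses(SAMPLE_FILES).items():
        print(f"{mac} is exposed by: {', '.join(names)}")
```

Run it over the files you intend to share; any address it prints is one a recipient could compare against your network card.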

Platforms

The extent of the fingerprinting is not currently known with certainty (hence our first demand below). The New York Times article 3/3 specifically mentions Word and Excel programs. In another report a Microsoft representative mentioned PowerPoint. Other programs in the MS Office suite are presumed to be affected. Other sources suggest that MS Office products on Macs are also affected. [Macintouch article] [Your Mac Article] [Usenet Post] All Macs have Ethernet cards. PCs without Ethernet cards are not affected. According to the New York Times article 3/6 Windows 98 programs are affected. It was previously reported here and elsewhere that Windows 95 registration wizard does not have the secret transmission of the GUID, but it was later reported that Word 97 will put GUIDs in documents regardless of the OS: Win95, Win98, and WinNT. We have reports that Microsoft Visual C++ fingerprints files, as well as ActiveX applications. Users of Office 2000 in certain markets where registration has been compelled by Microsoft since December 1998 are likely to be affected: although there is an option for anonymous registration, most people would have identified themselves in some way in order to receive the necessary authentication code back from Microsoft. The markets where compulsory registration was introduced include the US and Canadian academic markets and all markets in Australia, Brazil, and New Zealand. Until Microsoft discloses details it is difficult to determine the extent of the problem, but currently it seems likely to affect tens of millions of people. This was extended in Windows 2000. (2000/2/11) [Wired]

Risk Assessment

The problems raise a variety of risks concerning the association of transactions and documents with an unwitting individual. Here are a few scenarios given as examples.

  1. Scenario 0: A government investigator wants to collect evidence on a suspect. He seizes the suspect's PC, obtains the Ethernet number, then subpoenas other organizations for all documents containing a matching fingerprint. Finding these is a completely automated process and a simple program could be written to scan hard drives of PCs or servers and report matching documents. This is not only a privacy risk, it is a corporate liability issue.
  2. Scenario 1: Diana registers a product with Microsoft, giving her name and address over a Web form. Microsoft associates this name in a database with Diana's hardware identifier. Microsoft and anyone who has access to the information in this database can then associate files created by Diana with her. Microsoft has an economic incentive to engage in this kind of intrusive activity to look for evidence of violations of its copyright.
  3. Scenario 2: George finds an embarrassing MS Word document that he believes his coworker Fiona wrote, but Fiona carefully omitted any reference to herself and deleted all copies of the document from her PC because she knows that George has access to it. George obtains the hardware identifier from Fiona's PC, finds it is identical to the one in the MS Word document, thereby obtaining evidence that the document was authored by Fiona. Unless Fiona was aware of the fingerprinting feature, she would not expect this to be possible.
  4. Scenario 3: Similar to the previous scenario, except that Fiona is aware of the fingerprinting feature and erases the PC's entire hard drive before George gets to it. Unfortunately this isn't sufficient, because the PC contains an Ethernet card, from which George can obtain a number that links the PC to the fingerprint.
  5. Scenario 4: Alice uses MS Word to author an invitation to her birthday party and emails it to Brian and Charles. Alice also writes a private letter to Charles that she does not want associated with her for fear that Brian will obtain a copy, so she gives it to Charles on a diskette and omits her name from the document. Brian does obtain a copy. By extracting the fingerprints from the two documents, Brian can infer that the private letter was authored by Alice.

Recommendations for consumers


  1. Seek alternatives to the affected Microsoft programs, such as old versions or competing products.

    Junkbusters is not currently calling for a boycott of Microsoft products because Microsoft says it is changing its practices and it claims that the damage it has done to people's privacy was not willful. Given their inglorious history on privacy and the credibility gap demonstrated in the trial against the Department of Justice, we have to question the sincerity of Microsoft's statements. Even independent analysts have expressed scepticism. This suspicion is one reason we have issued a set of demands below, but for now we are waiting to see how they respond before taking additional steps.

    Consumers may want to protect themselves from other instances of Microsoft putting their privacy at risk, by considering other software suppliers. Platforms such as GNU/Linux that have free, open source code are not likely to contain this kind of unpleasant surprise.

  2. Check Microsoft's Web sites for patches to the Win98 RegWiz and Office 97 and a utility to remove the fingerprints. Microsoft published it around 18 March at http://officeupdate.microsoft.com but it appears to require registration, which doesn't help assuage the suspicious.
  3. If you have not yet disclosed your identity to Microsoft in a registration process, avoid doing so. If you must register a product, do so as anonymously as possible. Avoid using a throwaway Hotmail account or WebTV browser to do so, since they are owned by Microsoft and your identity might conceivably be inferred.
  4. If you have disclosed your identity to Microsoft:
    1. Stop cookies that might contain identifying hardware information from being transmitted to Microsoft when you visit one of their web sites.
    2. Consider the possibilities and consequences of your identity being associated with any files produced by a program that adds fingerprints to files.
    3. Consider sending a letter such as the following to Microsoft:
      I was distressed to learn that certain Microsoft programs secretly place in their files a "hardware identifier" that Microsoft (You) may associate with Me. I regard such identifiers as dangerous, sensitive, confidential, and belonging to Me. I demand that You not disclose such associations to others and that You immediately destroy all record of such identifiers under your control or influence. I consider that You obtained them improperly, and I find this conduct disgraceful. Please reply indicating Your commitment to do this and inform Me of the procedures for correcting the defects in Your software and affected files.
      In a NY Times article 3/6 Microsoft said it would modify the feature and would ``look through the company's data bases and expunge information that had been improperly collected as a result of earlier versions.'' This seems to address Demands 3 and 6 below, but an individual assurance is stronger. Our automatic letter-drafter will be expanded to include this letter.

The implications of Ethernet addresses in cookies

Microsoft has been placing the Ethernet address of the PC as cookies on some users' browsers. Given that these cookies are transmitted to Microsoft's servers every time that a consumer visits a Microsoft Web site, it will not be sufficient for Microsoft to destroy merely the original registration information (which they have already indicated will be done). It will be necessary for Web servers to issue new "Set-cookie" instructions to consumers' browsers when they visit, overwriting the old cookies with new ones that do not contain the Ethernet address. If Microsoft intends to replace the old cookie with anything but a "null" cookie that is the same for everybody, the consumer's affirmative permission should be sought, and the consumer should be informed of the GUID fingerprint and its risks. Care will be needed to ensure that no chain of inferences can be made that allows Microsoft to unfairly track the user. This example really underscores the need for an independent auditor to oversee the cleanup task, one of our demands below.



Reference and source material


Sources

Here are the sources for the assertions in the statement of the problem above.

Points 1 & 2 come from a NY Times article 3/3, Page A1, reporting the findings of Richard M. Smith of Phar Lap Software, Inc.

Points 3 & 4 come from Microsoft's privacy policy which states:

``In creating a new profile or updating an existing one, we obtain your hardware identification number from the registry on your computer's hard drive... We then send a small bit of code back to your hard drive.''
The latter is presumably a cookie, since it is described gushingly as ``your passport to seamless travel across microsoft.com,'' which implies Web browsing.

A Microsoft product manager told CNNfn that the bug would be fixed in an update expected to be released over the summer. We consider this far too slow.

More reference material


  1. The first open letter 3/8 from Microsoft
  2. The second open letter (which was modified on March 11, substantially changing the paragraph discussed in ZD Net News).
  3. Phar Lap Software's Windows 98 RegWiz privacy leak demo page
  4. CMP's Windows Magazine published a Microsoft RegWiz (no-)Privacy Demo and instructions for Disabling Microsoft RegWiz.
  5. Microsoft's ``Office Update on Microsoft, Office 97, and Privacy''
  6. A software application called Guideon to remove GUIDs was published very promptly by an independent company [our usual disclaimer]
  7. Microsoft's announcement of its ``security enhancement'' for Registration Wizard
  8. Microsoft's page explaining cookies, which (perhaps as late as March 11) said of a cookie, ``It doesn't tell us who you are, or your email address or anything else personal.'' Maybe it did.
  9. The original Usenet post by Richard M. Smith.
  10. The novel Ulterior Motive by former Microsoft employee Daniel Oran
  11. Macintouch's page of illustrations of Office 98 security breaches
  12. Microsoft's FAQ on the Windows registration bug
  13. Microsoft Specifications on the GUID
  14. Discussion on Slashdot
  15. The Sydney Morning Herald on Office 2000 Registration Wizard (Dec 98)
  16. Woody's Office Watch on Office 2000 Registration Wizard: (1) (2) (3) (4)
  17. Story by TechWeb where an analyst expresses skepticism of Microsoft's claims.
  18. The Australian Financial Review's skeptical view
  19. Report from AP on Microsoft's publication of patching software
  20. How it was revealed that Microsoft's annual report was produced on a Macintosh.
  21. Columnist James Derk wonders if he's ``been listening to President Clinton's deposition too much, but it's hard to believe Microsoft's position...''

1999/3/12 Letter to TRUSTe

As first reported by Wired News, Junkbusters wrote the following letters to TRUSTe.

I write to ask for information on TRUSTe's position on recent privacy incidents at Microsoft. As I'm sure you are aware from news reports, Microsoft's products and procedures have revealed personally identifiable information inappropriately and in some cases contrary to representations made by Microsoft to the consumer. The company claimed these were inadvertent errors, and has announced several measures they intend to take to fix them. A list of Junkbusters' demands appears in http://www.junkbusters.com/microsoft.html#demands
Microsoft have addressed some but not all of them.

The demand that is most relevant to TRUSTe is the need for an independent auditor to supervise the destruction of the illicitly-collected information, and to check the company's information practices for other threats to privacy. Microsoft have told me early in the week they would consider this, but have not yet committed to it. Independent audit has long been a component of TRUSTe's program, so this case raises an important question: will TRUSTe require independent audit to verify the compliance of a company's stated repairs to a known defect? One of the long-standing complaints against the DMA's procedures is that as soon as a company says they will cease a questionable practice, the DMA ceases to consider complaints against them. Independent audit is an illusive protection if it is not invoked, even in a case where dangers have already been identified and the effectiveness and sincerity of the company's efforts to protect privacy must be called into question.

I note that Microsoft, which is a sponsor of TRUSTe, is listed in the list of licensees as microsoft.com. Does this indicate that the company as a whole is not subject to TRUSTe's licensing terms, merely the web sites it operates?

I hope that TRUSTe will respond with statements of both its general policy and its specific intentions for this case.

Jason Catlett

The following reply was received the same day from TRUSTe.
Your letter raises serious questions about privacy practices and, under the terms of the TRUSTe license agreement with Microsoft, will trigger an investigation into the matter.

As you know, TRUSTe licensees all agree to such audits when complaints are raised. Further, should violations of the agreement be uncovered, an escalating series of remedial actions are proscribed.

One question I have on the basis of your letter is whether the possible problem is outside the terms of the licensing agreement. Our mission -- protecting online privacy rights -- is web-centric.

Thank you for your alerting me and we will get back to you within five business days.

On Monday March 22 TRUSTe posted their report, which states that although they believe Microsoft did ``compromise consumer trust and privacy,'' they did not breach TRUSTe's licensing agreement. Consequently TRUSTe did not require any third-party audit, nor did it impose any penalty beyond this verbal rebuke. For media reports on this see our News page.

Junkbusters promptly asked the FTC to investigate Microsoft.

Letter to FTC March 22, 1999

Dear Chairman Pitofsky

This letter requests the Commission to use its investigative powers to assess whether Microsoft Corporation has acted unfairly or deceptively in recently publicized cases where its application software appears to have been programmed in a manner harmful to consumer privacy and inconsistent with representations made to the consumer.

The incidents are complex, and are documented at http://www.junkbusters.com/microsoft.html on our Web site, but I will attempt to summarize the key points here.

  1. Microsoft's Registration Wizard, a PC software application that collects personally identifying information, has in some cases transmitted a unique number derived from the PC hardware (hereafter called a GUID or identifier). PCs have been thus identified even in cases when the consumer indicated through the interface that she did not want hardware information to be transmitted.
  2. The identifier has in some cases been inserted as a ``cookie'' on the user's browser, so that each time the user visits a Microsoft web site, the browser is identified, and can be linked with the person who registered.
  3. Documents created by Office 98 applications including Microsoft Word contain the identifier in a generally invisible but consistent location. The identifier could be used by Microsoft or others to identify the author of a document even when the author presumed the document contained no such link. I estimate the number of documents affected to be at least in the tens of millions, and probably in the billions.

Press reports say that Microsoft claimed to have been unaware of any of these features for the several months they have been active, until they were recently brought to public attention in front-page stories in the New York Times and other publications. The credibility of this claim has been questioned by independent industry analysts and media commentators. The programmer who discovered what Microsoft called a ``bug'' rebutted this claim, saying he believes it was deliberate. Microsoft has stated that they will remove the features, discontinue the practices, and destroy all the data that was collected inappropriately. While these undertakings are welcome, I believe that consumers should not have to rely on Microsoft's statements and actions to ensure that their privacy has been adequately protected, particularly when the sincerity of its statements is in doubt.

Hoping to resolve such doubts, Junkbusters and other privacy groups called on Microsoft two weeks ago to ``Engage a major firm of independent auditors experienced in privacy consulting (such as PriceWaterhouseCoopers or Ernst and Young) to perform a comprehensive investigation into Microsoft's information practices (including the question of what records of the GUIDs were collected and whether they have been expunged), under the direction of and reporting to a board including representatives of the Federal Trade Commission, other governmental entities concerned with privacy, and consumer and privacy groups.'' Although frequent discussions with Microsoft officials have since resolved many other concerns, I have not detected the slightest enthusiasm for an independent audit.

As you are undoubtedly aware, auditing is one of the mechanisms advertised by the seal organization TRUSTe as part of its enforcement program. Eager to test out this shining new machinery of self-regulation, I wrote to TRUSTe on March 12 asking whether they intended to require an audit. I would also have asked the same of the rival BBBOnline, but despite Microsoft's statement on their privacy Web page that they have a "relationship" with the Better Business Bureau, Microsoft was not a licensee of the BBBOnline privacy program as of March 19, so I was unable to pursue this avenue.

Today I received word that ``TRUSTe has determined that Microsoft has not violated its TRUSTe license...'' but that ``it did, in TRUSTe's opinion, compromise consumer trust and privacy.'' TRUSTe did not undertake to invoke a third-party audit, nor to impose any penalty beyond this verbal rebuke. This is disappointing, but not unexpected by privacy advocates who some time ago concluded that self-regulation is constitutionally ineffective, and any threat of consequences for violations is illusive. I hope that the Commission will take notice of this example in its current deliberations on the public policy question of whether consumers should be granted statutory privacy rights.

Accordingly, following the failure of appeals to Microsoft and the seal programs, I hereby request that the Commission investigate whether Microsoft has acted unfairly or deceptively in the matters enumerated above, and make public information that it deems to be in the public interest, in accordance with 15 C.F.R. §2.46 (f).

I would point out that the practices may fit the FTC Act's criterion of being ``likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or competition.'' Unintended location and identification of documents and individuals can clearly have substantial injurious consequences. Such injury is not reasonably avoided by consumers who are unaware of the feature. Microsoft has claimed that the features are not being used, so there appears to be no countervailing benefit at issue. History may judge that the insertion of secret identifiers into documents was the Internet-era equivalent of inserting sample razor blades into Sunday newspapers.

I would also suggest that the Commission consider whether Microsoft's public statements regarding the incidents contained false claims or were otherwise deceptive. To pick one example, I objected to the following statement persistently and strenuously, both to Microsoft directly and in the media.

``There is no way to identify the originator of an Office 97 document by examining the unique number generated for that document without intimate knowledge of the originating PC network configuration, which is available only to the owner of that machine.''

The fundamental point about the Office incident is that information about the originating PC is made available to anyone who has access to an Office document created on it. I remain at a loss to understand the basis on which Microsoft could have made the statement quoted above. The statement was eventually changed substantially, but a large number of consumers may have been misled by it, as it was included in Microsoft's open letter about the incidents, linked off the microsoft.com home page.

There are two key questions that might also be addressed by an investigation. Has Microsoft effectively completed the corrective measures they stated they would perform (such as the destruction of the improperly collected information), and are these measures adequate to protect consumers from the possible privacy risks to which Microsoft has exposed them? In particular, Junkbusters and other privacy groups have asked Microsoft to contact each registered customer and explain the risks and remedies available, but we have received no undertaking from them to do this. This entreaty is repeated in a letter today to Microsoft COO Mr Robert Herbold (copy attached).

The requests in this letter are limited in scope and intent. In contrast to our letter of February 22 concerning Intel's PSN, this is not related to a boycott campaign. None of these requests is based on the Commission's powers concerning anti-trust. This letter does not propose any remedy nor is it a petition for relief; it merely asks the Commission to investigate and report to the public. I plan to continue working with privacy and consumer groups on this issue; I may join them in requesting a meeting with FTC staff after you have had time to consider this request. If you have any questions, or would like to initiate a meeting, I would be pleased to hear from you or any of your staff.

Very respectfully

Jason Catlett

Letter to Microsoft 2/22

To: Robert J. Herbold, Executive Vice President and Chief Operating Officer, Microsoft Corporation

Dear Mr Herbold

This open letter notifies you of our request to the Federal Trade Commission to investigate whether Microsoft has acted unfairly and deceptively in recent privacy incidents, states the reasons for this request, and calls on Microsoft to act voluntarily to relieve the concerns that led to that request, with four specific direct actions.

First let me explain why I have addressed this letter to you. About a year ago I was struck by your public statement that "Privacy is not a product differentiator; it is a fundamental right for Internet consumers." This sentiment is closer to the view of most advocates that privacy should be treated as a fundamental human right, as opposed to many people in business who would prefer to consider it as a commodity and its policy questions as a trade issue. Beyond policy, your role as Chief Operating Officer indicates that you are responsible for the company's information practices. As you may know, I have been working with Microsoft staff on privacy issues for some time (and intensively of late), and appreciate their diligence in promptly responding to my many phone calls and emails, despite the very considerable workload they must be under from many other constituencies. They have already addressed many of the issues quickly and thoroughly. However, four major issues remain unresolved, and it seems these will only be answered from the highest level of the company. That is why I am bringing them to your attention specifically and formally.

  1. An independent audit of Microsoft's information practices is needed. As I say in the attached letter to FTC Chairman Pitofsky, consumers should not have to rely on Microsoft's statements and actions to ensure that their privacy has been adequately protected. Justice must not only be done, it must be seen to be done. It would go a considerable distance towards repairing trust if Microsoft were to instigate voluntarily an independent privacy audit of the kind that Junkbusters and other privacy groups called for two weeks ago. Please let us know whether you intend to do this.
  2. Some other important demands made at that time (available at http://www.junkbusters.com/microsoft.html#demands on the Web) have not been addressed. Chief among these are clear and conspicuous notice to consumers of the defect, and contacting every individual who has registered with Microsoft and might be using an affected product to inform them of remedies. Please either indicate whether this will be done, or why you consider the steps unnecessary.
  3. Microsoft should also announce a commitment to Fair Information Practices in the sense of the 1980 OECD guidelines. Junkbusters and other privacy groups called for this in April 1998 and again in November, but we have had no response from Microsoft on it. The importance of this point has been increased by this incident and by recent reports that some multinational companies are resisting the Department of Commerce's ``safe harbor'' proposal to raise the standards of privacy provided to non-U.S. customers toward prevailing international levels. As you know, Microsoft is already legally required to protect the privacy of its European customers to levels arguably higher than the OECD guidelines. I hope that Microsoft is not planning to treat Americans as second-class citizens in their own country. The New York Times reported July 24, 1995 that the Microsoft Network (MSN) announced it would operate under the European Union's strong privacy standards, even for users in the US. I ask that you affirm such a commitment for msn.com, other Microsoft properties, and the company as a whole. If you consider such a commitment unwarranted, please state why.
  4. Please indicate whether Microsoft supports legally enforceable privacy rights for Americans, requiring companies to treat personal information fairly in the sense of the OECD guidelines. If you believe that privacy is a fundamental right, surely you would agree that that right must be guaranteed by law. (A right without legal status is hardly much of a right.) If you do not believe Americans should have such rights, please state why.

Please don't misinterpret the very limited intent and scope of the request to the FTC, which is stressed in the conclusion of that letter. If you contrast this with the campaign currently being waged against Intel (featuring a consumer boycott, a petition to the FTC to enjoin shipment of product, and a call to mutual funds to divest holdings), I hope that you will see the proportionality with Microsoft's position. If the escalation from an inquiry of TRUSTe to a call to the FTC to investigate for unfairness and deception seems a large step, that is because no intermediate action appeared available under the current regime of privacy protection in the US, where privacy has generally been placed as an afterthought under the umbrella of trade practices. In other countries intermediate and more specific steps are available, as last week's complaint against Microsoft by a Swedish citizen to his country's Data Inspectorate illustrates. Our limited escalation reflects my hope that Microsoft will respond to the issues raised by privacy advocates that so far remain unaddressed. I hope that you will reply on all four points listed above, but please don't wait until you can answer all of them before responding to any one as soon as you are able.

Sincerely

Jason Catlett



Junkbusters' demands to Microsoft


In order to mitigate the damage done by the GUID defect, Microsoft must commit to the following. Our understanding of their current commitment is [given in bracketed italics] after each demand. The first six demands were posted early March 7; the seventh was added March 8.
  1. Publish and widely publicize details of how the hardware identifier fingerprinting works, and which products are affected. [Not completed. In an email 3/13 we were told that Mac versions of Office products are affected, and that patches would be announced 3/14.]
  2. Publish and widely publicize free software that removes the identifier from affected files. [They quickly announced they would produce the software, and published it around 18 March; however, it remains to be seen whether they widely publicize it. Also, it seems necessary to register with Microsoft to obtain the software; this should not be required.]
  3. As quickly as possible, build and release as standard new versions of the affected products that do not include the identifiers. [They have said they will do this in the next release, apparently not until the summer. This is too slow.]
  4. Either cease all shipments of the defective software (from itself and its distributors), or place clear and conspicuous notice of the defect on all old product that ships, warning the consumer of the risks and indicating where corrected versions are either currently available or will be made available. PC manufacturers should be involved to have the notice included as quickly as possible. [They have said nothing on this point.]
  5. In so far as reasonably possible, contact every individual who has registered with Microsoft who might be using an affected product, and
    1. inform them of the fingerprinting and its risks, and
    2. offer a free replacement of all software for its new version.
    [In conference calls in March they told Junkbusters they are considering an email alert. But comments in the press and subsequent inaction suggest that they will not do it.]
  6. Destroy all information under Microsoft's control or influence that concerns individuals' hardware identifiers, unless the specific, fully informed, uncoerced, affirmative consent of the individual concerned is obtained to maintain the information. (This includes such information stored as cookies on the user's hard drive.) [They have said they will do this, both for the databases collected and more recently for cookies containing MSIDs.]
  7. Engage a major firm of independent auditors experienced in privacy consulting (such as PriceWaterhouseCoopers or Ernst and Young) to perform a comprehensive investigation into Microsoft's information practices (including the question of what records of the GUIDs were collected and whether they have been expunged), under the direction of and reporting to a board including representatives of the Federal Trade Commission, other governmental entities concerned with privacy, and consumer and privacy groups. [No public statement on this. In phone conversations they said they would consider it. On 3/12 we asked TRUSTe what they would do (see above).]
We may add to these demands as new risks are discovered. Private Citizen Inc. and Privacy International have already indicated they support the demands above. (The ability to anonymously author and distribute documents is sometimes of the gravest importance to people living under oppressive governments hostile to human rights.) Junkbusters plans to alert other consumer and privacy groups and seek their support.

Since these demands have not been met in full, Junkbusters has begun a campaign to pressure Microsoft to do so. The first act was a request to the FTC to investigate whether Microsoft's actions have been unfair or deceptive under the terms of Section 5 of the Federal Trade Commission Act.

This incident underlines the importance of the adoption of fair information practices (FIPs) by Microsoft and other companies. About a year ago privacy advocates joined in in December 1998 they again criticized Microsoft for failing to become FIP-compliant. On March 4 Junkbusters issued another press release alerting consumers to the dangers of Microsoft's unfair information practices. In this press release and on several subsequent occasions we have asked Microsoft whether Windows 98 reads or stores the Processor Serial Number on Pentium III systems. We have received no reply.



Copyright © 1996-2005 Guidescope Inc ®. Copying and distribution permitted under the GNU General Public License. 2005/01/15 http://www.junkbusters.com/microsoft.html