A few days ago, Joel Spolsky wrote a piece, entitled Does Issuing Passports Make Microsoft a Country?, that expressed a deep-set fear in Microsoft’s Passport. I’ll leave you to read the piece, rather than of summarizing it here; instead, I’ll just present the problems that I have with his arguments.
Simplified Cookie Explanation
I’ll start with a minor problem, just to get it out of the way. Joel presents an explanation of cookies that is extremely simplified, and tries to make the technology sound like it’s impossible for a website to store more than a unique identifier on your computer. This isn’t true, though — most websites store simply an identifier in their cookie because it’s more efficient, not because it’s all they can do. Cookies merely store variable names and the data for those variables, and that data can be anything the website wants it to be (so long as it’s under 4096 bytes in size times 20 cookies per domain). Most websites choose to use a single variable, which contains a unique identifier, because they can then house kilobytes upon megabytes of data on you in a database on their end, with no limitation on size and no security problem while the data’s flinging around the net with every single HTTP transaction you make against the server.
(Two good cookie references are Cookie Central and Netscape’s cookie implemetation page. And note that I bring this problem up only because Joel’s definition of cookies plays into his big-picture argument against Microsoft, namely that they are thwarting this mild-mannered, innocuous technology through devilish back-end tricks.)
Toysmart.com False Alarm
Another minor problem I have is Joel’s use of the recent Toysmart.com hoo-hah as an example of privacy rights gone wronged. While fears and objections were well-aimed early on, when the failed dot-com floated the idea of selling their customer list, it’s been very well-publicized that the FTC and a majority of state Attorney Generals nipped that attempt in the bud. I’m not sure what this example gains for Joel’s argument.
Browser-Based vs. Backend-Based
My big problem with the article, though, is that Joel’s implication that Microsoft is misusing browser technology completely ignores the fact that they could just as easily implement their data-sharing entirely on the back-end, without anyone being the wiser. Every major website page these days is generated by scripts, back-end procedures, and databases; Microsoft could use network connectivity between their various websites and intelligent scripting to provide the same functionality, and do so without breaking a sweat.
Picture a small slice of the current MS-owned website pie — Expedia and Investor. Now imagine that both of these websites are implemented such that they set their own individual cookies, not some master Passport cookie. Follow along with my (purely hypothetical) data exchange.
First, you go and log into Expedia. After you type in your username and password and click on the Log In button, the Expedia webserver contacts the master Passport database to validate your credentials. They check out, so the database sends back to the webserver your unique Passport identifier (say, “JASON12345”), and the webserver then sends that back to your browser in the form of a cookie, a cookie that’s specific to expedia.com, not to passport.com.
Next, you check out flights to Las Vegas… and Expedia sends that information to the master Passport database. You look at prices on cruises to the Carribean… and again, Expedia sends that information to the master Passport database. Everything that you do gets tracked, just like almost every e-commerce website worth its chops does today, but in addition, this information is all sent along to the master Passport database by the backend webserver, with no browser hijinks necessary.
Once done with Expedia, you trek on over to Investor. You type in your login information, and after clicking the “Log On” button, the Investor website contacts the master Passport database to validate your credentials. Once validated, the database sends the webserver your unique identifier (again, “JASON12345”), and the webserver sends that back to your browser in the form of a cookie, this one specific to investor.com.
This time, though, the Investor webserver also queries the master Passport database about your habits when you were on Expedia. It sees that you were interested in Las Vegas flights, so it assumes (perhaps incorrectly) that you aren’t averse to risk; when it returns the Investor home page to you, there are a few links to high-risk investment opportunities that wouldn’t be there for other customers. It sees that you’re interested in cruises, so it throws up a banner ad for a specialty cruise which will feature barons of finance and seminars on investing. And all of this happens in the microseconds after you click on the “Log On” button, all without the need for browser redirects or cookie tricks.
Why Implement Things the Way Microsoft Did?
I’m partly surprised that Microsoft didn’t implement Passport this way, but I think that I understand what my arguments would be if I were part of the Passport engineering group. I’d imagine that, given Microsoft’s ability to do what they want no matter how the browser’s implemented, consumers would rather not have to log into and out of every single subsite of a major website group. There’s something powerful about being able to log into Expedia, HotMail, Investor, CarPoint, and all the other MSN sites with a single click; it’s like being able to shop at all two hundred stores in the mall while only having to park the car once. (Interestingly, Joel even points out how painful it is to keep track of all the website logins and passwords that we all have these days, with which I don’t think anyone would argue.)
Also, though, Microsoft isn’t doing anything that Yahoo or the Go Network aren’t also doing. Yahoo has chosen to keep the yahoo.com domain name on all of their various subsites, so they don’t even have to resort to browser redirects to get cookies across sites. The Go Network uses redirects very early on to be able to share their cookies; going to http://www.espn.com/ redirects you to http://espn.go.com/ instantly, just as http://www.abc.com/ redirects you to http://abc.go.com/. And of course, their shopping and finance sites have go.com domain names, so again, cookie sharing is a breeze.
What’s My Point?
I guess that I don’t know what this whole controversy is about. Joel seems upset that Microsoft redirects you twice, but I wonder if he’d be upset if going to http://www.expedia.com/ redirected you to http://expedia.msn.com/, and Microsoft implemented cookie sharing that way. That’s how all the other major e-commerce players are doing it, and I’ve never seen an article about that, nor would I expect to.
The bottom line is that it’s still a web surfer’s job to understand what it is he or she is doing. If you’re scared about data sharing between websites, don’t frequent those websites. It’s not like Microsoft is hiding the fact that Investor and Expedia are part of the MSN empire, just like the Go Network isn’t trying to cloak their involvement in ESPN.com. But don’t invent nefarious plots and schemes to justify your fears; there are enough real bad neighbors out there on the Internet, and they’re much more worth our time and venom.
As someone who implemented one of the first external sites using Passport, there is even more that I think people should know about Passport. First, much of the original functionality of Passport was part of Microsoft Wallet — an ActiveX control that stored all data client-side encrypted. This was sometimes criticized as being proprietary, since netscape never did support ActiveX. So, the newer Passport uses technology first developed at Firefly to store information server-side. This has other benefits, especially as people use more mobile devices. The best way to really ensure this data is safe is to use public key encryption schemes in conjunction with smartcards to allow only people who have specific privileges to see your data. The protocols and technology for this are currently being specified, and nobody is pushing harder than Microsoft to make this a reality. In the future, yes your data will be stored centrally, but there it will be encrypted so that it cannot even be read by the place storing that information.
• Posted by: Joshua Allen on Jul 29, 2000, 1:51 AMOnce done with Expedia, you trek on over to Investor. You type in your login information, and after clicking the “Log On” button, the Investor website contacts the master Passport database to validate your credentials. Once validated, the database sends the webserver your unique identifier (again, “JASON12345”), and the webserver sends that back to your browser in the form of a cookie, this one specific to investor.com.
I’d appreciate a little more detail on this part, please. How does investor.com *know* to give you that same unique identifier?
If cookies worked the way you describe, you’re right, Joel wouldn’t have an issue. But there isn’t any way for investor.com to know, in the scenario that you gave above, that you’re the same person—that’s why cookies are secure in 99% of situations.
Dori
• Posted by: Dori Smith on Jul 29, 2000, 2:06 AMBackup Brain
How does investor.com *know* to give you that same unique identifier?
Because Investor.com would be validating your login against the same back-end authentication database as Expedia.com did, namely the Passport database. And that database has your name, password, and a single unique identifier (along with everything else that Microsoft wants to store about you, like shipping address, credit card info, past orders, etc.).
So, so long as you use the same username and password at each site, when each MSN site authenticates against the database, they each would receive the same unique identifier back; each site would then pass that identifier back to your browser in the form of a cookie.
Note that the hypothetical that I’ve described doesn’t exploit any functionality of cookies other than their most basic, that of storing a single variable for a single domain. Everything tricky, complex, or collaborative is done on the back-end, with dynamic pages that are generated after querying centralized resources like a single authentication database and a single customer tracking database.
That’s the beauty of implementing stuff like this on the backend — I can set up whatever centralized resources I want to (authentication databases, product catalogs, inventory systems, credit card transaction engines, etc.), put in place a pretty easy API to let other front-end systems use these resources, and then the barrier to creating a new front-end storefront or service website is tremendously lower.
/jason
• Posted by: Jason Levine on Jul 29, 2000, 9:19 AMYou wrote: I guess that I don’t know what this whole controversy is about.
Think ahead. Its a land grab, not just Microsoft sites will be involved and modified in this way, all sites using Microsoft’s web products will be affected. Here’s how:
Microsoft controls not just Passport. They also control FrontPage, arguably the most widespread and popular web site management tool, and a host of web image editing and html insertion tools. How long do you think it’ll take before they come up with “Passport extensions” designed for these tools? All in the name of protecting your privacy, of course…
Yes, they can do all of that with cookies too, there’s nothing MORE nefarious about this way of doing things than other ways. Then why would they be doing it this way? Well, contrary to cookies, this feature is much harder to “turn off” at the user end — e.g. by putting www.passport.com in a disallowed list in their firewall, for example. However if the redirection to www.passport.com doesn’t work then the user couldn’t visit the target site at all.
If they went for the back-end database sharing technique you outlined (very good idea, by the way, for a good example of its implementation visit www.yahoo.com and its subsites) then they’d be limited to Microsoft owned websites.
The only explanation that I can see for going about it this way is to extend Microsoft’s information gathering to unaffiliated sites. If I’m wrong, tell me, of course :)
Jacob
• Posted by: Jacob Levy on Jul 29, 2000, 1:04 PMJosh
You’re throwing out a bunch of smoke and mirrors about how the data is secure. Yeah, sure. So what.
The point of Joel’s article is that Passport gives Microsoft a fool proof way of putting 2 and 2 together when I visit a random site owned by them; they’ll know I am Jacob Levy who visited the Game Zone site at Saturday 1am when I visit Microsoft Money at 12noon. Scary!
It doesn’t stop there. With Microsoft’s stranglehold on the web site management tools, its easy for them to put “Passport extensions” into Frontpage, all justified by the privacy gobbledeegook of the kind you’re spouting, and pull every web site using that tool into the redirection scheme. It’s a land grab..
And in such a world, the privacy measures simply mean that noone *except* Microsoft will be able to read your data. Now I feel safe! Not :) Here’s why:
Microsoft the company will know that I visited Joe’s teen nymphette’s picture site (built with FrontPage of course) when I visit Microsoft Money. It’ll know I visited jobs.oracle.com (if they used FrontPage to build their site) to look if Oracle has interesting openings, so I can be sure I’ll get a phone call from a Microsoft recruiter asking if I’m in the market. And on and on..
Eeeeek!!
Jacob
• Posted by: Jacob Levy on Jul 29, 2000, 1:16 PMA few responses:
First, under their existing implementation, Microsoft could only extend their information gathering to other sites if those sites used Passport logins. If those sites don’t cross-identify you with Passport, then there’s no way for them to link your tracking data on their site with your Passport identity. And if you’re theorizing that future MS browsers will be constantly sending data to Passport even on sites that have no link to Passport, then show me some proof before you throw out that conspiracy theory. (Besides, in this scenario, you could shut off firewall access to Passport.com, since those third-party sites wouldn’t have any functionality that depends on Passport that would break with such a filter in place.)
Second, I find your notion about FrontPage to be scary, in that it’s suggesting something for which you have no proof, merely FUD about Microsoft. No extensions to FrontPage could operate without you knowing about them; likewise, you should never be running server-based software without understanding all of the features that it’s bringing to the table. If they develop an API for Passport that plugs into FrontPage, and you want to implement it in your dynamic sites, then great; if you don’t want to implement it, then don’t.
All of this feels like people freaking out based on theories and rumors. If DeepLeap had done this, people would be heralding it as an amazing innovation on the web. If the opensourcers had come up with this, it would be positioned as something that undercuts the evil empire of Microsoft and allows people to make their own choices, without having to submit to the man.
• Posted by: Jason Levine on Jul 29, 2000, 1:41 PMThe bottom line is that it’s still a web surfer’s job
to understand what it is he or she is doing. If you’re
scared about data sharing between websites, don’t
frequent those websites.
I think the issue is that the offensive tools combined with
conglomeration of businesses on the web will make “those
websites” about all there is.
I didn’t read Joel’s piece as a sole indictment against
Microsoft, just as I thought he started by glossing over
the risk of cookies in general. The interpenetration of
advertiser/trackers with content providers is a big deal,
and beyond the awareness/attention/ability of most web
surfers to keep in check.
For those who really care enough to send (and receive)
the very best, there are personal firewalls and proxy
servers for some damage control. There’s a considerabl
barrier to entry in the path of awareness, understanding
and implementation.
Having the monopoly
supplier of operating systems build user tracking capability
in is cause for concern, in that it will be that much
less accessible for web surfers to detect, understand,
and circumvent, if they wish to.
“Just don’t frequent those websites” is not a
• Posted by: Tom von Alten on Jul 29, 2000, 1:44 PMcogent plan.
The bottom line is that it’s still a web surfer’s job
to understand what it is he or she is doing. If you’re
scared about data sharing between websites, don’t
frequent those websites.
I think the issue is that the offensive tools combined with
conglomeration of businesses on the web will make “those
websites” about all there is.
I didn’t read Joel’s piece as a sole indictment against
Microsoft, just as I thought he started by glossing over
the risk of cookies in general. The interpenetration of
advertiser/trackers with content providers is a big deal,
and beyond the awareness/attention/ability of most web
surfers to keep in check.
For those who really care enough to send (and receive)
the very best, there are personal firewalls and proxy
servers for some damage control. There’s a considerabl
barrier to entry in the path of awareness, understanding
and implementation.
Having the monopoly
supplier of operating systems build user tracking capability
in is cause for concern, in that it will be that much
less accessible for web surfers to detect, understand,
and circumvent, if they wish to.
“Just don’t frequent those websites” is not a
cogent plan.
Tom von Alten
• Posted by: Tom von Alten on Jul 29, 2000, 1:44 PMFt. Boise
Jacob:
I just wanted to answer your FrontPage scenario here, even though I dealt with it under your original message as well.
Please explain exactly how Microsoft will be able to know that I’ve visited a site designed by FrontPage. Give me an exact technical run-down of the communication that will take place between my browser, the FrontPage-designed website, and Microsoft’s nefarious tracking computers (Passport, I’m assuming). I can’t think of how it would happen; I feel like this is more FUD.
/jason
• Posted by: Jason Levine on Jul 29, 2000, 1:54 PMPlease explain exactly how Microsoft will be able to know that I’ve visited a site designed by FrontPage.
Simple.
FrontPage inserts code into the first page (they have such a concept) of a site to do the redirection that currently is done by sites like Microsoft Money. It’s just HTML and JavaScript code, so it can live in any web page.
Suppose you make a site www.mylemonadestand.com with FrontPage and don’t take out the redirection code — after all, you bought FrontPage so you don’t have to edit HTML, right? Now, when I visit your site, I get momentarily redirected to www.passport.com and from there back to www.mylemonadestand.com. If I previously visited another site that also redirected, let’s say Microsoft Money, a cookie was already inserted into my browser from PassPort. Now, during the redirection, that cookie is sent for www.passport.com.
Microsoft now knows (a) I visited Microsoft Money (b) it learns about who uses FrontPage (www.mylemonadestand.com) and (c) it knows that I visited www.mylemonadestand.com. If I registered for an account at Microsoft Money, then (d) Microsoft also knows where I live, what my email is, etc etc etc
This information can also of course be used for innocuous things like building an incremental search engine (b), but (a), (c) and (d) scare me. Too much concentration of power in one place…
Of course they dont have to do this via redirection. It’s possible to do the same thing with one-pixel images too.
• Posted by: Jacob Levy on Jul 29, 2000, 2:15 PMOK, that’s a little more than I can stand. Do you have any proof that Microsoft will do this, or that it’s something that they want to do? Or are you just supposing that the can do it, so that’s enough to make you run scared?
Hell, I can stand at the rooftops and shout that Microsoft is going to steal my baby, but it doesn’t mean that anyone has to listen to me.
Right now, Yahoo has a million ways for you to host data on their network for free. They will store your pictures and files, keep track of your bookmarks, let you share your address book and calendar with other people, let you pay your bills, and even create your own websites, just like FrontPage. And every one of these services comes with a yahoo.com domain name, so they don’t have to do break a sweat to share cookies and tracking data across all of these sites. Are you scared of them, Jacob?
/jason
• Posted by: Jason Levine on Jul 29, 2000, 3:03 PMI dont have any *evidence* that this is going on.
But heck, it makes such a nice conspiracy theory that I couldn’t resist. And it’s *TECHNICALLY* possible.
Jacob
• Posted by: Jacob Levy on Jul 29, 2000, 5:04 PMNo extensions to FrontPage could operate without you knowing about them;
Bah.. And I have a bridge to sell you.
Let’s drop it or agree to disagree.
• Posted by: Jacob Levy on Jul 29, 2000, 5:06 PMso long as you use the same username and password at each site
That’s a big honking “if” right there. I’d like to use the same username on multiple sites, but the ones I like to use have usually already been taken. The chances that I have the same username on two large sites is pretty slim.
And what happens if there’s two people named “John” who both use the password “John”? They’re two different people, so you can’t tie them together in any meaningful way—all you’ve done is made a WAG that these are the same folks.
Sorry; this ain’t the same thing as Joel’s issue at all.
Dori
• Posted by: Dori Smith on Jul 29, 2000, 8:20 PMBackup Brain
No, Dori, in my hypothetical, the same backend username and password database is being shared by all the MSN sites, so there’s no way that there could be two different “dori” users at two different sites. Likewise, if someone named “dori” logged in at Expedia, MS could be damn sure that it’s the same “dori” that logged in at Investor last week, since it’s the same shared username and password database that’s tying the two websites together.
To illustrate:
You go and create an account at Expedia, with the username “dori”. When you click on the “Create Account” button, Expedia’s webserver contacts the master Passport database and checks to see if there’s a “dori”. There isn’t yet, so it creates the account, and you’re logged into Expedia.
Later, you visit Investor, and not knowing that the username and password database is shared, you try to create the “dori” account. Investor’s webserver contacts the same master Passport database to see if there’s already a “dori” — and alas, there is! It’s your account, from when you created it on Expedia; knowing that many users don’t know that the database is shared, Investor notifies you that the account already exists, and perhaps you were the one that created it when you were at a sister website. You then try to log onto Investor with the “dori” account that you created when you were at Expedia, and it works — because it’s the same backend password database, shared between the two websites. And all of the data sharing is going on behind the scenes, at the backend of the two websites.
So, it’s not a “big honking if” — you are easily able to use the same username and password on all the sites, because all of the sites share a single master username and password database. This is exactly like all of Yahoo and the Go Network’s sites, and it’s exactly like the way that Passport is currently implemented except it all takes place on the backend rather than requiring a browser redirect.
Likewise, using different usernames and passwords on all the sites would require effort on your part — you’d have to log out each time you leave a sister site, and then log back in with an alternate username and password when you visit the next site. Imagine doing this all over Yahoo (different username and password for Yahoo Mail, Yahoo Finance, Yahoo Calendar, etc.) — it’d drive most people mad.
Lastly — even if you don’t buy that my hypothetical would allow everything to take place behind the scenes, why isn’t the way that Yahoo and the Go Network currently share cookies across subsites the same thing as Joel’s issue? Hell, Yahoo does something much, much scarier, and has been doing it for a pretty damn long time, yet there’s no hoo-hah over it.
• Posted by: Jason Levine on Jul 29, 2000, 9:55 PMRight now, Yahoo has a million ways for you to host data on their network for free….And every one of these services comes with a yahoo.com domain name, so they don’t have to do break a sweat to share cookies and tracking data across all of these sites. Are you scared of them, Jacob?
Here’s the difference —
1) Yahoo! isn’t a dangerous monopolist like Microsoft and they haven’t been known for various privacy violations in the past (but you clearly don’t like this argument so let’s move on).
2) Yahoo! isn’t trying to get other non-Yahoo! websites to use their system Microsoft is. Don’t believe me? They say “When can I start using Passport on my site?
Now! The Passport wallet and single sign-in services are both available today worldwide, in 11 and 14 languages, respectively.”
3) Yahoo! doesn’t make server software, web page editing software, web browser software or operating systems. If Microsoft were to integrate Passport into these, things could get very sticky very quickly. Why bother to implement your own log-in system for your website? Much easier to click a button and use Passport’s.
I don’t think Joel was trying to point out something that’s currently a problem — he was just trying to warn us about future dangers — and I thing we’re heading towards a very dangerous place.
• Posted by: Aaron Swartz on Jul 30, 2000, 8:53 AMYou’re right, I don’t agree with the “dangerous monopolist” term, but let’s get past that.
To refute your glowing characterization of Yahoo, don’t forget thst it’s a company which has had it’s share of privacy issues:
As for them letting non-Yahoo sites use their web beacons, I believe I dealt with that in response to your other message. The long and short of it is that you’re incorrect; any company which advertises on Yahoo can and does use web beacons to co-track users with Yahoo.
And as for your Microsoft-as-maker-of-other-software argument, again I ask that you provide any proof that they are doing or plan to do any of this. And then, if they do it, show how people are being forced to use the Passport single-login system. If you’re a web developer and you don’t check what features are being “automatically” added to your sites or your software, then you don’t belong in the web design business, period.
(By the way, Yahoo Geocities does offer online web design assistants and automated site generation tools. And I’d argue that these are more dangerous, since all the code runs on the backend, and you have no clue how it’s working, what it’s doing, and what tracking is taking place.)
/jason
• Posted by: Jason Levine on Jul 30, 2000, 10:18 AMif they do it, show how people are being forced to use the Passport single-login system
The issue is not that they’re being forced, but merely encouraged. However, with Microsoft, encouragement can be a powerful thing. Especially, with the current system, when Microsoft is placing this as a major boon for consumers, and not mentioning any of the potential privacy problems. I think the worry is, that as we move to more centralized systems for log-in management, there are privacy concerns. I think that discussing those concerns in public is a good thing. I don’t want Microsoft as the gatekeeper for all my web account information, and I believe I should get to make that choice. Yahoo! is not trying to be a gatekeeper for account information — if they were, I would be just as harsh against them. Let’s cry for an open standard here, so that we can choose who we trust. When I see Microsoft trying to force that choice down my throat, I’m not very happy.
• Posted by: Aaron Swartz on Jul 30, 2000, 10:28 AMI agree with you that Microsoft Passport is one of many potentially nefarious devices for profiling consumers without their consent being propagated on the Web today.
As pointed out by Steven Champeon on a mailing list, Microsoft does, in fact, use the technique that you refer to toward the end of your article to share cookies among sites. Most MSN properties now live under the passport.com domain. For example, when you read your mail using Hotmail, you wind up at passport.com.
I think that the chilling thing about Passport in particular is that it’s being pitched to non-MSN sites, that’s what puts it ahead of Yahoo, the Go Network, and others in this space. I agree that there are lots of sites out there that are building new and innovative ways to profile users at the expense of their privacy, and I agree that they’re all deserving of criticism.
I don’t buy into the argument that exposing a problem or potential problem requires you to also mention all equivalent problems out of some sense of fairness. Spolsky’s criticism of Passport was on the mark, it is a consumer profiling system that has the potential to become a very big problem. There’s nothing that obliges him to criticise Yahoo, or Doubleclick, or whoever as well.
As can be seen from this site, his article has done a good job of sparking conversations about other sites that potentially compromise consumer privacy as well. I didn’t know about Yahoo web beacons until now, either. Now I do. That’s a good thing.
• Posted by: Rafe Colburn on Jul 31, 2000, 9:58 AM