As someone who implemented one of the first external sites using Passport, there is even more that I think people should know about Passport. First, much of the original functionality of Passport was part of Microsoft Wallet — an ActiveX control that stored all data client-side encrypted. This was sometimes criticized as being proprietary, since netscape never did support ActiveX. So, the newer Passport uses technology first developed at Firefly to store information server-side. This has other benefits, especially as people use more mobile devices. The best way to really ensure this data is safe is to use public key encryption schemes in conjunction with smartcards to allow only people who have specific privileges to see your data. The protocols and technology for this are currently being specified, and nobody is pushing harder than Microsoft to make this a reality. In the future, yes your data will be stored centrally, but there it will be encrypted so that it cannot even be read by the place storing that information.

Once done with Expedia, you trek on over to Investor. You type in your login information, and after clicking the “Log On” button, the Investor website contacts the master Passport database to validate your credentials. Once validated, the database sends the webserver your unique identifier (again, “JASON12345”), and the webserver sends that back to your browser in the form of a cookie, this one specific to investor.com.

I’d appreciate a little more detail on this part, please. How does investor.com *know* to give you that same unique identifier?

If cookies worked the way you describe, you’re right, Joel wouldn’t have an issue. But there isn’t any way for investor.com to know, in the scenario that you gave above, that you’re the same person—that’s why cookies are secure in 99% of situations.

Dori

Backup Brain

How does investor.com *know* to give you that same unique identifier?

Because Investor.com would be validating your login against the same back-end authentication database as Expedia.com did, namely the Passport database. And that database has your name, password, and a single unique identifier (along with everything else that Microsoft wants to store about you, like shipping address, credit card info, past orders, etc.).

So, so long as you use the same username and password at each site, when each MSN site authenticates against the database, they each would receive the same unique identifier back; each site would then pass that identifier back to your browser in the form of a cookie.

Note that the hypothetical that I’ve described doesn’t exploit any functionality of cookies other than their most basic, that of storing a single variable for a single domain. Everything tricky, complex, or collaborative is done on the back-end, with dynamic pages that are generated after querying centralized resources like a single authentication database and a single customer tracking database.

That’s the beauty of implementing stuff like this on the backend — I can set up whatever centralized resources I want to (authentication databases, product catalogs, inventory systems, credit card transaction engines, etc.), put in place a pretty easy API to let other front-end systems use these resources, and then the barrier to creating a new front-end storefront or service website is tremendously lower.

/jason

You wrote: I guess that I don’t know what this whole controversy is about.

Think ahead. Its a land grab, not just Microsoft sites will be involved and modified in this way, all sites using Microsoft’s web products will be affected. Here’s how:

Microsoft controls not just Passport. They also control FrontPage, arguably the most widespread and popular web site management tool, and a host of web image editing and html insertion tools. How long do you think it’ll take before they come up with “Passport extensions” designed for these tools? All in the name of protecting your privacy, of course…

Yes, they can do all of that with cookies too, there’s nothing MORE nefarious about this way of doing things than other ways. Then why would they be doing it this way? Well, contrary to cookies, this feature is much harder to “turn off” at the user end — e.g. by putting www.passport.com in a disallowed list in their firewall, for example. However if the redirection to www.passport.com doesn’t work then the user couldn’t visit the target site at all.

If they went for the back-end database sharing technique you outlined (very good idea, by the way, for a good example of its implementation visit www.yahoo.com and its subsites) then they’d be limited to Microsoft owned websites.

The only explanation that I can see for going about it this way is to extend Microsoft’s information gathering to unaffiliated sites. If I’m wrong, tell me, of course :)

Jacob

Josh

You’re throwing out a bunch of smoke and mirrors about how the data is secure. Yeah, sure. So what.

The point of Joel’s article is that Passport gives Microsoft a fool proof way of putting 2 and 2 together when I visit a random site owned by them; they’ll know I am Jacob Levy who visited the Game Zone site at Saturday 1am when I visit Microsoft Money at 12noon. Scary!

It doesn’t stop there. With Microsoft’s stranglehold on the web site management tools, its easy for them to put “Passport extensions” into Frontpage, all justified by the privacy gobbledeegook of the kind you’re spouting, and pull every web site using that tool into the redirection scheme. It’s a land grab..

And in such a world, the privacy measures simply mean that noone *except* Microsoft will be able to read your data. Now I feel safe! Not :) Here’s why:

Microsoft the company will know that I visited Joe’s teen nymphette’s picture site (built with FrontPage of course) when I visit Microsoft Money. It’ll know I visited jobs.oracle.com (if they used FrontPage to build their site) to look if Oracle has interesting openings, so I can be sure I’ll get a phone call from a Microsoft recruiter asking if I’m in the market. And on and on..

Eeeeek!!

Jacob

A few responses:

First, under their existing implementation, Microsoft could only extend their information gathering to other sites if those sites used Passport logins. If those sites don’t cross-identify you with Passport, then there’s no way for them to link your tracking data on their site with your Passport identity. And if you’re theorizing that future MS browsers will be constantly sending data to Passport even on sites that have no link to Passport, then show me some proof before you throw out that conspiracy theory. (Besides, in this scenario, you could shut off firewall access to Passport.com, since those third-party sites wouldn’t have any functionality that depends on Passport that would break with such a filter in place.)

Second, I find your notion about FrontPage to be scary, in that it’s suggesting something for which you have no proof, merely FUD about Microsoft. No extensions to FrontPage could operate without you knowing about them; likewise, you should never be running server-based software without understanding all of the features that it’s bringing to the table. If they develop an API for Passport that plugs into FrontPage, and you want to implement it in your dynamic sites, then great; if you don’t want to implement it, then don’t.

All of this feels like people freaking out based on theories and rumors. If DeepLeap had done this, people would be heralding it as an amazing innovation on the web. If the opensourcers had come up with this, it would be positioned as something that undercuts the evil empire of Microsoft and allows people to make their own choices, without having to submit to the man.

The bottom line is that it’s still a web surfer’s job
to understand what it is he or she is doing. If you’re
scared about data sharing between websites, don’t
frequent those websites.

I think the issue is that the offensive tools combined with
conglomeration of businesses on the web will make “those
websites” about all there is.

I didn’t read Joel’s piece as a sole indictment against
Microsoft, just as I thought he started by glossing over
the risk of cookies in general. The interpenetration of
advertiser/trackers with content providers is a big deal,
and beyond the awareness/attention/ability of most web
surfers to keep in check.

For those who really care enough to send (and receive)
the very best, there are personal firewalls and proxy
servers for some damage control. There’s a considerabl
barrier to entry in the path of awareness, understanding
and implementation.

Having the monopoly
supplier of operating systems build user tracking capability
in is cause for concern, in that it will be that much
less accessible for web surfers to detect, understand,
and circumvent, if they wish to.

“Just don’t frequent those websites” is not a
cogent plan.

The bottom line is that it’s still a web surfer’s job
to understand what it is he or she is doing. If you’re
scared about data sharing between websites, don’t
frequent those websites.

I think the issue is that the offensive tools combined with
conglomeration of businesses on the web will make “those
websites” about all there is.

I didn’t read Joel’s piece as a sole indictment against
Microsoft, just as I thought he started by glossing over
the risk of cookies in general. The interpenetration of
advertiser/trackers with content providers is a big deal,
and beyond the awareness/attention/ability of most web
surfers to keep in check.

For those who really care enough to send (and receive)
the very best, there are personal firewalls and proxy
servers for some damage control. There’s a considerabl
barrier to entry in the path of awareness, understanding
and implementation.

Having the monopoly
supplier of operating systems build user tracking capability
in is cause for concern, in that it will be that much
less accessible for web surfers to detect, understand,
and circumvent, if they wish to.

“Just don’t frequent those websites” is not a
cogent plan.

Tom von Alten


Ft. Boise

Jacob:

I just wanted to answer your FrontPage scenario here, even though I dealt with it under your original message as well.

Please explain exactly how Microsoft will be able to know that I’ve visited a site designed by FrontPage. Give me an exact technical run-down of the communication that will take place between my browser, the FrontPage-designed website, and Microsoft’s nefarious tracking computers (Passport, I’m assuming). I can’t think of how it would happen; I feel like this is more FUD.

/jason

Please explain exactly how Microsoft will be able to know that I’ve visited a site designed by FrontPage.

Simple.

FrontPage inserts code into the first page (they have such a concept) of a site to do the redirection that currently is done by sites like Microsoft Money. It’s just HTML and JavaScript code, so it can live in any web page.

Suppose you make a site www.mylemonadestand.com with FrontPage and don’t take out the redirection code — after all, you bought FrontPage so you don’t have to edit HTML, right? Now, when I visit your site, I get momentarily redirected to www.passport.com and from there back to www.mylemonadestand.com. If I previously visited another site that also redirected, let’s say Microsoft Money, a cookie was already inserted into my browser from PassPort. Now, during the redirection, that cookie is sent for www.passport.com.

Microsoft now knows (a) I visited Microsoft Money (b) it learns about who uses FrontPage (www.mylemonadestand.com) and (c) it knows that I visited www.mylemonadestand.com. If I registered for an account at Microsoft Money, then (d) Microsoft also knows where I live, what my email is, etc etc etc

This information can also of course be used for innocuous things like building an incremental search engine (b), but (a), (c) and (d) scare me. Too much concentration of power in one place…

Of course they dont have to do this via redirection. It’s possible to do the same thing with one-pixel images too.

OK, that’s a little more than I can stand. Do you have any proof that Microsoft will do this, or that it’s something that they want to do? Or are you just supposing that the can do it, so that’s enough to make you run scared?

Hell, I can stand at the rooftops and shout that Microsoft is going to steal my baby, but it doesn’t mean that anyone has to listen to me.

Right now, Yahoo has a million ways for you to host data on their network for free. They will store your pictures and files, keep track of your bookmarks, let you share your address book and calendar with other people, let you pay your bills, and even create your own websites, just like FrontPage. And every one of these services comes with a yahoo.com domain name, so they don’t have to do break a sweat to share cookies and tracking data across all of these sites. Are you scared of them, Jacob?

/jason

I dont have any *evidence* that this is going on.

But heck, it makes such a nice conspiracy theory that I couldn’t resist. And it’s *TECHNICALLY* possible.

Jacob

No extensions to FrontPage could operate without you knowing about them;

Bah.. And I have a bridge to sell you.

Let’s drop it or agree to disagree.

so long as you use the same username and password at each site

That’s a big honking “if” right there. I’d like to use the same username on multiple sites, but the ones I like to use have usually already been taken. The chances that I have the same username on two large sites is pretty slim.

And what happens if there’s two people named “John” who both use the password “John”? They’re two different people, so you can’t tie them together in any meaningful way—all you’ve done is made a WAG that these are the same folks.

Sorry; this ain’t the same thing as Joel’s issue at all.

Dori

Backup Brain

No, Dori, in my hypothetical, the same backend username and password database is being shared by all the MSN sites, so there’s no way that there could be two different “dori” users at two different sites. Likewise, if someone named “dori” logged in at Expedia, MS could be damn sure that it’s the same “dori” that logged in at Investor last week, since it’s the same shared username and password database that’s tying the two websites together.

To illustrate:

You go and create an account at Expedia, with the username “dori”. When you click on the “Create Account” button, Expedia’s webserver contacts the master Passport database and checks to see if there’s a “dori”. There isn’t yet, so it creates the account, and you’re logged into Expedia.

Later, you visit Investor, and not knowing that the username and password database is shared, you try to create the “dori” account. Investor’s webserver contacts the same master Passport database to see if there’s already a “dori” — and alas, there is! It’s your account, from when you created it on Expedia; knowing that many users don’t know that the database is shared, Investor notifies you that the account already exists, and perhaps you were the one that created it when you were at a sister website. You then try to log onto Investor with the “dori” account that you created when you were at Expedia, and it works — because it’s the same backend password database, shared between the two websites. And all of the data sharing is going on behind the scenes, at the backend of the two websites.

So, it’s not a “big honking if” — you are easily able to use the same username and password on all the sites, because all of the sites share a single master username and password database. This is exactly like all of Yahoo and the Go Network’s sites, and it’s exactly like the way that Passport is currently implemented except it all takes place on the backend rather than requiring a browser redirect.

Likewise, using different usernames and passwords on all the sites would require effort on your part — you’d have to log out each time you leave a sister site, and then log back in with an alternate username and password when you visit the next site. Imagine doing this all over Yahoo (different username and password for Yahoo Mail, Yahoo Finance, Yahoo Calendar, etc.) — it’d drive most people mad.

Lastly — even if you don’t buy that my hypothetical would allow everything to take place behind the scenes, why isn’t the way that Yahoo and the Go Network currently share cookies across subsites the same thing as Joel’s issue? Hell, Yahoo does something much, much scarier, and has been doing it for a pretty damn long time, yet there’s no hoo-hah over it.

Right now, Yahoo has a million ways for you to host data on their network for free….And every one of these services comes with a yahoo.com domain name, so they don’t have to do break a sweat to share cookies and tracking data across all of these sites. Are you scared of them, Jacob?

Here’s the difference —

1) Yahoo! isn’t a dangerous monopolist like Microsoft and they haven’t been known for various privacy violations in the past (but you clearly don’t like this argument so let’s move on).

2) Yahoo! isn’t trying to get other non-Yahoo! websites to use their system Microsoft is. Don’t believe me? They say “When can I start using Passport on my site?
Now! The Passport wallet and single sign-in services are both available today worldwide, in 11 and 14 languages, respectively.”

3) Yahoo! doesn’t make server software, web page editing software, web browser software or operating systems. If Microsoft were to integrate Passport into these, things could get very sticky very quickly. Why bother to implement your own log-in system for your website? Much easier to click a button and use Passport’s.

I don’t think Joel was trying to point out something that’s currently a problem — he was just trying to warn us about future dangers — and I thing we’re heading towards a very dangerous place.

You’re right, I don’t agree with the “dangerous monopolist” term, but let’s get past that.

To refute your glowing characterization of Yahoo, don’t forget thst it’s a company which has had it’s share of privacy issues:

• forcing users to give credit card information in order to get a free email account;
• being investigated by the FTC for uses of its tracking data;
• revealing user information against their own privacy policy;
• sending personal calendar reminder information to the wrong users.

As for them letting non-Yahoo sites use their web beacons, I believe I dealt with that in response to your other message. The long and short of it is that you’re incorrect; any company which advertises on Yahoo can and does use web beacons to co-track users with Yahoo.

And as for your Microsoft-as-maker-of-other-software argument, again I ask that you provide any proof that they are doing or plan to do any of this. And then, if they do it, show how people are being forced to use the Passport single-login system. If you’re a web developer and you don’t check what features are being “automatically” added to your sites or your software, then you don’t belong in the web design business, period.

(By the way, Yahoo Geocities does offer online web design assistants and automated site generation tools. And I’d argue that these are more dangerous, since all the code runs on the backend, and you have no clue how it’s working, what it’s doing, and what tracking is taking place.)

/jason

if they do it, show how people are being forced to use the Passport single-login system

The issue is not that they’re being forced, but merely encouraged. However, with Microsoft, encouragement can be a powerful thing. Especially, with the current system, when Microsoft is placing this as a major boon for consumers, and not mentioning any of the potential privacy problems. I think the worry is, that as we move to more centralized systems for log-in management, there are privacy concerns. I think that discussing those concerns in public is a good thing. I don’t want Microsoft as the gatekeeper for all my web account information, and I believe I should get to make that choice. Yahoo! is not trying to be a gatekeeper for account information — if they were, I would be just as harsh against them. Let’s cry for an open standard here, so that we can choose who we trust. When I see Microsoft trying to force that choice down my throat, I’m not very happy.

I agree with you that Microsoft Passport is one of many potentially nefarious devices for profiling consumers without their consent being propagated on the Web today.

As pointed out by Steven Champeon on a mailing list, Microsoft does, in fact, use the technique that you refer to toward the end of your article to share cookies among sites. Most MSN properties now live under the passport.com domain. For example, when you read your mail using Hotmail, you wind up at passport.com.

I think that the chilling thing about Passport in particular is that it’s being pitched to non-MSN sites, that’s what puts it ahead of Yahoo, the Go Network, and others in this space. I agree that there are lots of sites out there that are building new and innovative ways to profile users at the expense of their privacy, and I agree that they’re all deserving of criticism.

I don’t buy into the argument that exposing a problem or potential problem requires you to also mention all equivalent problems out of some sense of fairness. Spolsky’s criticism of Passport was on the mark, it is a consumer profiling system that has the potential to become a very big problem. There’s nothing that obliges him to criticise Yahoo, or Doubleclick, or whoever as well.

As can be seen from this site, his article has done a good job of sparking conversations about other sites that potentially compromise consumer privacy as well. I didn’t know about Yahoo web beacons until now, either. Now I do. That’s a good thing.