REDMOND, Wash., Aug. 12, 2001 — Traveling through the world’s untamed corners can be tricky if not treacherous; a passport is essential to ensure a swifter, safer journey. The cyber-world of the Internet can be equally challenging, especially when people want to purchase goods or services online. To bring convenience, safety and speed to Internet navigation, Microsoft introduced Microsoft Passport in 1999. Today, there are more than 165 million Passport accounts that generate more than two billion authentications each month.
To explain what Passport is and how it works, and to discuss the protections that Microsoft has adopted to promote consumer privacy, PressPass spoke with Brian Arbogast, Microsoft vice president of the .NET Core Services Platform.
PressPass: Why did Microsoft introduce Passport?
Arbogast: Back in 1999, Microsoft looked at the Internet landscape. More and more, when people went to Web sites — to shop, retrieve news stories, download software or participate in chats — they had to log in, giving their name, password and, often, additional information. There are so many user names and passwords that people have to remember today that it can create a pretty frustrating experience; in fact, most people write that information down on paper — which is not a safe or secure way to store this information. Beyond the inconvenience to consumers, this system was something of a drag on e-commerce, because it heightened the risk of Internet fraud, making it more difficult for online merchants to conduct business. Authentication services like Microsoft Passport are designed to help transform today’s Internet and computing experience by enabling single sign-in to multiple sites and services with one secure password.
PressPass: What exactly is Passport, and how does it address these problems?
Arbogast: Passport is an online authentication service that makes it easier and safer for people to go to and use secure Web sites. It lets people move easily among participating sites that they choose to visit without the need to maintain separate passwords for each site and re-enter their login and password each time they return to those sites. When you’re a Passport user and you go to a participating site anywhere on the Internet, Passport is a simple and secure way for the site to authenticate the user based on a single user name and password. That’s a benefit both to you and to the site because using sites that offer Passport makes the experience easier and more convenient.
PressPass: How does Passport do this?
Arbogast: You start the process by registering for a free Passport account. You can do this at http://www.passport.com/, at participating sites across the Internet, or at MSN.com or Hotmail. For example, if you register at http://www.passport.com/, you enter an e-mail name — it can be any address you already have, from AOL, Yahoo, Hotmail, or any other Internet provider — and a password. Then you provide a secret question and answer that can be used to authenticate you if you need to reset the password, and some basic demographic information: country/region, state and zip code, that’s it. Then, when you go to a participating site and enter your e-mail name and password, the site redirects you to Passport for authentication automatically. Passport checks the name and password and sends back a ticket authenticating you to the participating site.
PressPass: How does Passport save users from needing to re-key basic information such as first and last name, city, state, zip, mailing address, credit card information and so on?
Arbogast: If you only want to give Passport the basic information required, that’s all you have to do — it’s your choice. Participating sites may ask for other information beyond that; however, that information remains specific to that site and is not ever stored or seen by Passport. To take advantage of Passport to save re-keying other basic information — such as your first and last name, state, country and zip code — you can do that, as well. Passport gives you the option of providing some or all of this other information. You also have the option of setting up a Passport wallet, which holds your credit card information, billing address and shipping addresses, and which can be used to make secure purchases faster and easier. It’s completely up to you. If you choose to include any of this other information in your Passport account, then Passport can encrypt it and forward it to the participating site as part of the authentication process, saving you time and trouble. But you don’t need to supply any of this other information to be a Passport member and be authenticated when you go to a participating site.
PressPass: So the user chooses what information to share with Passport?
Arbogast: Absolutely. The user is in complete control of the information he or she supplies to Passport — and the user also actively controls with whom that information is shared. Some of the independent participating sites may ask you for additional information for their own purposes — for example, a bookseller may ask you what you like to read — but that’s between you and them. Passport never receives that information in any form whatsoever.
PressPass: With passwords and unique identifiers flying around the Internet, how secure is Passport in protecting a user’s privacy?
Arbogast: We are taking a leadership stance with regards to privacy on the Internet through new enhancements to Passport that you will see through this year, including P3P compliance as well as opt-in information sharing — giving consumers full control over how they want to manage their personal information on the Web.
First, Web sites have to establish a relationship with Passport before they can become a participating site. Second, we only send authenticating information when a user goes to a participating site and chooses to use Passport as the way to identify him- or herself to the site or to sign-in or make purchases. Passport never sends information at any other time to any other site for any other reason. That’s part of our contract with Passport members; we take that very seriously and we’re legally bound to it. Third, Passport never shares a person’s password — only the unique identifier that is assigned by Passport when a person registers, and even that is strongly encrypted as a part of Passport’s security. Fourth, the participating site has to maintain a secure server at its end to receive the encrypted information.
We obviously can’t be explicit about our security procedures, but we’re basing the Passport business on the security we provide.
PressPass: Many people are concerned about the amount of information that’s collected about them on the Internet — what do you say to people who are concerned that Passport is collecting information about where they go and what they spend, and then marketing and selling this information to other companies?
Arbogast: People absolutely should be concerned about privacy on the Internet and Passport is part of the solution. Passport gives users the ability to protect and alter personal information that likely is currently strewn across the Web. Passport never has any knowledge of what you do or buy on the Internet. Passport never mines personal information about you to sell to others and never uses your personal information for marketing additional services from Microsoft.
PressPass: It sounds like Microsoft has made privacy protection a very major issue.
Arbogast: We have. Our registration with our next service enhancement, which will be available before the end of August, will deal with personal data as strictly opt-in. Meaning, users must proactively choose to have information shared with others. And even then, the user actively chooses what information will be included in his or her user profile, and which sites will receive the information by logging in as a Passport member at those sites. That goes far beyond standard industry practice, in which companies generally share or sell personal information broadly unless a user actively chooses to opt-out of such sharing. Ironically, we offer greater privacy protection than some of our competitors who have expressed concerns about our service.
PressPass: How and why did Microsoft develop this privacy policy?
Arbogast: Microsoft has had an explicit concern about Internet security since 1998, when we mobilized a companywide initiative to put users in control of their personal information and created an ongoing Microsoft Corporate Privacy Group and Privacy Task Force to keep us fully focused on privacy issues. We’ve also begun widespread education of our business associates and the industry at large to protect user privacy online.
We understand that security and privacy are both technology and policy issues. So, on the policy side, we work closely with security and privacy organizations such as the independent TRUSTe privacy watchdog group, of which we’re a member and premier sponsor. We base our policies on the Fair Information Practices recognized by the Online Privacy Alliance, the U.S. Federal Trade Commission, the European Union Directorate General, and the majority of domestic and foreign privacy advocacy groups. And we complement our policies with technologies — such as high-level encryption and P3P — that help enforce those policies.
PressPass: How strong is Passport’s privacy policy? How do consumers know that Microsoft will adhere to it?
Arbogast: Passport’s privacy policy is part of the legally binding agreement between Microsoft and Passport account holders. It’s also compliant with TRUSTe certification, and is monitored independently by TRUSTe, which is empowered to mediate any possible problems. The Passport privacy policy and Microsoft’s broader privacy policies are available for everyone to see at http://www.microsoft.com/info/privacy.htm, http://www.passport.com/Consumer/PrivacyPolicy.asp?lc=1033, and http://www.msn.com/help/legal/privacy.htm.
PressPass: What about the independent, participating Web sites — how do you ensure that they protect user information?
Arbogast: First, we require that all Passport partner sites have their own privacy policies, and we strongly encourage our customers to read these policies before they log in or share any information with those partners. We will soon be requiring that these partner sites also post a P3P privacy policy, which makes it easier for customers to understand exactly what data will be collected and for what purposes.
Should Passport account holders inform us of a privacy problem with a participating Web site, we’ll work to help resolve the issue and we are prepared to drop partners who violate user privacy agreements.
PressPass: I have heard that Windows XP users will have to sign up with Passport. Is this true?
Arbogast: Absolutely not. We do not require people to sign up with Passport to use Windows XP. We are offering consumers the choice to sign up for a Passport in Windows XP. If people already have a Passport account or choose to open one, they’ll get even more benefits than Passport users do today. For example, today, Passport simplifies the login process at participating sites, but users do have to log in to Windows and Passport separately. Using Passport in Windows XP, users can choose to automatically log in to Passport in the process of logging in to Windows XP by selecting the “sign me in automatically” option when signing in to Passport for the first time. This takes the concept of single sign-in to the next level. And users will be able to choose whether or not to take advantage of a broader range of services from third parties that are designed to work with Passport.
Making computing safer and more trustworthy is a continuing challenge because consumers want both privacy and convenience — and those values can easily conflict. So, as we continue to evolve Passport, we’ll continue to work with consumers and the industry to strike the right balance, to give our customers the highest level of protection and confidence, to give customers complete control over what information they provide and how it’s used, and to offer great technology services that enhance their lives.