[109256] in Cypherpunks
A-M$: m$ tracking visitors (fwd)
daemon@ATHENA.MIT.EDU (Osama Bin Laden)
Mon Mar 15 12:02:27 1999
Date: Mon, 15 Mar 1999 18:49:21 +0200 (EET)
From: Osama Bin Laden <waste@zor.hut.fi>
To: cypherpunks@toad.com
Reply-To: Osama Bin Laden <waste@zor.hut.fi>
---------- Forwarded message ----------
From: R Sriram <rsriram@krdl.org.sg>
Reply-To: Anti_MS@enemy.org
To: anti_ms@enemy.org
Subject: A-M$: m$ tracking visitors
http://www.wired.com/news/print_version/technology/story/18405.html?wnpg=all

Is Microsoft Tracking Visitors?
by Chris Oakes
3:00 a.m. 12.Mar.99.PST

For the second time inside of a week, programmers investigating
Microsoft's methods of collecting user data have discovered a
potential privacy violation.

Microsoft passes user data collected during Windows registration on to
its Web site Microsoft.com, according to the programmers. The apparent
breach calls into question what the software company is doing with
that data.

Earlier this week, programmers found that Microsoft was collecting a
unique identifier during the operating-system registration.

"The complete story has an alarming character," said Christian
Persson, editor in chief of Germany's c't magazine, a computer
publication that discovered the software behavior. "If privacy is not
a matter for you, you might say, 'So what?' But if it is, it has been
violated."

Peter Siering, senior editor of software development for the magazine,
observed registration software for Windows 98 sent numerical
identifiers to Microsoft.com, failing to inform the user it was doing
so.

Critics say this development harbors the potential for an
unprecedented compromise of personal privacy. Microsoft counters that
it has no designs on the illicit collection of personal information.

The transmission of the identifier -- if matched in a database to
personal name and contact information collected during the
registration process -- would allow Microsoft to identify registered
Windows users' visits to its Web site.

Siering used software tools to decrypt and monitor incoming and
outgoing information packets during the Windows 98 registration
procedure.

He found the registration software transfers a hardware identification
number that contains a derivative of the unique "Ethernet adapter"
number -- the Globally Unique Identifier, or GUID. The GUID
distinguishes computers on a network and is stored in the Windows
registry.

"If you have an adapter card in the PC ... it is a globally unique
number [that] is transferred to Microsoft," Persson said. The number
is transferred to Microsoft's own Web site during the process in the
form of a cookie.

Cookies are text files on a computer that are normally used to
anonymously identify repeat visitors to sites and are passed to the
Web site through the browser. They usually don't contain personal
data, using instead a random number that indicates a user's return
visit. The site uses the information to display custom data to the
user, such as local weather reports and news.

Austin Hill, president of privacy-software company Zero Knowledge
Systems, said some Web sites already match user names and personal data
with cookies, including Excite. But Microsoft's action enables sites
to access and use the private information, even if the person hasn't
volunteered it.

"When you go to [other] sites, you can turn off cookies and you can
also go through and say, 'I want to erase my cookies,'" Hill
explained. "But if the cookie is based on your hardware -- that
particular machine -- then [the site] has the ability to continually
track you, even if you've erased cookies.

"If I erase that cookie after I register Windows 98, what happens?
Does it come back? If it comes back, does Windows 98 recreate the
cookie and put the ID back in? I don't know if that's being done right
now."

Microsoft told Wired News it was still investigating the issue. But it
said the allegation that it could use identifiers to track
Microsoft.com visitors was "completely speculative and untrue,"
according to an email from product manager Robert Bennett. He then
referred Wired News to public comment made during the earlier
discovery that identification numbers were used in Microsoft Office
documents.

"Speculative discussion is inevitable about a topic as emotional as
privacy," said the company's statement. "In this case, it has led to
rumors that the information gathered in the Windows registry is
somehow related, or could be related, to documents created using
Office 97 (Word, Excel, PowerPoint, Access).

"Microsoft does not, and could not, maintain a registry of Office
documents. There is no relationship between the Windows-registration
process and identifying numbers contained in the property stream of
Office 97 documents."

Upon further questioning, Microsoft conceded that plans were under way
to reengineer its Web sites and data-collection process to address
privacy concerns.

Jason Catlett of the privacy-advocacy group Junkbusters said Richard
Purcell, Microsoft's manager of customer information, told him
Thursday the company would rewrite their cookie-handling procedures.

Catlett said Purcell told him that Microsoft will make changes to the
[Windows 98] data collection process to "overwrite the cookies that
have a hardware identifier and replace them with a generic number that
does not include it." Purcell later confirmed the conversation in an
email to Wired News.

The news follows reports earlier this week that Massachusetts
programmer Richard Smith learned that Microsoft Office software
inserts IDs into each document a user creates. The company collects
the number when Windows 98 users register the software. Registration
typically collects a user's name, address, phone number, and so forth.

Microsoft acknowledged the behavior and said it would take steps to
address the issue. Privacy advocates said the company's response
didn't go far enough to reduce the risk of matching the numbers with
the identity of a PC user.

Smith, who tested and verified c't's discovery, said the company could
be collecting the ID number but still not using it for tracking
purposes. The advantage to Microsoft, he said, is that the cookie
would be used to synchronize the computer with the company's servers
during Windows update routines.

"From the outside we can't really tell.... The [ID-containing] cookie
certainly gives them a super tracking ability, but they may not be
using it."

Smith also noted the inclusion of the GUID in the Microsoft cookie was
inconsistent when tested on different machines. "On my home system,
the MSID does not contain my Ethernet adapter address. Why this system
at work does, I cannot say." The only notable difference is that his
system at work is not set up to convey the hardware-configuration
information during registration.

Overall, Smith doesn't like the pattern. "There's a problem here,
which is that information is being collected. I think there's yet more
stuff to come out here. I don't think we're finished."