From: "Hebraic.Heritage.Newsgroup@sol.wwwnexus.com"
<Hebraic.Heritage.Newsgroup@sol.wwwnexus.com>
To: Hebraic Heritage Newsgroup <heb_roots_chr@geocities.com>, Hebraic Heritage
Newsgroup 2 <heb_roots_chr@geocities.com>
Subject: Windows 98 and Security
Date: Thu, 11 Mar 1999 15:47:30 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
From: "Webmaster" <Webmaster@WebbSource.Com>
To: heb_roots_chr@geocities.com
Subject: Microsoft 98 and Security
Microsoft to Alter Software in Response to Privacy Concerns
SAN FRANCISCO-The Microsoft Corporation moved to defuse a potentially
explosive privacy issue today, saying it would modify a feature of its
Windows 98 operating system that has been quietly used to create a vast data
base of personal information about computer users.
Microsoft conceded that the feature, a unique identifying number used by
Windows and other Microsoft products, had the potential to be far more
invasive than a traceable serial number in the Intel Corporation's new
Pentium III that has privacy advocates up in arms. The difference is that
the Windows number is tied to an individual's name, to identifying numbers
on the hardware in his computer and even to documents that he creates.
The combination of the Windows number with all these data, the company said,
could result in the ability to track a single user and the documents he
created across vast computer networks. Hackers could compromise the
resulting data base, or subpoenas might allow authorities to gain access to
information that would otherwise remain private and unavailable. Privacy
advocates fear that availability will lead to abuses.
"We're definitely sensitive to any privacy concerns," Robert Bennett,
Microsoft's group product manager for Windows, said.
"The software was not supposed to send this information unless the computer
user checked a specific option." Mr. Bennett said the option to collect the
information had been added to the software so that Microsoft support
employees would be able to help users diagnose problems with their computers
more accurately. He said the Redmond, Wash., software giant had never
intended to use the data for marketing purposes. In response to a complaint
from a software programmer in Massachusetts, Microsoft will not only alter
the way the registration program works in the next maintenance release of
Windows 98, Mr. Bennett said. He said Microsoft technicians would look
through the company's data bases and expunge information that had been
improperly collected as a result of earlier versions.
The company is also exploring the possibility of creating a free utility
program that would make it possible for Windows users to delete the serial
number information from a small data base in the part of Windows system
known as the registry, where it is now collected.
Microsoft has been discussing the issue with a Cambridge, Mass., programmer
who contacted the company earlier this week after discovering that the
Microsoft Office business software was creating unique numbers identifying a
user's personal computer and embedding them in spreadsheet and word
processing documents.
The programmer, Robert M. Smith, who is the president of Phar Lap Software
Inc., a software tools development company, told the company that he
believed the practice created a potential threat to privacy.
Microsoft officials said earlier this week that the numbers generated by the
company's software were part of an effort to keep different components from
interfering with each other in an increasingly complex world of networked
computers.
However, Mr. Smith said that the number, in effect, created a "digital
fingerprint" that could be used to match a document created by a word
processing or spreadsheet program with a particular computer.
On Thursday, after further studying the "registration wizard"-the software
module that enables customers to register their copies of Windows 98
operating system for support and updates-Mr. Smith discovered that the
number, known as a Globally Unique Identifier, was being transmitted to
Microsoft as part of a list of registration information that generally
includes the owner's name, address, phone number and other demographic
information as well as details about the hardware and software on or
attached to the user's computer.
"Microsoft never asked me if it was O.K. to send in this number, and they
never said it was being sent," Mr. Smith said. "They are apparently building
a data base that relates Ethernet adapter addresses to personal
information." Ethernet adapters are cards inserted in a personal computer
that enable it to connect to high-speed networks within organizations and
through them to the Internet.
The controversy erupted just weeks after Intel, maker of the most widely
used processors for machines that use the
Windows operating system, agreed to make it possible for computer
manufacturers to set its new Pentium III computer chip so that a serial
number on the chip would not be recorded without the computer user's
permission.
Privacy activists have been attacking both companies, arguing that
identification numbers can be easily misused to create electronic monitoring
systems. Such systems could track a computer user's behavior in cyberspace
or create dossiers of personal information about individuals.
The issue has sparked a heated debate over the fundamental technology of
modern computer networks and software systems, which routinely employ serial
numbers to identify individual computers and software modules, known as
"objects," that can be shared by a number of programs.
But the Intel number only identified a computer. The Windows number
identifies a person. And because the Windows number created a potential
linkage between individuals and confidential documents they created, privacy
advocates said they were outraged.
"I think this is horrendous," said Jason Catlett, president of Junkbusters,
a consumer privacy organization based in Greenbrook, N.J. "They're tattooing
a number into each file. Think of the implications. If some whistle blower
sends a file, it can be traced back to the person himself. It's an extremely
dangerous feature. Why did they do it?"
Privacy groups have long warned about the dangers of centralized information
and of monitoring electronic behavior. The groups have been discussing the
implications of the serial number on the Pentium III with Intel, and while
some privacy advocates acknowledge that the number can play an important
role in protecting both privacy and security, others have called for a
boycott of Intel, arguing that the likelihood of misuse of the number
outweighs its benefits. Beyond the fear of a centralized Big Brother, they
add that the rise of the Internet has made it possible for individual
companies to freely use detailed personal information for commercial ends.
"The problem is the absence of legal rules that limit the collection and use
of personal information," said Marc Rotenberg, director of the Electronic
Privacy Information Center in Washington. "It's clear to me that large
Internet companies such as Microsoft, AOL and Netscape will try to squeeze
out privacy." Microsoft executives said on Friday evening that they had
developed the feature for technical reasons related to the need to
distinguish between millions of different hardware and software objects on
the Internet. They said they hadnever considered the privacy implications.
According to Microsoft software engineers, the roots of the company's
numbering system go back to a system developed by computer researchers at
the Open Software Foundation in Cambridge in the early 1990's. In an effort
to develop technology that would enable computer systems to communicate
across a network, a numbering system known as a Universally Unique
Identifier, or UUID, was established as part of a software standard known as
the Distributed Computing Environment, or DCE. Microsoft relied on this
standard when it developed a remote computing capability for Windows known
as Object Linking and Embedding, or OLE. The company's designers changed
UUID to GUID, for Globally Unique Identifier, and that term is now widely
used by software applications. For example, the GUID is used in setting
"cookies"-files that World Wide Web sites send to a visitor's hard drive to
identify the user later and to track his or her travels through the Web.
**********************************************************************
From: "Webmaster" <Webmaster@WebbSource.Com>
To: heb_roots_chr@geocities.com
Subject: More Government Attacks on your privacy
In the wake of reports that the
U.S. Secret Service has funded a private company's development of a
database of driver's license photographs, the American Civil Liberties
Union is calling for government hearings to address threats to
personal privacy. The ACLU - in tandem with the Free Congress
Foundation, the Electronic Frontier Foundation, the Center for
Democracy and Technology, the Eagle Forum, Concerned Women for America
and the Electronic Privacy Information Center - sent a letter last
Wednesday to leaders of the Government Reform Committee in Congress.
In the letter, the groups "respectfully request that you hold a
committee hearing on the threat to privacy and civil liberties posed
by the abuse and authorized misuse of federal databases. We are
concerned about proposals that the federal government use database
information, initially gathered for one purpose, for completely
unrelated purposes, without the consent of the person to whom the data
relates." According to the ACLU, the letter was sent after the
Washington Post reported Congressional approval of nearly $1.5 million
in federal aid and technical assistance to Nashua, N.H.-based Image
Data for the development of a national license photograph database.
The government approved the aid hoping law-enforcement officials could
use the database in terrorism, immigration and "identity crime" cases,
according to the news report. The ACLU also has asked Congress to
strengthen the Drivers' Privacy Protection Act of 1994, which it calls
"loophole-ridden." The organization charges that the law has failed in
preventing the selling or disclosing of information about drivers
without their consent. ACLU Washington National Office Director Laura
W. Murphy, who signed the letter on behalf of the organization, said
the aim is to have "greater bipartisan oversight into the federal
government's role in protecting the privacy rights of American
citizens." No government committee currently has oversight on privacy
issues, Murphy said. "The right to privacy is not a distinct right;
it's one that's drawn from a variety of Constitutional amendments,"
she said. "And Congress doesn't treat it with the same level of
concern as it does, or used to, with other rights." The basic problem,
Murphy said, is not in the creation of databases, but in how they are
used. "Every time a new database is proposed, it's presented as a
practical solution to a compelling problem, like a DNA database that's
proposed to make it easier to catch criminals," she said. "They all
sound like a good idea, but inevitably they always get flipped into
use for another purpose, and the end result is that there's no privacy
left. And there's no one in Congress connecting the dots and no one
keeping Congress to its commitment to prevent use of the databases for
other purposes." The letter came during a month of controversy in a
number of states that sold driver's license information to Image Data.
They include South Carolina, where a citizen has brought a
class-action lawsuit against the state charging violation of privacy
rights, and Florida, where the governor canceled the state's contract
with Image Data after an ACLU campaign there. According to the ACLU,
states have sold thousands of their license files for a penny apiece.
"For the government to prostitute our private information is bad
enough," ACLU Associate Director Barry Steinhardt said in a statement.
"And to charge only a penny for our privacy adds insult to injury."
Image Data could not be reached for comment.
*******************************************************************