Microsoft Tests Software To Fight Identity Theft on Web
Microsoft Corp. technology wasn't implicated in the recent identity thefts that have alarmed consumers and Congress. But the software giant is nevertheless getting ready to spark what could be a major shift in how businesses and consumers safeguard personal information on the Web.
In coming months, Microsoft will roll out test versions of its next PC operating system and Internet browser that include new ways for computer users and businesses to identify themselves online, exchange data and guard against software that can steal personal information, according to Microsoft executives and people familiar with the company's plans.
The next version of Windows, code-named Longhorn, will introduce a software technology known as "Info-cards," which let computer users selectively disclose information about themselves to businesses or others online, according to people familiar with the plan. The software stores personal information such as a user's credit-card number, gender and phone numbers, and lets the user send and receive the information in an encrypted form that can be decoded only by trusted Web sites.
THINK PAD
? Bill Gates Ponders Microsoft's Future
Internet Explorer 7, meanwhile, will give computer users more tools and information for identifying and avoiding "phishing" attacks and other methods of stealing personal information over the Internet.
The two products follow a similar approach to protecting identities online: giving average computer users more direct control over how their personal information is used. That approach marks a major break from today's online world, in which computer users surrender vast amounts of personal information both to legitimate Web merchants and, inadvertently, to nefarious Web sites with little sense of how it is used.
"The way you earn customer trust is to put control of information in customers' hands," says Peter Cullen , Microsoft's chief privacy strategist. "It's more than just protecting information, it's providing them with the tools to make their own choices."
Microsoft's efforts come amid a furor over identity theft prompted by recent leaks of personal data from organizations such as ChoicePoint Inc. Those breaches resulted mainly from flaws in operating procedure rather than technology. Yet the incidents spotlight potential risks associated with society's reliance on computerized data storage and communication.
Microsoft executives wouldn't provide detailed product plans. But people familiar with the strategy note a striking change in how the company -- which has been criticized for giving computer security short shrift -- is tackling the problem of managing identities online.
The company several years ago sparked controversy with an earlier service called Passport, which was designed to let consumers use a single password to access multiple Web sites. Passport, in turn, was linked to a proposed set of Web services, dubbed Hailstorm, that would help consumers perform chores such as booking travel and accessing health records.
But those initiatives relied on consumers' information being centrally stored at Microsoft. That concept was opposed by many potential partners and privacy advocates, who raised issues about the influence Microsoft could wield as an information repository. The Federal Trade Commission also cited the company for misrepresenting the security of the Passport system.
Hailstorm was dropped by Microsoft altogether, while Passport failed to find a broad audience. Unlike those earlier efforts, the company's new Info-cards with Longhorn require no central information repository. Instead, computer users manage their own data. The technology is also built on standard technology "protocols," so it is open to any Web site or technology vendor and can run on Unix, Linux and other non-Microsoft software. The software is also designed to work with competing technologies for managing personal information, such as systems from the Liberty Alliance, an association of technology companies, banks and others. It's unclear if Microsoft has started working with other companies on the cards.
To users, Info-cards would appear as a window on the PC screen that acts as a sort of secure file folder for different kinds of personal information, such as date of birth, Social Security number, and credit-card numbers. Each person could maintain multiple cards, each containing different data; a card used at work could have information needed for company transactions, while one set up for home could be used for personal transactions such as buying books or music.
The card stores the data on the PC in an encrypted format. When making a transaction or logging on to a Web site it passes over only the information that the user allows. The encryption helps ensure that intercepted data would be useless to a digital thief.
One goal is to reduce the need for Web sites to hold on to the sorts of personal information that they often store today. Info-cards also would work with technology used by merchants to assure computer users that they are connected to legitimate Web sites -- not bogus sites designed to "phish" their personal information.
More broadly, such cards could gradually be used in place of passwords, which Microsoft Chairman Bill Gates often criticizes as an unreliable security measure. "This will help us move beyond passwords," says Mr. Cullen.
Detailed plans for rolling out the cards haven't been set. Longhorn is expected to be available as a test version in June and in a final commercial version sometime next year. But Microsoft will likely give PC makers and software developers an outline of some features at conferences planned for April and May.
The challenge for Microsoft is that to make the cards useful to consumers and businesses it will need broad support for the cards among Web merchants, banks and others. Microsoft is trying to gradually court those partners, and avoid the mistakes it made with Passport, say people familiar with its plans.
The new version of Internet Explorer, meanwhile, partly reflects pressure from a free rival browser called Firefox, which hasn't been as susceptible as Internet Explorer to security problems. Though few details have been disclosed, Microsoft executives say the new browser will give users more information to help detect if a Web site is trying to dupe them into providing personal information -- a bit like the clues someone might pick up when on walking into a bad neighborhood.
Key to Microsoft's approach is "providing information so users can make more informed decisions," says Dave Aucsmith, chief technology officer at Microsoft's security unit. The enhancements build off of similar user controls in an upgrade to Windows XP last summer called SP2 that can warn users of potentially harmful software and block its installation.
Microsoft runs the risk that giving more information to users about potential security concerns could only confuse them with more decisions to make. "That's always a challenge," Mr. Cullen says.
The company also must balance security requirements with the pressure to add sexy features to counter Firefox, since new features often open up new security risks. "The challenge is how to improve the browser from a security perspective, not just a feature perspective," says John Pescatore, an analyst at technology consultants Gartner Group.
The coming products are the latest sign of a security-conscious ethos at Microsoft, which has modified its organization and procedures in the wake of highly publicized virus programs and spyware that exploited flaws in its software. In each major product group, for instance, Microsoft has "privacy champions" that ensure a set of privacy guidelines are followed when designing and building new software, says Mr. Cullen. The Windows group has 160 champions that are overseen by a four-person "Windows Privacy Council."
Microsoft executives point out that the software maker is only one piece of a broader fight, since mass identity theft tends to occur at large information repositories, such as banks and credit agencies, not on individual PCs. "As big as Microsoft is, all the different pieces of the environmental puzzle have a role to play," Mr. Cullen says.
微软将推出新软件应对身份盗用问题
近期引发消费者和国会密切关注的网上身份盗用问题并不涉及微软(MICROSOFT Corp.)的相关技术。不过,该软件巨头即将推出可能导致企业和消费者网上信息安全保护方式发生重大转变的新举措。
据微软管理人士和熟悉公司计划的人士透露,微软将于未来数月推出新的电脑操作系统和网络浏览器测试版本。新版软件为个人电脑用户和企业用户提供了网上身份识别、数据交换及防止遭受窃取个人信息软件袭击等新功能。
知情人士透露,新操作系统能使电脑用户与网上伙伴进行有选择地信息共享。该软件帮助客户通过加密形式传输诸如信用卡号码、性别和电话号码之类的信息,这些信息只能被可靠的网站破译。
新版的网络浏览器7则将向用户提供更多工具和信息,进而帮助他们识别和避免遭受“钓鱼”以及其他网上盗取个人信息方式的攻击。
上述新版软件产品的推出旨在保护电脑用户的个人信息安全,并帮助客户更加直接地控制自身信息的使用情况。
微软首席隐私问题策略师Peter Cullen表示,争取客户信任的唯一方式就是将信息的控制权交给客户自己。新软件不仅能够保护客户的个人信息安全,更重要的是向他们提供了能够帮助其作出独立决定的工具。
