[A picture of private offices at Fog Creek Software] Alert! This ancient trifle retrieved from the Joel on Software archive is well-past its expiration date. Proceed with care.

Joel on Software

Does Issuing Passports Make Microsoft a Country?

by Joel Spolsky
Wednesday, July 26, 2000

Am I the only one who is terrified about Microsoft Passport? It seems to me like a fairly blatant attempt to build the world's largest, richest consumer database, and then make fabulous profits mining it. It's a terrifying threat to everyone's personal privacy and it will make today's "cookies" seem positively tame by comparison. The scariest thing is that Microsoft is advertising Passport as if it were a benefit to consumers, and people seem to be falling for it! By the time you've read this article, I can guarantee that I'll scare you into turning off your Hotmail account and staying away from MSN web sites.

This article has two parts. First, I'll present a brief technical overview of how Passport works and why it eliminates the last line of defense protecting your privacy. Second, I'll talk about how Microsoft plans to develop Passport to create a massive consumer information database and link all your private information together, and how they plan to profit fantastically from it.

But before I get started, let me say that I'm not just writing this to bash Microsoft. That's not my goal here. Microsoft is a large, diverse company with many smart people and many ethical people; they have many great products and some pathetic products, too. I spent 3 years working at Microsoft, many of my friends are still there, and I'm a Microsoft shareholder. I'm writing this article because I think the Microsoft Passport story is fascinating from a privacy perspective and from a business strategy perspective, and because nobody else seems to be covering it.

1. How Passport Works

In the olden days of interactive computing, you got an account on one computer which was all you ever used. You had one username and one password to remember. The web has changed things dramatically: because it is so easy to visit lots of web sites, you may have accounts with dozens of companies on dozens of different computers. I have 81 at last count. Most people have no hope of remembering 81 different account names and passwords, so they tend to just use the same password on every site, or they keep a long list of passwords written down somewhere. It's a bit of a nuisance. If you regularly shop online, you're probably getting sick of typing in your home address, credit card information, and remembering the user name and password for all those sites. It's extremely common for people to abandon their shopping carts on the web when they see the long form they have to fill out to make an account and purchase their products.

This is the kind of problem that Passport is promising to solve. To understand how it works, I'd like to take a few minutes to talk about some web security and privacy technology and how Passport subverts it.

How Cookies Work

There's a lot of wrong information about cookies out there. All a cookie does is tell a web site operator when somebody comes back to their site that has been there before. It doesn't give the web site operator any information about that person's identity; it just says "Hey, that visitor who was here last Tuesday at 4:15 PM? That person is back again."

Technically, the way it works is that when you go to the web site for the first time, the web server makes up an ID for you, for example, if I go to www.eCrap.com, it might make up the number 76JU589SU for me, which is completely meaningless. The web server sends this meaningless ID number to my web browser, which stores it.

Now, the next time I go to eCrap.com, my web browser will tell the web server: "Yo, in case you care, this is 76JU589SU coming back again. Thought you might want to know."

That's all there is to it. Now, since eCrap is smart, they opened a file on me, marked 76JU589SU. In that file, they could keep any information I give them. If I buy something from eCrap and give them my address, they could store my address in their 76JU589SU file. And my credit card. And a list of the things I bought. Next time I wanted to buy something, since they already knew who I am, they can offer to let me purchase it without typing in an address or credit card number, because they can just look that up in their file.

Theoretically, the only information eCrap can put in their file is the information that I give them. Amazon's files probably contain information about what books I bought, my address, credit card information, and maybe some information about what books I looked at but didn't buy... any information that they can gather from my activity on their web site. Amazon does not know how old I am or what color my hair is, since I never told them that information. They don't know that my favorite cafe is The Big Cup in New York City, because I never gave them that information, either. But they do know that I bought the book 101 Cute Puppies from them. One day, if 101 More Cute Puppies comes out, they are probably going to search their files for people who bought 101 Cute Puppies and tell us about the sequel the next time we log on.

How Cookies Protect Your Privacy

Now, suppose I decide to open a credit card account online. Of course, the credit card company would probably love to know that I just bought "Bankruptcy for Dummies" and "How to Stiff Everyone And Move To Brazil" from Amazon.com, but they are not going to find out. Why? Because my web browser will simply never send my Amazon cookie to the credit card company. The golden rule of cookies is that they are only sent back to the same web domain as they came from. This is important to remember, because it's the only thing that really protects you from having all the web sites you visit swap information about you. I don't want my credit card company to know that I bought a bankruptcy book. I don't want potential landlords to know that I read lots of articles about caring for Boa Constrictors. I don't want potential employers to know that I read web sites about homemade bombs. They'll probably take it the wrong way.

Unfortunately, this is one case where the consumer's interests and the web site's interests are diametrically opposed. Every web site in the world wants to show you targeted ads. When I visit The Dilbert Zone, they would love to know that I read The Jerusalem Post online and send me an ad for luxury apartments in Israel, because targeted ads sell for a lot more money than non-targeted ads.

Subverting The Golden Rule

Web advertising companies, like Doubleclick, are trying to collect as much information about people as possible, so that they can send them targeted ads. The way they do this is by having their member sites show ads which come from the same web domain.

Here's an example of how this works: I go to The Jerusalem Post to read the latest news. The Jerusalem Post web site includes an advertisement which is actually served up by the Doubleclick web server. Now Doubleclick opens a file on me and sends a cookie back to my web browser.

Later that day, I go to the Dilbert Zone. Dilbert also includes an advertisement, also served up by the Doubleclick web server. Remember, The golden rule of cookies is that they are only sent back to the same web domain as they came from. So my naive web browser says, "Oh, you're going back to Doubleclick, I'll just tell them that you're the same person that was here before..." and now Doubleclick knows that somebody who went to The Jerusalem Post before is now visiting Dilbert, so they show me that ad for the expensive apartment in Israel.

Passport Has Another Way

The Doubleclick trick for sharing your information only works for ads, but Microsoft Passport found a way to work around the golden rule for any site. Here's how it works.

Go to http://www.hotmail.com. Watch what your web browser does. You'll see that your browser first goes to Hotmail for a second, then jumps to www.passport.com for a split second, and  then immediately goes right back to Hotmail. What's going on? 

It turns out that there's a feature to allow a web page to tell your browser to go somewhere else instead. For example, if you try to go to eCrap.com, that site might tell your web browser "Oh, we've gone bankrupt. Please go to our lawyer's site instead, DeweyCheatumAndHowe.com." It's called a client redirect

That's what Hotmail is doing. It only takes a couple of seconds, but while it's happening, Hotmail and Passport are communicating through your web browser about who you are.

Now, if you go to another Microsoft web site, say, www.investor.com, the same thing will happen: you'll get redirected to Passport and then back to Investor. Because Passport is "telling on you", even though your web browser is supposed to be protecting your security by following the golden rule of cookies, it's really Passport that is signing you in. Bottom line: Hotmail knows that you're the same person that just went to Investor. And that applies to any Microsoft web site: Slate, Expedia, Hotmail, Investor, MSN, etc.

The way Passport uses client redirect to subvert cookie security is basically just taking advantage of a security hole in web browsers. Cookies weren't meant to allow this. But you can bet that this is one security bug that Microsoft is not going to fix.

To Summarize:

The golden rule of cookies that protects your privacy is that they are only sent back to the same web domain as they came from. Microsoft Passport eliminates this protection allowing any Passport site to share information about you.

2. How Passport Will Be Developed

The supposed benefit of Passport to consumers is that it allows them to use one login and password to access all the Passport web sites. 

But the benefit to the web sites is much greater, because now they can pool and share their information about you. Let's take a hypothetical example that's possible today. Microsoft's online travel agency Expedia is a Passport web site, and Microsoft Investor is too. One day, Expedia could start offering higher fares to customers who have more than a million dollars in their Investor stock portfolio. There's not really anything technically impossible about this, and it's probably legal, too.

Web businesses would love to have a way to combine their files on you. And the more businesses that have the opportunity to combine their files, the more valuable it is. There's a network effect going on here (a.k.a. Metcalfe's Law): the value of a network of web sites who swap data is the square of the number of sites in the network, because every site can exchange data with every other site.

The spooky thing about Passport is that there's one company that serves as the gatekeeper to joining the network: Microsoft. Which is why this has the potential of being a phenomenally valuable business. 

There are many ways Microsoft can profit from Passport. They could charge a commission when web sites sell data about consumers. They could sell private information which they collect from their participant sites. Or they could just charge web sites to belong to the network. It's a great business that makes credit agencies look like they have nothing.

The scary thing is that if you use Internet Explorer, Microsoft controls your web browser. You can be sure that Microsoft would love to eliminate that nasty two second flash while your web browser is redirected through passport.com. I'll bet there's a feature under development for a future version of IE that will make Passport just be built into the web browser, or even built into the operating system itself. Don't believe me? Here's a quote from Microsoft's .NET white paper:

Building on Microsoft Passport and Windows authentication technology, [Windows.NET] provides levels of authentication ranging from passwords and wallets to smart cards and biometric devices. Enables developers to build services that provide personalization and privacy for their customers, who in turn can enjoy new levels of safe and secure access to their services, no matter where they are or on what device. Supported in the first major release of Windows.NET, code-named "Whistler."

Notice the way Microsoft acts as if they are providing "privacy" and a "new level of safe and secure access." Uh huh. The best way to lie is through repeated assertion until eventually nobody notices the lie.

Passport will be built into IE, it will be built into the operating system, and it will be made available as a programming interface so that developers can use it, and frankly, there goes your last defense against corporations building up gigantic super-databases with outrageous amounts of personal information about everyone.

Yeah sure, Microsoft promises to protect your privacy... Does anybody really believe this for a minute? Every day there's a new story about a security breach -- Hotmail itself, a Passport site, had a major security breach a couple of months ago that made it into the headlines. During the next wave of web based business failures, we're going to start seeing a lot more stories like the one about how toysmart.com, as soon as they went bankrupt, reneged on their promise to protect the privacy of their customers. Even the best laid plans to protect consumer's privacy don't work. There are always software bugs and security goof-ups. Unscrupulous employees on the inside abuse their ability to look at the database. Court orders and subpoenas force companies to divulge information they promised to keep secret.

If Microsoft was honest about protecting your privacy, they would let users keep their private information on their own computers, and they would ask you every time they were going to reveal some data.

But they're not being honest. They want all your data in a big database on their server, thank you very much, and they want you to click "I Agree" to the 27 pages of legalese which says things like "Microsoft reserves the right to amend this agreement at any time." If you really trust any Internet company to protect your privacy, I've got a bridge to sell ya.


Read some of my reader's responses.
JunkBusters on Microsoft and Privacy
Have you been wondering about Distributed Version Control? It has been a huge productivity boon for us, so I wrote Hg Init, a Mercurial tutorial—check it out!

Want to know more?

You’re reading Joel on Software, stuffed with years and years of completely raving mad articles about software development, managing software teams, designing user interfaces, running successful software companies, and rubber duckies.



About the author.

I’m Joel Spolsky, co-founder of Fog Creek Software, a New York company that proves that you can treat programmers well and still be highly profitable. Programmers get private offices, free lunch, and work 40 hours a week. Customers only pay for software if they’re delighted. We make Trello, easy web-based collaboration software, FogBugz, an enlightened bug tracking and software development tool, and Kiln, a distributed source control system that will blow your socks off. I’m also the co-founder and CEO of Stack Exchange. More about me.

© 2000-2014 Joel Spolsky