Passport Required to Enter


Web sites using Microsoft's Internet Information Server (IIS) might soon have new options for tracking visitors.

According to a report in Wired magazine, the new version of IIS, announced for mid-June and currently in widespread beta-test, will support a feature called "Mandatory User Identification" (MUI). The article quoted a security expert who asked to remain anonymous: according to a non-disclosure agreement between beta testers and Microsoft, information about this feature may not be spread. "This feature has a large impact on privacy and needs open, public discussion," said the expert in order to justify this information leak.

Mandatory User Identification will automatically identify visitors to a Web site using Microsoft Passport.

Upon first contact, browsers send a user's Passport identification to the Web server, which then verifies this information in encrypted communication with Passport servers. If successful, Microsoft's back-end will authenticate the user, and provide the Web server with certain user demographics. Based on this information, which may include name, address, age, gender, citizenship and geographical location, a Web server can grant full access, limited access, or just present an error message.

Because of changes to the HTTP protocol, MUI requires changes in both Web servers and browsers. Apparently, Microsoft added MUI support to their Internet Explorer as part of the latest security patches.

The security expert was outraged, because Internet Explorer sends personal data without informing or asking the user, over an unencrypted connection. According to documentation provided with the IIS beta version, Web sites that enable MUI ought to "mention this fact in their privacy policy."

Apparently, MUI is already in use by some Web sites: certain documents on the Department of Energy's Web site regarding the location of power plants and oil refineries are only accessible to users whose "Passport" identifies them as American citizens. A spokesperson confirmed that the DOE was "experimenting" with MUI: "We have to be more careful about what information to distribute to whom. After 9/11, we removed certain documents that might be misused by terrorists. Microsoft's MUI technology allows us to make sure that information does not fall into the wrong hands."

An insider reported that many adult sites were also looking into using MUI to refuse access by minors: "This is much more convenient than using credit cards for identification, because it is automatic. And it is more secure, because little peeping Tom can steal Daddy's credit card, but not his Passport."

Another facet of the collaboration between Microsoft and its partners is highlighted by a patent for "Transparent and Efficient User Identification on Web Sites" that was recently awarded to Doubleclick, a company that is already notorious for tracking users using "Web bugs" (small graphics embedded in a Web site) and "Cookies." The patent essentially describes an MUI-like scheme for identification and authentication. The patent explicitly mentions the possibility of limiting access according to certain demographics, including regional advertisement "down to a city block." An interesting side note is that former CTO Kevin Ryan left Doubleclick for Microsoft only 9 months ago.

Microsoft replied to requests for information, confirming that such a feature was being worked on, but did not confirm or deny any dates for its ultimate release. "This feature will supply Web sites with vital demographic information, and enable them to provide users with a better, more personal Web browsing experience." Asked about data privacy, the spokesperson said users will of course have the option to limit access to their profiles. Open discussion was not necessary, as "we have covered all legal aspects, in close dialog with several government agencies and the Department of Homeland Security."

In a press release today, Norwegian company Opera, home of one of the few successful competing browsers next to Internet Explorer, announced that it was "disappointed" at Microsoft's secrecy. "We learned of Microsoft's extensions to the common HTTP protocol only from the Wired article, and have yet to receive documentation from Microsoft detailing necessary protocol changes. This is another attempt of Microsoft abusing its monopoly. In the past, Microsoft edited the MSN home page to return false 'CSS' formatting to Opera users, to discredit Opera as inferior. This is their latest attempt, trying to exclude Opera users from MUI-controlled Web sites."


First published on April 1, 2003 as an April Fools joke. Believe it or not at your own risk. Updated and revised March 2004.


Frank Pilhofer <fp -AT- fpx.de>
Last modified: Sun Mar 28 22:23:03 2004