Though Microsoft seems to have changed its tune about the importance of its users’ privacy in the past month, a company spokesman says the song could still remain the same for a few years.
Bill Gates, Microsoft’s chairman and chief software architect, sent out a mass e-mail to 47,000 full-time employees in mid-January asking them to put privacy and security concerns ahead of new product development for the first time.
That would be a change from Microsoft’s position when a glitch in Windows Media Player was discovered early last year that would allow certain Web sites to monitor a user’s surfing habits. The problem was originally shrugged off by Microsoft as a non-issue, according to one U.S. Internet security expert, because it was initially a privacy concern, not a security concern.
A Microsoft security consultant seems hopeful that the software manufacturer will finally iron out all the bugs in its programs. The results, he cautions, just might not be visible tomorrow, though.
“I think we recognize that this is going to be a long-term effort and there’s going to be a few bumps and bruises along the way,” says Microsoft Canada’s Mike Lonergan. “So we’re not talking about an overnight success story here. While Microsoft is making some serious efforts right now (in regards to privacy and security), we recognize that this is going to have to be a multi-year effort to get the company’s entire direction changed and refocused.”
He points out that there have been fixes to programs like Internet Explorer that make it easier for users to control how much information they want their computers to give out.
But Richard M. Smith, a Boston-based Internet privacy and security consultant, says the company has its work cut out if it wants to regain some of the credibility it lost by ignoring privacy issues in the past.
Smith discovered a flaw in Microsoft’s Windows Media Player early last year, which allowed some Web sites running ActiveX controls to capture the user’s unique Media Player ID number through a simple JavaScript. The Web site could then track users and report the Web surfer’s activities back to other malicious sites. He called this flaw a “supercookie,” since it couldn’t be dealt with by software that blocks regular cookies or other tracking mechanisms.
Microsoft offered users a way to manually fix the problem in a May 2001 security bulletin, but the company noted the fix-up was being offered as a solution to two unrelated security issues. Microsoft then played up the security breaches over the privacy issue by adding in the notice that “we typically do not discuss privacy issues in security bulletins.”
“I’ve dealt with (Microsoft’s) security department, and . . . they really do have this mindset that looking after privacy issues is not their job,” says Smith. “I think it’s embarrassing. A privacy leak is a security problem.”
“Microsoft needs to add 10 to 20 per cent more programmers to the development groups, and what these programmers have to do is focus on these security and privacy issues (exclusively),” he adds. “And Microsoft has the money to do it, so money is not the issue.”
Lonergan says the supercookies incident “is an old issue that’s just kind of resurfacing” in the press, and that the fix involves manually switching on a feature that randomizes the user ID.
He points out that the reason Microsoft offered a fixed ID in Windows Media Player was in case the user needed access to subscription-based media from a content provider.
As to whether or not Microsoft drew the line between security and privacy in this instance, he wasn’t sure. But he suggests the problem was looked at on both fronts only after it became a security issue.
“The bulletin itself did address the problem as a specific privacy issue, and the security response centre doesn’t normally address privacy issues, per se,” he says. “But, as part of the fix process, it was deemed sufficiently imperative for us to be able to ship a fix for the privacy issue along with the related security issue.”