Privacy loophole in Win98
March 7, 1999: 8:33 p.m. ET

Microsoft to modify operating system to protect registration information
NEW YORK (CNNfn) - Microsoft Corp. will modify a feature of Windows 98 that allowed the software giant to collect unique computer identifying information without a user's knowledge, company executives said Sunday.
     Rob Bennett, a group product manager at Microsoft, said the company learned Friday that Windows 98 users were transmitting a unique hardware identification number during the registration process -- even when they specifically elected not to send data about their hardware.
     Bennett said the bug would be fixed in an update to the widely used 8-month-old operating system, expected to be released over the summer.
     In addition, Microsoft will provide a software tool on its Web site to enable users to clear improper information from the system registry of their individual machines, Bennett said.
     And the company will re-examine its database of Windows 98 users to make sure that the company is not retaining improper information, he said.
     "We want to make sure our customers feel secure," Bennett said.
     The issue affects only users whose computers have Ethernet adapter cards, most common in office computers connected to a local area network, but it raises new questions about privacy in a world in which people increasingly exchange electronic information over the Internet.
     Microsoft (MSFT) also said it plans to eliminate a feature in its Office 97 word processing and spreadsheet software after concerns were raised about the use of the hardware identification number to generate unique numbers for each document.

    
Growing concern over privacy

     Microsoft's move comes as computer users are becoming increasingly alarmed that their identity and computer habits could be tracked by third parties over the Internet.
     Last month, Intel Corp., the world's largest chipmaker, came under fire when it disclosed its new processor would include a processor serial number (PSN), which would verify individual users' identities when conducting transactions over the Internet.
     Intel said the feature would help boost security of electronic-commerce transactions, but privacy groups quickly objected, claiming the information could be used by outside parties to track computer users.
     Originally, Intel (INTC) said it would include a software feature enabling users to turn off the ID feature. After a number of privacy groups stated their concerns, the company said users would instead have to turn the serial number feature on to execute e-commerce transactions, rather than having to remember to turn it off.
     The New York Times, which first reported the Microsoft privacy issue, said the feature had the potential to be far more invasive than the Intel serial number because the Windows number is tied to an individual's name, address and even to the documents an individual creates.
     The information is collected during the registration process, when new users are asked to register their copy of Windows 98 with the company so they can be contacted about updates or changes.
     If the user's machine has an Ethernet network adapter, the "registration wizard" uses that number to generate a new, random number that is retained both in the system registry of the individual machine and in the registration information that the user submits to Microsoft over the Internet.
     However, Bennett acknowledged, the Ethernet identifier -- which is hard-wired into network cards under a standard that predates the Internet Protocol -- remains recognizable, thus making the user potentially identifiable through the registration number.

    
Identifiers in Office

     Microsoft has been discussing the issue with a programmer who contacted the company last week after discovering the company's Microsoft Office business software was creating unique numbers identifying a user's personal computer and embedding them in spreadsheet and word processing documents.
     The programmer, Robert Smith, said the number could create a "digital fingerprint" that could be used to match a document created by a word processing or spreadsheet program with a particular computer.
     "I was explicitly looking for a problem like this," said Smith, whose company produces industrial operating systems and software development tools, including many that support Microsoft platforms.
     He said he was concerned that Microsoft is building a database of Ethernet addresses that "allows them to track where documents came from."
     And he said he suspected that the automatic transmission of Ethernet addresses in the Windows 98 registration process was part of an effort by the company to detect software piracy.
     "I don't think this is a bug," he said. "I think it's very intentional."
     Microsoft's Bennett denied the machine identification numbers were being used in anti-piracy efforts.
     And he said Microsoft's database of such numbers -- provided during the optional registration process -- is used only when users call the company for technical support.
     "We're not using these IDs for marketing or for tracking user behavior," he said. "It's not something we're interested in doing. It's not something they're designed to do."
     -- from staff and wire reports

Most stock quote data provided by BATS. Market indices are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer. Morningstar: © 2018 Morningstar, Inc. All Rights Reserved. Factset: FactSet Research Systems Inc. 2018. All rights reserved. Chicago Mercantile Association: Certain market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Dow Jones: The Dow Jones branded indices are proprietary to and are calculated, distributed and marketed by DJI Opco, a subsidiary of S&P Dow Jones Indices LLC and have been licensed for use to S&P Opco, LLC and CNN. Standard & Poor's and S&P are registered trademarks of Standard & Poor's Financial Services LLC and Dow Jones is a registered trademark of Dow Jones Trademark Holdings LLC. All content of the Dow Jones branded indices © S&P Dow Jones Indices LLC 2018 and/or its affiliates.
