Copyright 1999 Globe Newspaper Company
The Boston
Globe
March 9, 1999, Tuesday ,City Edition
SECTION: ECONOMY; Pg. C1
LENGTH: 883 words
HEADLINE:
Privacy advocates decry digital 'fingerprints';
Step up call for federal
protection in wake of Microsoft disclosure
BYLINE: By
Hiawatha Bray, Globe Staff
BODY:
Nervous Americans are beginning to worry that their personal computers can't
keep a secret.
Reports of new technologies that create digital
"fingerprints" of computer users that could violate their privacy have led to
embarrassment for two of the nation's leading high-tech companies. As a result,
privacy advocates have stepped up demands for federal legislation to limit the
way firms collect and use personal information.
"The
law that protects our privacy has not kept pace with rapid
changes in technology," says Barry Steinhardt, associate director of the
American Civil Liberties Union. "We need to have some safety net of national
legislation that protects us from this kind of information grab." The privacy
issue heated up following reports that Microsoft Corp.'s Windows 98 software
automatically creates a unique identification number on every computer that uses
it. This number is then sent to Microsoft over the Internet when the software is
registered, without the user's consent.
"They've been apparently
collecting these hardware IDs for the last eight months or so, ever since
Windows 98 came out," said Richard Smith, president of Phar Lap Software Inc. in
Cambridge, who discovered the ID numbers and contacted Microsoft to object. The
ability of Windows 98 to create such digital fingerprints was first reported
Sunday in The New York Times.
The Windows 98 ID number might not be much
of a privacy threat by itself. But a similar ID is embedded in documents created
with Microsoft products like its word-processing program, Microsoft Word.
Someone with access to Microsoft's database of Windows 98 users could identify
the author of a particular e-mail. For instance, a court could subpoena
Microsoft's records to identify a message from someone using Microsoft Word.
Smith stresses most home computer users have nothing to worry about.
Both ID systems rely on a unique number contained on a piece of computer
hardware called an Ethernet card, which is used to link computers in networks.
Few home users have Ethernet cards, and on these systems the ID numbers couldn't
be used to track documents.
But Ethernet cards are used on tens of
millions of corporate PCs and a handful of home machines as well, and these
users could be affected.
For its part, Microsoft says it never intended
to collect the ID numbers without users' permission. Microsoft originally
developed the ID system to help its customer support staff identify technical
problems reported by its customers.
Product manager Rob Bennett said a
bug in Windows 98 causes it to transmit the number without the user's consent.
This bug will be replaced in future editions of the product. Microsoft also
vowed to delete the ID numbers from any of its corporate databases, and will
provide a free program that will let computer users remove the ID numbers from
their own machines.
Meanwhile, chip maker Intel Corp. may have settled
its federal antitrust case, but the company is still taking heat over a
controversial feature in its new Pentium III microprocessor. The chip can
automatically identify itself to other computers on the Internet. Furious
privacy advocates are urging consumers to boycott computers with the Pentium
III. They say the chip's identification system could be used to track a person's
movements on the Internet without his knowledge.
For instance, many Web
sites persuade consumers to provide their name and address. Now such a site can
also obtain the chip ID of the visitor's computer. And the site can sell this
information to other Internet companies. If enough firms buy the data, it
becomes very difficult for a user to visit a Web site without identifying
himself. Hundreds of Web sites could use the chip ID system to call up a
complete dossier on the visitor, even if that person has never been to the site
before, and never agreed to provide information.
Intel has sought to
mollify critics by including software that allows consumers to switch off the
chip ID feature. But last month, a German computer hacker demonstrated a program
that could bypass this safety feature and turn the chip ID on without the user's
knowledge.
The ACLU, which once seemed willing to accept the Intel chip,
with proper safeguards, is now taking a harder line because of the hacking
incident. Over the weekend the ACLU joined other privacy-rights groups to urge
the Federal Trade Commission to halt Pentium III sales until the chip ID is
removed.
Robert Smith, editor of Privacy Journal, says technology firms
seem not to think about the privacy implications of their latest gadgets. "It's
just amazing to me that companies don't address it before they implement new
technologies," said Smith.
US Representative Ed Markey (D-Mass.) takes a
jaundiced view of the industry's position. "Trust us, believe us, we'll never
compromise anyone's privacy," said Markey. "But whatever you do, don't pass any
legislation that'll hold us to what we declare is our corporate policy."
Markey wants more than pledges of good behavior. He says he'll introduce
legislation to create a privacy bill of rights. The law would give consumers the
right to know what information is being collected, and how it will be used, as
well as a right to refuse to provide this information.
GRAPHIC: PHOTO, GLOBE STAFF PHOTO/EVAN RICHMAN/Richard
Smith, president of Phar Lap Software Inc. in Cambridge, discovered the ID
numbers and contacted Microsoft to object.
LOAD-DATE:
March 09, 1999