Microsoft鈥檚 internet Passport scheme will be 鈥渟ubstantially鈥 modified, following the publication on Thursday of new European guidelines that aim to protect personal information.
Passport is intended to remove the need for internet users to enter log-on and other details into every new website they visit. This could include their name, address and credit card information. Passport collects this information and automatically provides it to accredited websites and companies that request it.
But privacy and data protection organisations have raised concern that this collected information could easily be misused. A working party of the European Union鈥檚 Data Protection Authorities has now issued a set of guidelines aimed at protecting information entered into such 鈥渟ingle-sign-on鈥 internet schemes, which Microsoft has accepted.
Advertisement
The new rules mean that Passport users who identify themselves as residing within the EU will be given advice on European data protection law and have the Passport system explained more fully. EU users will also be given options allowing them to configure the types and amount of personal data that may be passed on by Microsoft and participating websites.
Secure passwords
The modifications are designed to make Passport comply with the European Data Protection Directive, passed in 1995. Users will also be given advice on creating more secure passwords. Changes to the Passport system will be introduced over the next 18 months.
Frits Bolkestein, the European Commission鈥檚 Internal Market Commissioner, adds: 鈥淭he bottom line is that users鈥 data will now be better protected. Microsoft has agreed to implement a comprehensive package of data protection measures, which will mean making substantial changes to the existing dot.NET Passport system.鈥
A spokesman for the UK鈥檚 Data Protection Commission, which participated in the working group, told New Scientist: 鈥淚t鈥檚 not very transparent how [Passport] works and it鈥檚 difficult to terminate an account. These things are going to be resolved now.鈥
Centralised database
An alternative online identification project called the Liberty Alliance will also have to comply with the new guidelines. This scheme was developed by a number of Microsoft鈥檚 rivals including Sun Microsystems, AOL and Hewlett Packard.
It is designed to let different companies share information without the single centralised database required by Passport. It is currently in the development stage.
Concerns still remain over the security of single-sign-on systems such as Passport. Some experts say a single security breach could expose vast amounts of personal information.
Bruce Schneier, chief technical officer of US firm Counterpane Internet Security told New Scientist: 鈥淚t has all-or-nothing failure characteristics. This makes Passport very dangerous. It鈥檚 a one-stop shop for anyone trying to steal your identity or invade your privacy.鈥
Microsoft has also faced pressure in the US to ensure that personal information entered into Passport is not misused. In August 2002, the software company agreed with the US Federal Trade Commission to let an external company audit the security of the system.