&
Reuters
Sunday, March 7, 1999
12:56pm, PT

Microsoft admits Windows privacy flaw

Software giant to fix Windows ID bug,
which connects users to their documents.
But privacy groups remain concerned.

Microsoft Corp will fix a flaw in Windows 98 that allowed the software giant to collect unique computer identifying information without a user's knowledge, company executives said Sunday.

But a software programmer who detected the problem said he remained concerned Microsoft was amassing a huge database that theoretically could be used to track down the authors of individual documents.

Rob Bennett, a group product manager at Microsoft, said the company learned Friday that Windows 98 users were transmitting a unique hardware identification number during the registration process -- even when they specifically elected not to send data about their hardware.

The problem first was disclosed in Sunday's New York Times.

Bennett said the bug would be fixed in an update to the widely used eight-month-old operating system, expected to be released over the summer.

The issue affects only users whose computers have Ethernet adapter cards, most common in office computers connected to a local area network, but it raises new questions about privacy in a world in which people increasingly exchange electronic information over the Internet.

Microsoft also said it plans to eliminate a feature in its Office 97 word processing and spreadsheet software after concerns were raised about the use of the hardware identification number to generate unique numbers for each document.

"We're very, very concerned about privacy issues and the perception of privacy issues, so this is not going to be there in Office 2000", said Steven Sinofsky, a Microsoft vice president.

Richard Smith, president of Phar Lap Software Inc. in Cambridge, Mass., said he discovered the Office and Windows issues and brought them to Microsoft's attention after privacy concerns were raised about identification numbers on Intel Corp's new Pentium III computer chips.

"I was explicitly looking for a problem like this", said Smith, whose company produces industrial operating systems and software development tools, including many that support Microsoft platforms.

He said he was concerned that Microsoft is building a database of Ethernet addresses that "allows them to track where documents came from."

And he said he suspected that the automatic transmission of Ethernet addresses in the Windows 98 registration process was part of an effort by the company to detect software piracy.

"I don't think this is a bug", he said. "I think it's very intentional."

Microsoft's Bennett denied the machine identification numbers were being used in anti-piracy efforts.

And he said Microsoft's database of such numbers -- provided during the optional registration process -- is used only when users call the company for technical support.

"We're not using these IDs for marketing or for tracking user behavior", he said. "It's not something were interested in doing. It's not something they're designed to do."

Sinofsky, who heads up Microsoft's Office operations, said that because anybody could use a given computer or change identifying information on a document, it was "not conceivable" that a specific document could be linked to a specific person. But he acknowledged there was a legitimate "emotional" element to such concerns.

"I would say most people don't quite get how computers work, and they're suspicious of computers in general", he said. "That's probably why a lot of these privacy concerns are happening."


Copyright © 1999 by Reuters. All Rights Reserved. Reprinted with permission.