Gatekeeper of your personal data
For Microsoft's .Net "magic" to work, consumer data needs to be stored centrally so it can be accessed by all the HailStorm-certified Web services. Microsoft casts itself as the gatekeeper for all that consumer data, saying it will store personal information for a monthly subscription fee at HailStorm data centres it plans to operate.
"Microsoft holds all the data: That's part of operating the service platform," said Ruth Anne Lorenzen, director of division marketing for .Net. It's only with the data residing in the "cloud" at HailStorm data centres, she said, that the .Net vision can work. She acknowledged that numerous issues regarding how consumer permissions will be handled have yet to be addressed. For instance, how will consumers know if the site to which they are handing over data has a stringent privacy policy and offers high-level security?
The only thing that seems certain is that anyone who plays in the HailStorm world will have to sign on to a Microsoft licensing agreement.
"People who call the HailStorm platform--site operators, developers--will have to have a license relationship with us and have to be certified," Lorenzen said. "They will have to have architected their solution in a way that meets" Microsoft's privacy and security standards.
But industry analysts, privacy experts and even some Microsoft supporters question whether Microsoft is capable of offering privacy guarantees, given the lack of any clear-cut laws surrounding privacy and the company's own antiprivacy legislation stance.
"Why are they being hypocritical?" asked John McCarthy, a group director at Forrester and a privacy expert. "They themselves are waving the flag for privacy, 'We're good citizens, we treat everyone with respect.' Yet they have joined the industry alliance to slow down privacy legislation. That strikes me as hypocritical."
Purcell would not say whether the company would support legislation, offering only that it would never back "bad legislation."
"This is really, really hard stuff--there can be strong, unintended consequences," Purcell said. "Law tries to nail this down and build a box around it so it doesn't move that much. We don't feel that friendly towards any effort that will try to halt or contain innovations."
Meanwhile, Microsoft's chief rival juggernaut, America Online, does support baseline federal legislation girding privacy.
Online players should be backing legislation, said Ari Schwartz, a senior policy analyst at the Centre for Democracy and Technology, a civil liberties organisation that last year received a US$150,000 contribution from Microsoft. A good law, he said, could turn into a distinct advantage for cyberspace.
"Instead of putting it in terms of, 'Regulation will bog down the Internet,' " Schwartz said, a good law would allow online companies to say: "Your privacy is protected more on the Internet than offline. You should shop online because you have the basis in law to know you are protected."
Besides questioning Microsoft's position on legislation, privacy and security experts also ask whether the company can create the highly secure environment needed to be the gatekeeper of consumers' data--and if the idea of having any one company serve as the steward of personal information for online users is a good idea at all.
"I, personally, would not buy into that kind of service," said Bob Lewin, president and CEO of Truste, a 4-year-old organisation that grants its seal of approval to sites that disclose their data collection practices. Microsoft is a "premier" sponsor of Truste, contributing US$100,000 per year to its operation.
Although Lewin believes Microsoft has been responsive to consumer complaints over its privacy and security problems, the idea of creating a single online repository for personal data has too many risks. "I believe in distributed knowledge, for want of a better term," Lewin said. "When you collect material like that--whether it's a Microsoft or someone else--no matter how well you protect it, there's always ways to get into it. And if you put it into one spot, once you get in there, you've got keys to the kingdom.
Some people might feel the types of services made possible by .Net are "convenient," Lewin said, "but the price for the convenience is the risk. It really boils down to convenience and the level of risk they're willing to take. From our point of view, putting it all together is not the best idea."
With a centralised database, "there is no way you can be 100 percent sure this data will not get away from you. It's an accident waiting to happen," said Deborah Pierce, a staff attorney specialising in privacy at the Electronic Frontier Foundation.
"I think this is really awful," she said. "This is all of your personal information. You might have doctor's appointments, prescriptions you take. It could subject the consumer to all sorts of problems if it got out, from identify theft to job discrimination. I think it's a bad idea."
Others worry that governments could easily gain access to the vast concentration of personal information.
"They advertise [.Net] as one-stop shopping for the consumer, but it could turn into one-stop shopping for the cops," said Peter Swire, the Clinton administration's privacy czar, who now is a law professor. "The Fourth Amendment was designed to protect your home and your papers and effects. Your papers and effects used to be locked in your homes. What HailStorm does is put all of your papers and effects in somebody else's hands. The Fourth Amendment does not apply to records you have given to somebody else."
Fourth Amendment jurisprudence "starts from the proposition that if you trust information to a third party, you have lost control of it," said Stewart Baker, the former general counsel at the National Security Agency who is partner at law firm Steptoe & Johnson.
While the status of Fourth Amendment law in cyberspace is in its infancy and is constantly being tested, Baker predicted that in the end, "what the courts are likely to say in most of these cases is if you trust somebody else, you have to put your fate in their hands. If you wanted to protect all of the information people were storing on Microsoft's servers as though it were the hard drive of the user, it would require new legislation. Even Microsoft can't give you an assurance."
Microsoft's Purcell said the company is aware of the Fourth Amendment implications for .Net. There are "lots of interesting legal questions around this," he said, noting that Microsoft executives are "engaged with the government in discussions" around the Fourth Amendment and cyberspace.
