Microsoft's unprincipled action

by Scott Bradner

That did not take long. Only a few weeks after the brouhaha over Intel's addition of a serial number to the Pentium III processor chip along comes the disclosure that Microsoft has been inserting unique serial numbers of its own in the files that are created by its Office suite of programs. That’s not all, back in Redmond WA they have also been building a database of which user is tied to which serial number. So if you are a whistle blower that wants to remain anonymous do not write your expose using Microsoft Word. Your target could just subpoena Microsoft to find out the name of the user of the software that created the file.

Microsoft quickly announced that it would modify the registration software to stop it from sending the serial number to Redmond. They are also going to scrub the serial numbers they already received from their database and are thinking about creating a free utility program that could be used to remove the serial number from a user's computer.

Microsoft said that the serial number was created as part of an effort to make it easier for Microsoft support technicians to diagnose problems that resulted from interactions between software packages and that they never considered the privacy implications of the feature. I'm willing to accept that, even though I'm not quite sure how a software specific serial number helps in this case. But it is quite troubling that Microsoft was oblivious to the privacy aspects. Intel claimed that it was also blindsided by the privacy advocates attacks.

What is so hard to understand about the issues here? Even though Sun's Scott McNealy told us last month to get over the fact that people no longer have any privacy, it seems a no brainer to figure out that it is not a good idea privacy-wise to create yet another way to keep track of what people do or create. But somehow this level of understanding seems to be unachievable in corporate America. I sometimes wonder if there are any people in some of these organizations - people would have seen that if they do this to others they are also doing it to themselves.

Missing from most of the heat over the Intel and Microsoft missteps and the ongoing fight over other personal data such as the picture on your drivers license, which some states are now selling, has been a statement of principal. Here is an easy one to remember - people should be able to say who can get information about them and what that data can be used for. If Intel and Microsoft had thought about this simple principal they would not have done what they did.

disclaimer: If Harvard has principals beyond "Veritas" I'm not the one to intone them thus the above is mine alone.