Networks for the Future: To .NET or Not

PART 1: The Microsoft Network

In accordance with the Tunny Act, NetAction recently sent comments to the Department of Justice regarding their Proposed Final Judgment in the Microsoft Anti-trust case[1]. We found that the proposed remedy was not in the public's interest on several levels. One of our primary concerns is that it puts undue and unnecessary control in the hands of a single company whose past has demonstrated it cannot protect our security and does not have a demonstrated interest in our digital safety.

In this paper we expand on the concerns raised in our Tunney Act comments and propose guidelines[2] by which the networks of the future might be analyzed. These guidelines will be used to examine both contexts: The Microsoft Networks (below) and The Open Networks (in Part 2). Following the guidelines, we borrow from the palettes of others in sketching these horizons.

As we have shown in our Tunney Act comments, the Proposed Final Judgment (Judgment) does not protect consumers from Microsoft's past, current, or future behavior. The Microsoft future looks dismal for consumers on several fronts: privacy, security, competing software and services, digital rights management, and even the very nature of the Internet.

Privacy

Consumers have a growing concern for their privacy. Each day they learn how much another company knows about them–often more than a person would voluntarily tell those companies if they had a choice. Companies have long been assembling detailed digital personae, or profiles, on how consumers live. Even fewer consumers are willing to let businesses sell such information to third parties who assemble mailing lists for sale. "The public is especially concerned about 'Big Brother' activities: surveillance of individuals by employers or insurers who can look for telling patterns of behavior in data about the individual's location, education, gender, family, income, and purchases."[4] A recent Gartner survey finds that "Many consumers do not want to risk privacy and security for the convenience of having their online identities managed."[5]

The Gartner survey points out that more than half (54%) of the users that register for web sites do so because the site requires it. Further, 5% of users never register–their concerns are largely to avoid solicitations and because of lack of trust in how the sites handle their financial information.[6]

Microsoft's Passport, .NET, and Hailstorm services promise convenience in trade for trust. However, Microsoft is forcing the issue by requiring users "to send some sort of information about themselves–even if just a numerical activation key based on their hardware profile–over an active Internet connection."[7]

The Electronic Privacy Information Center (EPIC) put it well in their Dec. 11, 2001 letter to the Senate Judiciary Committee: "The privacy and security risks are heightened in this situation because of Microsoft's dominance in the operating system, browser, and office applications markets."[8] EPIC points out that Passport, Microsoft's online identification and authentication system, "will enable unprecedented profiling of individuals' browsing and online shopping behaviors and could literally become the tollbooth that controls Internet access for millions of consumers in the United States."

Passport is not the only problem. It is part of the bigger problem: Hailstorm (more on Hailstorm[9] shortly), .NET, XP's mandatory authentication services–some of the many tools that Microsoft is using to proprietize all Internet and transactional services. Each of these components is designed to squeeze and control the consumer for additional profits and information.

Microsoft's dominance in the home computer market gives them a big step into forcing identity services on consumers. Once locked in, Microsoft will have little incentive to cooperate with other services, vendors, or standards other than to collect tolls. "Over time, Microsoft will ease the consumer's way into services that Passport interacts with and will make it difficult to interact with services that don't comply with Passport."[10]

In no way is this a benefit to consumers. They don't want this kind of power used against them. What option do they have when their hardware becomes obsolete and they need to buy a new computer? They will not have the option of using their old familiar software because they will not have that choice in the marketplace. Their privacy will be lost with the mandatory registration of their new software. And it won't stop there.

Security

Why should consumers trust a company so well known for their security vulnerabilities? Why should they be forced to?

"Without question, Microsoft's dominance in the OS market plays a big part in the security-breach headlines. The sheer number of Microsoft users makes the company a target for hackers, both increasing the chances that security flaws will be discovered and heightening the virus's impact. Many experts, analysts, and hackers believe Microsoft's hegemony isn't the only problem. They say the software simply has too many interfaces that malicious programmers can exploit."[11]

While Microsoft can claim over 90% of the desktop operating systems and 96% of the productivity applications suites, they should also claim four of the biggest sources of vulnerability:

Security is an ongoing battle between Microsoft, their customers, and the computing environment.

The Redmond, Wash.-based software giant has been criticized by computer security experts for developing software that too readily allows code to perform executions on Windows systems, opening the door to viruses that steal data, delete files or leave open back doors on systems for future hacking.[12]

For their part, customers "probably have not downloaded the patches because there are so many of them."[13] This leaves millions of home and office computers open and vulnerable–ready for hackers to lay a foundation for later coordinated and distributed denial-of-service cyber-attacks.[14] While Microsoft is quick to point out that users must be proactive about security, Microsoft is just as quick to take advantage of the fact that people generally don't change their default settings or icons on their desktops, giving Microsoft a large number of incidental additional users.[15]

Microsoft acknowledges this responsibility on one level, and hides from it on another. For example, how does Microsoft handle the news of publicly-discovered security breaches? They hide it. At last year's Trusted Computing Forum, MS put forward a plan in which researchers and security people would keep quiet about new vulnerabilities for 30 days. "They don't take security seriously. They treat security as a public relations problem," said Bruce Schneier, chief technical officer of Counterpane Technologies Inc., an online security services company.

"An online store operated by Microsoft Corp. [NASDAQ: MSFT] for software developers was unavailable today following reports that a security flaw gave visitors the ability to take control of the site, including access of customer data."[16]

"It's much easier to hide the information than to fix the problem. That's their motivation here. Microsoft put out 60 patches to fix security problems in 1999, 100 last year and 55 [in 2001]. Some of the flaws have been in such important programs as Windows XP and Microsoft's Internet server software, known as IIS. After Nimda and Code Red attacked holes in IIS, an influential Gartner analyst advised clients to look for alternatives."[17]

However, consumers don't always have that option. The vast majority of computers available to them have Microsoft's Windows operating system pre-installed.

What should be done about this gross lack of security? Experts in the field recognize that Microsoft should take more responsibility and be held to a higher standard than they currently hold. An article in Business Week agrees:

"The bottom line: Microsoft should be held to a higher standard for security in these programs. The Colossus of Redmond has a public duty to ensure that these technologies are designed without gaping flaws. No, we can't expect IE or XP to be perfect. But let's try to make it a little safer out there, please."[18]

With this big a market, Microsoft does have a public duty to ensure that home and office computer systems are reasonably secure. Currently, "security" in Microsoft products is a public joke (albeit one that's not funny). In a rush to add new features, Microsoft has long overlooked their duty of care and responsibility to ensure our safety.

Competing Software and Services

A short-sighted court[19] found Microsoft's Internet Explorer web browser was not in competition for the browser market, and did not unfairly compete with Netscape in a niche market. Instead, the court agreed with Microsoft that its browser was tightly integrated into the operating system in such a way that it could not be separated. In contrast, Microsoft tried to "tightly integrate" Sun's java programming language into its operating system, but was found by the court to have compromised the market and their license with Sun.[20]

Currently, we see Microsoft moving to tightly integrate other add-on products and services that have proven markets–and were developed by competing companies. A few of the better known firms whose technologies may be excluded from working access to Windows include AOL and Yahoo (default web page & search database, instant messenger), and Real.com (audio/video players, streaming servers); there are many more. Microsoft is poised to extend and secure their monopoly and thus control consumers' desktops and computing activities.[21] We can expect to see Microsoft distorting competition, stifling innovation, and running these other companies out of business if we don't intervene. What's at stake?

Microsoft's own sales literature confirms this direction. (See Top 10 Reasons to Get Windows XP Home Edition,[22] Plus! for Windows XP,[23][24] Building User-Centric Experiences: An Introduction to .NET,[25] My Services[26] and others.)

Microsoft's MSN web service is the most popular web destination–largely because Internet Explorer, currently the most common web browser, has default settings that force users to MSN upon first use of the browser, and to the MSN search site when user-entered URLs have a typo or result in some kind of error. "Windows XP is chock full of MSN hooks. The Internet search feature from the Start Menu uses MSN. Windows Media Player drives traffic to MSN, as does the Passport authentication feature found in Windows Messenger. The Photo & Camera Wizard, where people can order online prints from digital images, also directs traffic to MSN."[27] The latest development, "Smart Tags," ties their operating systems and newest applications to their web sites.

"The feature gave Microsoft "some powerful leverage," LeTocq said, particularly since the company can use its products to redirect users to MSN Web properties and eventually sites "with premium paid services." The test version included Smart Tags for sports, stock and university information."[28]

Microsoft is moving toward a new browser: MSN Explorer. "MSN Explorer offers relatively little flexibility compared to IE, and analysts expect the company may push that browser more heavily..."[29] What's to stop Microsoft from creating technical obstacles to installation of any competing add-ons as default functions?

Not surprisingly, the MSN door is not always open to browser competitors. As CNET reported last year, "some people trying to access Microsoft's MSN.com with a non-Microsoft browser are finding themselves locked out."[30] Competing browser users "could not reach the upgraded MSN site. Instead, they were given the option of downloading a version of Microsoft's Internet Explorer."[31]

Yahoo recently developed an upgrade to its service which effectively redirected IE's default hooks–available only to Windows users (where it's needed most). Yahoo's "add-on exploits little-known customization features in IE and the Windows operating system. It takes over searches in the browser address bar, switches the default e-mail client to Yahoo Mail, embeds its instant messenger within the IE window, adds a Yahoo toolbar below the standard IE menu, places a shortcut to Yahoo Mail on the PC desktop and offers to set the home page to Yahoo.com."[32] While many people find this a welcome change, "analysts predict Microsoft may quickly change its interface to limit competitors' ability to tinker with IE settings on behalf of consumers. 'It would not surprise me if all of a sudden those interfaces changed,' said Carl Howe, an analyst at Forrester Research."[33] Indeed, "Microsoft has always viewed the Web browser as a powerful platform that it needed to control."[34] Now Microsoft's control is being extended to all services on the desktop.

Digital Rights Management

Microsoft's control of consumer desktops is about to become supremely selective, now that they have been awarded a software patent for a "Digital Rights Management operating system." Consumers who care about their privacy rights will be most alarmed by this section:

"The digital rights management operating system also limits the functions the user can perform on the rights-managed data and the trusted application, and can provide a trusted clock used in place of the standard computer clock."[35]

In general,

"Digital Rights Management (DRM) systems restrict the use of digital files. DRM technologies can control file access (number of views, length of views), altering, sharing, copying, printing, and saving. These technologies may be contained within the operating system, program software, or in the actual hardware of a device. ...

DRM systems can prevent the anonymous consumption of content. DRM systems could lead to a standard practice where content owners require all purchasers of media to identify themselves. In other areas where individuals can borrow or purchase media, such as video rental stores or libraries, statutory and ethical protections prevent the transfer of personal information linked to the content acquired. ...

In addition to destroying anonymity in access to digital information, DRM can be used to facilitate profiling of users' preference or to limit access to certain content. This marks an important development in the use of copyright law: copyright can regulate duplication of works to protect content owners. Now, copyright is being used as a justification to both protect content and to profile the consumers of content."[36]

The impact? Digital rights management (DRM) systems will not only discourage unauthorized copying, they will discourage (in some cases prohibit) fair use copying by people who may, for example, wish to make a copy of a recording for use in an audio changer which resides in the trunk of their car. DRM will effectively discourage fair use by people who are largely uninterested or too lazy to get around the DRM system, or who are intimidated by copyright owners' threats (rightful or not). Regrettably, the Supreme Court does not appear to have grasped the principle of protecting non-infringing users against nuisance complaints by copyright holders.

Another example: consumers may not be aware that registration of their new XP operating system is now mandatory and may lock them completely out of their systems if they have not registered.[37] Using their old software is not an option if a new computer is required. When consumers buy a new machine, it comes with a new version of Windows, like it or not. It takes a special person to build his own computer so that he might enjoy his familiar version of Windows, or less likely, another operating system. Microsoft is increasingly tying their operating system and software to a specific machine, so when that machine is no longer usable, the Windows license expires with it.

Increasingly, Microsoft is both the desktop and the middleman to a developing set of services (travel, auto buying, stocks, news & sports, etc.). "A monopoly in operating system software is a platform for unprecedented control over the flow of information to consumers. Control over this software can be leveraged to near total control over the computer screen. Dominating the screen means controlling ... what [consumers] see and when they see it."[38] Microsoft will soon be the master desktop gatekeeper, and no one will be able to argue about their decisions. "Experience shows that companies holding that kind of power eventually will exercise market power for their own benefit at the expense of consumers."[39] Having Microsoft in control of the screen and the channel choices is not a good situation for computer users.

The Nature of the Internet

Open and unrestrained access to the Internet's broad range of content and services is crucial to an informed citizenry as well as to a robust economy. However, Microsoft would like to be in control here as well. Microsoft seems determined to become a middleman to all of our requests and interactions. As middleman, they will be able to force costly software upgrades, impose mandatory compliance with any and all licenses, and dictate the types and manner of our financial transactions.

"If there is any doubt about Microsoft's determination to expand its Internet strategy through Windows XP, consumers may be reminded of it no fewer than five times as soon as they try the new operating system. In the second through sixth attempts to connect to the Net, Windows XP will implore consumers to sign up for something called Passport–an identification technology that, in many ways, is a key to Microsoft's future."[40] Passport registration is required if users expect customer service or support. Prompting for registration includes messages that suggest Microsoft products are necessary to access the Internet, provide greater security, and may be the only applications that work properly with Windows XP. Persuasive posturing for a monopoly.

Passport collects personal information about users: private information like nicknames, special dates, friends and family members, financial information including credit card numbers, utilities like address books and calendars, methods of communications like phone, fax, and voice mail numbers and email addresses, and more. This information is then "managed" (see the Privacy section above) and linked with web use patterns and transactional data. Microsoft proposes to share this database with vendors. This vast intrusive database is all in the name of user identity verification. "The sobering reality is that the overwhelming majority of consumers are not interested in Passport," said Gartner vice president Avivah Litan. "Consumers are primarily concerned with their privacy and security, and they are not willing to sacrifice privacy in exchange for advanced Web interaction services, such as those offered by Passport."[41]

Starting with a mandatory Passport account, Microsoft plans to leverage its dominant position through its server technology called .NET (pronounced "dot net," also known as Hailstorm). .NET is part of "a controversial strategy to transform Microsoft from a traditional software company into a global network of services ranging from communication to entertainment on a subscription basis. If successful, Microsoft could challenge AOL Time Warner and other media giants for control of the Internet and entirely new industries–similar to the way it has dominated the software market, locking customers into Microsoft-sanctioned goods and services."[42] In other words, Microsoft will use its desktop monopoly to act as supreme gatekeeper:[43]

"Microsoft is moving into an area where they would become much like a toll-taker, where the toll is taken on the transactions that move between a consumer and a business or B2B."[44]

While .NET is being targeted at IT departments, Microsoft clearly has its eyes on the consumer market. "Sources close to the Redmond, Wash., company said it is moving ahead with plans for a Home Network server that will connect computers, electronics and home appliances."[45] Microsoft's user examples "revolve around information being retained in a user-centric architecture, as opposed to an application-centric or device-centric architecture. ... Binding all of these together and providing a unique and secure key for accessing this information would be an Identity service through which the users manage their data, and through which applications request permission to interoperate with this data."[46] So not only is Microsoft interested in controlling user desktops, they're also interested in being gatekeeper–using Microsoft's proprietary standards and interfaces–for any and all devices that connect to the Internet. This power would ultimately marginalize competitors for services such as instant messaging, Internet telephony, media players, and collaborative software. "The clear and present danger is that Microsoft's strategy of bolting its Internet-related services to its Windows, Office and browser monopolies will lead to a monopoly in Internet services. Microsoft will then be in the position of supplanting the Internet as we know it today with an Internet proprietary to Microsoft.[47]

Why would Microsoft do such a thing? They're in the business of making money.

Consumers are about to feel the financial squeeze tighten even more. While web surfers are watching the Internet turn commercial, Microsoft is leading the charge. "Users of the [.NET] services will be required to pay a fee to use them. Analysts said that if the HailStorm model is widely adopted–and if people will pay a premium for security–the days of ad-subsidized Internet services, such as free e-mail and messaging, may be over. ... Microsoft's HailStorm model, in contrast, would take content, services and even software away from the PC."[48]

"Analysts said it remains unclear whether these types of services will be attractive enough for consumers to open their wallets. But even if HailStorm fails to take off, the project could pave the way for Microsoft technology to become the standard payment mechanism on the Net."[49]

If Microsoft is allowed to dominate and dictate the interactive and financial protocols on the net, the consequences will be felt not only by American computer users. The Passport and Microsoft's user database will extend its reach in many unforeseen ways. We can't imagine any of them will be in the public's interest.

Through their Digital Rights Management, Microsoft proposes to put "users" in control. Actually, Microsoft is in control.

".NET My Services also turns the industry debate over online privacy on its head. ... .NET My Services uses legal and technical mechanisms to prohibit any unauthorized use... The .NET My Services architecture defines identity, security, and data models that are common to all services and ensure consistency of development and operation. ... .NET My Services will help move the Internet to end-user subscriptions, where users pay for value received."[50]

How trustworthy is .NET if everything about a person is in Microsoft's hands? Even before .NET is available, a "concept virus" has already been published. "'This [virus] is obviously meant to scare customers and Microsoft alike into thinking that .NET servers are vulnerable, and it may succeed,' DiDio told NewsFactor. 'Microsoft has made some significant strides in bolstering the inherent security in its products,' she added, 'but it's also true that neither Microsoft nor any software vendor can make its software impervious to viruses [and other types of] rogue code.'"[51]

Is forcing a pay-by-the-month service on consumers a good thing? Is taking away consumers' ability to choose when they want to upgrade and pay for new software a good thing? Microsoft thinks so. But consumers will see this as a violation of their right to self-determination, their privacy, and their economic well-being. And they will increasingly have little say over their situation.

Next: PART 2: The Open Future | Footnotes