Tangled Webs

    Big Brother Revisited
Issue 4.6
Apr 1, 1999

Boxing Cassandra

It's not that I dislike being proven right, it's just that I would have preferred to have been wrong about this particular issue. In a recent edition of Tangled Webs, I wrote that Microsoft most likely had a hand in Intel's decision to place a unique identifier on the Pentium III and speculated that Microsoft had its own designs on identifying individuals over the Internet. Almost on cue, events unfolded to support my claims.

While CPU ID numbers are not yet common, Ethernet cards can provide similar information. Years ago network card vendors worked out a method of assigning each card a unique 32-digit identifier so that cards could be positively identified over a LAN. Windows uses this information to build a Globally Unique Identifier (GUID) and stores that identifier in the system registry.

A network-card-based ID is inferior to a CPU-based one for several reasons. The most obvious is that a network card does not positively identify a computer. Cards can be changed. Some computers have more than one card. Some have none. Imperfect though they are, the way in which GUIDs are being abused today portends a dangerous lack of privacy in all areas of our lives.

The Shape of Things to Come

In early March it was discovered that MS Office97 was hiding the computer's GUID in each and every Office document created. In this way, all documents created in Microsoft Office can be traced back to the machine that was used to create them. On March 3, an article about this was published in the New York Times, and that got Microsoft's attention.

Microsoft responded with a full court press release. It is testament to the agility of Microsoft's spin doctors that this invasion of privacy is now being referred to as the "Unwanted Data Bug". The term is not only misleading, but a dangerous trivialization.

I have developed quite a bit of software over the years, and I've been responsible for more bugs than I care to admit. And let me tell you, some of them have been real doozies too. I can assure you with complete confidence that this invasion of privacy is not a bug. It is unquestionably there by design.

To store the GUID in this way requires that the application query the system registry, obtain the GUID, create a string of characters based on that information and then hide that string in a specific location in every file created. This cannot be done by accident. That Microsoft asks us to believe that this happened inadvertently, not just once, but in all Office applications is insulting to the point of outrage.
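For readers who want to audit their own files, the following is an added example, not code from this column or from Microsoft. It assumes the identifier sits in the file as ordinary GUID text (ASCII or UTF-16LE) and goes beyond the column by decoding the RFC 4122 layout, in which a version-1 GUID carries the network card address in its last twelve hex digits. The function names and sample bytes are constructed for illustration.

```python
import re
import uuid

_H = rb"[0-9A-Fa-f]"

def _guid_regex(nul):
    # nul is empty for ASCII text, or an escaped NUL for UTF-16LE text.
    h = rb"(?:" + _H + nul + rb")"
    dash = rb"-" + nul
    return re.compile(h + rb"{8}(?:" + dash + h + rb"{4}){3}" + dash + h + rb"{12}")

_PATTERNS = (_guid_regex(b""), _guid_regex(rb"\x00"))

def find_guids(data):
    """Return the distinct GUIDs written as text anywhere in a file's bytes."""
    found = []
    for rx in _PATTERNS:
        for m in rx.finditer(data):
            u = uuid.UUID(m.group().replace(b"\x00", b"").decode("ascii"))
            if u not in found:
                found.append(u)
    return found

def describe(u):
    """Report the GUID version and, for version 1, the card address it carries."""
    # RFC 4122: a version-1 node field is the IEEE 802 address unless the
    # multicast bit of its first octet is set, which marks a random node.
    hw = u.version == 1 and not (u.node >> 40) & 0x01
    mac = ":".join(f"{(u.node >> s) & 0xFF:02x}" for s in range(40, -1, -8))
    return {"guid": str(u), "version": u.version, "nic_address": mac if hw else None}

def group_by_nic(files):
    """Map each recovered card address to the files whose GUIDs contain it."""
    groups = {}
    for name, data in files.items():
        for u in find_guids(data):
            mac = describe(u)["nic_address"]
            if mac and name not in groups.setdefault(mac, []):
                groups[mac].append(name)
    return groups

# Constructed sample bytes, not real documents; the address is locally administered.
SAMPLE_FILES = {
    "memo.doc": b"\xd0\xcf\x11\xe0" + "{5f0c2a80-d1b4-11d2-8a3c-02005e100001}".encode("utf-16-le"),
    "budget.xls": b"hdr 9b7d44e0-d2f1-11d2-8a3c-02005e100001 trailer",
    "notes.txt": b"id=3d0ca315-aff9-4fc2-be61-3b76b9a2d798",
}

if __name__ == "__main__":
    for nic, names in group_by_nic(SAMPLE_FILES).items():
        print(nic, "->", names)
```

Two files that report the same card address were written on a machine with the same network card; a version-4 (random) GUID such as the one in `notes.txt` yields no address.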

As invasive and offensive as this practice is, however, one fact led us to believe that things were still under control. Identifying the creator of a document required either physical access to the computer in order to obtain the GUID or the possession of an Office document known to have been created by that person. There was no central database linking GUIDs to real names and addresses.

We should have known better.

Shortly after this issue came to light, it was discovered that during Windows98 registration, the GUID was secretly being sent to Microsoft and stored in their databases. Furthermore, the GUID was saved as a browser cookie so that Microsoft could have immediate access to the real world identities of all Windows98 users whenever they visited microsoft.com.

For the most part, cookies are harmless. If you erase them and revisit a site, you will appear as a new user and you will be assigned a new ID number. There is no way to associate you with your past actions or your actions at other sites. When the cookie is based on your GUID, however, it can be recreated exactly as before and anonymity completely lost.

Microsoft Replies

Microsoft spokesmen responded to this discovery by doing what they do best: lying through their teeth. Product Manager Robert Bennett told Wired News that the findings were "completely speculative and untrue." An official Microsoft statement claimed, "Speculative discussion is inevitable about a topic as emotional as privacy. In this case, it has led to rumors that the information gathered in the Windows registry is somehow related, or could be related, to documents created using Office 97."

The next day, Microsoft admitted it was all true and agreed to change Windows98 registration so that GUIDs are no longer collected without users' knowledge and to erase the GUIDs that they have already collected. They have, however, been cool to the idea of external verification that they actually do so. Microsoft has also promised that future versions of Office and Windows will not store the GUID in this way.

Somehow, I don't feel reassured. If I came into the office and found a coworker rifling through my desk I would most certainly not be satisfied with the claim that it was an accident, a promise to put back what was taken, and an assurance that he would be more careful in the future.

Microsoft was not collecting this information by accident, and I think the public should demand to know exactly how Microsoft planned to use it. Until we have these answers, we would do well to conclude that perhaps this really was a bug. After all, it only took two years for it to come to light. Perhaps in the future Microsoft will indeed be more careful by encrypting this information so it is not so easily detected.


© Copyright 1999, Tim Romero, t3@vanguardjp.com
This article first appeared in the Mar 28, 1999 edition of The Japan Times.
Tangled Webs may be distributed freely provided this copyright notice is included.
The Tangled Webs Archive is located at http://www.vanguardjp.com/t3/tangledwebs/index.shtml