- The agreement between European data protection officials and Microsoft to alter the .Net Passport service and better protect users' personal data is more show than substance, according to privacy experts and analysts familiar with the terms of the agreement.
Dwight Davis, vice president of Summit Strategies says it's a case of Microsoft's self interest and the European Union's (EU) interest in protecting its citizens being "happily aligned".
Despite blustery statements from European officials about wringing "substantial changes" to .Net Passport out of Microsoft, the modifications agreed to are "minor tweaks" to the .Net Passport service, Davis says.
Those changes include giving users finer control of what information they share with Passport, a summary of key information about privacy policies within the EU, a link to the European Commission's (EC) site on data protection laws and a tool for creating secure passwords.
Users will be able to take advantage of the features through the addition of a prompt that will ask users to designate themselves as EU residents.
"Microsoft told me that they've been planning these features all along and that they presented them to the EU," Davis says.
EU data protection officials stood by the agreement.
"The changes give users greater control over how their information is used," says Iain Bourne, strategic policy manager for the UK Data Protection Authority, which participated in the EU-wide committee investigation into online authentication systems.
They will also give a better explanation of how information is used by Microsoft. "There wasn't adequate transparency until now, so Microsoft had a problem with some EU data protection laws," Bourne says.
Not on the table in Microsoft's negotiations with the EU, however, were more substantial changes, such as separating .Net Passport from the Windows XP operating system or Microsoft applications and services, says John Pescatore, an internet security analyst at Gartner.
"Almost everyone who buys a new computer right now is buying Windows XP, and it's nearly impossible to start up new Windows PCs without getting a new Passport account," Pescatore says.
Changes that would allow organisations other than Microsoft to own Passport user identity information in a so-called "federated network" were also not part of negotiations with the EU. However, those changes may be coming anyway, with or without EU intervention, Davis says.
Microsoft indicated that it is developing a federated version of the .Net Passport technology. The main alternative to .Net Passport, the open source Liberty Alliance platform, operates on a federated identity model and was not singled out for any changes.
Mandating substantive changes in the way Passport stores user information or is tied to applications or services like MSN accounts would have been much harder for Microsoft to comply with and could have given the rival Liberty Alliance companies a head start in Europe, according to Pescatore.
The absence of such mandates should be interpreted as a victory for Microsoft, Pescatore says.
That worries Liberty Alliance supporters.
"It's a huge issue having an alternative to .Net," says Christine Varney, a lawyer from the offices of law firm Hogan & Hartson which represents the Liberty Alliance in Washington, DC.
Unlike .Net, the Liberty Alliance, which receives backing from Microsoft rival Sun Microsystems, is not a branded service, leaving it up to the individual participating companies.
So far around 150 companies, including financial services company, American-Express, have expressed an interest in using the system.
While he couldn't say one system is better than the other, Bourne expressed support for solutions that avoid using a centralised database that gathers large amounts of information, such as .Net Passport.
Although the US government's Federal Trade Commission (FTC) reviewed and mandated changes to Passport in August, the US government has had little to say about privacy concerns stemming from Passport since then.
As for extending EU-style protections to Passport users in the US, Microsoft claimed that it does not know of -- and thus cannot link to -- a similar US government site that would summarise US data protection laws like the site sponsored by the EC, according to Davis.
Unlike the EU, the US does not have clear and overreaching laws concerning the protection of personal data, according to legal experts.
"There is very little in the way of privacy law in [the US]. You have the financial arena with strict regulation and health care. Outside of those arenas, there's not much," says Mark Grossman, chair of technology law group of Becker & Poliakoff in Miami, Florida.
In the absence of such laws and with little indication from the Bush administration that strengthening consumer data privacy is a priority, residents in the US and other countries are more likely to have personal information shared or used in ways that they do not approve of than their counterparts in the EU, according to Grossman.
(Additional reporting by Paul Meller in Brussels.)