Some See Effort to Control Piracy in Windows 98 Privacy Breach

Privacy advocates reacted with skepticism Sunday to steps Microsoft Corp. said it would take to defuse a budding controversy over newly discovered mechanisms in its software that could be used to determine the identities of computer users.

Some skeptics, including the Cambridge, Mass., programmer who discovered the software problem last week, said they suspect the company was engaged in a scheme to combat software piracy, rather than improve customer support, which is Microsoft’s explanation.

“I think it’s being used to detect piracy because it allows them to see whether the same copy of Windows 98” is duplicated on multiple computers, said Richard M. Smith, president of software firm Phar Lap Inc., who discovered the possible privacy breach while examining his home computer systems.

Microsoft rejected that interpretation but said it would make changes in its Windows 98 software as well as Office 2000, its upgrade for Office 97, to allay consumer concerns.

“This is just like a bug in a product that causes security holes or corrupts data,” said Steven Sinofsky, a Microsoft vice president. “If there is even a perception that there is a security problem, we will address it.”

The controversy is the latest in a series of perceived privacy breaches, most notably Intel Corp.’s decision to put unique serial numbers on its newest microprocessor, the Pentium III. Intel agreed to disable the feature after widespread complaints that it could be used to track consumers as they surf the Internet.

Microsoft’s troubles center on decisions made in recent years to make broader use of the so-called Globally Unique Identifier, or GUID, a number long used on networked computers to distinguish one from another.

When Microsoft released Office 97, a suite of programs such as Word, it included a function that encodes the identifier in every document created using that software. The goal, said Sinofsky, was to make it easier to maintain links on the Web between documents even after a document has been moved or renamed.

That decision raised the possibility, for the first time, that electronic documents could be traced back to the computers on which they were created, raising fears that a corporate whistle-blower, for example, might be unmasked by tracing back a document he or she created and distributed.

Until recently, there was no database connecting the identifiers to individuals.

When Microsoft introduced Windows 98 last year, however, it included a “registration wizard” that sends the identifier along with such personal information as name and phone number entered by the consumer during the registration process. The company said the purpose of the identifier was to help its technical support people identify the configuration of a customer’s computer.

But Smith discovered that the registration process would do this even if a customer specifically asked that the configuration of his or her computer not be sent to Microsoft.

Microsoft’s Sinofsky said new versions of Windows shipped later this year will fix that error. Microsoft has also promised that it will erase the GUIDs of any customers who had asked that the information not be collected, although he said it appears that information was not stored anywhere.

Privacy advocates supported some of the remedies Microsoft has outlined but said the company needs to go further by trying to reach all the potential users affected by the problem and putting in writing the company’s pledge to destroy any inappropriately collected data.

Most home PC users aren’t affected by the problem because the identifying numbers are lifted from ethernet cards, devices inside PCs mostly used by businesses as a means of connecting computers to networks.

But the issue has raised broader concerns about Microsoft’s intentions in using the identifiers. There are about 60 million copies of Office 97 in use, and virtually all new personal computers use Windows 98.

Smith and others suspect that Microsoft may have been devising a way to root out pirated copies of its products. Since the ethernet IDs are unique, Microsoft could spot illegal duplicates of its products during registration or tech support calls whenever a product ID is associated with numerous ethernet IDs.

“Across the industry, piracy is the main factor that’s driving user identification numbers,” said Marc Rotenberg, director of the Electronic Privacy Information Council.

Even if the controversy is rooted in an honest mistake, Microsoft may have trouble convincing consumers and critics because of its history of misstatements and aggressive tactics. The company’s ongoing antitrust trial in Washington has produced numerous episodes in which Microsoft executives have been caught in contradictory statements.

“We really have to take a very jaundiced eye when we hear these ‘Whoops, sorry!’ statements from Microsoft,” said Jason Catlett, president of Junkbusters Corp., a privacy watchdog company in Green Brook, N.J.

The issue of privacy in the Computer Age has become particularly heated over the last year. Studies show that consumers are increasingly concerned about the use of personal information, such as names, addresses and credit card numbers, that they are commonly asked for on the Internet.

Microsoft’s new troubles are also sure to embolden U.S. privacy advocates as they push for further domestic reforms, and even federal legislation, to protect consumers.

“We keep coming back to these endless problems with self-regulation, this idea that the industry is going to be able to manage privacy on its own,” said Rotenberg. “We need to establish some clear legal rules.”