Microsoft will modify future releases of Windows 98 to allow greater control of a feature that could be used to collect private information about users of the popular operating system, the company said today in a letter to customers.
The software giant will offer a free utility to current users of Windows 98 who want to delete the feature, called Registration Wizard, which sends to Microsoft a globally unique number that is tied to a given user's hardware configuration when the user registers. The objective of having the hardware information on file is to shorten customer service call times, Microsoft said.
The software maker acted quickly today to brief consumer groups about its efforts to address the issue -- a sign that it has learned a valuable lesson from the backlash Intel suffered over its plans to embed a unique serial number in its Pentium III processor.
"Microsoft says they have addressed the issue. We still need to see how that plays out, but we're pleased that they understand this is a problem and that they're doing something about it," said Ari Schwartz, policy analyst at the Center for Democracy and Technology (CDT) in Washington, D.C., who was briefed by Microsoft by telephone earlier today.
Microsoft learned on Friday that "the Registration Wizard might inadvertently be sending a specific hardware identifier to Microsoft during user registration, regardless of whether the user chose to send his or her hardware diagnostic information," Yusuf Mehdi, director of Windows marketing said in a letter posted on the Microsoft Web site.
"This hardware ID is only used by the software system and is not used for customer record-keeping purposes," he wrote. "Nonetheless, there are hypothetical scenarios under which this number could be used to learn something about the user's system without his or her knowledge."
Microsoft will sift through its own database and delete information that had been "inadvertently gathered" through the Windows 98 numbers, Mehdi wrote. The company also will modify the feature in future Windows 98 versions so that hardware ID information is not sent to Microsoft unless a user checks the option to provide it.
The number was first discovered by a programmer in Cambridge, Massachusetts, who contacted Microsoft last week.
"These two cases -- the Microsoft case and the Intel case -- have done a lot to alert people to what can happen with identification out there on the Internet," said Schwartz of the CDT.
The threat to privacy posed by the Registration Wizard may be relatively small, given that the user information is sent only to Microsoft and doesn't appear to be available to Internet users at large, Schwartz said. Nevertheless, the issue is disturbing because the software flaw would have allowed Microsoft to collect user data even after the user explicitly requested otherwise, he added.
Intel, meanwhile, has been dragged through the fire over a unique serial number it decided to embed in each of its Pentium III processors. Intel said the number allows for increased security on the Internet by making it easier to verify the identities of two parties in a transaction.
Under pressure from consumer groups the company offered at least one mechanism that allows users to disable the serial number so that it can't be read, although some consumer advocates say a skilled hacker could read the serial number if they wanted to.
Schwartz said the Pentium III's serial number has a greater potential for harm than Microsoft's Registration Wizard.
"The Intel situation is different because people can design software and Web sites based around whether or not you have this serial number, and they can force you to divulge information about yourself as a condition of receiving their service," he said.
The CDT also fears that online marketers, as well as other people with more unscrupulous motives, could use the Pentium III serial number to help build databases of information about users based on their activities on the Internet.
Some means of identifying users on the Internet is necessary, Schwartz acknowledged. But the CDT, along with other privacy groups, believes it can be achieved using smart cards, digital certificates, and biometrics, which use unique physical characteristics like fingerprints to identify users, he said.
"I think software and hardware firms will find there are a lot of instances where you don't need to know a user's identity. In the meantime, they're creating a lot of hassle for themselves on the (public relations) front," Schwartz said.
Schwartz acknowledged that there are likely other technologies on the Internet that allow users to be identified and their Web movements to be tracked. The Intel and Microsoft products have generated a lot of reaction because they are so widely distributed, he said.