 Number 194 - July 1999 |
| Windows 98 Privacy Issue: A fine kettle of fish ... | |
| by John Schatmeyer, The Suncoast Beeper, April 1999 | |
|
An issue concerning
unique identifiers (or tattoos) in Windows 98 surfaced in early March. A
researcher discovered that Word97 and Excel97 files contained an
embedded string (GUID) that contained a unique 12-character code (MAC
address) individually assigned to all Ethernet network adapter cards. He
also discovered that the same address was embedded in a unique
32-character hardware identifier located in the Registry. The immediate
privacy concern was that the combination could be used as a universal
means of tracing documents to their authors.
While Microsoft was reacting to that development and trying to explain most of the issues as unintentional bugs or mistakes, it was reported that two unique 32-character identifiers (MSID & HWID) actually reside in the Registry. Both appear to be first generated during the on-line product registration portion of installation. One, the Hardware ID (HWID), was reported to identify computer hardware in unique association with the owner's personal information supplied during product registration. In many cases, this descriptive ID was transmitted to Microsoft in spite of the owner's instruction not to submit hardware information. While acknowledged as a registration "bug," Microsoft claimed the information was never used for any purpose other than customer support, and indicated it would take steps to remove HWID from future versions of Windows and no longer collect the HWID during registration. Microsoft has not supplied a fix to remove the now abandoned HWID from existing Windows 98 installations in spite of the fact that others may be using this identifier. The company has supplied software only to remove the GUID codes from existing and future Office 97 files. The second identifier associating a registered user with a specific computer is the equally unique 32-character MSID. The purpose of this identifier is not completely clear, but it is also associated with the personal information transmitted to Microsoft during the online registration process. Unless unintentionally altered, this identifier also exists in the www.microsoft.com cookie file and uniquely identifies a registered Windows 98 visitor each time the Microsoft website is accessed. The "cookie GUID" enables tracking and profiling website visitors for marketing purposes. |
Microsoft has given no
indication that it intends to abandon MSID (as it did for HWID). MSID is
obviously not a bug or mistake, and Microsoft carefully avoids any
discussion of this ID in news releases. It must be recognized that one
purpose of these IDs was to combat software piracy and to ensure one
license was used on one machine. It seems as if one of the ID's must be
preserved for that purpose.
While being tracked and profiled by Microsoft on their website may seem bad enough, there is more. Although the IDs were first thought to be for internal use by Microsoft, it has been reported that other companies may be accessing the IDs during registration of their products. These companies may be collecting one or both of these IDs and building their own marketing and software piracy databases. It is important to know that once accessed by installation software any covert transmission of the IDs would have been typically performed over direct telephone link via your analog modem. The main reason for that procedure was evidently a belief that it could be accomplished that way. Therefore, direct 800 number telephone registration remains a tip-off that a company may be trying to collect more information than you provide in electronic registration fill-in boxes. Unfortunately it was discovered several days later that HWID and MSID values could be accessed by simply triggering an Active-X control in Windows 98 and that these unique identifiers could be collected by any website without the visitor's knowledge. The only current fix for this breach of privacy is provided at Windows Magazine website (www.winmag.com) where a command is provided to disable the Regwiz Active-X control. However, vigilance is still required because websites can easily create and implant new Active-X controls to perform the same function, and the old control can be reactivated by upgrades and installation software. The most effective solution is to purge both IDs from the Registry and ensure they remain erased. If necessary, the MSID could be temporarily restored when required by Microsoft for a legitimate purpose. The unfortunate part of this solution is that it requires hacking the Registry. Hopefully, utilities will soon be available to erase these revealing IDs from the Registry and enable the MSID when necessary (and at the option of the computer owner). |
|
Number 194 - July 1999 |
|