Survey.Net Logo
Your source for information, opinions & demographics from the Net Community!

ANNOUNCING: The Internet's finest interactive, totally-automated, immediate survey system. We can take any form and instantly create a dynamic demographic database and show you the results as soon as you complete the survey!

Melissa virus exposes personal privacy issue

by Cruce Saunders

Last week, the Melissa virus - a Microsoft Word-based macro virus which secretly spawned e-mails wreaked havoc with a number of corporate mail servers. It was all over the news, and even more amazing was the quick apprehension of a suspect. Queries were abound regarding how the authorities were able to track down the suspected author so efficiently. Their responses have been ambiguous at best, and the FBI recently stated that they are not under any obligation to reveal their methods. While doing research on this story, I stumbled upon some information which seems to shed a lot of light on how the elusive author of the Melissa virus could be tracked down, and it also exposes a rather treacherous personal privacy issue that the computing public is probably unaware of:

"Late Friday it was brought to our attention that the Windows 98 Registration Wizard might inadvertently be sending a specific hardware identifier to Microsoft during user registration, regardless of whether the user chose to send his or her hardware diagnostic information. This Hardware ID is only used by the software system and is not used for customer record keeping purposes. Nonetheless, there are hypothetical scenarios in which this number could be used to learn something about the user’s system without his or her knowledge." - Microsoft Press Release (http://www.microsoft.com/presspass/features/1999/03-08custletter.htm)

"It was brought to our attention"?

Are you kidding me? Do programmers write software that "inadvertently", without their knowledge or intent, transmits tracking information from one system to another? I think not.

If Microsoft can arbitrarily claim they didn't realize they were transmitting private information, and the American public buys it, then we are all in really deep trouble.

What is the issue here?

You mean aside from whether or not you should be outraged that corporate america, specifically Microsoft, thinks we're a bunch of brain dead idiots?

There are a number of issues, all of which seem to be coalescing right about now - and they relate to the issue of privacy. There's the Intel Pentium III issue, where one of the "new features" of this chip is its embedded, unique serial number, which can hypothetically be retrieved by software and used to create a trail straight back to your computer from wherever you've been. I guess Intel's version of a "safer Internet" involves the "security" you might feel knowing that one web site may know all the other web sites you've visited - provided they're sharing what they know from your 'virtual tracking device' built into the Pentium III.

And there's the Microsoft GUID issue - a REALLY scary tracking system whereby a unique identifer is not only tied to your computer, but to a plethora of documents originating on your system! Create a Microsoft Word document lately? Did you know that the document is secretly branded as coming from a particular computer? Compile a software program? It's branded as well. We may never know the full extent to which data originating on our system is being branded as coming from us. The GUID is some sort of hardware/software hybrid unique identifier - we don't know a whole lot about it because Microsoft has never been very open about the intent of their software development efforts. The bottom line is that this is some sort of system in place to not only uniquely identify your computer hardware and software, but serves to "electronically brand" a wide variety of documents that may originate therein and later be transmitted elsewhere.

Microsoft confirms the GUID saying:

"The unique identifier number inserted into Office 97 documents was designed to help third parties build tools to work with, and reference, Office 97 documents. The unique indentifier generated for Office 97 documents contains information that is derived in part from a network card, not from an individual user's identity, and thus it is not possible to reliably determine the author of a document." (source: http://www.microsoft.com/presspass/features/1999/03-08custletter2.htm)

The network card address is a unique computer-based identifier. Yes, Microsoft may not be able to tell you WHO was using the computer, but they damn sure know exactly WHICH computer it was. It doesn't take a rocket scientist to figure out there's not that much of a distinction in most cases.

So Microsoft states that this unique identifier is not a threat to privacy?

Well, if this system exists, it will likely be the lynch-pin which helps to nail the suspected author of the Melissa virus. By using Microsoft Word documents as the carrier for this virus, the embedded GUID should be able to trace the virus back to a particular computer, and ...who might be the owner of that computer? Furthermore, with the GUID being embedded in program code, if the Melissa virus's author used work dervative of someone else - maybe some poor hacker who never intended to cause harm who did nothing but post some sample code somewhere, the crime could also be linked back to this person as well!

Did any of us know that our work was being branded? I didn't. I did not know that I was assigned an id number that was public (typically, these things are considred sacred, such as a SSN) - excuse me, my *computer* has a unique id - not much of a difference - that's like saying, "Well we have no idea who robbed the bank; we can positively identify the CAR that the bank robbers used, but obviously that's not enough to find the bank robbers." That seems to be what Microsoft and Intel would like us to believe.

The implications are far reaching for this technology. It basically signals the end of anonyminity on the Internet. If your PC can be definitively identified, and this information is disseminated without your approval, then YOU CAN BE TRACKED. This is great for demographic market targeting for advertising, and tracking down people (for whatever reason) but really lousy for personal privacy.

Up until now, when you surfed the net, you were relatively anonymous - to track someone online required a major amount of effort, including subpoenas ordering local ISPs to coordinate their logs with others in order to find out who was on an IP address at a particular time. With cpu or computer-based unique identifiers, that's no longer necessary - you do not need legal approval to find out this information. It's just a matter of time before the data is being logged on a larger scale, and this will generate a market for exchange of the information in order to build databases of demographic info.

Now generally, I believe, if you're not doing anything wrong, you ultimately have nothing to worry about - and there's no sense being too paranoid. But on the other hand, adaptation of a global unique identifier which brands not only your computer, hardware and software, but ALSO the data that you unknowingly send to others --- that's going a bit too far. I fail to see the positive, "Where do you want to go today" implications of something like this. Oh, I can certainly see the use for such an identifier, but it's completely antithetical to the principle of personal privacy!

Being a webmaster and ISP, I can tell you that if *I* can track computers on my web site (beyond single sessions), that opens up a whole new realm of digging into peoples' lives. If others can do it, I will do it simply because I'll be forced into it in order to remain competetive in the marketplace. I can associate everything they do on my web site with their unique identifier - and yes, maybe I only have an "ID" (their unique machine) and no name, but somewhere, some time, this poor sap will type in his e-mail or name, and *BINGO* I got him - everything falls into place!! And then the info becomes *valuable* - maybe even opening a side venture of information brokering - hey we gotta pay the bills right? "Hey Bob! I see you're back on my site - since I now know you like to look at naked pictures of young boys while your wife is asleep, can I interest you in this web site? It's called hardyoungboys.com and it's only $9.95 a month! And I promise I won't tell your wife... as long as you're a member."

Shouldn't it be our right to surf the Internet without fear that someone is taking notes?

What do we do about it? Be wary of anyone defending or downplaying the privacy issue of this technology - sure, in the "right" hands, it's innocuous. But when the fecees hit the fan, it's rarely Ghandi who's pitching. If you are passive right now, systems will be in place where at a not-too-distant date, they'll be too entrenched to remove when it becomes obvious your personal liberties have been violated. Whether Microsoft has any intent to do something with the info they gather is irrelevent - the fact that they're implementing technology that can be abused by others very easily, and technology we're not asking for (and what's even more frightening is technology we had to accidently stumble upon), which doesn't offer us any real advantage - that's what the problem is!

It's important to take a stand now before there are too many software systems in which these technologies are entrenched. The GUID issue has been around for a long time - it's interesting that it's coming more to light now, when there's a possibility this "technology that does not represent a threat to privacy" may help put a 30 year old guy from New Jersey in prison for ten years.

Think about it,

References:

Watchdog Group Backs off Microsoft http://www.zdnet.com/zdnn/stories/news/0,4586,2230228,00.html

Privacy Groups to Take on Microsoft http://www.zdnet.com/zdnn/stories/news/0,4586,2222971,00.html

AOL info cracked virus case http://www.zdnet.com/zdnn/stories/news/0,4586,2236028,00.html

Melissa trail leads to 'ex' virus writer http://www.zdnet.com/zdnn/stories/news/0,4586,2234018,00.html

How GUID Tracking Technology Works http://www.zdnet.com/zdnn/stories/news/0,4586,2234550,00.html

FTC Meets with Privacy Groups over Pentium III Complaint http://www.idg.net/idg_frames/english/content.cgi?vc=docid_9-126426.html

Privacy Commissioner Blasts Pentium III http://www.idg.net/idg_frames/english/content.cgi?vc=docid_9-121163.html

Intel ID Plan Raises Privacy Concerns http://www.msnbc.com/news/233775.asp

Intel Pentium III Called "Toxic Hardware" http://www.itrain.org/itinfo/1999/it990124.html

How to Protect Ourselves from Electornic Invasion http://www.zdnet.com/anchordesk/story/story_3216.html


Cruce is an independent writer and webmaster at a major ISP in the Southern United States. He can be reached at cs@nerd.com - and please no spam.


This page last updated: Thu Sep 30 15:53:56 1999 CST

Return to the Home Page.


Copyright ©1996, ICorp/InterCommerce Corporation,
All rights reserved worldwide
Send comments to Webmaster@Survey.net