This article may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist. To maintain the flow of the article, we've left these URLs in the text, but disabled the links.

May 1999

Microsoft Systems Journal Homepage

Editor's Note

Recently, there has been tremendous media coverage of Internet security and privacy issues regarding both Intel and Microsoft products. Intel made the news when it was publicized that the Pentium III contained a number that has the potential to uniquely identify the CPU (http://support.intel.com/support/processors/pentiumiii/psu.htm). The Microsoft splash occurred when it was discovered that the Windows 98 Registration Wizard and Office 97 documents contained unique numbers as well.

    We'd just like to bring up a few points. Not to make excuses nor dismiss any customer concerns, but rather to add a dose of fact, history, and common sense.

    First the facts. At Intel's site referenced above, you will see that they have taken steps to disable this feature. The processor will have the ability to prevent the serial number from being read. A utility will be provided to explicitly enable and disable the feature at your discretion. Intel is also issuing guidelines for responsible use of the serial number by Web sites and ISVs, and stating that they "will not maintain a database that correlates processor serial numbers with consumers."

    So what are we doing about our issues? The Microsoft Web site (http://www.microsoft.com) is immediately being updated to stop the receipt of the incoming number. The next service release of Windows 98 will have an updated Registration Wizard which won't even generate the number, let alone send it. There will also be a tool provided to purge the registry of hardware registration information and Microsoft will purge the number from the records of those users who originally chose not to send this information.

    Here's the history. These numbers (at least in the Microsoft cases) are GUIDs. Remember that Globally Unique Identifiers are unique "random" numbers that are vital to the proper authentication of system components. Y2K would be nothing in comparison to the trouble we'd all be in if GUIDs were not unique. Obtaining a GUID boils down to a call to UuidCreate. This RPC API combines several time values and one source of the latest security concerns, an Ethernet/Token Ring (IEEE 802.x) address. This number is also referred to as a Media Access Control (MAC) address. If you have a net card installed, then the last six bytes of the 16-byte GUID refer to this unique piece of hardware.

    Now, some common sense. Microsoft has its own published privacy principles at http://www.microsoft.com/info/privacy.htm. There are also organizations such as TRUSTe that provide independent review. TRUSTe is a "nonprofit privacy initiative dedicated to building users' trust and confidence on the Internet and accelerating growth of the Internet industry." They've "developed a third-party oversight 'seal' program that alleviates users' concerns about online privacy, while meeting the specific business needs of each of our licensed Web sites" (http://www.truste.org).

    Computer scientists and consumers alike should maintain a healthy skepticism. But until there are no more questions to ask, complete anonymity is nothing more than idealistic. Absent running your battery powered computer in a shielded room with no outside communications, individual knowledge and reliance on independent, watchdog agencies are perhaps the closest we can come to electronic privacy right now—4A6F7365-7068-522E-466C-616E6967656E, aka J.F.

From the May 1999 issue of Microsoft Systems Journal