Analysis: Microsoft gets by with .Net 'tweaks' in EU

The agreement Thursday between European data protection officials and Microsoft  to alter the .Net Passport service and better protect users' personal data is more show than substance, according to privacy experts and analysts familiar with the terms of the agreement.

"I think this is a case of Microsoft's self interest and the European Union's (EU) interest in protecting its citizens being happily aligned," said Dwight Davis, vice president of Summit Strategies

Despite blustery statements from European officials about wringing "substantial changes" to .Net Passport out of Microsoft, the modifications agreed to are "minor tweaks" to the .Net Passport service, Davis said.

Those changes include giving users finer control of what information they share with Passport, a summary of key information about privacy policies within the EU, a link to the European Commission's (EC) site on data protection laws and a tool for creating secure passwords.

Users will be able to take advantage of the features through the addition of a prompt that will ask users to designate themselves as European Union (EU) residents.

"Microsoft told me that they've been planning these features all along and that they presented them to the EU," Davis said.

EU data protection officials stood by the agreement.

"The changes give users greater control over how their information is used," said Iain Bourne, strategic policy manager for the U.K. Data Protection Authority, which participated in the EU-wide committee investigation into online authentication systems.

They will also give a better explanation of how information is used by Microsoft. "There wasn't adequate transparency until now, so Microsoft had a problem with some EU data protection laws," Bourne said.

Not on the table in Microsoft's negotiations with the EU, however, were more substantial changes, such as separating .Net Passport from the Windows XP operating system or Microsoft applications and services, said John Pescatore, an Internet security analyst at Gartner

"Almost everyone who buys a new computer right now is buying Windows XP, and it's nearly impossible to start up new Windows PCs without getting a new Passport account," Pescatore said.

Changes that would allow organizations other than Microsoft to own Passport user identity information in a so-called "federated network" were also not part of negotiations with the EU. However, those changes may be coming anyway, with or without EU intervention, Davis said.

Microsoft indicated that it is developing a federated version of the .Net Passport technology. The main alternative to .Net Passport, the open source Liberty Alliance platform, operates on a federated identity model and was not singled out for any changes.