Watch CBSN Live

Microsoft Pledges Privacy Fix

Microsoft Corp., whose Windows software runs most of the world's personal computers, acknowledged that the latest version of its dominant operating system can be used to help trace the identity of authors of some types of electronic documents.

A Microsoft official said Sunday that the company was working this weekend to correct the problem.

A programmer, Richard M. Smith of Brookline, Mass., first noticed last week that documents created using Microsoft's Word and Excel programs in tandem with its Windows 98 operating system included within their hidden software code a 32-digit number unique to his computer.

The number is at least partly based on a 12-digit number unique to a computer's Ethernet network adapter, a hardware device common in business environments that allows high-speed Internet connections.

The disclosure carries important privacy implications, since those documents can be traced back to a specific computer even when an author wishes to remain anonymous.

The majority of home computers aren't equipped with such network cards although they are becoming more common as consumers opt for high-speed Internet connections in their homes.

But even without an Ethernet card, Windows 98 generates this 32-digit identifier. It merely bases the number for those computers on a "dummy" network address that is the same for all such machines.

Robert Bennett, Microsoft's group product manager for Windows, said Sunday that the company will create a software tool to let customers clear the ID number from the Windows repository of system settings, called its registry.

The ID number is transmitted to Microsoft whenever a customer registers his copy of Windows 98 using the automated "registration wizard" included in Windows.

"Since people's Ethernet addresses are also being placed into Word documents, someone at Microsoft could use this database to look up where a document came from," Smith warned in email.

Bennett said Microsoft was investigating whether the number ever was sent to the company even when customers had explicitly indicated they didn't want information sent about their computers, such as their network address.

"Microsoft is in no way using that identifier, or any identifier, to track user behavior or to do any marketing," Bennett said, adding it was never intended to be sent regardless of consumer preference.

"If it is, it's just a bug," Bennett said. "If it is indeed happening, and we have testers working this weekend, we'll absolutely fix that."

Bennett promised that Microsoft also would wipe any of those numbers from its internal databases that the company can determine may have been inadvertently collected.

Privacy groups said they were appalled by Microsoft's decision to generate an identifier that can so easily be traced.

They warned, for example, that a coworker could easily verify the addresof a colleague's network card and then prove whether that colleague anonymously wrote specific Word or Excel documents.

Microsoft's decision and its implications come as Congress considers whether to propose new federal privacy laws governing the high-tech industry.

View CBS News In
CBS News App Open
Chrome Safari Continue