All Eyes on Hotmail Audit

With Microsoft agreeing to an unprecedented audit of its security, self-regulation proponents and critics argue the merits of this latest case study. By Chris Oakes.

Can the Internet industry spank itself? Some are watching the outcome of the latest major Web breakdown to see.

Microsoft has chosen an undisclosed independent auditor to give Hotmail a security once-over. As it does so, the company, industry watchdog Truste, and privacy advocates cast the audit as a testament to – or failure of – effective self-regulation.

Following a recommendation last week by Truste, Microsoft went about choosing an independent auditing firm this week to test the security of its free Hotmail email service.

"We're doing an independent review or audit of the Hotmail incident of last week, which got a lot of attention," said Microsoft spokesperson Tom Pilla.

Hotmail users were confronted with an alarming security breach last week. Hackers exposed every Hotmail email account so that anyone who knew a person's username could access that account without a password.

"Truste said Microsoft was in compliance and believed [the Hotmail security issue] to be resolved. But we are continuing to investigate that incident completely to ensure that the service complies with the high standards we put on consumer privacy," Pilla added.

Truste spokesman Dave Steer emphasized that his organization didn't order Microsoft to hire an auditor; rather, it was a recommendation. Pilla underscored the point. "They suggested and we agreed. It's not something we had to do."

So if the agreement was such a non-threatening, voluntary arrangement, does it stand up as an effective demonstration of the power of self-regulation?

"Yeah, I think it [does]," Pilla said. "As soon as the incident occurred we [were] in close coordination with Truste, as we always are on these things."

Last week, Truste took an initial stance that the incident was a security issue, not a privacy matter. But Steer said the organization sees the two issues as connected, and a Truste statement on the organization's Web site clarifies its position.

"The statement clearly highlights the fact that there's not trust without privacy and similarly there's not privacy without reasonable security of the data being protected," Steer explained. "So in some instances, yes – security and privacy go hand in hand."

Jason Catlett, a privacy advocate who closely watches the self-regulation issue, was guardedly impressed by the sheer notion of an audit.

"I don't write it off as [a] meaningless act. I'm quite pleased that they have agreed to an independent audit. It's a small window opened in the fortress Redmond," he said.

But Catlett read hidden meaning in the unprecedented Microsoft decision, and doesn't see it as evidence of self-regulation's effectiveness.

"Basically, [Microsoft] realize[s] that nobody believes a single word they say anymore, so they're paying an accounting firm to say things for them."

The nature of this security breach – a simple function of logging into an email account – made it easier for Microsoft to open up Hotmail for review, Catlett said.

In contrast, the company's undisclosed use of a unique identifier in Microsoft Office documents, and of Microsoft cookies created during user registration of Windows, had much broader implications.

Thus, when an audit was badly needed, Microsoft declined.

"Truste didn't do an audit [in that case] so [Catlett's Junkbusters watchdog group] went to the FTC and asked them to require an audit, and Microsoft just refused."

This time, "Truste suggested an audit and Microsoft agreed – this is the coziest regulation imaginable," Catlett said.

Pilla disagreed. "I think it's a very good expression of self-regulation," he said. "I think our swift response to the Hotmail incident coupled with inviting a third party review is evidence of our commitment to protecting people's online privacy."

The legitimacy of the Hotmail audit will depend on the particular security issues the auditing firm is asked to test. "Management makes some assertion and the acting firm attests to that assertion. If the assertions are very limited, then the conclusion [of the] accounting firm is very limited," Catlett said.

Pilla said he couldn't comment on the specifics of the audit yet. "We don't know what the process is, moving forward."

He also wouldn't say whether the public would ever get to review the test conducted by the auditing firm.

As to skepticism of the self-regulatory process, Truste's Steer said, "We don't dictate where the program is going to go based on the skeptics. We have to take a good hard look at what the consumer needs. ... Any reasonable person can take a look at what's going on right now and come to their own conclusion. If you ask me personally, I think this is an example that the system worked."

Whatever the outcome, it will no doubt be logged into any case histories seeking to build a case for or against self-regulation.

Pilla said the audit should take "not months but a fairly short amount of time."

Said Catlett: "They're on a tightrope where they're trying to maintain credibility as a consumer advocacy organization while still not scaring away potential licensees with any real prospects of sanctions."
