24 year old student lights match: Europe versus Facebook

If you are interested in social networks, don't miss the slick video about Max Schrems’ David and Goliath struggle with Facebook over the way they are treating his personal information.  Click on the red “CC” in the lower right-hand corner to see the English subtitles.

Max is a 24 year old law student from Vienna with a flair for the interview and plenty of smarts about both technology and legal issues.  In Europe there is a requirement that entities with data about individuals make it available to them if they request it.  That's how Max ended up with a personalized CD from Facebook that he printed out on a stack of paper more than a thousand pages thick (see image below). Analysing it, he came to the conclusion that Facebook is engineered to break many of the requirements of European data protection.  He argues that the record Facebook provided him finds them to be in flagrante delicto.  

The logical next step was a series of 22 lucid and well-reasoned complaints that he submitted to the Irish Data Protection Commissioner (Facebook states that European users have a relationship with the Irish Facebook subsidiary).  This was followed by another perfectly executed move:  setting up a web site called Europe versus Facebook that does everything right in terms using web technology to mount a campaign against a commercial enterprise that depends on its public relations to succeed.

Europe versus Facebook, which seems eventually to have become an organization, then opened its own YouTube channel.  As part of the documentation, they publicised the procedure Max used to get his personal CD.  Somehow this recipe found its way to reddit  where it ended up on a couple of top ten lists.  So many people applied for their own CDs that Facebook had to send out an email indicating it was unable to comply with the requirement that it provide the information within a 40 day period.

If that seems to be enough, it's not all.  As Max studied what had been revealed to him, he noticed that important information was missing and asked for the rest of it.  The response ratchets the battle up one more notch: 

Dear Mr. Schrems:

We refer to our previous correspondence and in particular your subject access request dated July 11, 2011 (the Request).

To date, we have disclosed all personal data to which you are entitled pursuant to Section 4 of the Irish Data Protection Acts 1988 and 2003 (the Acts).

Please note that certain categories of personal data are exempted from subject access requests.
Pursuant to Section 4(9) of the Acts, personal data which is impossible to furnish or which can only be furnished after disproportionate effort is exempt from the scope of a subject access request. We have not furnished personal data which cannot be extracted from our platform in the absence of is proportionate effort.

Section 4(12) of the Acts carves out an exception to subject access requests where the disclosures in response would adversely affect trade secrets or intellectual property. We have not provided any information to you which is a trade secret or intellectual property of Facebook Ireland Limited or its licensors.

Please be aware that we have complied with your subject access request, and that we are not required to comply with any future similar requests, unless, in our opinion, a reasonable period of time has elapsed.

Thanks for contacting Facebook,
Facebook User Operations Data Access Request Team

What a spotlight

This throws intense light on some amazingly important issues. 

For example, as I wrote here (and Max describes here), Facebook's “Like” button collects information every time an Internet user views a page containing the button, and a Facebook cookie associates that page with all the other pages with “Like” buttons visited by the user in the last 3 months. 

If you use Facebook, records of all these visits are linked, through cookies, to your Facebook profile – even if you never click the “like” button.  These long lists of pages visited, tied in Facebook's systems to your “Real Name identity”, were not included on Max's CD. 

Is Facebook prepared to argue that it need not reveal this stored information about your personal data because doing so would adversely affect its “intellectual property”? 

It will be absolutely amazing to watch how this issue plays out, and see just what someone with Max's media talent is able to do with the answers once they become public. 

The result may well impact the whole industry for a long time to come.

Meanwhile, students of these matters would do well to look at Max's many complaints:

no

date

topic

status

files

01

18-AUG-2011

Pokes.
Pokes are kept even after the user “removes” them.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

02

18-AUG-2011

Shadow Profiles.
Facebook is collecting data about people without their knowledge. This information is used to substitute existing profiles and to create profiles of non-users.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

03

18-AUG-2011

Tagging.
Tags are used without the specific consent of the user. Users have to “untag” themselves (opt-out).
Info: Facebook announced changes.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

04

18-AUG-2011

Synchronizing.
Facebook is gathering personal data e.g. via its iPhone-App or the “friend finder”. This data is used by Facebook without the consent of the data subjects.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

05

18-AUG-2011

Deleted Postings.
Postings that have been deleted showed up in the set of data that was received from Facebook.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

06

18-AUG-2011

Postings on other Users’ Pages.
Users cannot see the settings under which content is distributed that they post on other’s pages.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

07

18-AUG-2011

Messages.
Messages (incl. Chat-Messages) are stored by Facebook even after the user “deleted” them. This means that all direct communication on Facebook can never be deleted.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

08

18-AUG-2011

Privacy Policy and Consent.
The privacy policy is vague, unclear and contradictory. If European and Irish standards are applied, the consent to the privacy policy is not valid.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

09

18-AUG-2011

Face Recognition.
The new face recognition feature is an inproportionate violation of the users right to privacy. Proper information and an unambiguous consent of the users is missing.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

10

18-AUG-2011

Access Request.
Access Requests have not been answered fully. Many categories of information are missing.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

11

18-AUG-2011

Deleted Tags.
Tags that were “removed” by the user, are only deactivated but saved by Facebook.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

12

18-AUG-2011

Data Security.
In its terms, Facebook says that it does not guarantee any level of data security.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

13

18-AUG-2011

Applications.
Applications of “friends” can access data of the user. There is no guarantee that these applications are following European privacy standards.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

14

18-AUG-2011

Deleted Friends.
All removed friends are stored by Facebook.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

15

18-AUG-2011

Excessive processing of Data.
Facebook is hosting enormous amounts of personal data and it is processing all data for its own purposes.
It seems Facebook is a prime example of illegal “excessive processing”.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

16

18-AUG-2011

Opt-Out.
Facebook is running an opt-out system instead of an opt-in system, which is required by European law.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

 

24-AUG-2011

Letter from the Irish DPC.

 

Letter (PDF)

 

15-SEPT-2011

Letter to the Irish DPC concerning the new privacy policy and new settings on Facebook.

 

Letter (PDF)

17

19-SEPT-2011

Like Button.
The Like Button is creating extended user data that can be used to track users all over the internet. There is no legitimate purpose for the creation of the data. Users have not consented to the use.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

18

19-SEPT-2011

Obligations as Processor.
Facebook has certain obligations as a provider of a “cloud service” (e.g. not using third party data for its own purposes or only processing data when instructed to do so by the user).

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

19

19-SEPT-2011

Picture Privacy Settings.
The privacy settings only regulate who can see the link to a picture. The picture itself is “public” on the internet. This makes it easy to circumvent the settings.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

20

19-SEPT-2011

Deleted Pictures.
Facebook is only deleting the link to pictures. The pictures are still public on the internet for a certain period of time (more than 32 hours).

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

21

19-SEPT-2011

Groups.
Users can be added to groups without their consent. Users may end up in groups that lead other to false impressions about a person.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

22

19-SEPT-2011

New Policies.
The policies are changed very frequently, users do not get properly informed, they are not asked to consent to new policies.

Filed with the Irish DPC

Complaint (PDF)
Attachments (ZIP)

 

U-Prove Minimal Disclosure availability

This blog is about technology issues, problems, plans for the future, speculative possibilities, long term ideas – all things that should make any self-respecting product marketer with concrete goals and metrics run for the hills!  But today, just for once, I'm going to pick up an actual Microsoft press release and lay it on you.  The reason?  Microsoft has just done something very special, and the fact that the announcement was a key part of the RSA Conference Keynote is itself important:

SAN FRANCISCO — March 2, 2010 — Today at RSA Conference 2010, Microsoft Corp. outlined how the company continues to make progress toward its End to End Trust vision. In his keynote address, Scott Charney, corporate vice president of Microsoft’s Trustworthy Computing Group, explained how the company’s vision for End to End Trust applies to cloud computing, detailed progress toward a claims-based identity metasystem, and called for public and private organizations alike to prevent and disrupt cybercrime.

“End to End Trust is our vision for realizing a safer, more trusted Internet,” said Charney. “To enable trust inside, and outside, of cloud computing environments will require security and privacy fundamentals, technology innovations, and social, economic, political and IT alignment.”

Further, Charney explained that identity solutions that provide more secure and private access to both on-site and cloud applications are key to enabling a safer, more trusted enterprise and Internet. As part of that effort, Microsoft today released a community technology preview of the U-Prove technology, which enables online providers to better protect privacy and enhance security through the minimal disclosure of information in online transactions. To encourage broad community evaluation and input, Microsoft announced it is providing core portions of the U-Prove intellectual property under the Open Specification Promise, as well as releasing open source software development kits in C# and Java editions. Charney encouraged the industry, developers and IT professionals to develop identity solutions that help protect individual privacy.

The company also shared details about a new partnership with the Fraunhofer Institute for Open Communication Systems in Berlin on an interoperability prototype project integrating U-Prove and the Microsoft identity platform with the German government’s future use of electronic identity cards.

As further evidence of how the company is enabling a safer, more trusted enterprise, Microsoft also today released Forefront Identity Manager 2010, a part of its Business Ready Security strategy. Forefront Identity Manager enables policy-based identity management across diverse environments, empowers business customers with self-service capabilities, and provides IT professionals with rich administrative tools.

In addition, Charney reviewed company efforts to creatively disrupt and prevent cybercrime. Citing Microsoft’s recently announced Operation b49, a Microsoft-led initiative to neutralize the well-known Waledac botnet, Charney stated that while focusing on security and privacy fundamentals and threat mitigation remains necessary, the industry needs to be more aggressive in blunting the impact of cybercriminals. Operation b49 is an example of how the private sector can get more creative in its collective approach to fighting criminals online.

“We are committed to collaborating with industry and governments worldwide to realize a safer, more trusted Internet through the creative disruption and prevention of cybercrime,” Charney said.

Readers may remember the promise I made when Microsoft's purchase of U-Prove and Credentica was announced in March 2008 and some worried Microsoft might turn minimal disclosure into something proprietary:

[It isn't…] trivial to figure out the best legal mecahnisms for making the intellectual property and even the code available to the ecosystem.  Lawyers are needed, and it takes a while.  But I can guarantee everyone that I have zero intention of hoarding Minimal Disclosure Tokens or turning U-Prove into a proprietary Microsoft technology silo.

So here are the specifics of today's annoucement:

  • Microsoft is opening up the entire foundation of the U-Prove intellectual property by way of a cryptographic specification published under the Microsoft Open Specification Promise (OSP).  
  • Microsoft is donating two reference SDKs in source code (a C# and a Java version) under a liberal free software license (BSD); the objective here is to enable the broadest audience of commercial and open source software developers to implement the technology in any way they see fit.
  • Microsoft is releasing a public Community Technology Preview (CTP) of the integration of the U-Prove technology (as per the crypto spec) with Microsoft’s identity platform technologies (Active Directory Federation Services 2.0, Windows Identity Foundation, and Windows CardSpace v2).
  • As part of the CTP, Microsoft is releasing a second specification (also under the OSP) that specifies the integration of the U-Prove technology into so-called “identity selectors” using WS-Trust and information cards.

I really want to thank Stefan Brands, Christian Paquin, and Greg Thompson for what they've done for the Internet in bringing this work to its present state.  Open source availability is tremendously important.  So is the achievement of integrating U-Prove with Microsoft's metasystem components so as to show that this is real, usable technology – not some far-off dream.

At RSA, Scott Charney showed a 4-minute video made with the Fraunhofer FOKUS Institute in Germany that demonstrates interoperability with the German eID card system (scheduled to begin rolling out in November 2010). The video demonstrates how the integration of the U-Prove technology can offer citizens (students, in this case) the ability to minimally disclose authoritative personal information.

There is also a 20-minute video that explains the benefits of integrating the U-Prove technology into online identity management frameworks.

The U-Prove code, whitepaper and specifications, along with the modules that extend ADFS V2, WIF and CardSpace to support the technology, are available here.

Microsoft must “U-Prove” what its plans are

Kuppinger Cole‘s analyst Felix Gaehtgens calls on Microsoft to move more quickly in announcing how we are going to make Credentica's Minimal Disclosure technology available to others in the industry.  He says,

“On March 6th, almost a month ago, Microsoft announced its acquisition of Montreal based Credentica, a technology leader in the online digital privacy area. It’s been almost a month, but the dust won’t settle. Most analysts including KCP agree that Microsoft has managed a master coup in snapping up all patents and rights to this technology. But there are fears in the industry that Microsoft could effectively try to use this technology to enrich its own platform whilst impeding interoperability by making the technology unavailable. These fears are likely to turn out to be unfounded, but Microsoft isn’t helping to calm the rumour mill – no statements are being made for the time being to clarify its intentions.”

Wow.  Felix makes a month sound like such a long time.  I'm jealous.  To me it just flew by.  But I get his message and feel the tines of his pitchfork.

Calling U-Prove a “Hot Technology” and explaining why, Felix continues,

“…if Microsoft were to choose to leverage the technology only in its own ecosystem, effectively shutting out the rest of the Internet, then it would be very questionable whether the technology would be widely adopted. The same if Microsoft were to release the specifications, but introduce a “poison pill” by leveraging its patent. This would certainly be against Microsoft’s interest in the medium to long future.”

This is completely correct.  Microsoft would have to be completely luny to try to partition the internet across vendor lines.  So, basically, you can be sure we won't.

“There is a fair amount of mistrust in the industry, sometime even bordering on paranoia because of Microsoft’s past approach to privacy and interoperability. The current heated discussion about the OOXML is an example of this. Over the last years, Microsoft has taken great pains to alleviate those fears, and has shown an willingness to work towards interoperability. But many are not yet convinced of the picture that Kim is painting. It is very much in Microsoft’s interest to make an official statement regarding its broad intentions with U-Prove, and reassure the industry if and how Microsoft intends to follow the “fifth law of identity” with regards to this new technology.

We are working hard on this.  The problem is that Microsoft can't make an announcement until we have the legal documents in place to show what we're talking about.  So there is no consipiracy or poison pill.  Just a lot of details to nail down.

Reactions to Credentica acquisition

Network World's John Fontana has done a great job of explaining what it means for Microsoft to integrate U-Prove into its offerings:

Microsoft plans to incorporate U-Prove into both Windows Communication Foundation (WCF) and CardSpace, the user-centric identity software in Vista and XP.

Microsoft said all its servers and partner products that incorporate the WCF framework would provide support for U-Prove.

“The main point is that this will just become part of the base identity infrastructure we offer. Good privacy practices will become one of the norms of e-commerce,” Cameron said.

“The U-Prove technology looks like a good candidate as an authentication mechanism for CardSpace-managed cards (i.e., those cards issued by an identity provider),” Mark Diodati, an analyst with the Burton Group, wrote on his blog

In general, the technology ensures that users always have say over what information they release and that the data can not be linked together by the recipients. That means that recipients along the chain of disclosure can not aggregate the data they collect and piece together the user’s personal information.

[More here…]

Eric Norlin has this piece in CSO, and Nancy Gohring's ComputerWorld article emphasizes that “U-Prove is the equivalent in the privacy world of RSA in the security space.”  Burton's Mark Diodati covers the acquisition here.

Gunnar Peterson from 1 Raindrop notes in That Was Fast

…the digital natives may be getting some better tooling faster than I thought. I am sure you already know there is a northern alliance and Redmond is U-Prove enabled. I fondly remember a lengthy conversation I had with Stefan Brands in Croatia several years ago, while he patiently explained to me how misguided the security-privacy collision course way of thinking is, and instead how real security is only achieved with privacy. If you have not already, I recommend you read Stefans’ primer on user identification.

Entrepreneur and angel investor Austin Hill gives us some background and links here:

In the year 2000, Zero-Knowledge acquired the rights to Dr. Stefan Brands work and hired Stefan to help us build privacy-enhanced identity & payments systems.  It turns out we were very early into the identity game, failed to commercialize the technology – and during the Dot.Com bust cycle we shut down the business unit and released the patents back to Stefan.  This was groundbreaking stuff that Stefan had invented, and we invested heavily in trying to make it real, but there weren’t enough bitters in the market at that time.  We referred to the technologies as the “RSA” algorithms of the identity & privacy industry.  Unfortunately the ‘privacy & identity’ industry didn’t exist.

Stefan went on to found Crendentica to continue the work of commercialization of his invention. Today he announced that Microsoft has acquired his company and he and his team are joining Microsoft.

Microsoft’s Identity Architect Guru Kim Cameron has more on the deal on his blog (he mentions the RSA for privacy concept as well).

Adam Shostack (former Zero Knowledge Evil Genius, who also created a startup & currently works at Microsoft) has this post up.   George Favvas, CEO of SmartHippo (also another Zero-Knowledge/Total.Net alumni – entrepreneur) also blogged about the deal as well.

Congratulations to Stefan and the team.  This is a great deal for Microsoft, the identity industry and his team. (I know we tried to get Microsoft to buy or adopt the technology back in 2001 🙂 

(I didn't really know much about Zero-Knowledge back in 2000, but it's interesting to see how early they characterized of Stefan's technology as being the privacy equivalent of RSA.  It's wonderful to see people who are so forward-thinking.)

Analyst Neil Macehiter writes:

Credentica was founded by acknowledged security expert Stefan Brands, whose team has applied some very advanced cryptography techniques to allow users to authenticate to service providers directly without the involvement of identity providers. They also limit the disclosure of personally-identifiable information to prevent accounts being linked across service providers and provide resistance to phishing attacks. Credentica's own marketing literature highlights the synergies with CardSpace:

“`The SDK is ideally suited for creating the electronic equivalent of the cards in one's wallet and for protecting identity-related information in frameworks such as SAML, Liberty ID-WSF, and Windows CardSpace.”

This is a smart move by Microsoft. Not only does it bring some very innovative and well-respected technology (with endorsements from the likes of the Information and Privacy Commissioner of Ontario, Canada) which extends the capabilities of Microsoft's identity and security offerings; it also brings some heavyweight cryptography and privacy expertise and credibility from the Credentica team. The latter can, and undoubtedly will, be exploited by Microsoft in the short term: the former will take more time to realise with Microsoft stating that integrated offerings are at least 12–18 months away.

[More here…]

Besides the many positives, there were concerns expressed about whether Microsoft would make the technology available beyond Windows.  Ben Laurie wrote:

Kim and Stefan blog about Microsoft’s acquisition of Stefan’s selective disclosure patents and technologies, which I’ve blogged about many times before.

This is potentially great news, especially if one interprets Kim’s

Our goal is that Minimal Disclosure Tokens will become base features of identity platforms and products, leading to the safest possible intenet. I don’t think the point here is ultimately to make a dollar. It’s about building a system of identity that can withstand the ravages that the Internet will unleash.

in the most positive way. Unfortunately, comments such as this from Stefan

Microsoft plans to integrate the technology into Windows Communication Foundation and Windows Cardspace.

and this from Microsoft’s Privacy folk

When this technology is broadly available in Microsoft products (such as Windows Communication Foundation and Windows Cardspace), enterprises, governments, and consumers all stand to benefit from the enhanced security and privacy that it will enable.

sound more like the Microsoft we know and love.

I hope everyone who reads this blog knows that it is elementary, my dear Laurie, that identity technology must work across boundaries, platforms and vendors (Law 5 – not to mention, “Since the identity system has to work on all platforms, it must be safe on all platforms”). 

That doesn't mean it is trivial to figure out the best legal mecahnisms for making the intellectual property and even the code available to the ecosystem.  Lawyers are needed, and it takes a while.  But I can guarantee everyone that I have zero intention of hoarding Minimal Disclosure Tokens or turning U-Prove into a proprietary Microsoft technology silo. 

Like, it's 2008, right?  Give me a break, guys!

Paul Madsen leaks internal photo

Despite my repeated requests not to go there, Paul Madsen of ConnectID has published a leaked, top secret, internal Microsoft Identity and Access photo.  His post reads as follows:

An un-named source in Redmond sent me this never before seen picture of the first ever infocards assembly line.


In the front you can see a worker inserting secret keys obtained from the bins below (the punch-card calculating machines on which those keys were generated are in another room). Other workers further down the line can be seen inserting attributes before securing the top of the cards with wrenches.

My source tells me that another line is planned.

Luckily, the IP revealed by this photo is part of the Open Specification Promise (OSP).  I checked with our operations people to see if the items in the bin  really are the secret keys, but apparently they are silver bullets.

More on the iTunes approach to privacy

Reading more about Apple's decision to insert user's names and email addresses in the songs they download from iTunes, I stumbled across a Macworld article on iTunes 6.0.2 where Rob Griffiths described the store's approach to capturing user preferences as “spyware”.

I blogged about Rob's piece, but it turns it was 18 months old, and Apple had quickly published a fix to the “phone-home without user permission” issue.  

Since I don't want to beat a dead horse, and Apple showed the right spirit in fixing things, I took that post down within a couple of hours (leaving it here for anyone who wonders what it said). 

So now, with a better understanding of the context, I can get on with thinking about what it means for Apple to insert our names and email addresses into the music files we download – again without telling us.

First I have to thank David Waite for pointing out that the original profiling issue had been resolved:

Kim, [the Macworld] article is almost 18 months old.  Apple quickly released a newer version of iTunes which ‘fixed’ this issue – the mini store is disabled by default, and today when you select to ‘Show MiniStore’ it displays:

“The iTunes MiniStore helps you discover new music and video right from your iTunes Library. As you select tracks or videos in your Library, information about your selections are sent to Apple and the MiniStore will display related songs, artists, or videos. Apple does not keep any information related to the contents of your iTunes Library.

Would you like to turn on the MiniStore now?”

The interesting thing about the more recent debacle about Apple including your name and email address in the songs you buy from their store is that they have done this since Day 1. Its only after people thought Apple selling music with no DRM was too good to be true that the current stink over it started.

It's interesting to understand the history here.  I would have thought that in light of their previous experience, Apple would have been very up front about the fact that they are embedding your name and email address in the files they give you.  After all, it is PII, and I would think it would require your knowledge and approval. 

I wonder what the Europeans will make of this?

A take on Microsoft, OSP and Open Source

Here is how Martin LaMonica from CNET interpets the Open Specification Promise:

The software giant on Tuesday published the Microsoft Open Specification Promise, a document that says that Microsoft will not sue anyone who creates software based on Web services technology, a set of standardized communication protocols designed by Microsoft and other vendors.

What's new…
Microsoft has promised not to sue anyone who creates software based on Web services technology covered by patents it owns.

Bottom Line
The move reflects how Microsoft has had to come to terms with open-source products and development models.

Reaction to the surprise news was favorable, even from some of Microsoft's rivals.

“The best thing about this is the fundamental mind shift at Microsoft. A couple of years ago, this would have been unthinkable. Now it is real. This is really a major change in the way Microsoft deals with the open-source community,” said Gerald Beuchelt, a Web services architect working in the Business Alliances Group in Sun Microsystems’ chief technologist's office.

Microsoft has never sued anyone for patent infringement related to Web services. But its pledge not to assert the patents alleviates lingering concerns among developers who feared potential legal action if they incorporate Web services into their code, said analysts and software company executives.

Open-source developers, for example, should have fewer worries about writing open-source Web services products. Also, other software companies could create non-Windows products that interoperate with Microsoft code via Web services.

The move reflects how Microsoft has had to come to terms with open-source products and development models.

When Linux began to take hold in the late 1990s, company executives seemed shaken by the shared code foundations of the open-source model. CEO Steve Ballmer famously called Linux a “cancer,” while founder Bill Gates derided the “Pacman-like” nature of open-source licensing models.

Other Microsoft executives, such as Windows development leader Jim Allchin, have in years past painted open source as “an intellectual property destroyer.”

But in the past two years, Microsoft has stepped up its Shared Source program, in which it gives free access to source code under terms similar to those in popular open-source licenses. It has also said it will make Windows-based products work better with those from other vendors, including Linux and other open-source software.

Standards in play
To be sure, Microsoft, which spends more than $6 billion a year on research and development, remains committed to generating proprietary intellectual property. In some cases, that means commercial licensing, rather than opening up access to others.

“In the future, I am sure we will take positions on IP (intellectual property) that will not be so agreeable to various constituencies,” wrote Jason Matusow, Microsoft's director of standards affairs, in his blog.

In the case of Web services, having a pledge not to assert patents around these protocols–which are the communications foundation of Vista, the next version of Windows due early next year–helps drive adoption of those standards in the marketplace, said analysts and software company executives.

Open-source projects, in particular, have become powerful forces within the industry for establishing standards, both de facto and those sanctioned by standards bodies.

“I expect that more and more vendors will realize that a software standard cannot be successful if the relevant patents are incompatible with open-source licenses and principles,” said Cliff Schmidt, vice president of legal affairs at the Apache Software Foundation, which hosts several open-source projects.

Patent pledges of various forms have become more common, he noted. Sun recently said that it would not assert patents relating to the SAML (Security Assertion Markup Language) standard and the OpenDocument Format. IBM gave open-source communities access to 500 patents last year.

More to come?
Microsoft's Matusow said that the Open Specification Promise is part of the company's efforts to “think creatively about intellectual property.”

For the Open Specification Promise, the company sought input from open-source legal experts, including Red Hat's deputy general counsel Mark Webbink and Lawrence Rosen, an open-source software lawyer at Rosenlaw & Einschlag in Northern California.

Matusow said Microsoft is still a big believer in intellectual property but added that the company has chosen a “spectrum approach” to it, which ranges from traditional IP licensing to more permissive usage terms that mimic open-source practices.

“That is the point of a spectrum approach. Any–and I do mean any–commercial organization today needs to have a sophisticated understanding of intellectual property and the strategies you may employ with it to achieve your business goals,” he said.

The current Open Specification Promise does not specifically cover CardSpace, formerly called InfoCard. But the promise not to assert patents could be extended from current Web services standards, said Michael Jones, Microsoft's director of distributed systems customer strategy and evangelism.

“Licensing additional specifications under these same terms should be much easier to do at this point, but I obviously can't make public commitments yet beyond those we already have buy-off on,” Jones said on a discussion group at OSIS, the open-source identity selector project.

Old concerns
Web services standards are authored by several vendors, often including Microsoft and IBM, and are built into products from many vendors.

IBM lauded the move in a statement on Wednesday. “We've provided open-source friendly licenses for Web services specifications and have made non-assert commitments for a broad set of open-source projects including Linux,” said Karla Norsworthy, vice president for software standards at IBM.

Web services specifications are standardized in the World Wide Web Consortium and in the Organization for the Advancement of Structured Information Standards. Both bodies allow people to license standards either royalty-free or on so-called RAND terms (reasonable and non-discriminatory terms).

But Microsoft's Open Specification Promise goes a bit further. It means that developers at Apache projects, for example, no longer have to worry about Microsoft asserting Web services patents down the road, said Apache's Schmidt.

Similarly, Rosen said that the “OSP is compatible with free and open-source licenses.”

That clarity is a far cry from the early days of Web services, which took shape around 2000, when Microsoft and IBM teamed with others to improve system interoperability using XML-based protocols.

Lingering concerns remained among outside developers and were points of dispute in some Web services standardization efforts.

In 2000, Anne Thomas Manes was the chief technology officer of a Web services start-up called Systinet. The venture capitalist backers of the company were nervous that implementing these newly published specifications, created by other companies, could lead to lawsuits down the road, she said.

Until now, there was still a “niggling concern” that Microsoft would sue people. Back in 2000, Systinet decided to accept the risk of creating software based on specifications created by others, even though they did not have a license, she said.

“We went ahead and did it anyway despite the risk, because we were of the impression that Microsoft and IBM really wanted people to implement it,” she said.

To me it isn't really very surprising that Microsoft is doing everything it can to co-operate with everyone else in the industry on fundamental infrastructure like identity and web service protocols.  It suddenly seems like this is being made into a bigger deal than it really is.  That said, I'm really glad that lingering doubts about our intentions are dissipating.   

Microsoft patent non-assertion covenant is remarkable

David Berlind at ZDNet has an interesting analysis

Microsoft has issued a declaration — something it calls the Open Specification Promise — that it won't assert certain Web services patents it holds (or may hold in the future). Martin Lamonica reports:

Microsoft is pledging not to assert its patents pertaining to nearly three dozen Web services specifications–a move designed to ease concerns among developers by creating a legal environment more friendly to open-source software….The software giant published on Tuesday the Microsoft Open Specification Promise (OSP) on its Web site.

This isn't the first time that Microsoft has moved its intellectual property in the open direction (along a spectrum of closed to open), particularly when it pertains to something like Web services that's so fundamental to technology. But in many such cases, there were enough strings attached to keep open source developers from making use of Microsoft's IP even though it was being made available in some open context.  Some of Microsoft's anti-spam technologies come to mind. The licensing language for Microsoft's Office Open XML document format has gone through several iterations over the last two years, each one more open-friendly than the last.  But in this case, Microsoft cut to the chase.  Even Larry Rosen, the open source lawyer that wrote the book on open source licensing, has given the OSP his blessing.  While Microsoft is refraining from directly addressing the open source-angle, Lamonica wrote:

Lawrence Rosen, an open-source software lawyer at Rosenlaw & Einschlag in Northern California, gave open-source developers a green light to work with the Web services standards….”This OSP enables the open-source community to implement these standard specifications without having to pay any royalties to Microsoft or sign a license agreement. I'm pleased that this OSP is compatible with free and open-source licenses,” Rosen said in a statement on Microsoft's OSP site.

Another sign of acceptance could also be the silence (as of the time I published this blog) from two of the more vocal bloggers when it comes to vetting the openness of Microsoft's announcements. From his blog, IBM's vice president of standards and open source Bob Sutor offered none of his own commentary and instead only linked to two stories about the move: one the aforementioned News.com story by Martin Lamonica and the other a review of the move by intellectual property lawyer Andrew Updegrove (who also serves as counsel to OASIS — the consortium under which a lot of the Web services specifications development takes place). Sun's chief open source officer Simon Phipps has yet to post anything to his blog. Both men are customarily very fast to expose what they view as smoke or mirrors in Microsoft's intellectual property-related announcements. That's not to say such analyses aren't forthcoming. For all I know (I haven't contacted either of them yet), lawyers from both companies could be pouring through the documentation right now, looking for red flags to make hay about.

Royalties (payments that developers must make to patent or copyright holders) are complete dealbreakers when it comes to deciding whether something is open or closed. But what few people know is that signing a license agreement, even if the technology in question is royalty-free, is another.  Requiring the signed execution of license — known as “privity” in lawyer-land — flies in the face of open source because open source allows for sublicensing (the ability to take code that was licensed to you and pass it on without going back to the licensor for permission). 

Users and developers need only agree to the license terms that come packaged with open source code. They don't have to send a signed document back to the licensor. In fact, Microsoft's privity requirement when it comes to its CallerID antispam technology was (and still is, if you ask me) the key stumbling block to the creation of an Internet anti-spam standard. Amongst those orginally charged with investigating the possible creation of such a standard, the open source-“brained” technologists walked away from the initiative when Microsoft's licensing restrictions — mainly the privity requirement — came to light.

All this said, Microsoft's motives for declaring the OSP are relatively transparent. In fact, Microsoft came right out and said as much. Again, according to Lamonica:

In an FAQ on the OSP page, Microsoft said that the move is designed to get more people to use Web services protocols–a set of XML-based standards meant to make products from different vendors work well together….”It was a simple, clear way, after looking at many different licensing approaches, to reassure a broad audience of developers and customers that the specification(s) could be used for free, easily, now and forever,” according to the FAQ.

Microsoft, I believe, is being very practical about its future here.  Looking at the .NET net architecture that the company has so heavily invested in — an architecture that's more about Web services than it is anything else — it is absolutely critical for the software giant to get its fair share of the next wave of IT spending, a lot of which will have to do with Web services and componentized software. If intelletual property rights in any way shape or form slow down the adoption of Web services, then everybody in the Web services ecosystem, Microsoft included, loses.  By taking this high road, Microsoft is recognizing that if the Web services ecosystem is allowed to flourish, that the resulting slice of the pie it gets (others will get their slices too) will be far larger than entire pie it might have been entitled to had it kept its patents to itself. 

More importantly, the issuance of this non-assertion covenant is a signal from Microsoft that it is quite prepared to change its colors and its cultures. Provided there are no gotchas (and Larry Rosen's endorsement is usually a pretty good sign their aren't), this is a new Microsoft.  One I really haven't seen yet. One I'm sure the industry will be looking forward to seeing more of.

Sun's Simon Phipps has now posted about the Promise, and he mentions that I didn't send a heads-up email that would have allowed him time to think about the announcement in depth before it was made.  Simon, I really apologize.  This was far from my intent – it was a question of neither hand knowing what the other wasn't doing.  And of the general turbulence of being at DIDW.  So I promise it won't happen again, and look forward to meeting you in person.

In light of this, it's a mark of Simon's magnanimity that his comments were generally very positive.  He made some technical points that can really only be decoded by legal experts – so I will pass them along.

Ben Laurie responds to OSP

Ben Laurie, a major contibutor to internet security through his work at Apache, and now at Google, is generally positive about OSP but has questions: 

“Kim Cameron announced that Microsoft are making it possible for anyone to implement Infocard-compatible systems (and other systems the depend on the same protocols), via the Open Specification Promise.

“First off, let me say that this is a huge step forward – there’s been a great deal of uncertainty around WS-* and friends because of the various patents various companies own. Microsoft taking this step definitely helps.

“But, there are some details that worry me – firstly I am curious why Microsoft have taken the approach of this promise rather than an explicit licence. I’ve talked to various lawyers about it, and the general feeling I get is that they’d be more comfortable with a licence, but they can’t point to anything obviously wrong with the promise approach.”

So I need to make it absolutely clear that if anyone feels more comfortable with a RANDZ (Reasonable and Non-Discriminatory Zero Royalty) License rather than the Open Specification Promise, Microsoft will be happy to provide them with one.  The goal was simply to provide a simple, clear alternative for those who wanted one.  Ben continues:

“Secondly, there’s this definition:

“’Microsoft Necessary Claims’ are those claims of Microsoft-owned or Microsoft-controlled patents that are necessary to implement only the required portions of the Covered Specification that are described in detail and not merely referenced in such Specification. ‘Covered Specifications’ are listed below.

“(my italics). Now, I’ve implemented a lot of software from protocol specifications, and there are two things that are extremely common:

  • “The specifications include many optional parts. These parts will not be covered by Microsoft’s promise.
  • “The specifications reference other specifications for vital parts of their implementation. These parts will not be covered by Microsoft’s promise.

“Now, exactly what affect these considerations have on Microsoft’s promise and implementations of WS-* et al is something I have not had the time or energy to assess – perhaps others with more intimate knowledge of the specs could help me out there? I’d love to hear that, in fact, this is a non-problem.”

It may help to recall what Standards Guru Andy Updegrove says about the phrase “…that are described in detail and not merely referenced in such Specification….”:

“While not usually phrased in this fashion, this is a common limitation intended to clarify that, for example, other standards that may be referenced, or so-called “enabling technologies,” the use of which would be required to use an implementation (e.g., the computer upon which the software is running) are not included.”

But I do understand Ben's question about the required versus optional parts of a specification and will ask our legal people to clarify. 

Ben's next point:

“Another factor to consider is that (as I understand it) Microsoft are not the only people with IP around these standards. Will everyone else be so generous with their IP? Microsoft don’t care, of course, because they have the usual patent mutually assured destruction – but those of us with smaller patent portfolios are not so fortunate.”

So, as always, I guess I’m an optimistic cynic.

Incidentally, another thing Kim has talked about several times is Microsoft allowing exact copies of their user interface. I’m in two minds whether its a good idea to copy it, but this promise doesn’t cover the UI, as far as I can see. I wonder when that piece will be forthcoming?

I really want to make it clear that I have never suggested I would ask Microsoft to allow people to make “exact copies” of our user interface.  And in fact, no one has ever asked to be able to do this.

What we want to be able to do is create a “ceremony” that is recognizable across platforms.  I'm talking about the equivalent of using a steering wheel and brakes in a car.  All cars have them, so even if we like a particular type of car, we can get in another one and drive it.  This doesn't mean the cars are “exact copies” of each other, or even that the steering wheel and brakes look or feel identical. 

As Novell's Dale Olds put it at DIDW, we are talking about sharing a predictable sequence of experiences, not cloned screens.  So in this sense, I think everyone shares Ben's “two-minds” thinking.

Doc Searls on OSP

Doc Searls – true wit, luminary and marketing guru – not to mention Editor of the Linux Journal, on the OSP:

It isn't entirely a joke (or a fair statement) that Microsoft has become a legal department traveling as a software company. Yet there are some upsides. One is that some very smart lawyers at a very large company have had to engage Reality through company technologists brave and determined enough to engage the open source community in constructive collaboration.

With positive results.

That's what has been going on with the corner of Microsoft that has been involved in the Identity Space.

I'm writing this from a room where Microsoft technologists are meeting with friends — and that's what they are now — with Red Hat, Novell, Higgins, XRI/XDI/i-Names and other open source efforts — as well as others from the customer side. They're talking right now about the Microsoft Open Specification Promise. The intention of the promise is to make Microsoft-developed (and -co-developed) technolgies completely useful by open source projects. Or maybe by anybody.

I don't have time to write more at the moment. But I'd like to hear what you think. This is original and well-intended work by honorable people who really want the whole market to work, and not just for one company to muscle everybody else.

It's also a beginning. Times are a-changing. Everybody can help with that.

Check out Kim Cameron's IdentityBlog. Follow links there and at Johannes Ernst's blog.