Boxing Cassandra

While CPU ID numbers are not yet common, Ethernet cards can provide similar information. Years ago network card vendors worked out a method of assigning each card a unique 32-digit identifier so that cards could be positively identified over a LAN. Windows uses this information to build a Globally Unique Identifier (GUID) and stores that identifier in the system registry.

A network-card-based ID is inferior to a CPU-based one for several reasons. The most obvious is that a network card does not positively identify a computer. Cards can be changed. Some computers have more than one card. Some have none. Imperfect though they are, the way in which GUIDs are being abused today portends a dangerous lack of privacy in all areas of our lives.

The Shape of Things to Come

Microsoft responded with a full court press release. It is testament to the agility of Microsoft's spin doctors that this invasion of privacy is now being referred to as the "Unwanted Data Bug". The term is not only misleading, but a dangerous trivialization.

I have developed quite a bit of software over the years, and I've been responsible for more bugs than I care to admit. And let me tell you, some of them have been real doozies too. I can assure you with complete confidence, that this invasion of privacy is not a bug. It is unquestionably there by design.

To store the GUID in this way requires that the application query the system registry, obtain the GUID, create a string of characters based on that information and then hide that string in a specific location in every file created. This cannot be done by accident. That Microsoft asks us to believe that this happened inadvertently, not just once, but in all Office applications is insulting to the point of outrage.

As invasive and offensive as this practice is, however, one fact led us to believe that things were still under control. Identifying the creator of a document required either physical access to the computer in order to obtain the GUID or the possession of an Office document known to have been created by that person. There was no central database linking GUIDs to real names and addresses.

We should have known better.

Shortly after this issue came to light, it was discovered that during Windows98 registration, the GUID was secretly being sent to Microsoft and stored in their databases. Furthermore, the GUID was saved as a browser cookie so that Microsoft could have immediate access to the real world identities of all Windows98 users whenever they visited microsoft.com.

For the most part, cookies are harmless. If you erase them and revisit a site, you will appear as a new user and you will be assigned a new ID number. There is no way to associate you with your past actions or your actions at other sites. When the cookie is based on your GUID, however, it can be recreated exactly as before and anonymity completely lost.

Microsoft Replies

The next day, Microsoft admitted it was all true and agreed to change Windows98 registration so that GUIDs are no longer collected without users' knowledge and to erase the GUIDs that they have already collected. They have, however, been cool to the idea of external verification that they actually do so. Microsoft has also promised that future versions of Office and Windows will not store the GUID in this way.

Somehow, I don't feel reassured. If I came into the office and found a coworker rifling through my desk I would most certainly not be satisfied with the claim that it was an accident, a promise to put back what was taken, and an assurance that he would be more careful in the future.

Microsoft was not collecting this information by accident, and I think the public should demand to know exactly how Microsoft planned to use it. Until we have these answers, we would do well to conclude that perhaps this really was a bug. After all, it only took two years for it to come to light. Perhaps in the future Microsoft will indeed be more careful by encrypting this information so it is not so easily detected.