
By David Berlind
Posted on ZDNet News: Feb 25, 2002 12:00:00 AM

Jonathan Schwartz, Sun Microsystems' Chief Strategy Officer, discusses the state of the Liberty Alliance and the Microsoft remedy in this Tech Update exclusive interview.

Tech Update: In my discussions with you, Scott McNealy, and other Sun executives, Sun maintains that Microsoft's Passport and .Net My Services are the lynchpins to the next Microsoft monopoly and that any final judgment in the antitrust case must address that threat. What's the basis of that argument?

Schwartz: There are two separate issues. There's the business issue. And then, there's the high science technology issue. So, the business issue is fundamentally--if you force every Windows user to divulge their personal information to you by presenting a Passport requirement in the delivery of any form of Microsoft service--then, in fact, they're not only maintaining a legal monopoly, they are perpetuating it by just extending the value that they're able to harvest from every Windows desktop that goes out there.

Tech Update: Give me an example.

Schwartz: My father, your parents, and the American public are not sophisticated enough to refuse the consistent bombardment of Microsoft's reminder: You need to have a Passport to log onto the Internet, to check your Hotmail, to use MSN Messenger, to get access to MSN services--etc., etc. [Editor's note: A message surfaces when Windows XP is first started urging users to get a Microsoft Passport; some people feel the message suggests you need Passport for Internet access. Passport is actually not needed for Internet access.] So, there's no clearer mechanism that I can see to kind of steal customer identity than that. That's me as a consumer talking. I'm angry about it.

Tech Update: What about you as a Sun executive though?

Schwartz: You know, on behalf of Sun Microsystems we don't have a consumer business. I don't have any relationship with the American public. But, our customers do. I can tell you that the telecommunications industry, the financial services industry, the media industry are up in arms. I mean they're furious at the fact that Microsoft is now going to take an existing monopoly and go extend it a little bit more by getting the identity of their consumers. I think that presages Microsoft's entrance into a whole bunch of identity-based businesses. Everything from instant messaging to financial services. They've already got one of the more popular financial services sites out there with MSN Money Central. Why don't they just become a credit card issuer?

Tech Update: Based on the opinion handed down from the U.S. Court of Appeals last June, there needs to be a causal connection between those two things: the businesses Microsoft engages in and creation or maintenance of a monopoly. Wouldn't Microsoft be able to successfully defend its actions in an evidentiary hearing where that causal connection must be discovered?

Schwartz: I don't think they can. Why else would you require that your customers deliver their identity to you unless you planned on delivering identity-based services? It would be arbitrary. What are they pursuing? Just consumer convenience? No, of course not. Realistically, is it really convenient to only have access to your Passport identity on Microsoft-controlled properties? That's not convenient. That's convenient for Microsoft. But, my identity roams where I roam. It's in the seat back in my automobile, and in the handset that I carry around, and the airplane that I fly in and all forms of other things. Microsoft isn't going to be [in all those places] because Microsoft is only where Windows is. So, first and foremost I think that Microsoft wants to distract from that business argument.

Tech Update: OK, so that's the business issue. Earlier you said there were two issues: a business issue and a high-technology science issue. What about that second issue?

Schwartz: Microsoft wants to say that whatever "isn't going to violate Kerberos standards or that we're not going to wrap Active Directory content into whatever [Kerberos] tickets are issued." To a degree, who cares? First and foremost, there's the business monopoly that needs to be addressed because that's more dangerous to businesses in general than anything else.

Tech Update: But isn't the interoperability of authentication technologies equally important?

Schwartz: Clearly. Companies like Vodafone for example will want a single sign-on for all of the 75 to 80 Vodafone services. Right now, all of them have separate IDs to log onto the separate services. So, today, you log onto their phone service, then one of their premium services and what-have-you. Your preference would be to have a single user ID and password to do that. That won't happen unless somebody, perhaps Vodafone itself, acts as the trust broker for all Vodafone properties. Trust-brokering is kind of a nebulous thing because AOL is the current trust broker for all of AOL properties, right? Does that mean that all those users are authenticated for transactions? The credit card industry will tell you that authentication is a fundamentally very different animal than what you think of as authentication on the Internet. What we think of as authentication, they think of as verification.

Tech Update: What's the difference?

Schwartz: User ID and login. Authentication confers a transfer of liability for fraud. So, if you have been authenticated to a level sufficient for the credit card industry to say that you have been authenticated, that means the credit card companies are eating the fraud. That's why it doesn't happen on the Internet, because authentication in their eyes doesn't happen on the Internet, unless you get a smart card, which is a whole separate discussion. When it happens in the mall, the merchant is there to authenticate you and there's a whole bunch of policies and provisions that every credit card issuer promulgates that basically says if you follow these steps: you check the customer's I.D., you get a signature and you ask the following three questions, we'll accept the fraud. Therefore, credit card issuers own the fraud in the mall. But today, merchants own the fraud on-line. So, in order for the sort of authentication that needs to happen, it will, by necessity, have to be federated.

Tech Update: In the context of building single sign-ons and verifying transactional IDs, what does it mean to federate authentication?

Schwartz: In a federated world, there has to be some form of trust brokering. In order for United Airlines to accept a user that has logged in to Citigroup as a user who is verified to engage in transactions, UAL has to trust that Citigroup has, in fact, performed the necessary authentication and verification. But, if that user isn't going to engage in transactions where there's risk of fraud, then maybe full-blown verification isn't necessary and UAL will trust a lesser form of authentication, maybe without verification [in the credit card sense] from another site. United Airlines, for example, may not care that much, if all you're going to do is go check the levels in your [frequent flyer] account. So, in some instances United Airlines will be in a position to say "We'll trust the authentication that any site passes us, and in other cases, the authentication will only trust a certain level of verification." Hopefully, we can standardize that through Project Liberty.

Tech Update: So, what does all of this have to do with Passport and the risk of that leading to Microsoft's next monopoly?

Schwartz: What Microsoft wants to say is that authentication won't be federated. It looks like it might, but who cares? That's not what's interesting. Federated authentication is only useful to users to the extent that they have access to all the services that they want. Not all of those services will be provided by Microsoft or .NET My Services.

Tech Update: So, if I can jump ahead here, the scenario you're worried about is the one where a user has some information tucked away in the Passport realm?

Schwartz: Right.

Tech Update: It could be in the database at Starbucks. It could be in the database at an instance of .Net My Services that's run by Microsoft.

Schwartz: Right.

Tech Update: But, the trust broker simply deals with deciding who is trustworthy based on the sort of transaction that's about to take place. It doesn't handle the passage of the customer information that's stored in those databases.

Schwartz: Right.

Tech Update: So, your concern is that, regardless of how a user or a transaction is authenticated or verified, if a single company like Microsoft is collecting customer information through the monopoly it has on the desktop and storing it in a repository that it runs like .Net My Services, Microsoft can basically hold that information hostage and charge money to those who need access to it?

Schwartz: Microsoft will. Microsoft has already stated it will. There's two things you should do. One, you should read the Passport License Agreement on Passport.com and read the paragraph that deals with what they can do with the information that you've provided to them. You will be stunned. [Editor's note: at the time this interview was published, Microsoft's Passport Privacy Policy included the following: ".NET Passport will not share, sell, or use your personal information in a manner that differs from what is described in this Privacy Statement, unless we have your consent."]

Tech Update: What's your interpretation of the agreement?

Schwartz: It basically confers to Microsoft the ability to use, sell, modify, distribute, publish, or do anything it wants with all the personal information that you give them. In no way are they prohibited from taking your identity and selling it to somebody that they deem would be of interest to them. In addition to that Microsoft will have its own walled garden. They want that walled garden to be everyone running Microsoft products. That's everyone who has a desktop personal computer because, by definition, they are a monopoly. The problem is that there will be other [non-Microsoft] gardens--and here's another convenient example: [a cell phone]. We should be asking what information in the Microsoft realm won't be available to non-Microsoft realms. [Editor's note: ZDNet editorial director David Berlind asked this very question of Microsoft's officials. Read the interview.] If access to the information that's kept in Microsoft's realm is restricted to users and companies that are in the Microsoft walled garden, it's an impediment to companies in other gardens. Therefore, it is anti-competitive.

Tech Update: So, your concern goes beyond that of companies not being able to get access to customer information. You're also concerned about Microsoft placing restrictions on what the customers themselves can do with the information?

Schwartz: If consumers cannot travel freely from one identity realm to another, and take information as they see fit from one to the other, that's a big problem for businesses. Microsoft will say "Oh, no, no, no. We're not going to hurt you retailers, or merchants. We're just going to charge your users five bucks every time they want to take their Passport identity to a non-Microsoft environment." Based on what merchants have told us, Microsoft has stated that they'll charge the user. Merchants--merchants like the airlines--have come to us and said "Microsoft has assured us that they won't charge us for accepting Passport. However, Microsoft has stated publicly and they have also told us (the merchants), that they will charge users for rights to get access to their own information." That again, is the ultimate form of monopoly reign. It's like [Microsoft saying to the customer], please give me your data, and then I am going to charge you to get access to it.

Tech Update: Last question: According to precedent law, one of the goals of any antitrust remedy is to restore competition to the relevant market; the one that's been illegally monopolized. Do you really think that the relevant market--which, according to all the legal documents is "Intel-based PC operating systems"--can be restored?

Schwartz: Do I believe that competition can be restored to PC operating systems?

Tech Update: Yes. My theory on this is that by the time that an antitrust remedy really sinks in--ten to twenty years or something like that--desktops could be irrelevant.

Schwartz: I do not believe the government should give up.
