Tech Update: Executives from Sun Microsystems think that Passport is the key to Microsoft's next monopolies. (See the interview: Sun's Schwartz: 'Microsoft can't be trusted'.) At the heart of the claim is the idea that Microsoft is collecting and controlling customer information. What information does Microsoft collect through its Passport service?
Sohn: Today, in Passport, there is a profile system that contains about thirteen fields of information. Those fields can be populated at varying levels by the site that signs you up. [Editor's note: Users may sign up at any site that participates in the Passport program.] Some sites may sign you up only with a user name and password. Some sites may ask for a little bit of information. In the case of a site like Microsoft's Hotmail, it asks you for a little bit of information like country, state and zip code.
Tech Update: Why does Hotmail need that information?
Sohn: It uses that information to target advertising to you. Hotmail's business model is based on the premise that you're getting free e-mail. Hotmail takes that information and uses it based on their privacy policy. So, Hotmail's use of that data is governed by its relationship with the customer and that relationship is based on Hotmail's privacy policy.
Tech Update: But the data is stored in Microsoft's central repository--Passport--right?
Sohn: The data that Hotmail collects is stored in the Passport profile. So, yes, Passport is the data repository for Hotmail. But once the user opts in to share that data with other partners, those partners, including Hotmail, get the data too. The registering site always gets the data at registration, pursuant to their policy and the data we hold in Passport is pursuant to the Passport policy.
Tech Update: There are some obvious advantages to storing up-to-date profile information in a central repository where others can get at it. Will Passport users be able to make this information available to others across the Internet?
Sohn: Yes. Users can ask to have their data shared with another Passport partner site. However, once a user shares their data with another site, it also becomes subject to the privacy policy of that site.
Tech Update: Is .Net My Services for the rest of the personal information--the information that goes beyond the basic thirteen fields stored in Passport, stuff like music preferences or whatever?
Sohn:. Think about .Net My Services as a sort of federation; a really big tree and [Microsoft] is just one leaf on that tree. One node in the network. The most likely scenario is that a user will have access to applications and experiences that rely on the data stored in a .Net My Services repository. Some of those might be telecommunication services from your phone company or cell phone provider. Some may be various different Web sites like merchants, portals, or ISPs. Each one of those is a different leaf on the tree and each one of those can have its own instance of a .Net My Services repository. Your data can live in multiple places including those businesses that you have a relationship with or even locally on your own device. Or maybe some of your data lives at your workplace.
Tech Update: Are the rules for sharing that data pretty much the same as they are with the data that's kept in the Passport repository?
Sohn: Yes. You share that data based on your consent with anybody who's done the right technical work who knows how to ask for it.
Tech Update: With any merchant?
Sohn: Any merchant who has done the right work.
Tech Update: Executives from Sun have described a scenario in which Microsoft can collect a lot of information through its monopoly of the desktop, store it in its Passport and .Net My Services repositories, and charge merchants for access to that data. So, even though there will be other instances of .Net My Services repositories run by non-Microsoft companies, suppose I have chosen to keep my personal data in one of Microsoft's instances. Do you have plans to charge me as a user to store that information there or to share it with the merchants of my choosing?
Sohn: We're envisioning a world where the user is in control. So, if the user wants to buy something from a merchant, would they want Microsoft or anybody else to get in the way? So, that's one reason I would say that Microsoft would not be interested charging for access to that data. Think about if you were a user whose data was stored with us, and you wanted to shop at some merchant. But Microsoft says to the merchant, "Hey, we're going to charge you to get access to this user's information." The merchant would send you a email saying "Hey, don't stand for this. We're a leaf on the .Net My Services tree and we don't charge you money. Come store your data with us or keep it with some other service you where there's no charge for sharing the data." If Microsoft tried a strategy where we charged for access to that data, I think it would blow up in a heartbeat. It's not something that we've ever thought about. It's not something that we're ever going to do. Less friction is better. The idea is any time, anywhere, any device access, and the user in control. That's what this whole thing is about.
Tech Update: Another contention of Sun's is that you'll sell the data back to the user. Scott McNealy talks about this a lot. The idea being that once you harvest this data from the user through Windows or some other Microsoft technology, you'll charge the user to access it, maintain it, keep it up to date, and share it with merchants. Does Microsoft have any plans to do any of those things?
Sohn: There are basically two hypothetical scenarios and they're the basis for how a lot of companies capture revenue off the Internet. The first is when a business like Microsoft's MSN offers a free service to end-users that captures revenue from advertising. That service might rely on data that's stored in a .Net My Services repository, and the data wasn't made available to that service until the end-user gave his consent. But beyond that, there's no charge to the end user for interacting with that data because of the business model that MSN has chosen for that particular experience. Then, there's the scenario where MSN offers some premium service where the business model is based on subscription revenue. For example, a lot of people pay America Online $22 per month and you get a certain set of premium services. MSN will offer similar premium services to capture subscription revenue, and .Net My Services will be built into those experiences. So, those are two scenarios where MSN will run services that have .Net My Services built into them. In answer to your question, if you as a user decide to use some non-Microsoft application, service, or merchant that needs access to the data that was captured through a Microsoft-run service and you consent to that sharing, you won't be charged for that and neither will the merchant or the service. If [Microsoft] puts up barriers to sharing that data, it would undermine the value of the new Web services model. It would destroy the dream.
Tech Update: But, suppose I don't want those services? Suppose I just chose Microsoft's instance of .Net My Services as simply a repository to store my data?
Sohn: We're looking into a crystal ball a little bit now, as these offerings are not in the market yet so I can't tell you if that option will be available. The idea is that if you have a relationship with MSN where that data is stored, whether or not you're paying for that relationship, the idea that we would charge you to share that with someone else is counterintuitive to the business model. We don't want any barriers to applications being able to get access to the user's data with the user's permission and we don't want barriers to the user being able to share that data when they choose. The whole idea behind having any time, anywhere, any device access to this data is premised on the fact that you can actually move this data around in a secure way that respects your privacy. A way that allows you to make informed decisions about what is the intent of the people who are asking for that data. We want to enable all of that and that's what this platform does. So, charging a toll every time a user wants to project some data somewhere is just not going to make this a very useful service.
Tech Update: Just to confirm what you said earlier about Microsoft's plans, you don't see Microsoft offering .Net My Services strictly as a repository of data. You only see it as appearing as an embedded part of a service that relies on that data, and that service is what people will subscribe to?
Sohn: Yes. That's exactly the way the model will work for Microsoft. Now it's possible that somebody else will build a data center, based on .Net My Services software that we would sell, throw some UI on top of it and the only reason you'd ever go there is to manage your data. I suppose that's possible but I don't know that it's a really interesting business model. What's more interesting is providing value to end users that they'll be interested in paying for. If you think about it today, the .Net My Services stuff that's running out there is an enabling technology. It may be interesting to engineers, but in itself, it's not interesting to end users.
Tech Update: But it's certainly interesting to me as a user if I know that I can say, well there's this place where I can just go in and enter a bunch of data and then I don't have to re-enter it with every merchant. That's supposedly the promise of .Net My Services.
Sohn: The idea that all your data is going to be stored in one data center is not what the vision is here. The vision is that wherever the data's stored, the network is smart enough to make it available when you give permission. So we are not going to be the guys who do every single bit of work, about every single piece of information in your life. We're going to offer the platform, and we're going to offer some services, and there are going to hundreds and thousands of other service providers who will do really cool and innovative kinds of stuff in addition to us.
Tech Update: Another concern is that Microsoft will sell the customer data stored in the Passport and .Net My Services repositories to third parties, sort of the way mailing lists are sold today.
Sohn: Microsoft will not make any secondary use of that data. We won't sell it, we won't mine it, we won't rent it, and we won't publish it. Period. End of story. Likewise, we have absolutely no business model around owning this data. The idea that we're just one node in a federation proves that the value is not in having the data. So, the value proposition is that you need a place to put this data and sometimes it can be in one repository and in other times in can be in a set of repositories. We think more likely it will be spread through the federation. As I said earlier, when you as a user give another service or application the consent to access your data, then that data now resides in that service and is pursuant to their privacy policies. In that scenario, some of the properties that Microsoft runs like MSN, Hotmail, and bCentral are customers of Passport. Once the user consents to share that data with some experience provider, Microsoft-owned or otherwise, then it will be pursuant to the privacy policy of those experience providers. I think that, in the long run, the only providers that will survive are ones who are responsible about how that data gets used.
Tech Update: What I just heard is that you wouldn't sell that data. I want to read to you a paragraph from the .Net Passport Privacy policy.
Sohn: Just so you know, Passport does not equal .Net My Services.
Tech Update: I don't know that the distinction is totally clear to someone who signs up for Passport. But I just want to read to you the paragraph. It says, ".Net Passport will not share, sell or use your personal information in a manner that differs from what is described in this privacy statement unless we have your consent." What that says to me is that there exists the possibility under which .Net Passport, Microsoft, or .Net My Services--I don't care what you call it--will sell my personal information. In other words, this to me is a disclaimer that says, "We won't sell it unless we have your consent." It makes me think that Microsoft is thinking about selling it when you just told me it isn't.
Sohn: We will not make secondary use of that data. We don't care about owning it. What that statement says to me is we will not do any of those things--not just sell--but do anything different than what you are reading without telling you first. It tells users what Passport will not do. Remember, each site has a policy, there is no "Microsoft" overall policy. If we do do what our critics say we'll do--and they have no evidence that we ever have even considered this, they are only fear mongering--we've committed to ask [for consent]. I think this is very clear. Frankly that is part of standard fair information practices, the TRUSTe stuff. [Editor's note: The TRUSTte seal of approval guarantees that a privacy policy can be upheld to a certain standard; see TRUSTe.com for more information.] I've been out on the road in front of press and analysts with the vice president in charge of this stuff and we are not going to make secondary use of that data. But I will take that feedback and say to [the people who write our policies] that there are folks out there who think this means we can turn around and sell the data. How do you think we should reword it?
Tech Update: You want me to take a crack at it?
Sohn: Sure.
Tech Update: ".Net Passport, Microsoft, .Net My Services and all the related services that are run by Microsoft will never sell your personal data. Microsoft will never sell the personal information that you supply to these services." How's that?
Sohn: I'm going to take that feedback back to [Microsoft VP] Brian Arbogast and the privacy policy guys. But I am telling you what the intent of the corporation is, and we'll go take a look at that policy. The intent of the corporation is that we have no plans to sell that data. I can't say it any clearer than that. And I can say to you that if there is any confusion at all in there, we're going to take a look at it.
Tech Update: Let's switch gears to the last concern. Is there any circumstance where a third-party such as merchant or an end-user that needs access to data stored in Passport's repository or a .Net My Services-based repository will require access to a Microsoft technology in order to get that access?
Sohn: In the scenario where this stuff is all the way out at the edge of the network and users are going to manage it locally on their devices, that's probably stuff that we're going to write. We do write the software that goes into the infrastructure. But, let me paint the picture where the user and the merchant will not have to have any software requirements. So, imagine a user that uses MSN and they have a Linux box running Mozilla or Netscape on it. They'll be able to access all their services through their browser and maybe they pay some subscription revenue for a premium service on MSN like we talked about before. But they won't have to run any Microsoft technologies locally. If they want to access those services through a cell phone that runs Java, or a Palm device, or a RIM Blackberry, assuming that whoever wrote the operating systems for those devices does the work to understand the standard Web services protocols, no Microsoft technologies will be required there either.
Tech Update: And none of the required Web services protocols are proprietary to Microsoft?
Sohn: Right. To access that information, you'll have to be able to understand some industry standard stuff like XML, SOAP, probably Kerberos, maybe some other encryption formats and security technologies--all stuff that's out in the world.
Tech Update: Are any of those encryption or security formats based on a proprietary Microsoft technology that developers would have to pay to license?
Sohn: No. I'm talking about security and encryption solutions like PKI, SAML, XRML, XMLencrypt, etc. The other thing developers will have to know is what the structure of the information is and how to form a SOAP message that can request data from a .Net My Service and how to receive data back from a .Net My Service.
Tech Update: Will third parties ever be charged to get an understanding of, or access to, any of those .Net My Service data structures? I just want to make sure that developers will be able to get access to and understand those data structures on a free and non-discriminatory basis.
Sohn: If you look at the Windows platform today, our business model does not charge the ISV for access to the technical information they need to write to the platform. We expect .NET My Services technologies to track to this model, where this type of technical information is freely available to developers.
Tech Update: So, the bottom line is that Microsoft technology will not be required to access data that's kept in a .Net My Services repository?
Sohn: The idea is to make this information available to any system, application or device that the user chooses to make it available to. When we launched .Net My Services (then code named HailStorm), the demo we did had a very rudimentary version of an address book service and we demonstrated how the service could be accessed from a Windows PC, a Windows CE-based PocketPC, a Palm, a Linux box, a Sun Solaris workstation, and Apple's iMac. It worked because the stuff is based on XML and SOAP.
