
Gates' Passport for cyberthieves could hand him another Euro-tussle...
Published: 1 June 2001 18:30 GMT
Microsoft's flagship .NET strategy will fall far short when it comes to protecting consumers from fraud on the web, and may even breach European law.
According to industry experts, Microsoft's strategy - with its Passport security engine's reliance upon a single sign-in point - leaves people wide open to fraudsters, who would be able to get multiple pieces of information from a single source.
Even more worrying for the Redmond giant is the concern voiced by some that the .NET vision will be incompatible with European data protection legislation.
Bill Malik, VP and research director at Gartner Group, told silicon.com the system would present an intolerable level of risk for some businesses and governments. He said: "I can't see the banking sector going for it, and I can't see anyone with obligations under the EU data protection directives wanting to get involved."
Microsoft's initiative could really come unstuck if it falls foul of EU data laws.
The Information Commissioner's Office said it is not investigating .NET currently, but is concerned by both the data and security implications of all so-called 'single sign-on' initiatives.
Lawyers agreed there are many data protection issues which Microsoft will have to be aware of, including ensuring consumers are notified as to how information will be used.
Last month Microsoft signed up to the cross-border Safe Harbour agreement on data protection, meaning it is obliged to conform to the stricter legal framework for data protection in the EU, or face censure from the FTC.
.NET is Microsoft's name for its integrated web services, through which multiple websites will share information to provide the user with the best possible service. For example, it should allow users to buy from different sites without ever entering their credit card details, which would all be secured via Passport.
By definition, this relies on an authentication engine to guarantee a user's identity, side-stepping the need for separate security on individual websites. In addition to data protection issues, this single sign-on is a potential boon for net criminals.
Alan Brown, assistant director of the Digital Freedom Network, went further. "Personal consolidation efforts have been tried before in online products and they're lousy ideas for the same reason that no one should change all of their locks so that a single key could open them all," he said. "Lose that key and the finder inherits your life. Only a fool would do the same with their passwords, and I don't think there's a constituency more eager to see Microsoft's consolidation of personal data succeed than hackers."
Microsoft was unable to provide a spokesperson for this story.
Copyright © 2008 CBS Interactive Limited. All rights reserved.