Subject: Re: Clay Shirky on hailstorm
From: Frank Hecker <>
Date: Thu, 07 Jun 2001 00:18:52 -0400

(I beg pardon for my lateness in commenting on this...) wrote:
> Tim O'Reilly wrote:
> > Clay Shirky has a very interesting article on Hailstorm on,
> > at
> >
> > He looks especially at how MS mixes decentralization and open access on
> > the client side with strong control of third party development and user
> > data. He explains how we should think of it as an
> > authentication-centric, rather than hardware-centric system.
> Read and search for
> the word "control".  Each time you see that word, remind
> yourself that Microsoft can only deliver that control to end
> users if they retain that control themselves and then are
> trusted to act as the end user's proxy.  This gives the user
> the illusion of control.  However the real control remains with
> Microsoft.

I wouldn't be happy either having to store all my personal data with
Microsoft, but I don't believe that individuals per se are the real
targets of Microsoft's attempts at control; rather I believe the real
targets are businesses that "partner" with Microsoft or that might
attempt to compete with it.

I believe that Microsoft has a strong business incentive to avoid doing
things that would cause it to lose the trust of the "typical" individual
end user of Hailstorm; after all, Microsoft's whole strategy with
Hailstorm depends on getting a critical mass of individuals to use the
service, and ultimately on getting the majority of end users to sign up.

When I myself "[read] and
search for the word 'control'", I find the most interesting occurrence
of the word "control" to be the very last one in the white paper:

  ... Microsoft intends to contractually bind licensees to specific
  terms of use that control what can and cannot be done with user data
  originating from a HailStorm source.

"Licensees" in this context are not individuals, they are other
companies offering net-based services to individual end users under the
Hailstorm scheme.

Now suppose some significant fraction of end users end up going through
Hailstorm to access third-party services. Then it seems to me that the
above-mentioned contracts basically give Microsoft a massive amount of
leverage over companies providing such services, the same way that
Microsoft's contracts with PC vendors gave it leverage over those
vendors. Just as Microsoft could potentially bully PC vendors by
threatening them "under the table" with the loss of their licenses to
bundle Windows, in the future Microsoft could potentially threaten
service providers with the loss of their access to
Hailstorm-authenticated users and their information. Microsoft could
make renewal of Hailstorm contracts "unofficially" contingent on signing
of unrelated agreements favorable to Microsoft, "informally advise"
other companies to avoid competing with Microsoft's own net-based
services, and potentially do pretty much anything else in the way of
business tactics that Microsoft has traditionally been able to do in the
software arena.

Also, Microsoft's leverage is not limited to just renewing or not
renewing Hailstorm contracts. The white paper also notes that

  HailStorm uses legal and technical mechanisms to prohibit any
  unauthorized use of the user's data, _and that limitation on use
  will extend beyond the specific transaction in which the data was
  obtained._ [emphasis added]

So, in other words, if you are a service provider who has happened to
attract the unfavorable attention of Microsoft, you could potentially
find yourself on the receiving end of a full-fledged privacy audit of
your business -- just like the software audits you found to be so much
fun, except potentially extending to every aspect of your business,
including all your information systems, whether running Microsoft
software or not.

And the most clever thing about all of this is that Microsoft can
justify whatever it does to other companies on the basis that "we're
doing it for the users". Of course, Microsoft made that same claim with
software: "We're just innovating for the users." However here it's a
much more politically credible argument, because Microsoft can claim to
be protecting people's most precious personal data, can ally itself with
the most vocal and energetic privacy advocates, and can advocate the
most stringent privacy laws and regulations. In fact, the more zealous
Microsoft is in "protecting our users' privacy", the bigger the hammer
they have with which to threaten Hailstorm licensees, so IMO Microsoft
has every incentive to be just as zealous in "protecting users' privacy"
with Hailstorm as it had in "protecting intellectual property" with

Frank Hecker            work:        home: