Microsoft's HailStorm has Privacy Implications for Financial Industry
By Ivy Schmerken
Wall Street & Technology
September 17, 2001

As Microsoft gets ready to ship Windows XP on Oct. 25th-the next generation of the dominant desktop operating system-financial services institutions will undoubtedly be eyeing HailStorm-a personalized notification service that is being bundled into XP or can be purchased separately. Should Wall Street firms consider upgrading their desktops to Windows XP to take advantage of the new functionality?

With its ongoing anti-trust battle, competitors and some critics say the functionality bundled into XP presents the same anti-competitive issues raised by the government's anti-trust case, and that Microsoft is using the monopoly position of its desktop software to dominate authentication and messaging on the Internet.

HailStorm Web services are organized around the concepts of my calendar, my accounts, my documents and my location, explains Jeremy Lehman, Microsoft chief technologist for financial markets, adding that the end-user is not required to use Windows XP or any other Microsoft platform. Microsoft has shown HailStorm to work on Unix, Macintosh, Blackberry Rim pagers and other devices, he says. A retail securities arm of a global universal bank is planning how HailStorm will allow customers to receive intimately personalized investment advice. "The bank would like to find a technology to allow their financial advisors to scale out to reach those down-market individuals in a more personal manner," says Lehman.

HailStorm works in tandem with Passport-an authentication and Web registration service-that will allow the user to store personal financial data, such as credit card payment information, online in an electronic type of wallet and share that information with other Web sites to conduct e-commerce transactions. Banks and brokerage houses could design vertical applications using the HailStorm services but would they feel comfortable using Passport to store employee or client personal identity information?

"Personal information management and Web authentication and identification services-compare that to a media player and you're talking about the difference between a firecracker and a nuclear bomb," says Kevin Meek, a lawyer who heads the technology practice group at Houston-based Baker Botts.

"If people are going to have problems with media players and instant messaging, can you imagine what it'll be like when Microsoft is not only that, but they're the bank and the stock exchange and (decide) whether or not you'll get on a plane?," asks Meek.

Today, 160 million-plus Passport accounts are issued to users of Microsoft's Hotmail email service. Privacy concerns were initially raised over collecting and monitoring everything that a consumer is doing, notes Hagay Shefi, CEO of GoldTier Technologies. "You have the physical evidence of where I'm flying and what hotels I'm staying in, and what restaurants I'm eating in and what stores I'm buying from, who's my cell phone provider and who's my broker," says Shefi. "You're naked," he adds.

In response, privacy organizations have filed a petition with the Federal Trade Commission to investigate these practices. A complaint filed by the Electronic Privacy Information Center (EPIC), argues that "Microsoft has engaged, and is engaging in unfair and deceptive trade practices intended to profile, track and monitor millions of Internet users."

But Microsoft's Lehman denies any of this is true. "The end user owns all the information. It would be up to the end user to opt what they want to expose to the bank. Everything about Passport and HailStorm are at the discretion and control of the user. Microsoft will not let it out," he insists, noting that Microsoft has gone to great lengths to build in the security and win the confidence of consumers. In a move to silence its critics, Microsoft struck an alliance in July with VeriSign Inc.-an Internet trust authority-to support deployment of HailStorm.

But one sticky point is that initially all Passport and HailStorm Web services will be hosted in Microsoft data centers located worldwide. At a future point, Microsoft will provide the technology and set of processes to partners for hosting their own HailStorm services. There is already interest from banks, market data firms and global financial networks, hints Lehman, who calls this a "federated model."

But, "If they're going to migrate this stuff back into the B2B world, then they're going to have to address some of the (privacy) issues-where does the intellectual property live, who really controls the authentication and verification of identities," says Bob Lamoreaux, chief technology officer of WorldStreet Corporation, who is piloting HailStorm for the next generation of its institutional pre-trade information service. Lamoreaux says that Microsoft is very open and interested in listening to what the financial industry is telling it.