Microsoft Ordered to Fix Passport Problems
FTC says the Internet sign-on service offers inadequate security, and misrepresents how much info it collects from users.
The U.S. Federal Trade Commission said Thursday that it has reached a settlement with Microsoft over misrepresentations of the privacy and security of the company's Passport Internet sign-on service, Passport Wallet, and Kids Passport.
After a year-long investigation, the agency concluded that the Passport services did not provide the security required to store sensitive user information, and collected more personal user information than stated in the company's privacy policy.
"We believe that Microsoft made a number of misrepresentations regarding the security of Passport, the information it stores, the security of online purchases using Passport Wallet, and the information collected on Websites using Kids Passport," FTC Commissioner Timothy J. Muris said during a conference call Thursday.
Setting Guidelines
The FTC has ordered Microsoft to cease misrepresenting the information collected by the services, implement and maintain an information security program, and have its security program certified by an independent specialist every two years for the next 20 years.
The settlement represents a significant development concerning government regulation of information technologies.
"Companies that promise to keep personal information secure must follow reasonable and appropriate measures to do so," Muris said.
In a statement released Thursday, Microsoft said that it thoroughly cooperated with the FTC in its review and that the agreement "reinforces Microsoft's commitment to improving security, and we will meet and work to exceed this high bar."
The FTC said that it initiated its investigation following a complaint filed in July 2001 by the Electronic Privacy and Information Center claiming that Microsoft falsely represented the privacy and security of user information collected by Passport.
Single Sign-On
Passport is a single sign-on service that stores users' information, allowing them to surf a number of Websites without having to re-enter data, and is central to the company's .Net Web services initiative.
Despite concerns raised by privacy groups, such as EPIC, that the system gives Microsoft too much control over sensitive user data, the company has repeatedly testified to the privacy and security of the system. The security concerns are even more crucial for Passport Wallet, which stores user credit card numbers and billing information for use in e-commerce transactions.
Although the agency said that it did not detect any breaches in Passport's security, it said that it found "inadequacies" in the security that could be avoided.
Personal Data
Furthermore, the agency said that Microsoft collected some user information without notifying users.
"[Microsoft] violated their privacy policy by collecting more information than they said they would collect," J. Howard Beales, director of the FTC's Bureau of Consumer Protection, said during the conference call.
At issue was the fact that Microsoft collected, and maintained for a limited period of time, information on which Web sites customers signed into, and did not mention this practice in its privacy policy. During its own conference call Thursday, however, the software maker said that this information was collected only for customer service purposes and that it has recently updated its privacy policy to reflect the practice.
"Most importantly, we have never shared this information with anyone. We have not shared it for free, for a price and not even with our partners," said Brad Smith, Microsoft senior vice president and general counsel.
Because Kids Passport was advertised as allowing parents to have complete control over what information Web sites would be able to access about their children, the misrepresentation in this case was particularly egregious, the FTC said.
Making Amends
Microsoft said it will more clearly state the security and privacy features of its products in the future.
"We understand the importance of online network security and appreciate that it constantly evolves," Smith said. "We've never claimed infallibility and in hindsight we wished we had held ourselves to a higher bar one or two years ago."
Smith added that the case will set new standards for the whole industry, and reflects the U.S. government's heightened interest in ensuring network security.
When asked how the FTC settlement will affect a European Commission probe into Passport privacy issues, Smith said that it would be up to the EC to decide if the new measures abated their concerns.
"We will of course be energetic in providing [the EC] with information on the settlement and ultimately they will have to decide if this order addresses the privacy issues they have in mind," Smith said.
The settlement is a consent agreement, the FTC said, and does not constitute an admission of wrongdoing. However, each violation of the order carries an $11,000 civil penalty.