Windows XP Is Nosy, Privacy Groups Complain
As they threatened, a handful of consumer advocacy and privacy organizations have asked the Federal Trade Commission to force changes in Microsoft Windows XP that could delay the product's release.
The groups are concerned that Microsoft's Passport authentication system
has "the potential to track, profile and monitor users of the Internet ...
[with] far-reaching and profound implications for privacy," according to the
Passport provides a sign-on system so you can access a variety of services and Web sites with just one password. It stores such information as your name, address, age, phone number, e-mail address, preferences, and payment information for online transactions. Passport will be a central feature of the "Hailstorm" system, a main component of .Net, Microsoft's online services program that is under development.
However, it's also part of Windows XP, the next version of the Windows
operating system, which is
Microsoft calls the claim filed with the FTC "totally unfounded."
"Privacy and security are fundamental design points in the architecture of Passport and Hailstorm, as well as .Net services," says Jim Desler, a Microsoft spokesperson for legal issues. "All of these services place the consumer in control of their personal information."
Customers are not required to sign up for Passport simply because they use the Windows XP operating system, according to Microsoft representatives. The privacy groups, however, argue its presence within the operating system is deceptive.
"Although it is technically possible to use XP without providing
personal information, in practice it is simply too difficult because of
Microsoft's efforts to collect that information. Essentially the average user
is required to give out personal information," says Jason Catlett, president of
The complaint states that Microsoft tries to force Windows XP users into unnecessarily signing up for and disclosing information to Passport.
Passport includes features that give users some control over the personal information that is disclosed to third parties, however the information is still under Microsoft's control. The groups disapprove of that practice.
Microsoft also shares user information among sites in its MSN family of Web sites, and tracks Hotmail customers, the complaint says.
The combination of confusing and misleading options and information in both Windows XP and Passport "[makes] it difficult, if not impracticable, for consumers to exercise control over their personal information," the groups write.
The problem becomes even more serious when e-commerce is involved, they
say. The Passport system could lead to fraud if someone else has access to your
PC when Passport is activated, leaving your payment options available to them,
says Richard Smith, chief technology officer for the
Microsoft could address the group's concerns easily, says Marc
Rotenberg, executive director of the
"Microsoft could stop some of the issues we protest fairly easily. For example by allowing services to operate with a pseudonym," he says.
However, Microsoft has been adamant about staying on track for the
October release. The first "release candidate" version of Windows XP entered
Several state attorneys general have also expressed interest in the
complaint, Rotenberg says. Several states are reportedly considering
"Microsoft has also contacted us; they would like to talk with us. But at this point our interest is to pursue with the complaint," Rotenberg adds.
The complaint asks the FTC to investigate Passport's information collection practices, and order Microsoft to revise the Windows XP registration procedures so consumers are clearly informed that they don't need to use Passport to go online. It asks the FTC to order Microsoft not to share Passport information with MSN sites without explicit customer consent, and to support anonymous log-ons as well as permit customers to use some other type of online payment services even when running Windows XP.
"The Passport policy now reassures users, but Microsoft should warn users of the risks. That's a typical role the FTC plays. It can require a company to be more forthcoming about risks," Rotenberg says.
Other groups involved in the complaint are The Center for Digital Democracy, The Center for Media Education, Computer Professionals for Social Responsibility, Consumer Action, The Consumer Federation of America, The Consumer Task Force for Automotive Issues, The Electronic Frontier Foundation, The Media Access Project, NetAction, The Privacy Rights Clearinghouse, and the U.S. Public Interest Research Group.