Windows XP Is Nosy, Privacy Groups Complain

As they threatened, a handful of consumer advocacy and privacy organizations have asked the Federal Trade Commission to force changes in Microsoft Windows XP that could delay the product's release.

The groups are concerned that Microsoft's Passport authentication system has "the potential to track, profile and monitor users of the Internet ... [with] far-reaching and profound implications for privacy," according to the formal complaint, filed Thursday.

Passport provides a sign-on system so you can access a variety of services and Web sites with just one password. It stores such information as your name, address, age, phone number, e-mail address, preferences, and payment information for online transactions. Passport will be a central feature of the "Hailstorm" system, a main component of .Net, Microsoft's online services program that is under development.

However, it's also part of Windows XP, the next version of the Windows operating system, which is scheduled to ship October 25. When a PC running Windows XP connects to the Internet, a dialog box appears saying you need a Passport in order to use Windows XP communication features like instant messaging, voice chat, and video, according to the complaint.

Microsoft calls the claim filed with the FTC "totally unfounded."

"Privacy and security are fundamental design points in the architecture of Passport and Hailstorm, as well as .Net services," says Jim Desler, a Microsoft spokesperson for legal issues. "All of these services place the consumer in control of their personal information."

Customers are not required to sign up for Passport simply because they use the Windows XP operating system, according to Microsoft representatives. The privacy groups, however, argue its presence within the operating system is deceptive.

"Although it is technically possible to use XP without providing personal information, in practice it is simply too difficult because of Microsoft's efforts to collect that information. Essentially the average user is required to give out personal information," says Jason Catlett, president of Junkbusters, one of the groups involved in the complaint.

The complaint states that Microsoft tries to force Windows XP users into unnecessarily signing up for and disclosing information to Passport.

Passport includes features that give users some control over the personal information that is disclosed to third parties, however the information is still under Microsoft's control. The groups disapprove of that practice.

Microsoft also shares user information among sites in its MSN family of Web sites, and tracks Hotmail customers, the complaint says.

The combination of confusing and misleading options and information in both Windows XP and Passport "[makes] it difficult, if not impracticable, for consumers to exercise control over their personal information," the groups write.

The problem becomes even more serious when e-commerce is involved, they say. The Passport system could lead to fraud if someone else has access to your PC when Passport is activated, leaving your payment options available to them, says Richard Smith, chief technology officer for the Privacy Foundation, one of the complainants.

Microsoft could address the group's concerns easily, says Marc Rotenberg, executive director of the Electronic Privacy Information Center, another participant in the complaint.

"Microsoft could stop some of the issues we protest fairly easily. For example by allowing services to operate with a pseudonym," he says.

However, Microsoft has been adamant about staying on track for the October release. The first "release candidate" version of Windows XP entered the final test cycle early in July, and Microsoft expects to produce an update to the release candidate (RC2) "during the next few days," says Jim Allchin, a Microsoft vice president.

Several state attorneys general have also expressed interest in the complaint, Rotenberg says. Several states are reportedly considering additional antitrust charges against Microsoft for some of the features it has built into Windows XP.

"Microsoft has also contacted us; they would like to talk with us. But at this point our interest is to pursue with the complaint," Rotenberg adds.

The complaint asks the FTC to investigate Passport's information collection practices, and order Microsoft to revise the Windows XP registration procedures so consumers are clearly informed that they don't need to use Passport to go online. It asks the FTC to order Microsoft not to share Passport information with MSN sites without explicit customer consent, and to support anonymous log-ons as well as permit customers to use some other type of online payment services even when running Windows XP.

"The Passport policy now reassures users, but Microsoft should warn users of the risks. That's a typical role the FTC plays. It can require a company to be more forthcoming about risks," Rotenberg says.

Other groups involved in the complaint are The Center for Digital Democracy, The Center for Media Education, Computer Professionals for Social Responsibility, Consumer Action, The Consumer Federation of America, The Consumer Task Force for Automotive Issues, The Electronic Frontier Foundation, The Media Access Project, NetAction, The Privacy Rights Clearinghouse, and the U.S. Public Interest Research Group.

Joris Evers, IDG News Service correspondent in Amsterdam, and Matt Berger, IDG News Service correspondent in San Francisco, contributed to this report.