Microsoft Satisfies European Privacy Rules

An agreement between European data protection officials and Microsoft to alter the .Net Passport service and better protect users' personal data is more show than substance, say privacy experts and analysts familiar with the terms of the agreement.

"I think this is a case of Microsoft's self interest and the European Union's (EU) interest in protecting its citizens being happily aligned," said Dwight Davis, vice president of Summit Strategies.

Despite blustery statements from European officials about wringing "substantial changes" out of Microsoft regarding its Passport single authentication service, the modifications agreed upon Thursday are "minor tweaks" to the .Net Passport service, Davis said.

Those changes include giving users finer control of what information they share with Passport, a summary of key information about privacy policies within the EU, a link to the European Commission's (EC) site on data protection laws and a tool for creating secure passwords.

Users will be able to take advantage of the features through the addition of a prompt that will ask users to designate themselves as European Union (EU) residents.

"Microsoft told me that they've been planning these features all along and that they presented them to the EU," Davis said.

Privacy Concerns

EU data protection officials stood by the agreement.

"The changes give users greater control over how their information is used," said Iain Bourne, strategic policy manager for the U.K. Data Protection Authority, which participated in the EU-wide committee investigation into online authentication systems.

They will also give a better explanation of how information is used by Microsoft. "There wasn't adequate transparency until now, so Microsoft had a problem with some EU data protection laws," Bourne said.

Not on the table in Microsoft's negotiations with the EU, however, were more substantial changes, such as separating .Net Passport from the Windows XP operating system or Microsoft applications and services, said John Pescatore, an Internet security analyst at Gartner.

"Almost everyone who buys a new computer right now is buying Windows XP, and it's nearly impossible to start up new Windows PCs without getting a new Passport account," Pescatore said.

Alternative Available

Changes that would allow organizations other than Microsoft to own Passport user identity information in a so-called "federated network" were also not part of negotiations with the EU. However, those changes may be coming anyway, with or without EU intervention, Davis said.

Microsoft indicated that it is developing a federated version of the .Net Passport technology. The main alternative to .Net Passport, the open source Liberty Alliance platform, operates on a federated identity model and was not singled out for any changes.

Mandating substantive changes in the way Passport stores user information or is tied to applications or services like MSN accounts would have been much harder for Microsoft and could have given the rival Liberty Alliance companies a head start in Europe, according to Pescatore.

The absence of such mandates should be interpreted as a victory for Microsoft, Pescatore said.

That worries Liberty Alliance supporters.

"It's a huge issue having an alternative to .Net," said Christine Varney, a lawyer from the offices of law firm Hogan & Hartson, which represents the Liberty Alliance in Washington, D.C.

Unlike .Net, the Liberty Alliance is not a branded service, leaving it up to the individual participating companies. Around 150 companies, including Microsoft rival Sun and financial services company American-Express, have expressed interest in using the system.

While he couldn't rate the systems, Bourne expressed support for solutions that avoid using a central database that gathers large amounts of information, as .Net Passport does.

Little U.S. Oversight

Although the Federal Trade Commission reviewed and mandated changes to Passport in August, the U.S. government has had little to say about privacy concerns stemming from Passport since then.

As for extending EU-style protections to Passport users in the U.S., Microsoft claimed that it does not know of--and thus cannot link to--a similar U.S. government site that would summarize U.S. data protection laws like the site sponsored by the EC, according to Davis.

Unlike the EU, the U.S. does not have clear and overreaching laws concerning the protection of personal data, according to legal experts.

"There is very little in the way of privacy law in (the U.S.). You have the financial arena with strict regulation and health care. Outside of those arenas, there's not much," said Mark Grossman, chair of technology law group of Becker & Poliakoff in Miami, Florida.

"The FTC works with existing law, but their basic position is: 'You don't have to have a privacy policy, but if you do you better abide by it,'" Grossman said.

In the absence of such laws and with little indication from the Bush administration that strengthening consumer data privacy is a priority, residents in the U.S. and other countries are more likely to have personal information shared or used in ways that they do not approve of than their counterparts in the EU, according to Grossman.

Paul Meller of the IDG News Service contributed to this report.