RealTime IT News

Microsoft Cuts Passport Deal With FTC

Microsoft Corp. agreed Thursday to 20 years of independent, third-party audits of the Passport identification and authentication system to settle Federal Trade Commission (FTC) charges that Microsoft falsely misrepresented the privacy and security of personal information collected from consumers through Passport.

FTC Commissioner Timothy J. Muris said his agency's review of Passport procedures found no actual examples of security or privacy breaches but "we found there was potential for both."

The FTC ruled that Microsoft misled consumers by overstating the security level of Passport and also misrepresented its privacy policy when it collected and held, for a limited time, a personally identifiable sign-in history for each user

The agreement calls for the formalization, documentation and independent audit of Passport's security procedures every two years for the next 20 years to give the FTC, as well as Microsoft customers and partners the "clear indication" that Microsoft is meeting a "high standard for online security."

There was no fine in the settlement, but if Microsoft fails to comply with the new order, it would be subject to an $11,000 per violation, per day fine.

The FTC is accepting public comment on the proposed order until Sept. 9, after which the Commission will determine whether to make it final.

The settlement brought a unanimity of praise for the FTC from the coalition of consumer groups, led by the Electronic Privacy Information Center (EPIC), who initially prompted the Commission's probe into Passport's true security levels.

"The FTC going after Microsoft on a consumer complaint is quite significant and the order is quite sweeping," said Marc Rotenberg, executive director of EPIC. "We put them to the test. Frankly, we're pleased but in some cases the FTC went further than anticipated."

Junkbusters President Jason Catlett added, "Although finding that Microsoft has bad security it may seem like concluding the obvious, it's very significant that a government agency conducted an on-site investigation and put conduct remedies in place."

In an online interview on the company site, Brad Smith, senior vice president and chief legal counsel of Microsoft, said, "Consistent with our heightened security obligations, we accept responsibility for the past and will focus on living up to this high level of responsibility in the future."

Smith said the FTC approached Microsoft last August seeking information on "how we described some of our privacy and security measures in Passport."

Much of the discussion with the FTC, according to Smith, focused on what should be considered "reasonable" online security measures.

"The FTC's complaint asserts that we should have taken additional security steps earlier in the operation of the Passport service. We understand this concern. While we always believed that we were employing reasonable and appropriate security measures, we recognize that network security constantly evolves," Smith said. "A level of security that seemed reasonable when we launched Passport in 1999 does not seem so reasonable by today's norms. Hence, even though we know of no instance where a Passport user's information has ever been compromised, in hindsight we wish we had held ourselves to an even higher bar."

Passport is a free service that authenticates users' identities, allowing them to move seamlessly within partner sites and make purchases without having to re-enter information.

Microsoft operates three related Passport services: Passport Single Sign-In (Passport); Passport Express Purchase (Passport Wallet); and Kids Passport.

Passport collects personal information from consumers while Passport Wallet collects and stores consumers' credit card numbers and billing and shipping addresses and enables consumers to use the stored information when making purchases at participating Web sites. Kids Passport allows parents to create Passport accounts for their children that can limit the collection of personal information by participating Web sites.

Microsoft's Passport privacy policies included statements such as, "Passport achieves a high level of Web Security by using technologies and systems designed to prevent unauthorized access to your personal information" and "Your Passport is protected by powerful online security and a strict privacy policy."

The Kids Passport privacy policy included statements such as, "Microsoft Kids Passport allows parents to consent to the collection, use and sharing of their children's information with Passport participating sites. You can choose to allow Passport to share all of the information in your child's Passport profile with a participating site or service, or you can limit the information shared to just a unique identifier or age range."

According to the Commission's complaint, Microsoft falsely represented that:

  • It employs reasonable and appropriate measures under the circumstances to maintain and protect the privacy and confidentiality of consumers' personal information collected through its Passport and Passport Wallet services, including credit card numbers and billing information stored in Passport Wallet
  • ;

  • Purchases made with Passport Wallet are generally safer or more secure than purchases made at the same site without Passport Wallet when, in fact, most consumers received identical security at those sites regardless of whether they used Passport Wallet to complete their transactions;
  • Passport did not collect any personally identifiable information other than that described in its privacy policy when, in fact, Passport collected and held, for a limited time, a personally identifiable sign-in history for each user; and
  • The Kids Passport program provided parents control over what information participating Web sites could collect from their children.
  • "The FTC made a very thorough review of our Passport privacy statement, as well as our related policies and procedures. After this review, the FTC complaint asserts that only one thing was not adequately described. That is a temporary log that we keep and use to permit our customer service representatives to support Passport users who have contacted our support team," said Smith. "It's important to note that no personal information has been shared with anyone else or misused in any manner as a result of these temporary logs. The FTC complaint itself recognizes that the log is only 'linked to a user's name in order to respond to a user's request for service.'"

    Smith added that Microsoft has already changed its privacy statement.