European Countries Mull Probe of Microsoft Passport

Adding to its potential regulatory problems in Europe, Microsoft Corp.
might face an investigation of its Passport
digital-identification system by European Union (EU) countries.

The European Commission, the EU’s executive arm, said it would examine the
privacy safeguards of Microsoft’s Passport, according to reports over the
weekend. Under EU law, the European Union’s 15 member states would need to
act on their own to penalize Microsoft, but the Commission is often looked
to for guidance in such matters.

A privacy probe would come in addition to the investigation from the
Commission’s competition unit, which is examining the market dominance of
Microsoft’s Windows operating system and considering a probe of its bundling
of the Windows Media Player.

According to published reports, European Commissioner for Internal Markets
Frederik Bolkestein, responding to a written question by European Parliament
member Erik Meijer, said that the Commission regarded privacy concerns about
Passport “a matter of priority.”

“The question of whether, and to what extent, the (EU) directive applies to
a database located outside the Union, especially where data is collected
directly from data subjects via the Internet, is a complex one which the
Commission and national data protection authorities are at present examining
carefully,” Bolkestein wrote.

Microsoft officials were unavailable for comment. According to reports, the
company said it has met with officials from the Commission and member states
to discuss the issue.

Launched in 1999, Passport is a free service that authenticates users’
identities, allowing them to move seamlessly within partner sites and make
purchases without having to re-enter information. As of February, researcher
Gartner Group estimates 14 million people were using Passport, which was
meant to be the forerunner for My Services, the consumer side of its .Net
strategy. However, the service has floundered as other businesses resisted
sharing consumer information with Microsoft. In April, Microsoft quietly shelved its plans to launch My Services.

Both Passport and My Services raised potential obstacles to Microsoft in
Europe. With restrictions on cross-border transfers of personal information,
Europe traditionally takes a more expansive view of consumer privacy than in
the United States.

“It was our opinion that the system violated American law,” said Chris
Hoofnagle, legislative counsel for the Electronic Privacy Information Center
(EPIC). “Reasoning from that says it would violate European law, which is
much stronger.”

In the United States, Microsoft’s Passport service has come under fire for
its potential to invade consumers’ privacy and security flaws.

“Microsoft’s software and services are notoriously insecure,” said Jason
Catlett, a privacy advocate and president of Junkbusters.com. “Even if they
could protect it, there’s the question whether you want a court-certified
law breaker in charge of personal information.”

In July 2001, the EPIC, joined by other privacy advocates, filed a formal
complaint against Microsoft with the Federal Trade Commission (FTC),
followed by a letter this past January to state attorneys general urging
them to investigate the service.

Neither the FTC nor any states have announced probes of Passport.