Privacy watchdog EPIC (the Electronic Privacy Information Center), dissatisfied with a lack of response from the Federal Trade
Commission regarding complaints about Microsoft’s .NET Passport authentication service, asked the state attorneys general Tuesday
to pursue the matter.
In a letter to all 50 state attorneys general Tuesday, EPIC Executive Director Marc Rotenberg, Legislative Counsel Chris Hoofnagle
and Law Clerk Nathan Mitchler said, “The Electronic Privacy Information Center urges you to take action to protect consumers against
unfair and deceptive trade practices raised by Microsoft Corp.’s Passport service and related “Wallet,” “Kid’s Passport,”
“Hailstorm,” and “.NET Services.” These systems unfairly and deceptively gather personal information and expose consumers to the
release, sale, and theft of their personal information. Immediate state action is necessary to protect consumers and ensure
Microsoft does not continue to improperly collect personal information.”
Hoofnagle said the organization sent the letters out of frustration at a lack of visibility into the FTC’s movement on EPIC’s
complaints. (EPIC filed an initial complaint with the FTC in July 2001. In August 2001, the FTC wrote to EPIC and said, “We will
evaluate your complaint to determine what action, if any,
would be appropriate in this case. Please be advised that any commission investigation is non-public until the commission decides to
issue a formal complaint. As a result, we will not be able to advise EPIC or the other complainants of our decision as to whether to
investigate the matter.”)
But Hoofnagle also explained that EPIC turned to the state attorneys general because many states have stronger consumer protections
than the federal government, especially California, which grants citizens the inalienable right to privacy in its constitution.
“We mentioned California because they have among the strongest statutes for consumer protection,” Hoofnagle said.
Jason Catlett, president of Junkbusters Corp. and a fellow at the Kennedy School of Government, Harvard University, added, “What
we’ve tried to do is get the obvious agency to act. They’ve failed to act after several months and now we’re going down to the next
level.”
Specifically, EPIC alleges that Passport, which Microsoft says has more than 200 million accounts, allows an “unprecedented
profiling of individuals’ browsing and online shopping behavior.” The organization claims that this exposes consumers, who have
been assured by Microsoft that the Passport service is secure, to numerous privacy and security risks, ranging from online profiling
to e-mail spam to credit card data stolen through alleged security holes in the Passport and Wallet systems.
“The vulnerability of Passport combined with its pervasion of the Internet creates serious risks to personal information sacrificed
by consumers to gain access to services integrated with Microsoft authentication software under the belief that Microsoft is
adequately protecting their data,” EPIC wrote in its letters to the state attorneys general.
Catlett explained that EPIC’s problem is not with Microsoft’s collection of data, which he noted is not illegal, but with
Microsoft’s representation of its Passport service as a secure method for storing personal data and credit card numbers online. In
its letter to the attorneys general, EPIC noted a recent instance that it said displayed the vulnerability of Passport.
“In November a computer programmer illustrated a serious flaw in the Passport Wallet service that could affect 200 million users,”
EPIC wrote. “By exploiting the flaw, a user’s entire Passport account, including credit card numbers stored in the database, could
be made public. Microsoft recognized the problem and disabled the Wallet service in order to patch the flaw. Since its introduction,
consumers using Passport and Windows have been exposed to two major Internet viruses, and personal information in Passport was
compromised numerous times.”
EPIC also noted that Microsoft offers no mechanism for allowing consumers to delete their Passport registrations.