agreed Thursday to 20 years of independent, third-party audits of the Passport identification and authentication system to settle Federal Trade Commission (FTC) charges that Microsoft misrepresented the privacy and security of personal information collected from consumers through Passport.
FTC Commissioner Timothy J. Muris said his agency’s review of Passport procedures found no actual examples of security or privacy breaches but “we found there was potential for both.”
The agreement calls for the formalization, documentation and independent audit of Passport’s security procedures every two years for the next 20 years, to give the FTC, as well as Microsoft customers and partners, the “clear indication” that Microsoft is meeting a “high standard for online security.”
There was no fine in the settlement, but if Microsoft fails to comply with the new order, it would be subject to an $11,000 per violation, per day fine.
The FTC is accepting public comment on the proposed order until Sept. 9, after which the Commission will determine whether to make it final.
The settlement brought a unanimity of praise for the FTC from the coalition of consumer groups, led by the Electronic Privacy Information Center (EPIC), who initially prompted the Commission’s probe into Passport’s true security levels.
“The FTC going after Microsoft on a consumer complaint is quite significant and the order is quite sweeping,” said Marc Rotenberg, executive director of EPIC. “We put them to the test. Frankly, we’re pleased but in some cases the FTC went further than anticipated.”
Junkbusters President Jason Catlett added, “Although finding that Microsoft has bad security may seem like concluding the obvious, it’s very significant that a government agency conducted an on-site investigation and put conduct remedies in place.”
In an online interview on the company site, Brad Smith, senior vice president and chief legal counsel of Microsoft, said, “Consistent with our heightened security obligations, we accept responsibility for the past and will focus on living up to this high level of responsibility in the future.”
Smith said the FTC approached Microsoft last August seeking information on “how we described some of our privacy and security measures in Passport.”
Much of the discussion with the FTC, according to Smith, focused on what should be considered “reasonable” online security measures.
“The FTC’s complaint asserts that we should have taken additional security steps earlier in the operation of the Passport service. We understand this concern. While we always believed that we were employing reasonable and appropriate security measures, we recognize that network security constantly evolves,” Smith said. “A level of security that seemed reasonable when we launched Passport in 1999 does not seem so reasonable by today’s norms. Hence, even though we know of no instance where a Passport user’s information has ever been compromised, in hindsight we wish we had held ourselves to an even higher bar.”
Passport is a free service that authenticates users’ identities, allowing them to move seamlessly within partner sites and make purchases without having to re-enter information.
Microsoft operates three related Passport services: Passport Single Sign-In (Passport); Passport Express Purchase (Passport Wallet); and Kids Passport.
Passport collects personal information from consumers while Passport Wallet collects and stores consumers’ credit card numbers and billing and shipping addresses and enables consumers to use the stored information when making purchases at participating Web sites. Kids Passport allows parents to create Passport accounts for their children that can limit the collection of personal information by participating Web sites.
According to the Commission’s complaint, Microsoft falsely represented that:
“The FTC made a very thorough review of our Passport privacy statement, as well as our related policies and procedures. After this review, the FTC complaint asserts that only one thing was not adequately described. That is a temporary log that we keep and use to permit our customer service representatives to support Passport users who have contacted our support team,” said Smith. “It’s important to note that no personal information has been shared with anyone else or misused in any manner as a result of these temporary logs. The FTC complaint itself recognizes that the log is only ‘linked to a user’s name in order to respond to a user’s request for service.’”
Smith added that Microsoft has already changed its privacy statement.