Consumer advocates such as Jason Catlett, founder of Junkbusters, are calling for full disclosure of the report. Otherwise, Catlett says, Hotmail's 40 million registered users will have no assurance that their accounts are safeguarded.
As first reported by CNET News.com, an outside audit of Hotmail was commissioned after the service was pulled offline last month when it was discovered that accounts could be entered without passwords as long as a user's name was known. Microsoft patched that security hole the day it was found, but the company is investigating a program that people could use to generate false passwords to crack open Hotmail accounts.
After the first security hole was uncovered, Microsoft and the Web privacy seal program Truste announced that the company's email service would undergo a voluntary review by a Big Five accounting firm that will not be named. Both touted the independent review as proof that industry self-regulatory efforts will improve consumers' online privacy.
However, Microsoft now says that it can't reveal the scope of the review or the final report because of guidelines set by the American Institute of Certified Public Accountants (AICPA), which oversees the conduct of major firms.
"The results of the report are restricted to the parties who have mutually agreed to the review procedures, Truste and Microsoft, due to AICPA rules governing the review," Microsoft's chief operating officer, Bob Herbold, stated in an email provided to News.com.
Microsoft's statement prompted Catlett to send a letter to the company, Truste, and the Federal Trade Commission. "If the audit isn't made public, then Truste should be called 'Trust Me,' because the consumer has no independent confirmation that their personal data stored by Hotmail is safe," Catlett said today. "If they are going to hide the audit report, it defeats the whole purpose."
Specifically, Microsoft has commissioned an "Agreed-Upon Procedures Engagement," in which the parameters of the review are set by the certified public accountant, the client, and usually a specified third party, in this case Truste. The results of this type of report can only be made available to those parties, according to the AICPA.
"The idea is that this is not a standardized review, and it may not be appropriate for someone else to view because it could be misinterpreted," said Cathy Mathews, director of technical member services for the California Society of Certified Public Accountants, whose members follow AICPA guidelines.
"Under the CPA rules, [Microsoft] has to be careful about what they say publicly about the review because they may make statements that aren't OK with the CPA firm," she added. "The firm won't want to mislead the public about what they have done here."
A test of self-regulation
The online industry and the Clinton administration have endorsed so-called privacy seal programs as a way to safeguard anonymity. But as more Net users provide valuable personal information in exchange for goods and custom Web content, privacy advocates say better laws are needed to shield privacy, because industry guidelines don't come with strong enough enforcement.
That is why Catlett is calling on Truste to take formal action and "compel" Microsoft to make changes to its system, as well as to make a full disclosure of the audit.
"Microsoft must inform Hotmail users accurately of the extent of its vulnerabilities, and stop representing the service as safe," Catlett stated in his letter to the company and Truste.
Microsoft said today that it will make some type of announcement when the security review is completed.
"Truste has requested that we verify that Microsoft's statements about the identification [of the problem with Hotmail], our remedy, and our ongoing quality assurance to prevent further occurrence of this are indeed correct," said Richard Purcell, director of data policies and practices for Microsoft.
"The rules mean the firm can't publish the findings, and we can't publish its report, but it doesn't disallow us from releasing a statement about the findings on our own," he added.
The Truste seal usually applies to the use of personal information collected from surfers, but licensees must also ensure that they will "help protect the security" of the information they store.
When Truste receives complaints, as it did with Hotmail, it pledges to investigate the matter. Depending on the allegation, that could result in an on-site review by a certified public accounting firm, the revocation of the site's trustmark license, or a complaint to the FTC.
Truste has made other investigations public, including one that focused on a feature in Microsoft's Windows 98 operating system. Still, Truste's guidelines don't state that the details of an audit will be published. And in the case of the Hotmail audit, it was only suggested by Truste--not ordered--so it is not overseeing the review.
"The big difference to keep in mind here is that we never got to the stage where we mandated Microsoft to do the audit. If that had been the case, then we might be in a different situation. We hope it can be made public," Truste spokesman David Steer said.