Privacy terms revised for Microsoft Passport

The company is facing scrutiny of a major new software initiative dubbed "HailStorm" that will build on the 2-year-old Passport and other Microsoft technologies to create a new method of delivering software applications over the Internet.

Passport is a single sign-in service that gives consumers a key for multiple Web sites. Among other things, HailStorm has been billed as a way to widely manage personal data as consumers operate computer applications.

"Unfortunately, they're old terms of use," Microsoft spokesman Tom Pilla told CNET News.com early Wednesday, adding that the original terms of use were changed "to reflect the (site's) privacy statement."

The new, much stricter agreement clarifies that Microsoft's right to use customer communications is only in the case of an exchange with the company.

"By submitting any feedback or suggestions to Microsoft concerning the Passport Web Site or the Passport Service, you warrant and represent that you...are granting Microsoft and its affiliated companies permission to use, modify, copy, distribute, transmit, publicly display, publicly perform, reproduce, publish, sublicense, create derivative works from, transfer, or sell any such feedback or suggestions."

It also limits the company's use of customer personal information "in connection with (customer) registration for the Passport Service(s)," giving the site's privacy policy ultimate reign over the terms of use and any "conflicting language contained in these Terms of Use concerning use of such information."

The agreement is also careful to point out that the terms don't apply to "documents, information, or other data that you upload, transmit or otherwise submit to or through any Passport-enabled Properties."

Privacy advocates were outraged at the original terms of use for Passport, which apparently granted Microsoft enormous control over customer communications--contradicting the site's privacy policy.

According to the original terms of use which appeared on the site early Wednesday, "by posting messages, uploading files, inputting data, submitting any feedback or suggestions, or engaging in any other form of communication with or through the Passport Web Site, you...are granting Microsoft and its affiliated companies permission to: Use, modify, copy, distribute, transmit, publicly display, publicly perform, reproduce, publish, sublicense, create derivative works from, transfer, or sell any such communication."

HailStorm itself has become a lightning rod for criticism from privacy advocates, since the plan would, in essence, make Microsoft the keeper of a wide range of personal data, such as credit card numbers and banking information. Critics argue that Microsoft's single repository of user data would be vulnerable to hacker attacks, and that the company might be tempted to sell or otherwise use the data inappropriately.

Microsoft executives argue that people will own their data, which will be maintained in a secure repository under supervision of a third-party hosting company. Charles Fitzgerald, Microsoft's director of business development, said another plan under discussion would let people "own" their data locally on smart cards to increase security. Fitzgerald also said Microsoft has no plans to mine, sell, target or publish user data stored in HailStorm.

Deborah Pierce, staff attorney for the Electronic Frontier Foundation, said that the original terms of use brought up the issue of trust.

"Why should I trust this company with managing all of my personal data? When I see terms of service that basically gives them control over my personal information and potentially the content of messages, that doesn't instill confidence or trust in me for their new service," she said.

The original terms of use for Passport, which has 160 million customers, also gave Microsoft authorization to "sublicense to third parties the unrestricted right to exercise any of the foregoing rights granted with respect to the communication" and "publish your name in connection with any such communication."

"The foregoing grants shall include the right to exploit any proprietary rights in such communication, including but not limited to rights under copyright, trademark, service mark or patent laws under any relevant jurisdiction," the terms of use originally stated. "No compensation will be paid with respect to Microsoft's use of the materials contained within such communication."

That the terms of use and privacy policies went relatively unnoticed for nearly two years underscores widespread disregard for such policies, which are often written in legalese and run several pages long. In many cases, only the most tech-savvy or privacy-conscious Web surfers read such guidelines, often after hunting them down at the bottom of company Web sites or raising the font size for readability.

Often, Web visitors simply don't notice or fear site policies that in theory are designed to protect consumers as well as companies.

Microsoft's Pilla said the company has different terms of use and privacy policies for each service in the MSN Network, including Hotmail, Passport and MSN Messenger. He said that each privacy policy is approved by Truste--a privacy policy auditor--and written with consumers' notice and consent in mind.

The EFF's Pierce speculated that in the event of a court case under the original terms of use, Microsoft could show consumers would be bound by the varying policies. However, she was unmoved by Microsoft's claims that the policies had escaped review before the HailStorm announcement was made.

"They should have looked at this before they put out a press release for HailStorm," she said. "They should have examined all the terms of use for all the affected pieces of this project, like Passport and Hotmail, to make sure they're all internally consistent. It was very sloppy."

HailStorm is expected to enter testing later this year and become available next year through Microsoft's products, including its Windows operating system, Office business software and Xbox gaming console. HailStorm will also become a component of the company's Web sites, such as MSN and bCentral.

News.com's Mike Ricciuti contributed to this report.