CNET también está disponible en español.

Ir a español

Don't show this again


Truste OKs Hotmail security fixes

Microsoft has fixed a security hole that threatened the privacy of its 40 million Hotmail users in August, according to the results of an outside audit.

    Microsoft has fixed a security hole that threatened the privacy of its 40 million Hotmail users in August, according to the results of an outside audit released today.

    The announcement disclosed only that a "Big Five" accounting firm reviewed the "nature, extent, and cause of the problem," as well as the solutions that Microsoft put in place. As part of the audit, Microsoft employees who fixed the hole were interviewed, and the unnamed firm tested the solution to make sure the problem wouldn't reoccur.

    As previously reported, the review of Hotmail was commissioned after the service was pulled offline for two hours when it was discovered that accounts could be accessed without passwords as long as a user's name--which is commonly found in a Hotmail address--was known.

    Microsoft said it fixed the problem the same day and has since admitted that the hole was the result of a string of code that hadn't been tested for security.

    Microsoft in August voluntarily agreed to the audit at the request of the Web privacy seal program Truste, which Microsoft generously sponsors. Until today, however, there had been doubts about whether any results of the audit would be made public.

    "Both Microsoft and Truste have confirmed that we've effectively resolved that incident, and that we are in compliance with Truste's licensing agreement," Richard Purcell, data practices director at Microsoft, said today.

    "The firm had technical experts, and they were careful about reviewing the solutions we put in place at the code level," he added.

    Truste monitors participating sites' privacy practices and ensures that licensees "help protect the security" of the information they collect and store.

    Watchdogs skeptical
    Based on guidelines set by the American Institute of Certified Public Accountants (AICPA), which oversees the conduct of major firms, Microsoft and others participating in the audit were restricted from releasing the accounting firm's full report.

    But consumer advocacy group Junkbusters had called for full disclosure of the report, insisting that if the results weren't made public, Hotmail users would have no assurance that their accounts are safeguarded.

    Despite the announcement that Hotmail is secure, Jason Catlett, founder of Junkbusters, was not satisfied with the level of detail in the companies' announcement.

    "All Microsoft and Truste are saying is that someone went in with a notebook and pen and asked questions, but the company is not revealing the name of the auditor or the instructions to the auditor--the summary is vague," Catlett said. "They had the chance to commission an audit that could have been open."

    Specifically, Microsoft had commissioned an "Agreed-Upon Procedures Engagement," in which the parameters of the review are set by the certified public account, the client, and usually a specified third party, in this case Truste. The results of this type of report can only be made available to those parties, according to the AICPA.

    The online industry and the Clinton administration have endorsed so-called privacy seal programs as a way to safeguard anonymity. But as more Net users provide valuable personal information in exchange for goods and custom Web content, privacy advocates say better laws are needed to shield privacy, because industry guidelines don't come with strong enough enforcement.

    Truste says its voluntary efforts are effective.

    "From our point of view this does demonstrate that the resolution process we have in place works," said Bob Lewin, executive director of Truste.

    But for Microsoft, the review only puts to rest concern over the August 20 Hotmail security hole. The company has since been investigating programs that people could use to generate false passwords to crack open Hotmail accounts.

    "We can't prevent malicious hackers from targeting these platforms," Purcell added. "But it's important to say that we really have a strong sense of responsibility about protecting the security of customers' information."