Microsoft, FTC reach privacy settlement

The software giant settles with the Federal Trade Commission over complaints that its Passport identification service violates people's privacy and security.

WASHINGTON--Microsoft on Thursday agreed to make sweeping changes to its Passport authentication system as part of a settlement agreement with the Federal Trade Commission.

The settlement addresses allegations that Passport collects too much information, uses unfair or deceptive practices, and fails to adequately protect the privacy or security of personal information, particularly of children. The FTC's investigation and settlement came in response to a series of complaints made against Passport last summer, said agency chairman Timothy Muris.

Passport is Microsoft's online authentication system, which allows customers to use single sign-in to access multiple Web services. The idea behind Passport is simple: Microsoft would collect and store an ID, password and other personal information such as a shipping address or credit card number. This electronic "wallet" would travel around the Web with a consumer, making it easier to engage in a range of online transactions, such as banking, making travel plans or subscribing to an online publication. AOL Time Warner and Sun Microsystems have backed services using a similar concept.

Microsoft uses Passport authentication for its MSN Messenger and Hotmail e-mail services, Microsoft Developer Network online access, and Microsoft Reader e-book purchases, among other product and service offerings. The service also is a cornerstone for .Net, Microsoft's slowly evolving Web services strategy.

But critics have assailed the plan on several fronts, particularly privacy and security, and the FTC on Thursday agreed on some points.

"We believe that Microsoft made a number of misrepresentations, dealing with, one, the overall security of the Passport system and personal information stored on it; two, the security of online purchases made with Passport Wallet; three, the kinds of personal information Microsoft collects of users of the Passport service; and four, how much control parents have over the information collected by Web sites participating in the Kids Passport program," Muris said during the conference call.

The FTC outlined its findings in a six-page complaint. Many of the problems resulted from Microsoft failing to adhere to its own privacy statements about Passport, Passport Wallet or Kids Passport.

As part of the settlement agreement, Microsoft has changed its privacy statements to accurately reflect what information is collected and how it is used, Brad Smith, Microsoft's general counsel, said in a separate conference call.

In an eight-page settlement released Thursday, Microsoft also agreed not to engage in unfair or deceptive practices and to protect the security and privacy of personal information.

The settlement "prohibits Microsoft from misrepresenting its privacy and security practices," Muris said. "The settlement...also requires Microsoft to establish a program to protect the security, confidentiality and integrity of its customers' personal information."

Microsoft is bound by the agreement for 20 years, which is the customary time period for settlements of this type.

"We're just, in fact, at the beginning of the FTC's oversight of Microsoft's online services," said Marc Rotenberg, director of the Electronic Privacy Information Center (EPIC), in a separate conference call. "This is a very big development."

Within one year, Microsoft must "obtain certification from a qualified, independent third party that its security program provides at least the protections that the order mandates," Muris said. The assessment must be performed biannually.

Smith said that Microsoft would abide by third-party audits essentially indefinitely.

For five years, Microsoft must also provide the FTC with all advertising or other documentation pertaining to the collection of personal information; plans, studies, audits or other related information; and any information that might question Microsoft's compliance with the settlement.

"Privacy and security promises must be kept," Muris said during the conference call. "It's good business, it's the law and we'll take action against companies that do not keep their promises."

The FTC settlement is part of an ongoing attempt by Microsoft to smooth over legal problems with regulators, Smith said. "Our agreement with the FTC underscores our commitment as a company to forge a more constructive dialog with government on important public issues."

Jupiter analyst Michael Gartenberg concurred: "As Microsoft attempts to put an end to its trials and tribulations with the government, it will be very aggressive" about settling any outstanding issues.

"At a time when Microsoft is looking for greater user adoption of Web-based services, all which require delivering personal information to them, it needs to be certain that customers are satisfied with the security and privacy being offered."

Passport rejected

A group of privacy organizations, including EPIC and Junkbusters, filed a complaint in July 2001, alleging Passport and the accompanying Wallet service violated Section 5 of the Federal Trade Commission Act. That section covers unfair or deceptive practices.

In August 2001, the loose affiliation of 14 groups amended its original complaint. Among other things, the groups charged that Kids Passport did not comply with the Children's Online Privacy Protection Act (COPPA).

The groups also charged that Microsoft was using Windows XP to force sign-ups for the authentication system. A Passport account is required to use some XP features, such as Windows Messenger.

Users receive five prompts to sign up for a Passport account after installing the operating system. Microsoft had already announced plans to remove the prompts as part of Windows XP Service Pack 1. The update, expected as early as late August, includes other tweaks in response to Microsoft's antitrust settlement with the Justice Department and nine of 18 states. A federal judge has yet to approve the deal.

"The FTC has essentially agreed with us, the privacy organizations, as to our original petition," Rotenberg said. "Both in terms of online privacy and also as a legal precedent, it's a very significant outcome."

The FTC contacted Microsoft soon after the groups filed their complaints, Smith said during the conference call. "We cooperated fully in that process," he said. The two sides came to an agreement "in the last few weeks," he added.

As part of the settlement, Microsoft has agreed to make numerous changes to tighten up how much information it collects or what it tells consumers about how information will be used.

The FTC's privacy complaint focused on a single issue: Microsoft's collection of very detailed information from people's sign-in data and the Web sites to which they logged on, without notifying customers of the activity. Smith said Microsoft used the information for customer support purposes. In response, Microsoft "changed our privacy statement so that our current privacy statement does make very clear that we collect this information," Smith said.

The FTC also found potential problems with Passport security, which Microsoft also is addressing.

"I want to emphasize that we did not uncover any security breaches during our investigation," Muris said. "Nevertheless, we did uncover the potential for a security problem. We were able to act before the potential became reality."

In response to FTC concerns, Microsoft will institute a comprehensive security program, Smith said. "Clearly the FTC is setting a high bar, not only for Microsoft but for our entire industry, when it comes to security and privacy...a level of security that seemed reasonable when we launched Passport in 1999 does not seem so reasonable by today's norms."

It is uncertain what the broader implications could be for other companies conducting transactions or collecting personal information over the Internet, analysts said. One concern was that many of the allegations made against Microsoft could apply to the company's competitors such as Sun and AOL.

"We're pleased," Rotenberg said. "In some areas the FTC went further than we anticipated...The ongoing presence of the FTC in overseeing some of the new services that are going to be made available to consumers online is important as well."

He added, "The order is quite sweeping because the commission is, in effect, telling Microsoft that it's going to be held to a very high standard in its future representations to consumers about privacy practices. It is further going to require high security standards."

"Anyone in this space will follow suit," Gartenberg said. "The key is that they have a policy and practice in place."

Rotenberg also noted the settlement represents an important precedent that could affect other companies, particularly as the FTC applies its authority under Section 5 of the Federal Trade Commission Act to police online transactions.

"It indicates, as a matter of precedent, that the FTC does have the authority to safeguard online privacy," he said.