Article - Microsoft Settlement over FTC Investigation of Passport (December 2002)
Microsoft has become the latest company to be caught up in adverse publicity for its privacy practices, following a US Federal Trade Commission investigation relating to the online Passport authentication service. After consumer complaints alleging that Microsoft had misrepresented the security of its Passport service, the FTC conducted an investigation, finally reaching a settlement with Microsoft in August 2002.
This agreement between Microsoft and the US Federal Trade Commission emphasises the importance of making accurate representations to consumers about privacy practices, and is likely to lead to much greater scrutiny of privacy policies and statements about internet security practices in the future.
Passport is a core element of Microsoft’s .Net strategy, which aims to capitalise on Microsoft’s enormous Hotmail user base, making Microsoft the leading vehicle for online authentication of customer identities. The convenience that Passport offers is that it saves web users from having to re-enter their details each time they visit a web site. Instead, they simply enter and verify their Passport details and the information is provided from a Microsoft server (where it is held permanently) to the relevant web site operator. Microsoft has marketed Passport in conjunction with other Microsoft programs and services, such as Windows XP, and through its Internet portals such as ninemsn in Australia.
Three Passport services were the subject of the Federal Trade Commission’s investigations, following the consumer groups’ complaints in July 2001: Passport Sign-In, Passport Express Service (Passport Wallet), and Kids Passport. Passport Sign-In allows users to sign into participating sites with the same member identification. Passport Wallet works in a similar way to Passport Sign-In, allowing users to purchase goods and services on participating websites with stored credit card information. Kids Passport allows parents to restrict the access of participating web sites to their children’s personal information.
The FTC investigated the claims that Microsoft had made a number of misrepresentations regarding its Passport services, and made four key findings:
- The FTC voiced concerns over representations relating to the superior quality of Passport security and privacy in comparison to other on-line authentication services when, in fact, the security provided by Passport was comparable to that provided by other services.
- It was also found that Kids Passport did not give parents control over the information that participating websites could collect once a child had signed up to the service.
- Despite its claims, the FTC found that Microsoft had failed to implement sufficient measures to ‘prevent unauthorised access to the Passport system; detect possible unauthorized access; monitor the Passport system for potential vulnerabilities; and record and retain system information ... (for) security audits’.
Nevertheless, the FTC did not find any actual security breaches during its investigations. The FTC argued, however, that it was acting before such breaches emerged.
The coalition of consumer groups that initially raised the concerns relating to Passport welcomed the Settlement and consequent Orders. Marc Rotenberg, Director of EPIC (the Electronic Privacy Information Center), responded to the Consent Order by commenting:
‘We’re just, in fact, at the beginning of the FTC’s oversight of Microsoft’s online services... (t)his is a very big development... The FTC has essentially agreed with us, the privacy organisations, as to our original petitions. Both in terms of online privacy and also as a legal precedent, it’s a very significant outcome’.
However, EPIC remains concerned about a number of privacy issues, and in a statement issued before the FTC, EPIC argued that the settlement did not address all of the privacy hazards associated with the Passport system. EPIC alleged that since the original complaint was filed in July 2001, Microsoft had been involved in further security breaches. Specifically, EPIC cited reports that a flaw in Windows XP, Office 2000, and other Microsoft products could enable a malicious actor to use a web page or email to send commands to a user’s computer, and that Microsoft has been investigating expanding Passport into a credit card authentication system. EPIC also highlighted concerns that in some circumstances consumers are compelled to use Passport in order to access other services, arguing that this is a reason for more comprehensive constraints on Microsoft’s development of Passport. EPIC also argued that Microsoft should be required to notify users of products such as Windows XP that a Passport is not essential for access to the Internet.
EPIC’s four further recommendations to the FTC are that:
- The FTC should ensure Microsoft’s compliance with the EU-US Safe Harbour requirements;
- The FTC should place constraints on the range of services that Passport can provide;
- The FTC should examine other authentication systems, including AOL’s Screen Name Service and Project Liberty.
The Microsoft decision is significant both for Microsoft and for online businesses. It demonstrates that, despite the substantial resources invested in privacy measures following the appointment of Richard Purcell as Microsoft’s Chief Privacy Officer last year, a diverse technology business such as Microsoft is still vulnerable on privacy issues. It also demonstrates that even under a Republican-appointed chairman, Timothy J. Muris, the FTC is likely to continue to pursue privacy issues. While the FTC is no longer advocating new privacy legislation, it appears committed to using its existing powers when privacy issues arise. As Muris said when announcing the decision:
‘Good security is fundamental to protecting consumer privacy...(c)ompanies that promise to keep personal information secure must follow reasonable and appropriate measures to do so. It’s not only good business, it’s the law. Even absent known security breaches, we will not wait to act.’
Notes
- Complaint 012 3240, In the Matter of Microsoft Corporation, United States of America Federal Trade Commission, 3
- Ibid, 4
- Ibid, 5
- Ibid, 2
- No 012 3240, Submission by the Electronic Privacy Information Center to the FTC, Washington DC, in the Matter of Microsoft Consent Order, 9 September 2002: <http://www.ftc.gov/os/comments/microsoftcomments/epic.pdf>
- Ibid, 2