Settlement means sweeping changes to Passport

Microsoft on Thursday agreed to make sweeping changes to its Passport authentication system as part of a settlement agreement with the Federal Trade Commission. The settlement addresses allegations that Passport collects too much information, uses unfair or deceptive practices, and fails to adequately protect the privacy or security of personal information, particularly of children.

The FTC's investigation and settlement came in response to a series of complaints made against Passport last summer, said agency chairman Timothy Muris.

Passport is Microsoft's online authentication system, which allows customers to use single sign-in to access multiple Web services. The idea behind Passport is simple: Microsoft would collect and store an ID, password and other personal information such as a shipping address or credit card number. This electronic "wallet" would travel around the Web with a consumer, making it easier to engage in a range of online transactions, such as banking, making travel plans or subscribing to an online publication. AOL Time Warner and Sun Microsystems have backed services using a similar concept.

Microsoft uses Passport authentication for its MSN Messenger and Hotmail email services, Microsoft Developer Network online access, and Microsoft Reader e-book purchases, among other product and service offerings. The service also is a cornerstone for .Net, Microsoft's slowly evolving Web services strategy.

But critics have assailed the plan on several fronts, particularly privacy and security, and the FTC on Thursday agreed on some points.

"We believe that Microsoft made a number of misrepresentations, dealing with, one, the overall security of the Passport system and personal information stored on it; two, the security of online purchases made with Passport Wallet; three, the kinds of personal information Microsoft collects of users of the Passport service; and four, how much control parents have over the information collected by Web sites participating in the Kids Passport program," Muris said during the conference call.

The FTC outlined its findings in a six-page complaint. Many of the problems resulted from Microsoft failing to adhere to its own privacy statements about Passport, Passport Wallet or Kids Passport. As part of the settlement agreement, Microsoft has changed its privacy statements to accurately reflect what information is collected and how it is used, Brad Smith, Microsoft's general counsel, said in a separate conference call.

In an eight-page settlement released Thursday, Microsoft also agreed not to engage in unfair or deceptive practices and to protect the security and privacy of personal information.

The settlement "prohibits Microsoft from misrepresenting its privacy and security practices," Muris said. "The settlement... also requires Microsoft to establish a program to protect the security, confidentiality and integrity of its customers' personal information."

Microsoft is bound by the agreement for 20 years, which is the customary time period for settlements of this type.

"We're just, in fact, at the beginning of the FTC's oversight of Microsoft's online services," said Marc Rotenberg, director of the Electronic Privacy Information Center (EPIC), in a separate conference call. "This is a very big development."

Within one year, Microsoft must "obtain certification from a qualified, independent third party that its security program provides at least the protections that the order mandates", Muris said. The assessment must be performed biannually.

Smith said that Microsoft would abide by third-party audits essentially indefinitely.

For five years, Microsoft must also provide the FTC with all advertising or other documentation pertaining to the collection of personal information; plans, studies, audits or other related information; and any information that might question Microsoft's compliance with the settlement.

"Privacy and security promises must be kept," Muris said during the conference call. "It's good business, it's the law and we'll take action against companies that do not keep their promises."

The FTC settlement is part of an ongoing attempt by Microsoft to smooth over legal problems with regulators, Smith said. "Our agreement with the FTC underscores our commitment as a company to forge a more constructive dialog with government on important public issues."

Jupiter analyst Michael Gartenberg concurred: "As Microsoft attempts to put an end to its trials and tribulations with the government, it will be very aggressive" about settling any outstanding issues. "At a time when Microsoft is looking for greater user adoption of Web-based services, all which require delivering personal information to them, it needs to be certain that customers are satisfied with the security and privacy being offered."

A group of privacy organisations, including EPIC and Junkbusters, filed a complaint in July 2001, alleging Passport and the accompanying Wallet service violated Section 5 of the Federal Trade Commission Act. That section covers unfair or deceptive practices.

In August 2001, the loose affiliation of 14 groups amended its original complaint. Among other things, the groups charged that Kids Passport did not comply with the Children's Online Privacy Protection Act (COPPA).

The groups also charged that Microsoft was using Windows XP to force signups of the authentication system. Passport is required to use some XP features, such as Windows Messenger. Users receive five prompts to sign up for a Passport account after installing the operating system.

Microsoft had already announced plans to remove the prompts as part of Windows XP Service Pack 1. The update, expected as early as late August, includes other tweaks in response to Microsoft's antitrust settlement with the Justice Department and nine of 18 states. A federal judge has yet to approve the deal.

"The FTC has essentially agreed with us, the privacy organisations, as to our original petition," Rotenberg said. "Both in terms of online privacy and also as a legal precedent, it's a very significant outcome."

The FTC contacted Microsoft soon after the groups filed their complaints, Smith said during the conference call. "We cooperated fully in that process," he said. The two sides came to an agreement "in the last few weeks", he added.

As part of the settlement, Microsoft has agreed to make numerous changes to tighten up how much information it collects or what it tells consumers about how information will be used.

The FTC's privacy complaint focused on a single issue: Microsoft's collecting of very detailed information from people's sign-in information and the Web sites onto which they logged on without notifying customers of the activity. Smith said Microsoft used the information for customer support purposes.

In response, Microsoft "changed our privacy statement so that our current privacy statement does make very clear that we collect this information", Smith said.

The FTC also found potential problems with Passport security, which Microsoft also is addressing.

"I want to emphasise that we did not uncover any security breaches during our investigation," Muris said. "Nevertheless, we did uncover the potential for a security problem. We were able to act before the potential became reality."

In response to FTC concerns, Microsoft will institute a comprehensive security program, Smith said.

"Clearly the FTC is setting a high bar, not only for Microsoft but for our entire industry, when it comes to security and privacy... a level of security that seemed reasonable when we launched Passport in 1999 does not seem so reasonable by today's norms."

It is uncertain what the broader implications could be for other companies conducting transactions or collecting personal information over the Internet, analysts said. One concern was that many of the allegations made against Microsoft could apply to the company's competitors such as Sun and AOL.

"We're pleased," Rotenberg said. "In some areas the FTC went further than we anticipated... The ongoing presence of the FTC in overseeing some of the new services that are going to be made available to consumers online is important as well."

He added, "The order is quite sweeping because the commission is, in effect, telling Microsoft that it's going to be held to a very high standard in its future representations to consumers about privacy practices. It is further going to require high security standards."

"Anyone in this space will follow suit," Gartenberg said. "The key is that they have a policy and practice in place."

Rotenberg also noted the settlement represents an important precedent that could affect other companies, particularly as the FTC applies its authority under Section 5 of the Federal Trade Commission Act to police online transactions.

"It indicates that as a matter of precedent that the FTC does have the authority to safeguard online privacy," he said.