FTC Resolves Passport Complaint
Aug. 19, 2002

The U.S. Federal Trade Commission (FTC) has resolved a complaint brought by privacy advocates over Passport, Microsoft's set of services for authenticating Internet users and easing e-commerce purchases. Although the FTC did not uncover any major wrongdoing, it imposed some fairly stringent conditions on Passport, including biennial inspections by an independent third party for the next 20 years. The move should serve as a wake-up call to Microsoft and any other business that collects user information via the Web: failure to explain and implement consistent privacy policies can have substantial consequences.

Privacy Advocates Spurred Investigation

In July 2001, the Electronic Privacy Information Center (EPIC) and other privacy advocates asked the FTC to investigate how Microsoft and its partners use and protect information collected from Passport users.

Privacy advocates were concerned about numerous prompts in Windows XP for users to sign up for a Passport, which might have confused some users into thinking they needed a Passport to use the new operating system. They also wondered about the relationship between Passport and .NET My Services, Microsoft's proposed technology for allowing consumers to store personal information in a Microsoft-hosted repository and then expose this information to others, such as e-commerce sites, friends, or employers.

(Microsoft has since changed its plans for .NET My Services significantly: see "New Strategy Devised for .NET My Services" on page 20 of the Apr. 2002 Update.)

FTC's Concerns and Conditions

The FTC's investigation was completed in Aug. 2002. Although the agency did not cite Microsoft for any major violations, it noted the following concerns with Passport:

Risk of unauthorized access. Passport lacks sufficient safeguards to prevent unauthorized access. For example, users could be misdirected to a fake Passport site and tricked into entering their password, giving the owner of that site access to their account.

Temporary log used by support staff. Microsoft did not clearly explain that Passport support staff sometimes use a temporary log of user information stored at the Passport site to help resolve problems.

E-commerce safety exaggerated. Microsoft implied that having a Passport makes e-commerce transactions safer. The company claims it was referring only to Passport Express Purchase, which allows users to post e-commerce information (e.g., credit card number, shipping address) to participating Web sites via a secure form. This is safer than shopping at e-commerce sites that do not use secure forms.

Kids Passport misrepresented. Microsoft implied that Kids Passport prevented kids from inadvertently sharing information on the Web at large, when in fact it only works at sites that support Kids Passport.

In response to these concerns, the FTC imposed the following conditions on Microsoft for the next 20 years:

  • Microsoft may not misrepresent, "expressly or by implication," anything about the personal information Passport collects, uses, and shares with partners.
  • Microsoft must explain in writing the possible risks Passport presents to users' personal information (e.g., poorly trained managers or badly designed systems could expose the information) and address these risks through programs such as manager training.
  • Microsoft must open Passport records to an independent third party within the next year, and at least every two years after that, to make sure its security program meets the FTC’s conditions.

Violations of these conditions could lead to fines or other sanctions.

Confusing Policies Drew Scrutiny

The FTC's conditions seem fairly strict, given the absence of any serious wrongdoing by Microsoft and the frequency with which many other Web sites, such as e-commerce and banking sites, collect sensitive information from users without triggering FTC investigations or oversight.

But the action spotlights deficiencies in the ways that Microsoft (and other major players on the Web) handle private information. Passport's privacy statement is nearly 6,000 words long (by way of comparison, this article is about 1,000 words long) and, like other Microsoft legal documents, such as End-User License Agreements, is filled with exceptions and confusing terminology.

For example, long-time users of Passport were recently surprised to find that Microsoft was sharing information they had provided to Passport, such as their e-mail address and year of birth, with Passport partners in certain circumstances. Although this practice was explained in the Passport privacy statement, many users did not know about it until Microsoft changed the Passport user interface to allow users to opt out of sharing this information. The opt-in boxes were automatically checked to allow sharing by default, which was consistent with the old privacy policy, but which led many users to conclude that Microsoft had compromised their privacy in some new way.

Such controversies strike at part of Microsoft's own Trustworthy Computing initiative, which dictates that users must be able to trust the integrity of the company providing computing services. Clearly, some privacy advocates didn’t trust Microsoft, and the FTC agreed in part, suggesting that Microsoft must do a better job of implementing and explaining privacy policies to meet its Trustworthy Computing goals.

Resources

To better understand how Passport works, see "A Closer Look at Passport" on page 12 of the Oct. 2001 Update.

Passport's privacy policy is at www.passport.com/Consumer/PrivacyPolicy.asp?lc=1033.

For background on Trustworthy Computing, see "Trustworthy Computing a New Priority" on page 25 of the May 2002 Update and the Sep. 2002 Research Report, "Security: The Foundation of Trustworthy Computing."

EPIC is at www.epic.org.