FTC Resolves Passport Complaint

The U.S. Federal Trade Commission (FTC) has resolved a complaint brought by privacy advocates over Passport, Microsoft’s set of services for authenticating Internet users and easing e-commerce purchases. Although the FTC did not uncover any major wrongdoing, it imposed some fairly stringent conditions on Passport, including biannual inspections by an independent third party for the next 20 years. The move should serve as a wake-up call to Microsoft and any other business that collects user information via the Web: failure to explain and implement consistent privacy policies can have substantial consequences.

Privacy Advocates Spurred Investigation

In July 2001, the Electronic Privacy Information Center (EPIC) and other privacy advocates asked the FTC to investigate how Microsoft and its partners use and protect information collected from Passport users.

Privacy advocates were concerned about numerous prompts in Windows XP for users to sign up for a Passport, which might have confused some users into thinking they needed a Passport to use the new operating system. They also wondered about the relationship between Passport and .NET My Services, Microsoft’s proposed technology for allowing consumers to store personal information in a Microsoft-hosted repository and then expose this information to others, such as e-commerce sites, friends, or employers.