Research
Article - Microsoft Settlement over FTC Investigation of Passport (December 2002)
|
Microsoft has become the latest company to be caught up in adverse publicity for its privacy practices, following a US Federal Trade Commission investigation relating to the online Passport authentication service. After consumer complaints alleging that Microsoft had misrepresented the security of its Passport service, the FTC conducted an investigation, finally reaching a settlement with Microsoft in August 2002.
This agreement between Microsoft and the US Federal Trade Commission emphasises the importance of making accurate representations to consumers about privacy practices, and is likely to lead to much greater scrutiny of privacy policies and statements about internet security practices in the future.
Passport is a core element of Microsoft’s .Net strategy, which aims to capitalise on Microsoft’s enormous Hotmail user base, making Microsoft the leading vehicle for online authentication of customer identities. The convenience that Passport offers is that it saves web users from having to re-enter their details each time they visit a web site. Instead, they simply enter and verify their Passport details and the information is provided from a Microsoft server (where it is held permanently) to the relevant web site operator. Microsoft has marketed Passport in conjunction with other Microsoft programs and services, such as Windows XP, and through its Internet portals such as ninemsn in Australia.
A coalition of consumer groups claimed that Microsoft was misrepresenting its privacy and security practices relating to Passport. Passport’s privacy policy promised users ‘a high level of Web Security by using technologies and systems designed to prevent unauthorised access to your personal information’. Consumer groups raised concerns over the validity of Microsoft’s claims that user privacy and security was protected in the process of signing up for passport services. The coalition was led by the Electronic Privacy Information Centre (EPIC) and was joined by other groups including the Centre for Digital Democracy, Computer Professionals for Social Responsibility, Consumer Federation of America, Electronic Frontier Foundation, Junkbusters Corporation and the Privacy Rights Clearinghouse.
Three Passport services were the subject of the Federal Trade Commission’s investigations, following by the consumer groups’ complaints in July 2001: Passport Sign-In, Passport Express Service (Passport Wallet), and Kids Passport. Passport Sign-in allows users to sign into participating sites with the same member identification. Passport Wallet works in a similar way to Passport Sign-in, allowing users to purchase goods and services on participating websites with stored credit card information. Passport Kids allows parents to restrict access to their children’s personal information by participating web sites.
The FTC investigated the claims that Microsoft had made a number of misrepresentations regarding its Passport services, and made four key findings:
- The FTC voiced concerns over representations relating to the superior quality of Passport security and privacy in comparison to other on-line authentication services when in fact, the security provided by Passport was comparable to that provided by other services.[1]
- Further, whilst Passport’s privacy policy had represented that personally identifiable information would not be held by Microsoft, Passport collected and held such information.[2]
- It was also found that Kids Passport did not give parents control over the information that participating websites could collect once a child had signed up to the service.[3]
- Despite its claims, the FTC found that Microsoft had failed to implement sufficient measures to ‘prevent unauthorised access to the Passport system; detect possible unauthorized access; monitor the Passport system for potential vulnerabilities; and record and retain system information.....(for) security audits’.[4]
Nevertheless, the FTC did not find any actual security breaches during its investigations. The FTC argued however that it was acting before such breaches emerged.
As a result of the settlement negotiated by the FTC, Microsoft has had to change its privacy policy statement on current services to reflect the Commission’s concerns. Microsoft will also in future be prohibited from making similar statements concerning privacy and security. For the next five years Microsoft is also obliged to provide the FTC with all advertising material and other documentation relating to the collection of personally identifiable information, or that might question Microsoft’s observance of its obligations under the settlement. Consent Orders relating to the settlement require that Microsoft must develop better protection for the use of personal information in Passport by building in protections for the use of personal information, including for email addresses, persistent identifiers in cookies, and identifiers that are embedded in hardware. Microsoft must also have its security measures checked and verified by an independent third party. Microsoft is bound by the Orders for 20 years, and must have its security technologies audited every two years.
The coalition of consumer groups that initially raised the concerns relating to Passport welcomed the Settlement and consequent Orders. Marc Rotenberg, Director of EPIC responded to the Consent Order by commenting:
‘We’re just, in fact, at the beginning of the FTC’s oversight of Microsoft’s online services... (t)his is a very big development... The FTC has essentially agreed with us, the privacy organisations, as to our original petitions. Both in terms of online privacy and also as a legal precedent, it’s a very significant outcome’.
However, EPIC remains concerned about a number of privacy issues, and in a statement issued before the FTC, EPIC argued that the settlement did not address all of the privacy hazards associated with the passport system.[5] EPIC alleged that since the original complaint was filed in July 2001, Microsoft had been involved in further security breaches.[6] Specifically, EPIC cited reports of a flaw in Windows XP, Office 2000, and other Microsoft products could enable a malicious actor to use a web page or email to send commands to a user’s computer[7]and that Microsoft has been investigating expanding Passport into a credit card authentication system.[8] EPIC also highlighted concerns that in some circumstances, consumers are compelled to use Passport in order to access other services, with EPIC arguing that this is a reason for more comprehensive constraints on Microsoft’s development of Passport. EPIC also argued that Microsoft should be required to notify users of products such as Windows XP that a Passport is not essential to access on the Internet.
EPIC’s four further recommendations to the FTC are that:
- The Consent Orders should be modified to permit more transparency relating to the security and privacy risks in the Passport system. For example, EPIC suggested that biennial audits of Passport’s security and privacy policy should be made public, and that Passport users should have access to their full Passport profiles;
- The FTC should ensure Microsoft’s compliance with the EU-US Safe Harbour requirements;
- The FTC should place constraints on the range of services that Passport can provide;[9]
- The FTC should examine other authentication systems including AOL’s Screen Name Service and Project Liberty.[10]
The Microsoft decision is significant both for Microsoft and for online businesses. It demonstrates that despite the substantial resources invested in privacy measures following the appointment of Richard Purcell as Microsoft’s Chief Privacy Officer last year, a diverse technology business such as Microsoft is still vulnerable on privacy issues. It also demonstrates that even under a Republican appointed chairman, Timothy J. Muris, the FTC is likely to continue to pursue privacy issues. While the FTC is no longer advocating new privacy legislation, it appears committed to using its existing powers when privacy issues arise. As Muris said when announcing the decision:
‘Good security is fundamental to protecting consumer privacy...(c)ompanies that promise to keep personal information secure must follow reasonable and appropriate measures to do so. It’s not only good business, it’s the law. Even absent known security breaches, we will not wait to act.’
|
Tim Dixon,
Galexia Associate
[1] Complaint 012 3240 In the Matter of Microsoft Corporation United States of America Federal Trade Commission, 3
[2] Ibid, 4
[3] Ibid, 5
[4] Ibid, 2
[5] No 012 3240 Submission by the Electronic Privacy Information Centre to the FTC, Washington DC in the Matter of Microsoft Consent Order, 9 September 2002: <http://www.ftc.gov/os/comments/microsoftcomments/epic.pdf>
[6] Ibid
[7] Microsoft Warns About Security Holes, BBC News, Aug 23 2002 at <http://news.bbc.co.uk/1/hi/technology/2211571.stm>
[8] Ibid
[9] Ibid, 2
[10] Ibid