Microsoft, FTC settle privacy case

Microsoft agreed to beef up security and better inform users of its Passport Internet ID system about the data it collects about them under a deal with the FTC. — By Brock N. Meeks.


Microsoft reached a settlement with the Federal Trade Commission Thursday to beef up the security of its Passport Internet service and better inform its 200 million users that the service tracks, records and temporarily stores all the Web sites they have recently visited.

UNDER TERMS OF THE SETTLEMENT, Microsoft’s privacy and security practices will be under FTC scrutiny for 20 years. (MSNBC is a Microsoft-NBC joint venture.)

Although Microsoft said it believed the security of Passport was up to par when the service was launched in 1999, “things have changed since then,” said Brad Smith, Microsoft senior vice president and general counsel.

The settlement “sets a high bar” for the level of security to which Microsoft, and the industry, must adhere, Smith said. “We accept responsibility for the past and will focus on living up to this high level of responsibility in the future,” Smith said, adding that “a level of regulation, in effect, is being created by this case.”

The Passport service is linked to the company’s Windows operating system and is a core technology in Microsoft’s future plans for expanding its Internet business with its .NET initiative. Passport users can entrust the service with loads of personal and financial information, using the system as a kind of digital wallet that other services can readily tap, as the user allows.

But privacy groups and consumer advocates raised a series of red flags about Passport, noting potential security and privacy risks that Microsoft was either concealing or making misleading statements about. Those groups brought formal complaints to the FTC which resulted in an investigation.

As a result of that investigation, the FTC found Microsoft had, indeed, made deceptive claims about the strength of its security and had failed to fully inform users about how much tracking information Passport gathered and stored about their travels on the Internet.

Although the FTC didn’t find any instances of actual security violations, the agency wasted no words in ordering the system’s security shortcomings to be beefed up. Microsoft’s claims about security were misleading at best, deceptive at worst, said FTC Chairman Timothy Muris.

“When people make security promises ... they need to keep them,” Muris said. “It’s good business, it’s the law, and we’ll take action against companies that do not keep their promises.”

A consortium of Microsoft rivals led by Sun Microsystems, dubbed the “Liberty Alliance,” also intends to launch a digital-wallet-type service that could come under scrutiny by the FTC.

“If I were them, I’d read the order carefully,” Muris said.

Microsoft’s security and privacy measures will be subject to an independent third-party audit every two years for the next 20 years, according to the settlement. If the company fails those audits it will be fined $11,000 per violation, per day.

PROFILING OR PERFORMANCE

Perhaps the most disturbing aspect of the FTC’s findings was that Microsoft was tracking and storing all web sites visited by Passport users.

In its official findings, the FTC said that Passport “did collect personally identifiable information other than that described in its privacy policy. In particular, Passport collected, and maintained for a limited period of time, a personally identifiable record of the sites to which a Passport user signed in, along with the dates and times of sign in, which customer service representatives linked to a user’s name in order to respond to a user’s request for service.”

Microsoft defended the practice Thursday during a news conference, saying that the collection of such information speeds up the customer-service process. So the practice “remains intact,” Smith said. The only change is that Microsoft now fully discloses that such information is kept.

That information is sometimes stored on Microsoft’s computers for months, but more typically 10 days, Smith said. More importantly, “we have never shared this information with anyone. Not for free, not for a price, not even with our partners,” Smith insisted.

And the only time the information is even linked with a person’s name is when that person calls into customer service for help, Microsoft noted.

The changes and terms that Microsoft must operate under pleased the Electronic Privacy Information Center, which was among the first to lodge a complaint with the FTC.

The FTC action “shows that Microsoft’s Passport not only had security risks but also can facilitate profiling,” said Chris Hoofnagle, the group’s legislative counsel.

“I think this (FTC finding) underscores the need for legislation so we can say positively that profiling individuals is an invasion of privacy,” Hoofnagle said.

Initially, Microsoft tried to dismiss the claims by EPIC and others as “speculations” and “misrepresentations” and to portray the groups as naïve about the technologies and their uses.

The consent decree, which now goes out for public comment before it is brought before a judge to rule on its public-service merits, prohibits any misrepresentation of information practices in connection with Passport. However, the settlement reaches further, and includes “other similar services” that Microsoft might roll out.