Posted on 11-81-2002

Microsoft 'Agrees' To Privacy Safeguards
By JOHN SCHWARTZ, NY Times, 9 Aug 02

Settling charges brought by the US Federal Trade Commission, Microsoft
acknowledged yesterday that it had not properly protected the privacy and
security of people who provided personal information through the company's
online identification services. The company agreed to shore up the security
of its system, known as Passport, as well as to be more truthful with users
about what it does with their personal data, and to obtain an outside audit
of its practices every two years.

Passport allows a computer user to enter personal information once, storing
it on Microsoft's servers with a user name and password, and then employ
the same user name to sign on to numerous participating Web sites and even
to shop.

The F.T.C. detected no actual security breaches, and it said Microsoft had
not shared consumer data improperly with other companies. Rather, the
chairman, Timothy J. Muris, said, the company was not meeting the levels of
privacy protection and security that it had promised users of Passport.
"Good security is fundamental to protecting consumer privacy," Mr. Muris
said at a news conference in Washington. "It's good business, it's the law,
and we'll take action against companies that don't keep their promises."
Microsoft agreed to be monitored for 20 years, and Mr. Muris said the
commission would be able to impose substantial civil penalties if the
company failed to meet the conditions laid out in the consent order.

Marc Rotenberg, executive director of the Electronic Privacy Information
Center, a high-technology policy and advocacy group in Washington, said,
"This is a groundbreaking decision concerning the F.T.C.'s future role in
protecting online privacy." The center spearheaded a coalition of groups
that filed a complaint in July 2001 contending that Microsoft's privacy
practices, and especially the new Windows XP operating system and services
like Passport, "are designed to obtain personal information from consumers
in the United States unfairly and deceptively." Mr. Muris cited that
complaint yesterday as the spark for the F.T.C. investigation of Microsoft.

The commission focused on four problems with Passport. Microsoft, it said,
lied about the effectiveness of its measures to protect users' personal
information — including credit card numbers collected for the Passport
Wallet service, which is used for online shopping. The commission said
Microsoft had falsely asserted that purchases made with Passport Wallet
were "safer or more secure" than purchases made at the same site without
Passport; in fact, the same level of security generally existed. The
company also did not tell the truth when it said that it did not collect
any personally identifiable information beyond that described in its
privacy policy, the commission said. In fact, Microsoft's technical support
staff would routinely tie personally identifiable information to the user's
sign-in history, and hold on to that data for months. Finally, the special
version of Passport for young people, Kids Passport, was falsely described
as giving parents control over the information that Web sites collected on
their children, when there were no special privacy-protection features in
the service, the F.T.C. said.

Representatives of Microsoft said that the settlement would make their
services stronger. Under the conditions set by the commission, the company
will have a "federally reviewed and independently verified service" that
should give users "more confidence than ever" when dealing with Microsoft,
said Brad Smith, the company's senior vice president and general counsel.
"We believe we are on a path to meet, and we will work to exceed, the high
bar that the F.T.C. has established" for protecting privacy and security,
he said. Alluding to Microsoft's long and bitter struggle against antitrust
regulators, Mr. Smith said that its cooperation with the Federal Trade
Commission in this case represented "a more constructive public dialogue
with government."

Microsoft has given Passport a strong marketing push. Initial versions of
its Windows XP operating system repeatedly urged new users to enroll in
Passport, and anyone who received a free e-mail account through Microsoft's
Hotmail was automatically signed up. The company said yesterday that new
versions of XP would not include the hard sell for Passport, which had been
criticized by privacy advocates and by companies hoping to promote
competing systems for managing identity on the World Wide Web.