Posted on 11-81-2002
Microsoft 'Agrees' To Privacy Safeguards
By JOHN SCHWARTZ, NY Times, 9 Aug02
Settling charges brought by the US Federal Trade Commission, Microsoft acknowledged yesterday that it had not properly protected the privacy and security of people who provided personal information through the company's online identification services. The company agreed to shore up the security of its system, known as Passport, as well as to be more truthful with users about what it does with their personal data, and to obtain an outside audit of its practices every two years.
Passport allows a computer user to enter personal information once, storing it on Microsoft's servers with a user name and password, and then employ the same user name to sign on to numerous participating Web sites and even to shop.
The F.T.C. detected no actual security breaches, and it said Microsoft had not shared consumer data improperly with other companies. Rather, the chairman, Timothy J. Muris, said, the company was not meeting the levels of privacy protection and security that it had promised users of Passport.
"Good security is fundamental to protecting consumer privacy," Mr. Muris said at a news conference in Washington. "It's good business, it's the law, and we'll take action against companies that don't keep their promises."
Microsoft agreed to be monitored for 20 years, and Mr. Muris said the commission would be able to impose substantial civil penalties if the company failed to meet the conditions laid out in the consent order.
Marc Rotenberg, executive director of the Electronic Privacy Information Center, a high-technology policy and advocacy group in Washington, said, "This is a groundbreaking decision concerning the F.T.C.'s future role in protecting online privacy." The center spearheaded a coalition of groups that filed a complaint in July 2001 contending that Microsoft's privacy practices, and especially the new Windows XP operating system and services like Passport, "are designed to obtain personal information from consumers in the United States unfairly and deceptively." Mr. Muris cited that complaint yesterday as the spark for the F.T.C. investigation of Microsoft.
The commission focused on four problems with Passport. Microsoft, it said, lied about the effectiveness of its measures to protect users' personal information — including credit card numbers collected for the Passport Wallet service, which is used for online shopping. The commission said Microsoft had falsely asserted that purchases made with Passport Wallet were "safer or more secure" than purchases made at the same site without Passport; in fact, the same level of security generally existed. The company also did not tell the truth when it said that it did not collect any personally identifiable information beyond that described in its privacy policy, the commission said. In fact, Microsoft's technical support staff would routinely tie personally identifiable information to the user's sign-in history, and hold on to that data for months. Finally, the special version of Passport for young people, Kids Passport, was falsely described as giving parents control over the information that Web sites collected on their children, when there were no special privacy-protection features in the service, the F.T.C. said.
Representatives of Microsoft said that the settlement would make their services stronger. Under the conditions set by the commission, the company will have a "federally reviewed and independently verified service" that should give users "more confidence than ever" when dealing with Microsoft, said Brad Smith, the company's senior vice president and general counsel. "We believe we are on a path to meet, and we will work to exceed, the high bar that the F.T.C. has established" for protecting privacy and security, he said. Alluding to Microsoft's long and bitter struggle against antitrust regulators, Mr. Smith said that its cooperation with the Federal Trade Commission in this case represented "a more constructive public dialogue with government."
Microsoft has given Passport a strong marketing push. Initial versions of its Windows XP operating system repeatedly urged new users to enroll in Passport, and anyone who received a free e-mail account through Microsoft's Hotmail was automatically signed up. The company said yesterday that new versions of XP would not include the hard sell for Passport, which had been criticized by privacy advocates and by companies hoping to promote competing systems for managing identity on the World Wide Web.