The US FTC (Federal Trade Commission) has reached a settlement with Microsoft over misrepresentations of the privacy and security of the company's Passport internet sign-on service, Passport Wallet and Kids Passport.

After a year-long investigation, the agency concluded that the Passport services did not provide the security required to store sensitive user information, and collected more personal user information than stated in the company's privacy policy.

"We believe that Microsoft made a number of misrepresentations regarding the security of Passport, the information it stores, the security of online purchases using Passport Wallet and the information collected on websites using Kids Passport," said FTC Commissioner Timothy J Muris.

Checkups ordered

The FTC has ordered Microsoft to cease misrepresenting the information collected by the services, implement and maintain an information security program and have its security program certified by an independent specialist every two years for the next 20 years.

The settlement represents a significant development concerning government regulation of information technologies in the US.

"Companies that promise to keep personal information secure must follow reasonable and appropriate measures to do so," Muris said.

In a statement Microsoft said that it thoroughly co-operated with the FTC in its review and that the agreement "reinforces Microsoft's commitment to improving security, and we will meet and work to exceed this high bar".

European effect

It is not yet known whether the FTC judgement will have any effect on the European Commission probe into Passport privacy issues, but Smith said that it would be up to the EC to decide if the new measures abated their concerns.

"We will of course be energetic in providing (the EC) with information on the settlement and ultimately they will have to decide if this order addresses the privacy issues they have in mind," Smith said.

The FTC initiated its investigation following a complaint filed in July 2001 by the Epic (Electronic Privacy and Information Centre) claiming that Microsoft falsely represented the privacy and security of user information collected by Passport.

Passport is a single sign-on service that stores users' information, allowing them to surf a number of websites without having to re-enter data, and is central to the company's .Net web services initiative.

Despite concerns raised by privacy groups such as Epic that the system gives Microsoft too much control over sensitive user data, the company has repeatedly testified to the privacy and security of the system. The security concerns are even more crucial for Passport Wallet, which stores user credit card numbers and billing information for use in e-commerce transactions.

Although the agency said that it did not detect any breaches in Passport's security, it did say that it found "inadequacies" in the security that could be avoided.

Furthermore, the agency said that Microsoft collected some user information without notifying users.

"(Microsoft) violated their privacy policy by collecting more information than they said they would collect," said J Howard Beales, director of the FTC's Bureau of Consumer Protection.

Private property

At issue was the fact that Microsoft collected and maintained for a limited period of time information on which websites customers signed into and did not mention this practice in its privacy policy. The software maker said that this data was only collected for customer service purposes, however, and that it has recently updated its privacy policy to reflect the practice.

"Most importantly, we have never shared this information with anyone. We have not shared it for free, for a price, and not even with our partners," said Brad Smith, Microsoft senior vice president and general counsel.

Because Kids Passport was advertised as allowing parents to have complete control over what information websites would be able to access about their children, the misrepresentation in this case was particularly egregious, the FTC said.

Microsoft said it will more clearly state the security and privacy features of its products in the future.

"We understand the importance of online network security and appreciate that it constantly evolves," Smith said. "We've never claimed infallibility and in hindsight we wished we had held ourselves to a higher bar one or two years ago."

Smith added that the case will set new standards for the whole industry, and reflects the US government's heightened interest in ensuring network security.

The settlement is a consent agreement, the FTC said, and does not constitute an admission of wrongdoing. However, each violation of the order carries an $11,000 (£7,226) civil penalty.