THE FEDERAL TRADE Commission (FTC) said Thursday that it has reached a settlement with Microsoft Corp. over misrepresentations of the privacy and security of the company's Passport Internet sign-on service, Passport Wallet and Kids Passport.

After a year-long investigation, the agency concluded that the Passport services did not provide the security required to store sensitive user information, and collected more personal user information than stated in the company's privacy policy.

"We believe that Microsoft made a number of misrepresentations regarding the security of Passport, the information it stores, the security of online purchases using Passport Wallet and the information collected on Websites using Kids Passport," FTC Commissioner Timothy J. Muris said during a conference call Thursday.

The FTC has ordered Microsoft to cease misrepresenting the information collected by the services, implement and maintain an information security program and have its security program certified by an independent specialist every two years.

"Companies that promise to keep personal information secure must follow reasonable and appropriate measures to do so," Muris said.

In a statement released Thursday, Microsoft said that it thoroughly cooperated with the FTC in its review and that the agreement "reinforces Microsoft's commitment to improving security, and we will meet and work to exceed this high bar."

The FTC said that it initiated its investigation following a complaint filed in July 2001 by the Electronic Privacy and Information Center (EPIC) claiming that Microsoft falsely represented the privacy and security of user information collected by Passport.

Passport is a single sign-on service that stores users' information, allowing them to surf a number of Websites without having to re-enter data, and is central to the company's .Net Web services initiative. Despite concerns raised by privacy groups, such as EPIC, that the system gives Microsoft too much control over sensitive user data, the company has repeatedly testified to the privacy and security of the system. The security concerns are even more crucial for Passport Wallet, which stores user credit card numbers and billing information for use in e-commerce transactions.

Although the agency said that it did not detect any breaches in Passport's security, it said that it found "inadequacies" in the security that could be avoided.

Furthermore, the agency said that Microsoft collected some user information, such as log-in data, without notifying users.

"(Microsoft) violated their privacy policy by collecting more information than they said they would collect," J. Howard Beales, director of the FTC's Bureau of Consumer Protection, said during the conference call.

Because Kids Passport was advertised as allowing parents to have complete control over what information Web sites would be able to access about their children, the misrepresentation in this case was particularly egregious, the FTC said.

Beales noted, however, that Microsoft was not found to be selling or sharing user information collected by the Passport services.

The settlement is a consent agreement, the FTC said, and does not constitute an admission of wrongdoing. However, each violation of the order carries a US$11,000 civil penalty.

Microsoft will be holding a conference call on the settlement at 12:30 EST.