U.S., Microsoft settle privacy charges

CIOL Bureau

By Andy Sullivan



WASHINGTON: Microsoft Corp. agreed on Thursday to submit to 20 years of U.S. government oversight of its online identity service in order to settle charges that it misled consumers about security and privacy standards. Microsoft's Passport service, which aims to make online shopping easier by storing passwords and credit-card numbers, came under scrutiny by the U.S. Federal Trade Commission last year after privacy groups said it would give the software giant unprecedented control over users' personal information.



FTC officials said they found that Microsoft did not adequately protect users' personal information, and that the service tracked users' Web-browsing habits without their knowledge. The company also falsely claimed that it would enhance the security of Internet transactions, the FTC said. "They were saying that they had reasonable and appropriate security procedures. We thought those promises were deceptive," FTC Chairman Timothy Muris told reporters, adding that he was unaware of any breaches to the system.



Microsoft agreed to stop making false claims about Passport's data-collection practices and security protections, and agreed to set up an enhanced computer-security system that must pass independent review every two years, for a period of 20 years. Microsoft paid no fines, but would face fines of $11,000 per count if it does not maintain the security program, an amount that could add up quickly given the service's 200-plus million users.



Microsoft says it’s older and wiser



A Microsoft official said there were "lessons that can be learned" from the FTC action and that the company would improve its description and disclosure of Passport's features. "We've learned from the dialogue with the FTC and we will work to meet the high bar they are setting," said Microsoft General Counsel Brad Smith.




Tracking information collected by Passport would only be used for customer service needs and would be purged after 10 days in most cases, he said.



Activists who asked the FTC last summer to examine Passport said the settlement was the most significant victory for online privacy to date. "Frankly, we're pleased," said Marc Rotenberg, executive director of the Electronic Privacy Information Center, which led the consumer coalition. "In some areas the FTC went further than we anticipated." Jason Catlett, president of privacy consulting firm Junkbusters Corp., said the most significant aspect was that the FTC decided to investigate in the first place.



"Finding that Microsoft has bad security is like shooting at a sitting duck," Catlett said. "What is significant is not that they hit the duck, but that they took the shot." Microsoft, hit by break-ins to its network and criticism over its security, made "trustworthy computing" its top priority earlier this year after chairman Bill Gates called for more emphasis on security. Smith said the company built Passport on what it thought was the most secure technology available at the time.




The Association for Competitive Technology, a technology group that has supported Microsoft in the past, said the agreement seemed excessive but would set new standards for the entire industry. Passport faces pressure on other fronts. European Union authorities have taken a hard look at the service, concerned that it does not comply with privacy laws and tell users how their personal information is used. A group of high-tech firms calling itself the Liberty Alliance, led by Sun Microsystems Inc., is planning a similar identity service.



Most Passport users signed up involuntarily when they set up a free Hotmail account, or bought the new Windows XP operating system, and few are active users, said Gartner analyst Avivah Litan. The settlement could help Microsoft by building trust in the system, she said. "Consumers use Passport right now because they have to," Litan said.



One FTC source said Microsoft was eager to settle the case because it did not want further problems with Passport, which is at the core of the company's .NET initiative to move to Internet-based services. "They caved," the source said.



© Reuters
