The US Federal Trade Commission (FTC) has reached a settlement with Microsoft over misrepresentations of the privacy and security of the company's Passport Internet sign-on service, Passport Wallet and Kids Passport.
"We believe that Microsoft made a number of misrepresentations regarding the security of Passport, the information it stores, the security of online purchases using Passport Wallet and the information collected on Web sites using Kids Passport," FTC commissioner Timothy Muris said.
The FTC has ordered Microsoft to cease misrepresenting the information collected by the services, implement and maintain an information security program and have its security program certified by an independent specialist every two years for the next 20 years.
The settlement represents a significant development concerning government regulation of information technologies. "Companies that promise to keep personal information secure must follow reasonable and appropriate measures to do so," Muris said.
In a statement released on Thursday, Microsoft said that it thoroughly cooperated with the FTC in its review and that the agreement "reinforces Microsoft's commitment to improving security, and we will meet and work to exceed this high bar".
The FTC said that it initiated its investigation following a complaint filed in July 2001 by the Electronic Privacy and Information Center (EPIC) claiming that Microsoft falsely represented the privacy and security of user information collected by Passport.
Passport is a single sign-on service that stores users' information, allowing them to surf a number of Web sites without having to re-enter data, and is central to the company's .Net Web services initiative. Despite concerns raised by privacy groups, such as EPIC, that the system gives Microsoft too much control over sensitive user data, the company has repeatedly testified to the privacy and security of the system. The security concerns are even more crucial for Passport Wallet, which stores user credit card numbers and billing information for use in e-commerce transactions.
Although the agency said that it did not detect any breaches in Passport's security, it said that it found "inadequacies" in the security that could be avoided.
Furthermore, the agency said that Microsoft collected some user information without notifying users.
"Most importantly, we have never shared this information with anyone. We have not shared it for free, for a price and not even with our partners," said Brad Smith, Microsoft senior vice president and general counsel.
Because Kids Passport was advertised as allowing parents to have complete control over what information Web sites would be able to access about their children, the misrepresentation in this case was particularly egregious, the FTC said.
Microsoft said it will more clearly state the security and privacy features of its products in the future. "We understand the importance of online network security and appreciate that it constantly evolves," Smith said. "We've never claimed infallibility and in hindsight we wished we had held ourselves to a higher bar one or two years ago."
Smith added that the case will set new standards for the whole industry, and reflects the US Government's heightened interest in ensuring network security.
When asked how the FTC settlement will affect a European Commission (EC) probe into Passport privacy issues, Smith said that it would be up to the EC to decide if the new measures abated their concerns.
"We will of course be energetic in providing the EC with information on the settlement and ultimately they will have to decide if this order addresses the privacy issues they have in mind," Smith said.
The settlement is a consent agreement, the FTC said, and does not constitute an admission of wrongdoing. However, each violation of the order carries a $US11,000 civil penalty.