Microsoft Corporation has agreed to settle Federal Trade Commission charges regarding the privacy and security of personal information collected from consumers through its "Passport" web services. As part of the settlement, Microsoft will implement a comprehensive information security program for Passport and similar services.
"Good security is fundamental to protecting consumer privacy," said Timothy J. Muris, Chairman of the Federal Trade Commission. "Companies that promise to keep personal information secure must follow reasonable and appropriate measures to do so. It's not only good business, it's the law. Even absent known security breaches, we will not wait to act."
Microsoft, a provider of software, services, and Internet technologies for personal and business computing, operates three related Internet services: Passport Single Sign-In (Passport); Passport Express Purchase (Passport Wallet); and Kids Passport. Passport collects personal information from consumers and allows them to sign in at any participating website with a single name and password. Passport Wallet collects and stores consumers' credit card numbers, and billing and shipping addresses, and enables consumers to use the stored information when making purchases at participating Web sites. Kids Passport allows parents to create Passport accounts for their children that can limit the collection of personal information by participating Web sites.
Microsoft's Passport privacy policies included statements such as, "Passport achieves a high level of Web Security by using technologies and systems designed to prevent unauthorized access to your personal information" and "Your Passport is protected by powerful online security and a strict privacy policy." The Kids Passport privacy policy included statements such as, "Microsoft Kids Passport allows parents to consent to the collection, use and sharing of their children's information with Passport participating sites. . . . You can choose to allow Passport to share all of the information in your child's Passport profile with a participating site or service, or you can limit the information shared to just a unique identifier or age range. . .."
The Commission initiated its investigation of the Passport services following a July 2001 complaint from a coalition of consumer groups led by the Electronic Privacy Information Center (EPIC).
According to the Commission's complaint, Microsoft falsely represented that:
- It employs reasonable and appropriate measures under the circumstances to maintain and protect the privacy and confidentiality of consumers' personal information collected through its Passport and Passport Wallet services, including credit card numbers and billing information stored in Passport Wallet;
- Purchases made with Passport Wallet are generally safer or more secure than purchases made at the same site without Passport Wallet when, in fact, most consumers received identical security at those sites regardless of whether they used Passport Wallet to complete their transactions;
- Passport did not collect any personally identifiable information other than that described in its privacy policy when, in fact, Passport collected and held, for a limited time, a personally identifiable sign-in history for each user; and
- The Kids Passport program provided parents control over what information participating Web sites could collect from their children.
The proposed consent order prohibits any misrepresentation of information practices in connection with Passport and other similar services. It also requires Microsoft to implement and maintain a comprehensive information security program. In addition, Microsoft must have its security program certified as meeting or exceeding the standards in the consent order by an independent professional every two years.
In addition to EPIC, the coalition of consumer groups that filed the complaint regarding the Passport services includes the Center for Digital Democracy, Center for Media Education, Computer Professionals for Social Responsibility, Consumer Action, Consumer Federation of America, Consumer Task Force for Automotive Issues, Electronic Frontier Foundation, Junkbusters Corporation, Media Access Project, NetAction, Privacy Rights Clearinghouse and U.S. PIRG. The Commission's action today is also consistent with a recent decision by the Children's Advertising Review Unit of the Better Business Bureau (CARU) regarding the Kids Passport service.
The Commission vote to accept the proposed consent order and place a copy on the public record was 5-0. The FTC is accepting public comment on the proposed order for 30 days, until September 9, 2002, after which the Commission will determine whether to make it final. Comments should be sent to: FTC, Office of the Secretary, 600 Pennsylvania Ave., N.W., Washington, D.C. 20580.
NOTE: The consent agreement referenced in this release is for settlement purposes only and does not constitute an admission of a law violation. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of $11,000.
(File No. 0123240, M03)
Contact Information
Office of Public Affairs
202-326-3657
Bureau of Consumer Protection
202-326-3240