Feds Chide Microsoft's Passport

FTC acts in response to complaints about security and privacy terms in Microsoft's Passport services.

The Federal Trade Commission Thursday issued a proposed consent order with Microsoft Corp. over complaints that the company falsely represented the security and privacy provisions in its Passport family of services.

As part of the order, Microsoft must submit to a bi-annual review of its security program for Passport by an independent third party. The order also would prohibit the company from making any further misleading statements about its policies and procedures. It also requires Microsoft to implement and maintain a comprehensive security program for the Passport services.

During a year-long investigation into the Passport service spurred by a complaint filed by the Electronic Privacy Information Center, the FTC found that Microsoft, of Redmond, Wash., not only misrepresented the level of security afforded by its services, but that it also collected more consumer information than it said it would.

"We believe that Microsoft made a number of misrepresentations," said Timothy Muris, chairman of the FTC in Washington. "When you make security promises, or privacy promises, as Microsoft did, you have to keep them. We thought they were deceptive."

Passport is an online single sign-on service that allows users to carry their security credentials from one site to another. Its affiliated Wallet service stores user credit card numbers for easy access during online purchases. There is also a Kids Passport service, which the FTC said didn't give parents the promised amount of control over how much personal information sites collected on their children.

As part of the order, the FTC can do an independent review of Microsoft's security and privacy procedures, in addition to the third-party review.

"We got the relief we wanted and feel that it's a strong order," Muris said.

The order is out for public comment until Sept. 9, after which the FTC will vote on whether to make it final.

Were Microsoft to violate the order, it could incur penalties of $11,000 per violation, per day, Muris said.

"Clearly the FTC is setting a high bar when it comes to security and privacy," said Brad Smith, Microsoft senior vice president and general counsel. "Security that seemed reasonable when we launched Passport in 1999 doesn't seem so now. We've learned from our dialogue with the FTC."

Microsoft officials will further respond to the FTC's action at a press conference later today.
