Microsoft Admits to Privacy Errors With Passport

Microsoft has admitted, in a settlement with the Federal Trade Commission (FTC), that it has not properly protected the privacy and security of people who provided personal information through Passport.

The company agreed to beef up the security of Passport and be more open with customers about what it does with their personal data. The company also agreed to allow an outside audit of its practices every two years. In a significant concession, Microsoft agreed to be monitored for 20 years.

The FTC admitted that it had found no actual security breaches, and agreed that Microsoft had not shared consumer data improperly with other companies. But FTC chairman Timothy J. Muris said Microsoft was not meeting the levels of privacy protection and security that it had promised users of Passport.

Microsoft was deemed to have lied about the effectiveness of its measures to protect users' personal information — including credit card numbers collected for the Passport Wallet shopping service. The FTC also said Microsoft had falsely claimed that purchases made with Passport Wallet were "safer or more secure" than purchases made at the same site without Passport. But the FTC ruled: "In fact most consumers received identical security at those sites, regardless of whether they used Passport Wallet to complete their transactions."

The software company was also found to have lied when it said that it did not collect any personally identifiable information beyond that described in its privacy policy. In practice, Microsoft's technical support staff would routinely tie personally identifiable information to the user's sign-in history, and hold on to that data for months.

"Good security is fundamental to protecting consumer privacy," said Muris. "We’ll take action against companies that don't keep their promises. Companies that promise to keep personal information secure must follow reasonable and appropriate measures to do so. It's not only good business, it's the law."

The FTC ruling came out of a complaint in July 2001 contending that Microsoft's privacy practices, and especially the new Windows XP operating system and services like Passport, "are designed to obtain personal information from consumers in the United States unfairly and deceptively."