Microsoft Corp. will have to increase security and privacy for personal information collected by its Passport single sign-on Web services and be subject to independent compliance audits for Passport every two years under a settlement announced Thursday by the U.S. Federal Trade Commission (FTC).
In a case that began last year when privacy groups raised concerns about inadequate security in several versions of Passport, the FTC Thursday announced that Microsoft has agreed to stop misrepresenting the security of Passport and the kinds of personal information it collects about users.
"Privacy and security promises must be kept," said FTC Chairman Timothy Muris at a news conference in Washington announcing the settlement. "It's good business, it's the law, and we'll take action against companies that do not keep their promises."
Under the settlement, Microsoft has agreed to implement a comprehensive information security program for its Passport products, which include Passport, Passport Wallet and Kids Passport. The company will also have to undergo a compliance audit by a qualified third party every other year to ensure that the security and privacy of Passport are maintained.
No security breaches were uncovered by the FTC's investigation, but the potential for problems was present in the software, Muris said.
Specifically, the FTC said Microsoft misrepresented the security and privacy provided by parental controls in the version of Passport aimed at children, called Kids Passport. The controls apparently didn't allow parents to limit the personal information used or collected about their children, according to the FTC.
The agreement stipulates that Microsoft is prohibited from making any such misrepresentations in the future about the privacy and security controls related to Passport.
"When you make security promises as Microsoft did, they were in effect saying they had reasonable and effective security measures," Muris said. "We felt those promises were deceptive."
The company also apparently collected more user information than it said it was collecting, including a history log of Passport sites and the times when they were visited by users.
Although no fines were imposed as part of the settlement, the company would be subject to fines of US$11,000 per violation, per day if it is found to violate the terms of the agreement.
Normally, administrative cases such as this don't carry fines, Muris said. But in this case, the potential for fines is included, Muris said.
"We got the relief that we wanted here," he said. "Certainly we want the world to be aware, when companies make these promises, they must keep them. We have other investigations under way."
The FTC didn't weigh in on the allegation that Passport was too closely tied into the Windows XP operating system, saying that issue is part of ongoing antitrust action against the company.
"We thought that was an inappropriate place for us to travel," Muris said.
In a conference call following the FTC announcement, Microsoft general counsel Brad Smith said the company cooperated fully in the FTC investigation and has recently put "specific processes into place" to assure compliance.
"Clearly, the FTC is setting a high bar, not only for Microsoft but for our industry when it comes to privacy and security," Smith said. "A level of security that seemed reasonable when we launched Passport in 1999 no longer seems reasonable."
Smith said the company will work to "exceed the high bar the FTC has established." Asked why Microsoft didn't simply disclose all of the uses for the information it collected from the outset, he said the company just made a mistake.
"If we were perfect, we would never have made any mistakes," he said. "In hindsight, we've all learned a lot in the last few years. Security is an ongoing process. Everything about this is an ongoing process."
Jason Catlett, director of Junkbusters Corp., a privacy group in Green Brook, N.J., called the settlement a "substantive remedy" that dealt directly with investigating the allegations against Microsoft.
"It's very significant that the FTC went in with security auditors and found information being collected and security procedures that were grossly deficient," he said.
The only thing Catlett thought was missing from the settlement was a requirement that Microsoft destroy the information that it collected using deceptive means.
"I would have preferred that they force Microsoft to disgorge the data, but it is a substantive remedy," he said. "Anyone concerned about privacy would commend the commission for doing it."
The investigation began last year after several privacy groups, including the Washington-based Electronic Privacy Information Center, complained that Microsoft wasn't adequately protecting consumers using the Passport services.