Passport is an online user-authentication service, currently being launched through Windows XP and the emerging .Net platform. Users create a profile by supplying a variety of personal information, which is stored on Microsoft’s servers. Users can then use their profile to access participating sites with one single log-on action. Participating sites can access users’ information on Microsoft’s servers, removing the need for each site to maintain its own authentication software. However, the real benefits for participating sites are the ability to collect and use the information in profiles for research, targeted advertising and personalised web content. One site can share information with another, even if the user has not visited the latter site.
Recently, 13 American electronic consumer watchdogs filed a complaint with the US Federal Trade Commission, alleging that Passport’s privacy deficiencies amounted to unfair and deceptive trade practices. They alleged that, after supplying the personal information in a user’s profile to Microsoft, the user loses all control over who has access to that information and for what purpose.
The privacy statements of both Passport and participating sites provide that policy changes can be made without notice, and continued use after a policy change constitutes consent to the changes. The complaint alleges that the ability to amend privacy policies makes the consent process “illusory”. The FTC complaint also alleges that Microsoft retains information long after consent has been withdrawn, as exiting users must wait up to a year for their profiles to be deleted.
Some of Microsoft’s privacy protection measures are themselves alleged to be deceptive. The “Kids Passport” is promoted as a way of protecting children’s privacy online by requiring parental consent for information to be released, but the FTC complaint alleges that in order to do this, parents must themselves create a profile including supplying credit card details. This enables Microsoft to gather and make available to others, further and unnecessary personal information.
Very interesting issues arise in respect of New Zealand’s Privacy Act 1993. In TechLaw’s view personal information is “collected” whenever a user supplies information to create or update their profile. If that user is in New Zealand at the time, personal information is collected in New Zealand, and Microsoft must comply with the Privacy Act. It is highly unlikely that Passport complies with the requirements of the information privacy principles established under the act.
Similarly, any New Zealand-based participating site would be subject to the act whenever they access information from users’ profiles. Principle 2 requires personal information to be collected directly from the individual concerned, except in certain specified instances, none of which are likely to apply. Further principles govern the storage, retention, use and dissemination of that information.
In TechLaw’s view, while Passport has obvious benefits to both users and participating sites, it raises a number of significant privacy concerns. Users need, more than ever, to be aware of the risks and read the fine print before supplying personal information. New Zealand-based participating sites need to be aware that our Privacy Act probably applies to them, and therefore additional liabilities and responsibilities for the collection, use and retention of personal information will apply.
Parkinson is a partner in Clendon Feeney’s information technology team and Ockleston is a solicitor in the firm’s general commercial team. This article, together with further background comments and links to other web sites, can be downloaded from www.clendons.co.nz. Questions and comments are welcome to Averill Parkinson.