FTC presses Passport

By Matt Whipp

Posted on 9 Aug 2002 at 15:19

Microsoft and the FTC reach a 20-year agreement that will see the company face security audits every two years.

Following complaints about Microsoft's single sign-in Passport account, the Federal Trade Commission and Microsoft yesterday agreed an order that will result in changes to the way Passport is described, changes within SP1 for XP and the adoption of a 'comprehensive information security program', which will undergo a third-party security audit within a year, and every two years thereafter.

Brad Smith, general counsel for Microsoft, said in the conference call yesterday that the new measures 'raise the bar for Microsoft and the entire industry,' and that 'the industry will need to keep pace with the precedent this case sets.'

The phrase 'raising the bar' was repeated often during the call, and Microsoft clearly feels that if it is to be picked on, then other companies should be subjected to the same scrutiny of security, and meet the new standards it has been forced to set.

The complaints were filed in July 2001 by a group of consumer bodies led by the Electronic Privacy Information Centre (EPIC) and related to Passport, Passport Wallet and Kids Passport. They questioned whether the levels of privacy and security employed throughout Passport and Passport Wallet are 'reasonable and appropriate' as Microsoft described in its Privacy Statement.

The Commission also upheld complaints that Microsoft falsely represented that purchases made with Passport were more secure, that it did not collect any personally identifiable information other than that described in its privacy policy and that the Kids Passport provided parental control over what information Web sites could collect from children.

Microsoft will implement a number of changes, including to the way it describes its Passport services and to the upcoming SP1 for Windows XP, which will 'no longer provide Passport prompts' (currently XP prompts new users to sign up five times).

With regard to its collection of personally identifiable information, Brad Smith insisted that this will continue - but that this policy will be described more clearly. He said that the logs kept of Passport users' activities included only the sites visited and the times of entering and leaving, but not what they did there. This information is not personally identifiable, he said, until a user asks for help, because - for example - they can't sign in to a site. The tracking is 'for customer representatives to offer support,' he added. 'We have never shared this information with anyone.'

Timothy J Muris, Chairman of the FTC, said: 'Companies that promise to keep personal information secure must follow reasonable and appropriate measures to do so. It's not only good business, it's the law.'

Even so, a spokesperson for Microsoft underlined its commitment to Passport, a key part of its MSN, Hotmail, Microsoft Developer Network services and its emerging .NET technologies. 'Single sign-on can provide a more secure experience for consumers than the model we see today, where people have one username and password at multiple sites, where they are only as secure as the weakest site they authenticate to.

'We have already announced our intention to move the Passport service to the Kerberos authentication standard, which will enable Kerberos clients to talk to Kerberos servers directly. We also have a roadmap forward that tracks new security technologies like Kerberos, smart cards, digital certificates and biometrics.'

PCPro-Computing in the Real World Printed from www.pcpro.co.uk
