The noose around Microsoft Passport tightened a bit more this week when a privacy advocacy group asked the attorneys general of all 50 U.S. states to investigate whether the service exposes consumers to fraud, junk email and "identity theft." In a letter sent to the states, the Electronic Privacy Information Center (EPIC) wrote that the federal government's unwillingness to act has allowed Microsoft to continue using unfair and deceptive trade practices that track and profile its users while inadequately protecting private information, including credit card numbers.
"Microsoft's Passport service and related 'Wallet,' 'Kids Passport,' 'Hailstorm,' and '.Net Services' unfairly and deceptively gather personal information and expose consumers to the release, sale, and theft of their personal information," the letter reads. "Immediate state action is necessary to protect consumers and ensure Microsoft does not continue to improperly collect personal information."
EPIC says it contacted the states because its repeated requests to the Federal Trade Commission (FTC) have gone unanswered.
The letter continues: "The privacy and security [in Passport] risks include: online profiling made possible by the requirement that individuals sign on to Passport before viewing web content, an increase in the amount of unsolicited commercial e-mail from the sharing of e-mail addresses with Passport-affiliated sites, and stolen credit card data from numerous security holes in the Passport and Wallet systems. The vulnerability of Passport combined with its pervasion of the Internet creates serious risks to personal information sacrificed by consumers to gain access to services integrated with Microsoft authentication software under the belief that Microsoft is adequately protecting their data."
Microsoft denies that Passport is a risk and says that it does not share personal information with third parties unless its users voluntarily use Passport to access third-party sites. I'm not sure what that means, frankly, and I'm equally troubled by a comment made by Microsoft spokesperson Rick Miller, who said that Passport security was "impossible" to guarantee. "It's not a Passport thing, it's an Internet thing," Miller said. If this is true, then perhaps the entire Passport concept is flawed. Consumers would use Passport for its convenience, but this convenience is easily outweighed by security risks. Presumably, Passport will come under tighter internal scrutiny given Microsoft's recent security shift.
In related news, some of the bigger companies in the Liberty Alliance, which seeks to create an open alternative to Passport, have been quietly urging Microsoft to join. Representatives from United Airlines and General Motors say that they've been talking to Microsoft regularly about this for some time, and would like to see the software giant meld Passport's authentication system with that of the Liberty Alliance, so that there is a standardized way of identifying people online. Microsoft says it is considering the offering and could join the Liberty Alliance under "the right circumstances."