This morning, the Federal Trade Commission (FTC) announced a settlement with Microsoft regarding consumer-privacy violations in the Microsoft .NET Passport service. The FTC says that the company made several misrepresentations about Passport's security, the amount of personal information collected from users, and how much control parents have over their children's online personal information. Microsoft also faces similar charges in Europe.
The FTC began its investigation in July 2001 after privacy groups complained that the service deceived consumers into believing that Microsoft would keep personal information secure. The groups also charged that Microsoft required Windows XP users to sign up for the service to take advantage of certain OS features.
"We are pleased to announce that the FTC has reached a settlement with Microsoft, dealing with the privacy and security of personal information," FTC Chairman Timothy J. Muris said during a press conference this morning. "The settlement focuses on Microsoft's [.NET] Passport, Passport Wallet, and Kids Passport services."
According to the settlement's terms, Microsoft can't make misrepresentations about .NET Passport security and information gathering, the security of online purchases, the amount and kinds of personal information that the company collects, and the amount of control parents have over information collected about their children. If the company violates any of these terms, it faces "substantial civil penalties" of up to $11,000 per violation per day, Muris said. The settlement also requires Microsoft to create a formal and reasonable security program and to undergo a security audit by an independent third party every 2 years to ensure that the company is in compliance.
Muris noted that no .NET Passport security vulnerabilities occurred during the FTC's investigation, but that the service had the potential to be compromised. "When you make security promises, as Microsoft did, you need to keep them," Muris said. "Microsoft was deceptive about [.NET] Passport's security capabilities and the amount of personal information [it] collected. The company did not share personal information with other companies, however."