dotgnu-general

[DotGNU]Microsoft Settles U.S. Charges Passport Service Misled Public


From: Seth Johnson
Subject: [DotGNU]Microsoft Settles U.S. Charges Passport Service Misled Public
Date: Fri, 09 Aug 2002 10:59:44 -0400

(Forwarded from Digital Bearer Settlement List)

-------- Original Message --------
Date: Fri, 9 Aug 2002 09:49:01 -0400
From: "R. A. Hettinga" <address@hidden>


> http://online.wsj.com/article_print/0,,SB1028814666796661120,00.html


The Wall Street Journal

August 9, 2002

Microsoft Settles U.S. Charges Passport Service Misled
Public

By NICHOLAS KULISH and REBECCA BUCKMAN
Staff Reporters of THE WALL STREET JOURNAL

WASHINGTON -- Microsoft Corp. settled federal charges that
the company misled consumers about both the security and
privacy of its Passport Internet authentication service.

Passport collects personal information from consumers and
allows them to sign in at any participating Web site with a
single name and password.

Passport Wallet stores consumers' credit-card numbers, and
billing and shipping addresses, and enables consumers to use
the stored information when making purchases at certain
sites.

Kids Passport allows parents to create Passport accounts for
their children that can limit the collection of personal
information.

Source: FTC

The settlement, which could have far-reaching implications
for the users of Microsoft's 200 million Passport accounts
world-wide and the company's Web-based .NET strategy, also
requires the software company to tighten security standards
and disclose fully its privacy policies. Under the
settlement, the Federal Trade Commission will oversee
elements of Microsoft's privacy and security implementation
for 20 years.

While it is the latest round in Microsoft's continuing legal
trouble, including the continuing antitrust cases both here
and in Europe, the settlement affects more than just
Microsoft itself.

Asked at a news conference Thursday whether rival services
such as those linked to the Liberty Alliance, a consortium
of blue-chip companies originally organized by Microsoft
rival Sun Microsystems Inc., would be affected, FTC Chairman
Timothy Muris answered, "If I were them, I'd read the order
carefully."

Microsoft's Passport Internet service is designed to speed
online-authentication for people as they visit various Web
sites by letting them use one user name and one password.
The FTC found that Microsoft collected more information
about Passport users than it disclosed, keeping track of
which sites users visited and when they visited them. The
company said the data were held only for customer-service
reasons, such as helping people figure out why they couldn't
access certain sites.

Microsoft held that information for as long as 90 days, even
though the company has long said it doesn't compile much
personal information about Passport users. Under the
settlement, Microsoft will continue to keep such
customer-activity logs, officials said, though the practice
will now be fully disclosed in the Passport privacy policy.

The agency also found Microsoft claimed a higher standard of
security than it actually met, and didn't maintain proper
procedures to prevent or detect possible unauthorized access
to the Passport system. Now, Microsoft will put into place a
"comprehensive information security program" for Passport,
which will include third-party auditing.

In a statement, Sun, a frequent critic of Passport, called
the settlement "a long-awaited, necessary first step" to
protect consumers' personal information and security. Sun
also sells some computer-identity technology, though the
company said it doesn't "take ownership of customers'
names," as it alleges Passport does.

Bruce Schneier, the chief technical officer of Counterpane
Internet Security Inc., a Cupertino, Calif.
security-services company, said he applauded the FTC's
action. But he noted that even though Microsoft has been on
a companywide, security-improvement kick lately -- sparked
by a widely disseminated memo from company Chairman Bill
Gates earlier this year -- he said he had seen "no reduction
in the number of software bugs, no improvement in the way
Microsoft handles security flaws. I've seen lots and lots of
rhetoric," he said.


ONGOING LEGAL WOES

See complete coverage of the Microsoft antitrust case,
including related articles, more than three years' worth of
court filings and other documents, and a chronology dating
back to the 1980s, available at wsj.com/microsoft

Microsoft officials, however, said the FTC is demanding
significant changes in how it oversees and documents
Passport security, and it will comply. "We will focus on
living up to that high level of responsibility in the
future," Microsoft General Counsel Brad Smith said.
Microsoft also agreed to pay $11,000 a day for each future
violation.

Microsoft shares rose $1.82, or nearly 4%, to $48.91 in 4
p.m. trading on the Nasdaq Stock Market, where the shares
are trading sharply off the 52-week high of $70.72.

The FTC investigation came in response to complaints made a
year ago by a coalition of consumer groups led by the
Electronic Privacy Information Center.

"The FTC went quite far in this order," said Marc Rotenberg,
executive director of EPIC. "It makes Microsoft more open
and more accountable to its customers in the use of personal
information."

The settlement represents another setback for Passport, a
service Microsoft has recently built up as the linchpin of
many of its consumer Internet initiatives. For example,
everyone who signs up for Microsoft's free Hotmail e-mail
service also automatically gets a Passport.

The system was supposed to be the gateway to a series of new
Web services -- involving everything from accessing health
records online to booking travel -- called "Hailstorm,"
which were unveiled last year. Big companies that would have
been involved in Hailstorm eventually balked, however, at
giving Microsoft control of their customer information. That
project is now being retooled.

Indeed, Microsoft -- whose software runs the vast majority
of personal computers -- has been struggling to address
privacy concerns about Passport and .NET for more than a
year, particularly after it built support for Passport into
its new Windows XP product.

A year ago, at around the same time that EPIC filed its
initial complaint, Microsoft announced it was reducing the
amount of information gathered from consumers who sign up
for a Passport and splitting off Passport's "wallet"
function, which allows people to more easily pay for things
online. And Microsoft said Thursday that it will weaken
Passport's links to Windows in a new Windows XP update due
out in a few weeks, though that move wasn't specifically
related to the FTC settlement, a company official said.


-----------------
R. A. Hettinga <mailto: address@hidden>
The Internet Bearer Underwriting Corporation
<http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and
antiquity, [predicting the end of the world] has not been
found agreeable to experience." -- Edward Gibbon, 'Decline
and Fall of the Roman Empire'


