Microsoft Reaches 'Passport' Settlement

Microsoft Corp. agreed under a federal settlement Thursday to tighten lax security of the Passport Internet service used by more than 200 million consumers and endure two decades of U.S. government oversight into how it operates such systems.

Passport, which is closely tied to Microsoft's flagship Windows XP software, is integral to its most important upcoming technology services, including its NET initiative (pronounced "dot-net"). Using the service, consumers could entrust Microsoft or other organizations to centrally hold their personal information - such as credit card numbers or medical records - and make it available whenever needed.

The chairman of the Federal Trade Commission, Timothy Muris, said pointedly that the settlement with Microsoft affects its current Passport technology "or any other similar service."

Responding to a formal complaint by privacy groups, the FTC determined that Microsoft made deceptive claims and misrepresented the security surrounding the design and use of Passport, which promises consumers a single, convenient method for identifying themselves across different Web sites.

Muris said Microsoft's promises about Passport's security and safety were deceptive, and Microsoft collected more information from consumers than it reported.

"When people make security promises ... they need to keep them," Muris said. "It's good business, it's the law and we'll take action against companies that do not keep their promises."

Muris noted that the FTC did not uncover any security breaches involving Passport customers.

Microsoft agreed to pay $11,000 per violation every day for future violations.

Microsoft's top lawyer, Brad Smith, said the agreement "puts specific processes in place to assure our customers that we are meeting a high bar for security and privacy protection."

"We wish we had held ourselves to an even higher bar," Smith said, adding that, "We accept responsibility for the past and will focus on living up to this high level of responsibility in the future."

Marc Rotenberg, the head of the Washington-based Electronic Privacy Information Center, which organized the complaint in July 2001, described the settlement as "the most significant Internet privacy case to date," because it involved such a prominent technology company and such a widely used Internet service.

Customers using Windows XP found it difficult to avoid using Passport. The software prompts consumers: "You need a Passport to use Windows XP Internet communications features (such as instant-messaging, voice chat and video), and to access Net-enabled features."

Privacy groups, led by EPIC, had complained that Passport represented unfair and deceptive trade practices, alleging that Microsoft inadequately explained how it would track consumers' visits across its Web properties and make it difficult not to use the system or later to stop using it.

Microsoft had previously said the complaint by the privacy groups was "replete with factual errors, misrepresentations and speculations that demonstrate fundamental misunderstandings of (Microsoft's) products, services and technologies."

In the settlement, Microsoft agreed not to make future misrepresentations about the information it collects and to abide by specific security requirements for operating Passport. It also agreed to undergo independent audits every two years for the next
20 years to ensure compliance with the FTC agreement.

Microsoft last year slightly reduced the amount of information consumers must provide to sign up for a Passport account.

In November, Microsoft acknowledged a serious flaw in the "e-wallet" feature of its Passport technology that could have allowed hackers to steal credit card numbers and personal information of about 2 million customers.

It temporarily shut down access by all consumers to their virtual wallets during several days for repairs to the network and testing. That move inconvenienced buyers at roughly 70 e-commerce Web sites that support Microsoft's wallet technology, called "Express Purchase."

By Ted Bridis