Within the scope of Microsoft's wider antitrust problems, the company's recent settlement with the Federal Trade Commission (FTC) regarding privacy concerns with the .NET Passport service might not rate as dramatic news. But by admitting that it hasn't done enough to respect and protect users' privacy, Microsoft ultimately will better serve its customers and engender trust in a service that so far hasn't been a success. News of the settlement arrived roughly a year after the FTC began its investigation of Microsoft. Here's what happened.
In July 2001, 13 consumer privacy groups complained to the FTC that the privacy policies Microsoft was employing in .NET Passport were inadequate, potentially allowing the company to share confidential information about its 200 million users with third parties. The groups stated further that the security Microsoft employed in .NET Passport was inadequate and that a successful attack by a malicious intruder could expose millions of users' credit card, address, and social security information, along with other confidential data. Finally, the groups said that Microsoft was unfairly requiring users of its Windows XP OS—then in beta—to subscribe to .NET Passport to access certain XP features, such as Windows Messenger's file-sharing capability. This requirement, they said, was clearly an indication that Microsoft's illegal monopolistic practices remained unchanged.
During the past year, the FTC investigated these claims with Microsoft's full cooperation. And about 2 weeks ago, the agency announced a landmark settlement in which the software giant agreed that its .NET Passport privacy and security measures weren't adequate. According to the terms of the agreement, which will remain in force for 20 years, the FTC states that Microsoft deceived customers about .NET Passport's security features, the amount of information the company collects from users, and the amount of control parents have over their children's personal information online. Specifically:
- Microsoft claimed that users' ".NET Passports \[are\] protected by powerful online security technology and a strict privacy policy," when, according to the FTC, the company wasn't doing enough to protect users' privacy.
- Microsoft claimed that using .NET Passport wallet for online purchases was "faster and more secure" than using a credit card, which isn't the case.
- Microsoft collected personal information that the company didn't specify in its privacy statement, including personally identifiable records about the sites .NET Passport users visited along with the dates and times they did so.
- Microsoft advertised Kids Passport as a service that would let parents control their children's online privacy. In actuality, Microsoft collected information about Kids Passport users and passed the information to .NET Passport-enabled Web sites.
According to the settlement with the FTC, Microsoft agreed to stop misrepresenting .NET Passport security features and how the company collects information; the company faces fines of $11,000 per violation per day if it violates the agreement. Microsoft must also hire a third-party consulting firm to assess .NET Passport's security risks both immediately and every 2 years during the time the settlement remains in force. The company says that it has already resolved some of the concerns listed in the settlement by bulking up .NET Passport's security features and ensuring that Kids Passport works as advertised.
Interestingly, the FTC settlement didn't address one of the privacy groups' key complaints—about XP and .NET Passport bundling—and the commission had no comment about this charge when it announced the settlement. FTC Chairman Timothy J. Muris did point out during a press conference explaining the settlement that the agency didn't uncover any security vulnerabilities during its yearlong investigation but rather found only the potential for compromise. Muris also noted that Microsoft never shared any private customer information with third parties.
What does the FTC settlement mean to you? If you're a current .NET Passport customer, it means that .NET Passport and any personal information you store with the service will be more secure than it was previously. In my opinion, .NET Passport will undergo major changes or be dropped entirely in the near future, and Microsoft's agreements regarding the service will be rendered moot as a result. Given Microsoft's earlier changes to .NET My Services (formerly code-named HailStorm)—which was originally planned as a consumer-oriented set of services connected with .NET Passport—and the company's interest in interoperability with the standards-oriented Liberty Alliance Project authentication server, Microsoft clearly is reassessing the role .NET Passport will play in future .NET implementations. But either way, your online data will be safer than it was before the FTC moved in. Wasn't that the point behind the investigation and resulting settlement?
