MS Passport is an on-line service which allows subscribers to use their e-mail address and a single password to sign in to any Passport-participating web site or service. The service currently has more than 200 million subscribers.
Microsoft retains users’ personal information, such as credit card details, and makes it available when required for on-line transactions. Microsoft uses Passport authentication for the MSN Messenger and HotMail services, for the Microsoft Developer Network on-line access and also for Microsoft Reader purchases.
Privacy groups, including EPIC and Junkbusters, accused Passport of collecting more information than it admitted to the consumer, and claimed that Microsoft was using the service to profile customers in an “unprecedented” way.
The groups also alleged that Microsoft’s trade practices were unfair and deceptive, as the company claimed to offer a higher standard of security to its customers than it actually could. A further complaint was that Microsoft Kids Passport did not comply with the Children’s Online Privacy Act.
The FTC investigation found that Microsoft had misled its subscribers over its security standards and so had misrepresented the company’s ability to protect the subscribers’ personal data. The FTC also determined that the MS Passport service was tracking subscribers’ web browsing habits without their knowledge.
As regards Kids Passport, the FTC asserted that the web materials were not as clear as they should have been in describing the capabilities and the limitations of the Kids Passport service. Of particular note was the fact that it only permitted users to control information provided to sites that are Kids Passport sites.
The FTC also discovered that it has been possible for some children to circumvent the parental controls that Kids Passport provides.
Microsoft has released a statement confirming that amendments have been made to its privacy statement and to Kids Passport in response to the points raised by the FTC. Under the settlement agreement between the parties, Microsoft is required to stop making false claims about its data collection practices and to fully disclose its privacy policies.
Microsoft is also under an obligation to tighten its security standards by setting up a security system which will have to pass an independent check every two years.
Microsoft will not have to pay a fine unless it fails to comply with the terms of the agreement, which will be binding on the company for 20 years.