Out-Law News
16 Sep 2002, 12:00 am
The FTC, which launched an investigation into Passport’s security and privacy practices a year ago following a complaint filed by EPIC, found that Microsoft misled consumers by overstating the privacy and security standards of its Passport, Kids Passport and Wallet authentication services.
The FTC and Microsoft finally settled the investigation in August with a consent agreement, which orders the software giant to cease the misrepresentation of the service and to adopt higher privacy and security standards. Microsoft also agreed to biannual audits for the next 20 years.
EPIC claims in a letter sent to the FTC that, although the agreement would “go far in improving security and privacy”, Passport is still experiencing security breaches. The group also argues that “consumers are resistant to authentication systems, and that a majority of Passport users enrolled simply because Passport was necessary for access to some other service.”
Despite these facts, the group claims Microsoft “has attempted to expand Passport into an authentication system for credit card purchases, and government entities have considered using Passport as an authentication agent for e-gov services.”
EPIC recommends that the FTC should require greater transparency and limit Passport’s functions to reduce security risks.
Finally, EPIC suggests that Microsoft’s security assessments should be made public, and that the FTC should “ensure that Microsoft is complying with the EU-US Safe Harbor, and that specifically, access to the entire Passport profile for correction and deletion is possible.”