Q&A: Microsoft’s Agreement with the Federal Trade Commission on Passport

REDMOND, Wash., Aug. 8, 2002 — The Federal Trade Commission (FTC) in Washington, D.C. announced today an agreement with Microsoft concerning the Passport authentication service. To answer questions about the agreement, PressPass spoke with Brad Smith, Senior Vice President and General Counsel, and Brian Arbogast, the Microsoft corporate VP responsible for Passport.


PressPass: What exactly is the agreement with the FTC?

Smith: Last August the FTC approached us about how we described some of our privacy and security measures in Passport. And for the last year we have worked to provide the FTC with information about our policies and security measures and to answer their questions. At the end of the process they had four specific concerns. This agreement addresses their concerns and puts specific processes in place to assure our customers that we are meeting a high bar for security and privacy protection. It also governs the way we communicate with consumers about our service going forward.

PressPass: What, exactly, is Passport?

Arbogast: Passport is an online service that makes it possible for you to use your e-mail address and a single password to sign in to any Passport-participating Web site or service.

PressPass: What did the FTC say you did wrong?

Smith: Much of the discussion with the FTC focused on what should be considered “reasonable” online security measures. The FTC’s complaint asserts that we should have taken additional security steps earlier in the operation of the Passport service. We understand this concern. While we always believed that we were employing reasonable and appropriate security measures, we recognize that network security constantly evolves. A level of security that seemed reasonable when we launched Passport in 1999 does not seem so reasonable by today’s norms. Hence, even though we know of no instance where a Passport user’s information has ever been compromised, in hindsight we wish we had held ourselves to an even higher bar. Consistent with our heightened security obligations, we accept responsibility for the past and will focus on living up to this high level of responsibility in the future.

PressPass: What does this agreement mean for the future of Passport?

Arbogast: We have been working to raise the bar for Internet security and privacy and believe that the agreement with the FTC will raise it further — for both ourselves and industry. The agreement will help reinforce the industry’s commitment to improving security, and we are committed to meeting and working to exceed this standard. We realize some of our statements in the past could have been clearer and in some cases less enthusiastic. We’ve already changed them, and are working to complete an independent audit which will give our customers added confidence that we are meeting this high bar.

PressPass: What exactly are you committing to as a result of this order?

Arbogast: At a high level, we are committing to not only meet a high bar for security and privacy for our service, but to prove that we are meeting the bar that has been set. For example, we will document the comprehensive information security program that protects the security, confidentiality, and integrity of the personal information collected from our customers. We will also ensure that a third-party professional firm reviews, advises us, and ultimately certifies that our information-security program is designed and operates with sufficient effectiveness to provide reasonable assurances that the security, confidentiality, and integrity of every Passport user’s information is protected. We will also ensure that all of the statements we make about the service are accurate and clear. Finally, we will strengthen training for all the managers involved with Passport, to ensure that they understand and comply fully with this order.

PressPass: Let’s go through the four concerns of the FTC point by point. First, the FTC said that you failed to implement and document procedures to prevent, detect, monitor or document unauthorized access.

Smith: We have always believed that the security measures deployed at Passport have been reasonable and appropriate relative to industry standards and norms. But we recognize that security needs have evolved, and a level that we considered reasonable when we launched the service in 1999 is no longer reasonable today. We have continued to advance and improve the service’s security and privacy. In some cases, this has meant introducing new technologies, and in other cases it has meant creating new processes and procedures. The FTC’s complaint asserts that some of these technologies and procedures should have been in place and fully documented from Passport’s inception. We understand this concern, and we are confident that we are on a path to meet the current high bar for security and that this will be confirmed when the third-party audit we agreed to conduct is completed.

PressPass: Second, the FTC asserts that you were incorrect in your statement that purchases using a Passport Wallet are safer or more secure than purchases made without a Wallet.

Smith: What we were intending to convey was that using Passport Wallet at a Passport Wallet site is often “safer” and “more secure” than making a credit card purchase at another site that did not utilize the same encryption technologies to protect user credit card data. Passport Wallet sites are required to employ encryption technologies that clearly are safer than providing credit card information in the clear. The FTC’s complaint asserts that some people may have thought we were comparing a Passport Wallet purchase and a non-Wallet purchase made at the same site, and that at most sites encryption is used whether you use a Wallet or not. While it is worth noting that many Passport Wallet merchants did not adopt these encryption technologies until they were added as support for the Passport Wallet, we have recognized the FTC’s point and have already changed the language in our advertising.

PressPass: The FTC also claims that you collected some information that was not mentioned in your privacy policy.

Smith: The FTC made a very thorough review of our Passport privacy statement, as well as our related policies and procedures. After this review, the FTC Complaint asserts that only one thing was not adequately described. That is a temporary log that we keep and use to permit our customer service representatives to support Passport users who have contacted our support team. It’s important to note that no personal information has been shared with anyone else or misused in any manner as a result of these temporary logs. The FTC Complaint itself recognizes that the log is only “linked to a user’s name in order to respond to a user’s request for service.” We have already changed our Privacy Statement to clearly describe this temporary log and its limited use. We believe that our privacy commitment to consumers has always been strong, and we are heartened by the fact that this one readily correctable omission was the only issue identified over the course of this in-depth review by the FTC.

PressPass: The Complaint says that Kids Passport claimed to provide parents with certain controls that it does not provide.

Smith: The FTC’s Complaint asserts that our original Web materials relating to Kids Passport were not as clear as they should have been in describing the capabilities and the limitations of the Kids Passport service, particularly in that it only permits users to control information provided to sites that are Kids Passport sites. It also asserts that it has been possible for some children to get around some of the parental controls that Kids Passport does provide. While we believed at the time that we were making a fair representation of the features and limitations of our service, we understand the FTC’s concerns. We have taken steps to make the parental controls provided by Kids Passport more “kid-proof,” and we have revised the description of Kids Passport in our Web materials and privacy statement to clarify the points raised by the FTC. In fact, Kids Passport recently received certification from TRUSTe, an independent non-profit initiative whose mission it is to build trust and confidence in the Internet.

PressPass: How long will you be under this order?

Smith: The order lasts for 20 years, but we plan to continue third-party audits of the Passport service indefinitely as part of our normal operations and as a good tool to give partners and consumers assurance that the operations of the Passport service continue to meet a high bar.

PressPass: What do you see as the long-term significance of this FTC/Microsoft Agreement for industry?

Smith: We appreciate that governments will continue to consider Internet security and privacy a high priority, and we share that priority. In the end, we believe that a coordinated response to online security and privacy issues offers the greatest hope for promoting trust online and for fostering the growth of a vibrant online economy. Industry and government will be most successful in promoting and protecting online security and privacy if these efforts are grounded in dialog and cooperation. The agreement with the FTC reflects this principle.