On July 26, 2001, and again on Aug. 15, a consortium of organizations led by the Electronic Privacy Information Center (EPIC) and collectively referred to as EPIC filed a request with the
Federal Trade Commission (FTC) to investigate
“privacy implications of Microsoft products and services,”
and in particular, Microsoft Corp.s efforts to provide consumers with a uniform method of doing business on the Internet. Simultaneously, the group launched an aggressive media campaign designed to raise concerns over legal issues regarding the implementation details of Microsofts products, and, although privacy parties cannot actually initiate a legal proceeding by filing a complaint with the FTC, it is readily apparent to Microsoft that these groups actual interest is in using the trappings of a legal procedure to generate press attention for their own agendas and their own philosophical opposition to the technology itself, in whatever form it might be implemented.
More important, both the original and the supplemental allegations made by EPIC are replete with factual errors, misrepresentations and speculations that demonstrate fundamental misunderstandings of the products, services and technologies they challenge, as well as the legal standards for proving an unfair or deceptive trade practice under section 5 of the FTC Act. Indeed, the complaints repeatedly allege
“unfair and deceptive trade practices”
solely on the basis that EPIC disagrees with or is dissatisfied with private-sector efforts to protect consumer privacy.
It would, of course, be deceptive if Microsoft Corp.s privacy statement included specific statements about its products or services that were untrue, but, even though it has obviously scoured through the companys products and Web materials with great care, EPIC has not pointed to any specific content that is untrue or misleading. The EPIC complaint reflects a dislike for products and services that permit consumers to choose to store their personal information on a single server, especially one operated by Microsoft, but it has not and cannot identify any information Microsoft has provided about that service which is false or omits material information.
Microsoft has continuously sought to improve its products and services in ways that protect user privacy. The Microsoft Passport service update announced recently has been in the works since well before the original complaint was filed — in some cases, these improvements have been planned for many months. It is not only inaccurate but naive for EPIC to allege that these changes were developed overnight in response to its July 26 complaint.
Microsoft welcomes frank, in-person dialogue with privacy advocates, and in fact the company has an open line of communication with several leading organizations. Microsoft shares their goal of building a trusted Internet for consumers and business users, and our future success with Passport is dependent on our ability to protect the privacy of our users. Wed prefer such an open discussion with privacy advocates, but they have not reached out to us and have stated publicly that they have no desire to talk to Microsoft until the FTC has decided whether to act on their complaint. They seem intent on bringing their issues to the press and to government regulators.
Passport and
“
HailStorm
”
Put Users in Control of Their Personal Information
Consumers today can choose to enter and re-enter authentication information every time they make a transaction. Alternatively, consumers can choose to store that authentication information with Passport and transfer it by deliberately and intentionally signing in at participating Passport sites, thereby choosing to share their Passport information with those sites on a case-by-case basis. The
“HailStorm”
initiative will expand this concept to allow users to control with whom they share a broader range of information types. EPIC has not identified any respect in which it is
“unfair”
or
“deceptive”
to provide this more convenient choice to consumers who prefer it and who decide to utilize it. EPIC would prefer to deny consumers this opportunity largely because it has a different idea of how to best protect consumer privacy.
In addition, contrary to the suggestions made in the complaint, Passport does not use the personal information stored in a Passport profile for any purpose other than the operation of the Passport service. Of course, once a user chooses to share any Passport data with a participating site, that sites use of the data is subject to the sites own practices as described in the sites privacy statement. Although Passport requires participating sites to post a privacy statement that meets certain minimum standards, it is made very clear to users that the privacy practices of Passport-participating sites will vary and that they should review the privacy statement for each participating site before choosing to sign in, to ensure that they are comfortable with how each site or service will use the information it collects.
Windows Does Not Require Any User to Create or Use a Passport Account
The EPIC complaint falsely suggests that Microsoft has
“unfairly”
tied Passport to the Microsoft Windows XP operating system, to
“HailStorm”
and to other Microsoft products or services. In fact, Passport is an option, not a requirement, for the use of Windows XP. A Passport is needed only if the user wants to use Internet services that employ Passport as the authentication mechanism (such as Windows Messenger). The actual behavior of the current public RC1 version of Windows XP is as follows: The second time the user connects to the Internet a small yellow
“balloon”
appears that invites the user to use Messenger. That balloon does not interrupt what the user is doing in any manner. If the user clicks on the balloon, the Passport registration wizard starts. The user can cancel the wizard, and Windows XP will continue to work as before. However, because a Passport is needed to sign into Messenger, users that cancel the wizard will not be able to use Messenger. Whats more, PC manufacturers can choose to disable this experience for users if they want.
Kids Passport Protects the Privacy of Children and Meets the Requirements of COPPA
At the heart of Kids Passport is affirmative parental consent that oversees the use of a childs information on a site-by-site basis. Parents must deny or give limited or full consent for the collection, use and disclosure of any child information, and parents can change the consent selections at any time. The sites using Kids Passport will not collect, use or disclose a childs information except in accordance with a parents consent decisions.
Kids Passport meets or exceeds all requirements of the Childrens Online Privacy Protection Act (COPPA). Kids Passport was designed from the start as a mechanism to protect childrens privacy and to fully comply with the requirements of COPPA. In fact, in designing and implementing Kids Passport, Microsoft worked closely with FTC staff to make sure that it met the letter and the spirit of the law and the implementing regulations.
The Kids Passport parental consent mechanism not only is used by Microsoft sites to comply with COPPA, but is also available as a tool to assist other Web sites in their COPPA-compliance efforts. It is ironic that EPIC would choose to allege violations of COPPA with respect to a service that has significantly raised the bar for protecting childrens privacy and has established Microsoft as the company that has gone the furthest to develop a comprehensive COPPA solution for itself and other sites on the Internet.
The supplemental complaint suggests that it is somehow a violation of COPPA to tell parents to review the privacy statements of a site before granting consent for that site to collect and use personal information from their children. It is obviously very important for parents to be fully informed about a Web sites privacy practices before they give consent for their children to provide personal information to the site. In fact, it would be irresponsible and contrary to the spirit of COPPA for Microsoft to suggest that parents should give consent for a particular site to collect and use personal information from their children without the parent first understanding how that site would use the information. In suggesting otherwise, the supplemental complaint erroneously cites a specific provision of the COPPA regulations. In fact, the complaint quotes language that is not part of the FTC final rule implementing COPPA. Instead, it is a statement, taken out of context, from the supplementary information included with the rule, which discusses situations in which multiple parties collect information through a single Web site. But this is not how Kids Passport works. Rather, the Kids Passport service collects certain information from parents and children on the http://kids.passport.com/ domain as part of the account creation process. Some participating Passport sites may collect additional information on their sites (e.g., in a contest or promotional offer). But there are no cases where Kids Passport collects additional information from a user on a participating site. Thus, neither the
“multiple party”
scenario nor the language cited in the complaint has any applicability to the Kids Passport service.
Indeed, the complaint seems to suggest that COPPA requires Microsoft to create a single amalgam privacy statement for all the COPPA-regulated sites that may become Kids Passport participants. But COPPA does not irrationally require that any such confusing amalgam be created. Instead, COPPA is satisfied by, and Passport conveniently provides ready access to, the actual privacy statements of participating sites.
Moreover, it is important to remember that sites directed at children have an independent legal obligation to fully comply with COPPA. The failure of any such site to comply with the law, whether or not it implements Kids Passport, will subject such a site to legal action.
Deleting Passports
There is no legal requirement that users must be able to delete an account. Moreover, Microsoft has never made any claim that users can immediately delete a Passport, so the complaints assertion that not providing this feature is somehow deceptive is completely meritless. In
addition, the complaint is simply wrong in asserting that users cannot delete the personal information in a Passport account. Today, users can black out most of the information in a Passport profile by going to Member Services and changing the fields to a series of X or other arbitrary characters. And if a user insists that a Passport account be completely deleted, that can be done manually on a case-by-case basis. A future upgrade to Passport (currently scheduled for February 2002) will contain an automated, user-accessible way to completely delete a Passport.
However, it is important to understand that deleting a Passport may have a number of unintended consequences, including those that could diminish a users individual privacy. For example, users who delete their Passport account will no longer be able to authenticate themselves to sites and services that use Passport as the authentication mechanism, and therefore may no longer be able to access their personal information stored by Passport-enabled sites. They would thereby lose the ability to access and control the use of personal information associated with those accounts. As a result, it would be a disservice to users to make it easy to casually delete a Passport without a full understanding of the consequences. In this respect, as in others, Microsoft has continuously sought the best balance in its effort to protect and enhance users privacy.
Alleged Security Defects in Passport
Microsoft takes security very seriously. Passport employs multiple layers of the most advanced security technologies and systems that are designed to prevent unauthorized access to users personal information. These measures include the storage of Passport information in a secure, access-controlled database at Microsoft. This database is not connected directly to the Internet and is protected by hardware devices that deny unauthorized requests for data. Sensitive data is strongly encrypted before it is stored on disk in Passport databases, and strong encryption is used to protect passwords and personal information when sent over the Internet.
The complaint and the supplemental complaint make several general allegations about the lack of security of Passport. However, the complaint fails to cite a single statement by Microsoft that is untrue or
“deceptive”
in any way. More important, the complaint fails to back up its general allegations with specific examples. The general claims made by Kormann and Rubin, and repeated in the supplemental complaint, have been previously addressed by Microsoft ( http://www.passport.com/Press/RubinKormann.asp ). Despite Passport having millions of users and engaging in billions of authentications, the complainants have been unable to cite any example of Passport data actually being compromised.
Microsoft and Windows are registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
For more information, press only:
Tonya Klause, Waggener Edstrom, (703) 724-9733, [email protected]
Rapid Response Team, Waggener Edstrom, (503) 443-7070, [email protected]
