Microsoft Settles Net Privacy Claim

Microsoft Corp. agreed to a landmark 20-year settlement with the Federal Trade Commission on Thursday, resolving a sweeping claim that the software giant falsely promised 200 million consumers that their personal information was secure and private when stored in its Passport online identity service.

Microsoft agreed to improve Passport’s security, test the new measures’ effectiveness, fix any breaches and submit to regular audits by an independent firm. Any misleading statements could bring fines or other punishment to the Redmond, Wash.-based company.

“Privacy and security promises must be kept,” FTC Chairman Timothy Muris said. “Microsoft made a number of misrepresentations.”

Passport stores information about the identity of computer users and sometimes their credit card numbers and e-mail addresses, so consumers don’t have to reenter the data as they move from one site to another.

Microsoft requires Passport for use of its Hotmail e-mail system and some other services. The company abandoned plans last year to require Passport registration for other functions, but it still touts it as a gateway to enhanced services in development.

After a year’s investigation, the agency accused the world’s most powerful software company of:

* Asserting that credit card and other sensitive information assembled by Passport would be guarded by “powerful online security technology,” when it didn’t have high security.

* Boasting that Passport enabled faster and safer online purchases, when most purchases would have been just as safe without it.

* Telling parents that a children’s version of Passport would stop Web sites from harvesting such personal information as full names, when it didn’t.

* Failing to disclose in the service’s privacy policy that Microsoft was logging and storing data about which Web sites Passport users visited.

The FTC reached no conclusion on whether Microsoft intended to deceive its customers, and it said it found no security breaches. An independent researcher last fall showed that Passport was vulnerable to a hack through Hotmail, and Microsoft fixed the problem.

Microsoft said its missteps were unintentional and that it had kept information about user habits on hand only in case Passport subscribers called with a problem.

“The FTC is setting a high bar not only for Microsoft, but for our entire industry,” Microsoft general counsel Brad Smith said. “We believe consumers will benefit.”

Smith said that Microsoft looked forward to more constructive dialogue with government representatives. Since a January declaration by Chairman Bill Gates, security has been a top concern at the company, he said.

Microsoft also hopes to reach an agreement to end the European Union’s investigation of Passport, Smith said. The FTC action is by far the most aggressive to enforce the terms of privacy policies and other claims on business Web sites, even when those policies are read infrequently by Web surfers.

“The FTC is sending a signal to the entire online services industry that every single [business] is going to be held to a strict standard,” Prudential Securities legal analyst James Lucier said. Microsoft has changed the claims in its privacy policy for Passport and sends fewer automatic suggestions that computer users log in. Otherwise, consumers will see little immediate difference in their experience, Microsoft and FTC officials said.

The investigation began as Microsoft was readying the Windows XP operating system for release last year. The nonprofit Electronic Privacy Information Center and a dozen other groups complained to the FTC that Microsoft was implying that PC owners needed Passport to use Windows XP.

Instead, Passport was an optional service that Microsoft could tap to monitor user behavior. The software company could then charge merchants and consumers for services based on what it learned about its users. And Passport-affiliated Web sites had varying privacy policies, so users couldn’t be sure what each one would do with the Passport data.

Although the FTC’s findings were less serious than the original accusations, consumer advocates exulted over the settlement.

“The FTC over the years has been a bit skittish,” EPIC Executive Director Marc Rotenberg said.

“We have laws for video rental records and banking records, but the United States really doesn’t have a typical privacy law for Internet activities. This indicates that the FTC is prepared to use its authority in unfair and deceptive practices to protect privacy on the Internet.”

Microsoft shares rose $1.82 to $48.91 on Nasdaq.