Privacy group urges states to halt Microsoft's Passport
By Brian Sullivan
(Jan. 29, 2002)
Saying the federal government isn't doing enough to ensure consumer privacy, the Electronic Privacy Information Center (EPIC) has sent an open letter to the attorneys general in all 50 states to stop what it claims are Microsoft Corp.'s unfair and deceptive business practices surrounding the company's Passport service.
In the letter to the attorneys general, the consumer privacy group said it chose to go to the states because of its frustration with the lack of action by the Federal Trade Commission (see story). "We have repeatedly urged the Federal Trade Commission to investigate this matter in two separate filings, but the commission has failed to act," said the letter, which was signed by Marc Rotenberg, EPIC's executive director; Chris Hoofnagle, legislative counsel; and Nathan Mitchler, law clerk.
In a telephone interview Tuesday morning, Hoofnagle said the first time the FTC pursued a company for negligent privacy violations was this month. In contrast, the states have a long history of investigating and prosecuting privacy violations, he said.
Among EPIC's objection to Passport are the following:
It can be used to profile users' browsing and shopping behaviors.
Microsoft has said it wants all Internet users to hold a Passport account.
Passport's security flaws could expose subscribers' personal information, including credit card numbers.
By tying Passport to other services, such as Hotmail and online customer support, Microsoft has already acquired more than 200 million Passport accounts.
Microsoft this afternoon denied EPIC’s charges and said the privacy organization “completely misrepresented Passport.”
“Really nothing has changed in terms of their complaint and our assurance that their claims are totally unfounded,” said Tonya Neff Klause, spokeswoman for Waggener Edstrom, which represents Microsoft. “They must have totally missed Microsoft’s fall federation announcement.”
Last September, Microsoft announced that it would alter Passport’s authentication system to interoperate with similar services from competing companies (see story).
“Microsoft is committed to putting people in control of their personal information,” Klause said.
Hoofnagle said Microsoft has begun to push Passport on a variety of different fronts to gain subscribers. For instance, he said, some functions of Microsoft Money applications, its personal finance software, are available now only to Passport subscribers. An increasing number of Web sites that have partnerships with Microsoft have also begun to require Passport registration, thus removing consumer choice, he said.
Hoofnagle also said that because it has been shown that Passport has some security flaws, Microsoft's claim that all information is private and secure is a deceptive business practice and the company should stop making such claims.
While EPIC doesn't expect an immediate response to its letter to the state attorneys general, Hoofnagle said it was the best strategy the group could pursue. The states have much tougher privacy legislation, he said, pointing to a California law that bans unconstitutional seizures of private information by both governments and businesses as an example.
He also said that the state officials may be more willing to act because being seen as a protector of consumer rights is always a benefit at election time, and most of the state attorneys general are elected.