Privacy advocates filed an updated complaint with the Federal Trade Commission on Wednesday charging that Microsoft’s Passport service harms the privacy and security of “over 100 million” computer users, and that, consequently, it constitutes an “unfair and deceptive” trade practice.
Passport — a “sign-in service” that allows Internet users to log on to participating services without re-entering information each time — is integrated into Microsoft’s upcoming Windows XP operating system. It is also central to Microsoft’s own Internet services, such as Hotmail and MSN, and it is part of the company’s .Net initiative.
The new filing (PDF) amends the groups’ July complaint (PDF) to the FTC, in which they said that Passport’s proliferation in Windows XP would allow the company to “profile” consumers online.
In the new filing, the Electronic Privacy Information Center, Junkbusters and other privacy groups say that after tinkering with the system and reading a lot of press reports about XP, they found more objectionable things.
They discovered, for example, that “Passport provides no mechanism for users to cancel their account and permanently delete their personal information from Microsoft servers.”
The complaint adds that people “who have requested that their personal information be removed from Microsoft servers have been told by the company they will have to wait one year for their accounts to expire” — which the groups say is not acceptable.
They also state that “Microsoft is attempting to eliminate anonymity on the Internet to enable .Net, a distributed computing platform…. If unchecked, Microsoft’s distributed computing platform will result in users being required to identify themselves to merely surf the Internet.”
At a press conference at the National Press Club in Washington, Marc Rotenberg, EPIC’s executive director, said that “it’s not our goal to unnecessarily delay the launch of XP,” but the fact that they have found all these problems with Passport indicates that “there might be a lot more here that we don’t know about, which is why we need the FTC.”
The FTC is only empowered to prevent “deceptive” practices on the part of companies. In their statements on Wednesday, the groups tried to explain why they thought Microsoft’s privacy policies were unlawfully deceptive.
As Jason Catlett, the president of Junkbusters, put it: “They’re saying it’s going to be secure when it’s not. They’re plainly on the wrong side of the FTC act. They’re collecting information under false pretenses by misleading consumers, and that’s just illegal. They should be on the right side of trade practices law — but that might sound like a lot to ask of a company like Microsoft.”
Microsoft, naturally, disagreed. “Microsoft shares EPIC’s views that privacy is important,” spokeswoman Tonya Klause said, but the groups’ complaints are “unfounded.”
Responding to their specific concerns, Klause noted that the next release of Passport — version 2.0, which will be out “within weeks” — will feature an account-deletion feature. She added that Passport only asks for the barest of information from users — an e-mail address and a user’s country, state and zip code. All of the .Net services are completely “opt-in,” she noted.
And to the extent that one of those extended .Net services (such as the online wallet service, called MyWallet) asks for more than an e-mail address and a zip code, “this information is completely private, secure, not mined, sold, rented, or ever used for secondary purposes. It’s not mined at all, period.”
Considering this, she said, the groups’ comments “demonstrate a misunderstanding of the products, services and technologies that they’re attempting to challenge. EPIC continually alleges unfair and deceptive trade practices when what’s at issue, really, is a difference over the best way to implement privacy — which is an ongoing discussion.”
Klause’s claim does have merit: Reading the groups’ complaint, it is indeed possible to find instances where they misunderstand the technical issues, or exaggerate the nature of Microsoft’s sins.
For example, the privacy advocates take issue with XP’s support of digital rights management, which is a scheme built into the system to protect against the copying of audio, video and other copyrighted content.
“Microsoft concedes that this system will be used to monitor Internet users and has stated that XP will enable an ‘aggressive Internet surveillance program … that searches for unauthorized distribution of eBook content 24 hours a day, seven days a week,'” the complaint said.
But that citation is taken dangerously out of context — it suggests that XP will monitor “Internet users,” when in fact the entire paragraph (from a Microsoft site) says that an “intelligent Internet search tool” will scour the Internet for copied e-books. This type of thing might be anathema to free-loving Internet users, but it really doesn’t have anything at all to do with Passport or XP.
Klause added that the groups didn’t bother to look at the sections of the Windows Media Player privacy statement that describe Microsoft’s anti-piracy procedures, which she insists do maintain a user’s privacy.
When pressed, some of the privacy advocates admit that their quarrel with Passport is really more over its existence than its implementation. Catlett said he thinks Microsoft’s current behavior is “deceptive” and, therefore, illegal. But even if the company does make the concessions privacy advocates are demanding in this complaint, “there would still be very large concerns over their very large database.”
“You have to ask if it’s possible to have a system like Passport that’s secure,” he said. “A better architecture would be one where instead of having all the personal information in some gigantic database, personal information is stored on someone’s PC and only goes out when a person consents. There are architectures like that but MS didn’t try to use it.”
He said the central database “imposes a privacy risk, and when you add Microsoft’s horrendous record on security, that’s not a good thing.”
But Klause said that a central database is necessary for some of the services being proposed for .Net. “Central architecture allows roaming and connectivity to the information on any device at any time,” she said. “You should note, too, that individual PCs could never have the kind of security that you could implement on a database.”
That’s a statement with which many will disagree, but many things in computer security and privacy are up for debate, Klause said. “We welcome a frank and in-person dialogue with the privacy advocates who have to date not bothered to reach out to us,” she added. “They seem intent on bringing their issues to the press. We share their concerns about consumer privacy.”
But Catlett insisted that Microsoft’s practices would be best curbed by a regulatory agency. “We hope that they will quickly order Microsoft to make some changes,” he said. “I don’t know how likely it is. The FTC is the de facto protector of privacy and if they drive past this bleeding corpse on the sidewalk, they’re obviously asleep at the wheel.”