All kinds of restrictions for Microsoft and its single sign-on...
By Joe Wilcox
Microsoft on Thursday agreed to make sweeping changes to its Passport authentication system as part of a settlement agreement with the Federal Trade Commission.
The settlement addresses allegations that Passport collects too much information, uses unfair or deceptive practices, and fails to adequately protect the privacy or security of personal information, particularly of children. The FTC's investigation and settlement came in response to a series of complaints made against Passport last summer, said agency chairman Timothy Muris.
Passport is Microsoft's online authentication system, which allows customers to use single sign-in to access multiple web services. The idea behind Passport is simple: Microsoft collects and stores an ID, password and other personal information such as a shipping address or credit card number.
This electronic 'wallet' then travels around the web with a consumer, making it easier to engage in a range of online transactions, such as banking, making travel plans or subscribing to an online publication. AOL Time Warner and Sun Microsystems have backed services using a similar concept.
Microsoft uses Passport authentication for its MSN Messenger and Hotmail email services, Microsoft Developer Network online access, and Microsoft Reader e-book purchases, among other product and service offerings. The service also is a cornerstone for .Net, Microsoft's slowly evolving web services strategy.
But critics have assailed the plan on several fronts, particularly privacy and security, and the FTC on Thursday agreed on some points.
"We believe that Microsoft made a number of misrepresentations, dealing with, one, the overall security of the Passport system and personal information stored on it; two, the security of online purchases made with Passport Wallet; three, the kinds of personal information Microsoft collects of users of the Passport service; and four, how much control parents have over the information collected by websites participating in the Kids Passport program," Muris said during the conference call.
As part of the settlement agreement, Microsoft has changed its privacy statements to accurately reflect what information is collected and how it is used, Brad Smith, Microsoft's general counsel, said in a separate conference call.
In an eight-page settlement released Thursday, Microsoft also agreed not to engage in unfair or deceptive practices and to protect the security and privacy of personal information.
The settlement "prohibits Microsoft from misrepresenting its privacy and security practices," Muris said. "The settlement... also requires Microsoft to establish a programme to protect the security, confidentiality and integrity of its customers' personal information."
Microsoft is bound by the agreement for 20 years, which is the customary time period for settlements of this type.
"We're just, in fact, at the beginning of the FTC's oversight of Microsoft's online services," said Marc Rotenberg, director of the Electronic Privacy Information Center (EPIC), in a separate conference call. "This is a very big development."
Joe Wilcox writes for ZDNet.com