The FTC, which launched an investigation into Passport’s
security and privacy practices a year ago following a complaint
filed by EPIC, found that Microsoft misled consumers by overstating
the privacy and security standards of the Passport, Kids Passport
and Wallet authentication services.
The FTC and Microsoft finally settled the investigation in
August with a consent agreement, which orders the software giant to
cease the misrepresentation of the service and to adopt higher
privacy and security standards. Microsoft also agreed to biannual
audits for the next 20 years.
EPIC claims in a letter sent to the FTC that, although the
agreement would “go far in improving security and privacy”,
Passport is still experiencing security breaches. The group also
argues that “consumers are resistant to authentication systems, and
that a majority of Passport users enrolled simply because Passport
was necessary for access to some other service.”
Despite these facts, the group claims Microsoft “has attempted
to expand Passport into an authentication system for credit card
purchases, and government entities have considered using Passport
as an authentication agent for e-gov services.”
EPIC recommends that the FTC should require greater transparency
and limit Passport’s functions to reduce security risks.
Finally, EPIC suggests that Microsoft’s security assessments
should be made public, and that the FTC should “ensure that
Microsoft is complying with the EU-US Safe Harbor, and that
specifically, access to the entire Passport profile for correction
and deletion is possible.”
Disclaimer: We hope you find OUT-LAW’s content useful. It’s prepared by the lawyers at Pinsent Masons. Please remember, though, that it’s intended as general information only. It’s not legal advice.