October 23, 2001

Dear Chairman Muris,

On July 26, 2001, we submitted a complaint to the Federal Trade Commission endorsed by fifteen leading consumer advocacy groups detailing the serious privacy implications of Microsoft Windows XP and Microsoft Passport, and alleging that the collection and use of personal information by the company would violate Section 5 of the FTCA. On August 15, 2001, the groups submitted a supplement to the FTC further detailing the specific ways in which Microsoft XP and Passport would harm the consumer interests you have been charged with protecting.

On October 25, 2001, Microsoft, the world’s largest software company, will release Windows XP. Already, the vast majority of consumers use a version of Microsoft operating systems, and it is expected that Windows XP will be used by millions of consumers. Despite detailing numerous privacy issues associated with XP in the July and August filings, the FTC has taken no public action to protect consumers and has failed to address the allegations set forth in our complaint.

Microsoft attempted to address the privacy risks presented in Passport by requiring Passport-affiliated sites to use the Platform for Privacy Preferences (P3P). As we have detailed in the past, P3P is not a privacy-enhancing technology.(FN1) Additionally, the Gartner Group commented that including P3P on Passport-affiliated sites is a "short-term solution that offers no real benefit to consumers."(FN2) Further, employing P3P on affiliate sites does not address the core issue presented by collection of consumers’ information by Microsoft. Microsoft’s ability to track, profile, and monitor the 165 million Passport users has far-reaching and profound implications for privacy protection in general and in particular with regard to the growth of electronic commerce.

Microsoft announced plans to make Passport more open to other companies, and falsely claimed this as an improvement in privacy. Although this change may address other legal concerns, it does not address the major privacy and unfairness objections in the groups complaint.

Since filing our August supplement, a series of serious security lapses has occurred involving Passport and the platform on which the service is maintained. The security lapses further support our claims that Microsoft’s guarantees of privacy and security are deceptive and unfair to consumers. Further, Microsoft’s failure to disclose the actual risks associated with the collection and use of personal information in the Passport service constitutes an unfair and deceptive trade practice. It is now clearer than ever that the FTC must therefore take action under Section 5 to safeguard consumer interests.

By the end of September, security incidences with Microsoft’s IIS led the Gartner group to recommend those running the "high risk" Microsoft IIS web server software should switch to non-Microsoft solutions.(FN11) Despite these events, users of Microsoft XP will be nagged to sign up for Passport in the second through sixth attempts to connect to the Internet.(FN12)

We urge the FTC to immediately take action on our July and August filings. We once again write to ask the FTC to protect consumers from the harmful consequences of the impending release of Windows XP. We renew our call for the remedies included in our earlier filings, which included:

As Microsoft has failed to take remedial action to remedy the harm to consumer privacy that we first identified with our original filing, we further request that:

We look forward to your response to these issues.


Jeff Chester
Executive Director
Center for Digital Democracy

Gabriela Schneider
Policy Analyst
Center for Media Education

Coralee Whitcomb
Computer Professionals for Social Responsibility

Ken McEldowney
Executive Director
Consumer Action

Frank Torres
Legislative Counsel
Consumers Union

Chris Hoofnagle
Legislative Counsel
Electronic Privacy Information Center

Lee Tien
Senior Staff Attorney
Electronic Frontier Foundation

Jason Catlett
Junkbusters Corp.

Andrew Schwartzman
President & CEO
Media Access Project

Audrie Krause
Executive Director

Beth Givens
Privacy Rights Clearinghouse

Ed Mierzwinski
Consumer Program Director

Senator Ernest Hollings
Senator John McCain
Representative William Tauzin
Representative John Dingell

FN1. Electronic Privacy Information Center & Junkbusters, Pretty Poor Privacy: An Assessment of P3P and Internet Privacy, June 2000, http://www.epic.org/reports/prettypoorprivacy.html.
FN2. Arabella Hallawell, Commentary: Passport needs better privacy, CNET News.com, August 23, 2001, at http://news.cnet.com/news/0-1003-201-6952893-0.html.
FN3. Byron Acohido, Expert hacks Hotmail in 1 line of code, USA Today, August 30, 2001, page 1B.
FN4. Vito Pilieci, Hackers post code opening access to Hotmail content, Ottawa Citizen, August 21, 2001, page B1.
FN5. Brian McWilliams, Windows 2000 Port Invites Intruders, Newsbytes, August 26, 2001, at http://www.newsbytes.com/news/01/169408.html.
FN6. Robert Lemos, Microsoft sews up Hotmail hole, ZDNet News, August 21, 2001, at http://www.zdnet.com/zdnn/stories/news/0,4586,5096001,00.html.
FN7. Joris Evers, Microsoft Sees Red: Worm Infects Its Own Servers, IDG News Service, August 9, 2001, at http://www.pcworld.com/features/article/0,aid,57584,00.asp.
FN8. Robert Lemos, Nimda still a global threat, CNET News.com, September 24, 2001, at http://news.cnet.com/news/0-1003-200-7285499.html.
FN9. Paul Festa, Microsoft closes window to customer data, CNET News.com, October 10, 2001, at http://news.cnet.com/news/0-1005-200-7475010.html.
FN10. David Berlind, Microsoft.com error reveals IDs, passwords, ZDNet, October 16, 2001, at http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2818129,00.html.
FN11. John Pescatore, Commentary: Another worm, more patches, CNET News.com, September 20, 2001, at http://news.cnet.com/news/0-1003-201-7239473-0.html.
FN12. Windows XP: Battle over the Internet, ZDNet News, October 17, 2001, at http://chkpt.zdnet.com/chkpt/xlink130/http://www.zdnet.com/zdnn/stories/news/0,4586,2818238,00.html.