Microsoft Passport Investigation Docket
- EPIC Urges FTC Investigation of WhatsApp Sale to Facebook: EPIC has filed a complaint to the Federal Trade Commission concerning Facebook's proposed purchase of WhatsApp. WhatsApp is a messaging service that gained popularity based on its strong pro-privacy approach to user data. WhatsApp currently has 450 million active users, many of whom have objected to the proposed acquisition. Facebook regularly incorporates data from companies it has acquired.The Federal Trade Commission has previously responded favorably to EPIC complaints concerning Google Buzz, Microsoft Passport, Changes in Facebook Privacy Settings, and Choicepoint security practices. However, the FTC approved Google's acquisition of Doubleclick over EPIC's objection. Facebook is currently under a 20 year consent decree from the FTC that requires Facebook to protect user privacy and to comply with the US-EU Safe Harbor guidelines. For more information, see EPIC: In re Google Buzz, EPIC: Microsoft Passport, EPIC: In re Facebook, and Privacy? Proposed Google/DoubleClick Merger. (Mar. 6, 2014)
- EU: Microsoft to Modify Passport. In a report (PDF) on online authentication services, the EU Working Party on Data Protection has identified several areas where Microsoft's Passport will be modified in order to comply with EU privacy rules. The report also discusses the Project Liberty system, and establishes guidelines on the implementation of future online authentication systems. In July and August 2001, EPIC and a coalition of consumer advocacy groups filed complaints with the FTC detailing the privacy risks associated with Passport. Those complaints resulted in an investigation and consent order with Microsoft. For more information, see the EPIC Microsoft Passport Investigation Docket, EPIC's Microsoft Passport Page, and EPIC's Liberty Alliance Page. (Jan 30)
- FTC Announces Action Against Microsoft Passport. The Federal Trade Commission (FTC) has settled a privacy enforcement action against Microsoft for violations associated with the Passport identification and authentication system. The agreement (PDF) requires that Microsoft establish a comprehensive information security program for Passport, and that it must not misrepresent its practices of information collection and usage. In July and August 2001, EPIC and a coalition of consumer advocacy groups filed complaints detailing the privacy risks associated with Passport. For more information, see the FTC's complaint (PDF), the EPIC Passport Investigation Page and the EPIC Sign Out of Passport Page. (Aug. 8)
- EU Officials Launch Investigation of Microsoft Passport. The New York Times reports that the European Commission is investigating the Microsoft Passport online identification and authentication program for privacy violations. EPIC filed complaints in July and August 2001 alleging that the Microsoft Passport system facilitates online profiling, and that the company has engaged in unfair and deceptive trade practices. Microsoft officials have stated that the goal of the system is to create a profile of every Internet user, to upsell individuals to subscription accounts, and to engage in ad targeting of Passport members. For more information, see the EPIC Sign Out of Passport Page. (May 28)
- Microsoft Backs Down, Privacy and Security Risks Bury Hailstorm. Microsoft has abandoned its Hailstorm or "My Services" platform because of privacy and security risks inherent in centralized storage of personal information. EPIC, along with fifteen leading consumer organizations, sent a series of complaints to the Federal Trade Commission in July and August 2001 detailing the privacy risks in the Microsoft Hailstorm system. For more information, see the EPIC Sign Out of Passport Page. (Apr. 11)
- Another Passport Hole Discovered. The newest exploit in Microsoft's .NET initiative allows access to Passport accounts through Hotmail. EPIC, in filings to the Federal Trade Commission and State Attorneys General, has detailed the risks of Passport and its numerous security holes. These filings are available on the Sign Out of Passport Page. (Feb. 12)
- EPIC Urges State AGs to Pursue Microsoft Passport. In a letter sent to state attorneys general across the nation, EPIC has urged authorities to protect citizens from the privacy and security risks of Microsoft Passport through the use of state laws against unfair and deceptive trade practices. For more information, see the EPIC Sign Out of Passport Page. (Jan. 29)
- EPIC Urges Congress to Question Microsoft Settlement Panel on Passport. EPIC has sent a letter to the Senate Judiciary Committee urging members to question witnesses at a hearing on the Microsoft antitrust settlement about the role that the settlement can play in addressing the security and privacy risks of Passport. Microsoft has positioned itself to make Passport the tollbooth to the Internet, but the antitrust settlement does not address how the company may use Passport to control access to content and e-commerce. (Dec. 11)
- Groups Urge Congress to Question Muris on Passport. EPIC and Junkbusters have sent a letter to members of the House Subcommittee on Commerce, Trade, and Consumer Protection urging them to question FTC Chairman Timothy Muris on the agency's efforts to protect consumers from Microsoft Passport. The FTC has not taken public action to protect consumers from Microsoft Passport despite receiving three filings from a coalition of fifteen consumer groups detailing the privacy implications of the system. Muris is scheduled to appear before the Committee on Wednesday to address issues challenging the FTC. (Nov. 5)
- Groups Renew Call for FTC Action on Microsoft XP. EPIC and a coalition of consumer and privacy groups have renewed their calls for FTC action to protect consumers from the privacy risks associated with Windows XP and Passport. In a letter sent to the FTC, the groups criticized the FTC for not upholding its statutory duty to protect consumers in light of planned release of Windows XP. More information on the groups' previous FTC complaints is stored on the EPIC Microsoft Passport Page. (Oct. 23)
- Privacy Groups File Updated Complaint at FTC, Allege Microsoft Passport Constitutes an "Unfair and Deceptive Trade Practice." At a press conference on August 15 at the National Press Club, EPIC, Junkbusters, the Center for Media Education, and other organizations announced the filing of an updated complaint (PDF) with the Federal Trade Commission containing new allegations about Microsoft Passport, and urged the Commission to open an investigation. Last month, the organization filed the original complaint (PDF) that was acknowledged (PDF) by the FTC. (Aug. 15)
- EPIC, Privacy Groups File Complaint at the FTC Regarding Windows XP. In a formal complaint (PDF) filed with the Federal Trade Commission, privacy and consumer groups allege that Microsoft is engaging in unfair and deceptive trade practices through the information collection capabilities of its new operating system. (Jul. 26)
In July and August 2001, EPIC and a coalition of fourteen leading consumer groups filed complaints with the Federal Trade Commission (FTC) alleging that the Microsoft Passport system violated Section 5 of the Federal Trade Commission Act (FTCA), which prohibits unfair or deceptive practices in trade.
The groups alleged that Microsoft violated the law by linking the Windows XP operating system to repeated exhortations to sign up for Passport; by representing that Passport protects privacy, when it and related services facilitate profiling, tracking and monitoring; by signing up Hotmail users for Passport without consent or even the ability to opt-out; by representing that the system complies with the Children's Online Privacy Protection Act; by not allowing individuals to delete their account; and by representing that the system securely holds individuals' data.
The groups requested that the FTC initiate an investigation into the information collection practices of Windows XP and other services, and to order Microsoft to revise XP registration procedures; to block the sharing of Passport information among Microsoft properties absent explicit consent; to allow users of Windows XP to gain access to Microsoft web sites without disclosing their actual identity; and to enable users of Windows XP to easily integrate services provided by non-Microsoft companies for online payment, electronic commerce, and other Internet-based commercial activity.
In April 2002, testimony from the Microsoft antitrust trial revealed that the company was attempting to profile users. According to a business plan introduced into evidence in the Microsoft antitrust trial, the company's "dream" with the Passport online identification and authentication system was to "create the largest and most leveragable database of profiles on the planet" and "[a] subscription relationship with every user on the Internet."
The testimony also showed that while Microsoft was urging individuals to reveal personal information, the company had no idea of how it was going to provide promised Hailstorm services. Responding to a June 2001 e-mail from his supervisor regarding provision of a base set of Hailstorm services, Vice President David Cole stated that "there's nobody that really knew how that was going to work or how that could possibly work."
Cole later testified that Microsoft's goal was to encourage "users to consume personalized content and services and therefore they need to sign up for a Passport." After collecting personal information, Microsoft's strategy was to leverage "contextual understanding for emergence." That is, Microsoft intends to use the personal data in order to improve profiling for ad targeting, and eventually to upgrade the individual to a paid membership account.
- Letter to State Attorneys General, January 29, 2002. This letter urges state authorities to protect consumers using state prohibitions against unfair and deceptive trade practices.
- Letter to the Senate Judiciary Committee, December 11, 2001. This letter urges members of the Committee to question witnesses on the role that the Microsoft settlement will play in protecting consumers from the privacy and security risks posed by Microsoft Passport and associated services.
- Letter to the House Subcommittee on Consumer Protection, November 5, 2001. This letter urges members of the Committee to question FTC Chairman Tim Muris on the FTC's failure to take public action against Microsoft.
- Letter to FTC Chairman Timothy Muris urging immediate FTC action to protect consumers from the privacy risks associated with Microsoft Windows XP and Microsoft Passport, October 23, 2001.
- Supplemental Materials in Support of Pending Complaint and Request for Injunction, Request for Investigation and for Other Relief (PDF), In Re Microsoft. This is a supplement filed with the Federal Trade Commission detailing security flaws in the Passport system, issues with Kids Passport compliance with the Children's Online Privacy Protection Act, and other new information that emerged after the filing of the original complaint.
- Acknowledgment from FTC (PDF). This is a letter from the FTC acknowledging the receipt of the Complaint and Request for Injunction.
- Complaint and Request for Injunction, Request For Investigation and for Other Relief (PDF), In Re Microsoft. This is a complaint filed with the Federal Trade Commission detailing how Microsoft has violated Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive trade practices.
Participants in the FTC Complaint
- The Electronic Privacy Information Center (EPIC) is a non-profit, public interest research organization incorporated in the District of Columbia. EPIC's activities include the review of government and private sector polices and practices to determine their possible impact on the privacy interests of the American public. Among its other activities, EPIC has prepared reports and presented testimony before Congress and administrative agencies on the Internet and privacy issues.
- The Center for Digital Democracy (CDD) is a non-profit organization that represents the interests of citizens and consumers with respect to new media technologies.
- The Center for Media Education (CME) is a national nonprofit, nonpartisan organization dedicated to creating a quality electronic media culture for children, their families, and the community. CME's report "Web of Deception" (1996) first drew attention to potentially harmful marketing and data collection practices targeted at children on the Internet and laid the groundwork for the Children's Online Privacy Protection Act.
- Computer Professionals for Social Responsibility (CPSR) is a public-interest alliance of computer scientists and others concerned about the impact of computer technology on society.
- Consumer Action is a 30 year-old, San Francisco-based non-profit education and advocacy organization. It works on a wide range of consumer and privacy issues in conjunction with its national network of 6,500 community-based organizations.
- The Consumer Federation of America (CFA) is a non-profit association organized in 1967 to advance the interests of consumers through advocacy and education. CFA's current membership is comprised of over 280 national, state, and local consumer groups throughout the United States, which, in turn represent more than 50 million consumers.
- The Consumer Task Force for Automotive Issues (CTFAI) was co-founded by Ralph Nader and Remar Sutton. CTFAI monitors auto fraud activities for consumer groups, attorneys general, and plaintiff firms. CTFAI has particular interest in consumer privacy since using the Internet is a common practice for consumers looking for information on cars and loans.
- The Electronic Frontier Foundation (EFF) is a non-profit organization based in San Francisco, California. EFF is a donor-supported membership organization working to protect our fundamental rights regardless of technology; to educate the press, policy makers and the general public about civil liberties issues related to technology; and to act as a defender of those liberties.
- Junkbusters is a privacy advocacy and consulting company based in New Jersey and incorporated in Delaware.
- The Media Access Project (MAP) is a non-profit, public interest law firm that promotes the public's First Amendment right to hear and be heard on the electronic media of today and tomorrow.
- NetAction is a San Francisco-based nonprofit organization that promotes use of the Internet for grassroots citizen action, and educates policy makers on technology policy. In 1997, NetAction launched a campaign that mobilized Internet users to pressure the Justice Department to enforce antitrust laws against Microsoft.
- The Privacy Rights Clearinghouse (PRC) is a nonprofit consumer information and advocacy program based in San Diego, California.
- U.S. Public Interest Research Group (USPIRG) serves as the national association of state PIRGs, which are independent, non-profit, non-partisan advocacy organizations around the country. U.S. PIRG and the state PIRGs have a long-standing interest in data privacy and data protection and have published a series of reports on privacy-related topics, including identity theft.
- The Consumer Project on Technology (CPT). CPT was created by Ralph Nader in 1995, to investigate consumer concerns with new technologies, including Internet, software and other information technologies. CPT and Mr. Nader played an important role in pushing for the Department of Justice to bring antitrust actions against Microsoft and other companies, and CPT investigates a number of consumer protection and intellectual property issues, as documented on its web site.
- Consumers Union (CU), the publisher of Consumer Reports, is an independent, nonprofit testing and information organization serving only consumers. CU is a comprehensive source for unbiased advice about products and services, personal finance, health and nutrition, and other consumer concerns. Since 1936, CU's mission has been to test products, inform the public, and protect consumers.
In March 2002, Dutch European Commission member Erik Meijer submitted a series of questions to the Commission regarding Microsoft Passport. Meijer questions to the body raised many of the same issues included in EPIC complaints to the U.S. Federal Trade Commission.
Meijer posed six questions to the Commission. The first regarded whether the Commission was aware of Microsoft Passport and its collection of personal information. The second illustrated that failure to enroll in Passport could result in exclusion from Internet sites, that deleting a Passport account is impossible, and that the password system could be cracked easily. The third raised the risk that individuals using public computer terminals may inadvertently pass on their information to the next user, and that Microsoft is poised to begin charging for the Passport service. The fourth asks whether it is lawful for Microsoft to build databases of personal information and if Passport is registered with national data authorities. The fifth asks whether European law enforcement agents can access personal information within Passport without notice and consent to the user. The sixth asks whether there is a new call for regulation to prevent abuse of personal information by Microsoft.
Frits Bolkestein issued an answer on behalf of the Commission on May 7, 2002. Bolkestein assured Meijer that the commission "is looking to this as a matter of priority, in concertation with national data protection authorities, as regards the system's compatibility (or not) with EU data protection law." Bolkestein summarized the requirements for building a database of personal information consistent with EU data protection law. These include a requirement that Microsoft have a specific, legitimate purpose for collection of the data; a right of access to the information collected; the requirement that consent be freely given when required; and notice to national data protection authorities. The Commission plans to make a report on Microsoft Passport by the end of 2002.
The European Commission's executive body also confirmed in news reports on May 27, 2002 that it was investigating Microsoft's compliance with European Union data protection laws.
- First orientations of the Article 29 Working Party concerning on-line authentication services, EU Article 29 Working Party, July 2, 2002.
- EU experts gather data on Web privacy problems, Reuters, June 14, 2002.
- EU to rule on .Net privacy issues on July 1, IDG, June 13, 2002.
- Microsoft Defends .NET Passport, Washington Post, June 11, 2002.
- EU targets Microsoft over data privacy, CNET News.com (Reuters), June 11, 2002.
- Microsoft Denies Investigation In Europe Over Privacy Laws, Wall Street Journal, June 11, 2002.
- Commission Concerned About Microsoft's Passport, Euractiv.com, May 30, 2002.
- La Commission européenne enquête sur Microsoft XP et "Passport" pour cause de violation de la vie privée, Droit et Nouvelles Technologies, May 29, 2002.
- Microsoft Faces European Commission Inquiry on Privacy Concerns, New York Times (Bloomberg), May 28, 2002.
- MS privacy policies under EU probe, Reuters, May 26, 2002.
- EU to Investigate Passport Privacy Concerns, Slashdot, May 25, 2002.
- Answer given by Mr Bolkestein on behalf of the Commission (MS Word format), European Commission, E-0718/02EN, May 7, 2002.
- Microsoft promises 'substantial' .NET changes, Euractiv.com, January 30, 2003.
- EU says Microsoft will alter Passport, CNET, January 30, 2003.
- Commissioner Frits Bolkestein Web Page.
- Parliamentary questions by Erik Meijer (GUE/NGL) to the European Commission, E-0718/02, March 4, 2002.
- EU Parliament Member Erik Meijer Web Page.
- European Commission Press Room.
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
by Ryan Calo, A. Michael Froomkin,