Privacy Groups Take Aim at Passport

Privacy groups lined up to bash Microsoft Corp.'s Passport user authentication service Wednesday, filing an updated complaint with the Federal Trade Commission.

Thirteen organizations, headed by the Electronic Privacy Information Center, supported the action, alleging that Microsoft is in violation of Section 5 of the FTC Act because of its data collection, sharing and security practices with Passport.

"We think it's in the public interest for the FTC to examine Passport and its associated services and try to assess its impact in the marketplace," said Marc Rotenberg, executive director of EPIC, in Washington.

The groups originally filed a complaint to the FTC on July 26. The updated complaint states that Microsoft's response to that complaint was not sufficient and lodges several new complaints about Passport, Windows XP and .Net.

Among the groups' complaints:

Passport still requires too much personal information--e-mail address, state, ZIP code and country--than is necessary. Its privacy standards, including requiring Passport-affiliated merchants to support the Platform for Privacy Preferences, or P3P, are insufficient. Windows XP will disable privacy and security programs like Black Ice and Zone Alarm while at the same time deploying digital rights management features that can track and monitor Internet users. Also, disabling Passport in Windows XP is too difficult, and most XP users will have to register for Passport to gain Internet access. Passport transfers users' personal information to Web sites they visit and provides no mechanism for users to cancel their accounts and delete personal information from Microsoft's servers.

The complaint also alleges that .Net services would prevent user anonymity; that Passport can easily be hacked, threatening the security of user information; and that Microsoft's Kids Passport service does not comply with the Children's Online Privacy Protection Act because it requires children's e-mail addresses for registration and it violates some procedural issues with regard to links to privacy policies.

"There are probably a lot more issues that we haven't uncovered yet," said Jason Catlett, president of Junkbusters Corp., of Green Brook, N.J., which is one of the groups filing the complaint. "We don't have the ability to conduct a complete audit of their data collection and sharing practices. That's why we want the FTC to investigate."

"It's very important to keep in mind that there are more than 100 million registered users of Passport, and 90 percent of the operating system market is Microsoft," said Rotenberg. "Given our concern with online privacy and the potential impact of all the information they're collecting, we believe there's a need for action."

Copyright © 2004 Ziff Davis Media Inc. All Rights Reserved. Originally appearing in ExtremeTech.