Microsoft must implement a comprehensive security program for its Passport online authentication services, under a settlement agreement with the Federal Trade Commission announced Thursday.
The agreement also bars Microsoft from misrepresenting its information practices in connection with Passport, including what personal data is collected about users.
"While we have always believed that Passport provided reasonable security, we recognize that security norms evolve," said Brad Smith, Microsoft vice president and general counsel, in a conference call with reporters. "The FTC is raising the bar for Microsoft and the industry to do even more on security and privacy issues. We will work to meet and exceed that bar," he said, adding that there has been no security breach of Passport.
Under the FTC order, Microsoft must have a program designed to ensure security, confidentiality and integrity of personal information collected about Passport users. The company also must have a third-party professional firm audit the program every two years.
Microsoft said it will formalize and document the security program it has for Passport, ensure third-party security audits and strengthen training for all managers involved with Passport to make sure they understand and comply with the order.
"Good security is fundamental to protecting consumer privacy," said Timothy Muris, FTC chairman, in a statement. "Companies that promise to keep personal information secure must follow reasonable and appropriate measures to do so. It's not only good business; it's the law. Even absent known security breaches, we will not wait to act," he said.
The FTC, whose order is effective for 20 years, launched its investigation of Microsoft's Passport after privacy groups filed a complaint last July about the service, which allows consumers to use a single sign-on for various Web sites.
Jason Catlett, president of Green Brook, N.J.-based consumer privacy firm Junkbusters, one of the companies that filed the complaint, said he was pleased with the FTC order.
"The FTC looked under the hood of Microsoft's back office, and what they found was very unpleasant," he said. "They sent a message to all companies that claim to handle personal information securely that they need to live up to those standards. There are areas of our original petition that they didn't address, but what they did do is highly significant and should substantially improve the privacy of Americans online."
Microsoft collected temporary logs to allow customer service representatives to help Passport users who called the company's support team, he said. The information was never shared with other companies and is only used by customer representatives, but the original privacy statement did not fully describe that, he said.