Microsoft has agreed to tighten the security of its .NET Passport internet service as part of a settlement with the US Federal Trade Commission (FTC) over charges that the system was not as secure as claimed and violated the privacy of users.
Passport is used by an estimated 200 million people worldwide, and stores personal information such as users' passwords and credit card numbers, making it easier for consumers to identify themselves when logging on to a range of websites.
But privacy groups led by the Electronic Privacy Information Centre filed a complaint in July 2001 claiming that Microsoft deceived users by inadequately explaining how it would track their visits to its websites.
The company is still being investigated by the European Commission over whether the Passport system complies with European data protection laws.
Announcing the US settlement yesterday, Mr Timothy Muris, chairman of the FTC, said he had informed the Europeans of the deal. Mr Muris said he believed Microsoft had made deceptive claims and misrepresented the security of personal information contained on its system.
He said the company had collected more personal information than it reported, such as a detailed history of who logged into which Passport websites and when. However, he stressed that although the potential for a security breach had existed, none had actually taken place. "We were able to act before the potential became reality," he said.
Microsoft had previously argued the complaint was "replete" with factual errors and misrepresentations, and demonstrated a fundamental misunderstanding of its products and services.
But Mr Brad Smith, its general counsel, said yesterday: "We wish we had held ourselves to an even higher bar. We accept responsibility for the past and will focus on living up to this high level of responsibility in the future."
Under the terms of the settlement, Microsoft will be prohibited from misrepresenting its privacy and security services, and will have to establish a programme to protect the confidentiality of customers' personal information.
For the next 20 years, it will also be required to submit to independent bi-annual audits to verify that it is complying with the requirements and will face fines of $11,000 a day if it does not.
The complaint also raised another issue: that Passport was too closely tied into Microsoft's Windows XP operating system, making it difficult for users of one to avoid the other. However, the FTC did not pursue the matter because it is closely tied to Microsoft's antitrust legal wrangle.
Last November, the Passport system was shut down for two days after a Seattle-based programmer found a weakness that could have enabled hackers to steal users' credit card numbers. - (Financial Times Service)