Charging that Microsoft Corp. plans to use its forthcoming Windows XP operating system and .Net initiative to “unfairly and deceptively” obtain personal information from consumers, the Electronic Privacy Information Center (EPIC) and other privacy groups filed a complaint with the U.S. Federal Trade Commission (FTC) Thursday urging the agency to force Microsoft to change its practices.
The groups are concerned that Microsoft’s Passport authentication system, a central component of both .Net – a complex plan that includes services dealing with personal information – and Windows XP, has “the potential to track, profile and monitor users of the Internet … (with) far-reaching and profound implications for privacy,” according to the complaint.
Passport is a single sign-on system that gives users access to a variety of services and Web sites with just one password. User information stored by Passport includes name, address, age, phone number, e-mail address, preferences and even includes payment information for online transactions. Passport will be a central feature of the “Hailstorm” system, a main component of .Net, in which customers’ personal information will be stored on Microsoft servers and then provided to the user upon request, for a fee.
Though Microsoft does include options in Passport that allow users some control over the personal information that is disclosed to third parties, the information is still under Microsoft control, a situation the groups do not find encouraging.
When a user logs on to the Internet with a computer running Windows XP, the operating system attempts to force users into unnecessarily signing up for and disclosing information to Passport, the complaint reads. Under Windows XP, when a user connects to the Internet, a dialog box appears telling them that they need a Passport in order to use Windows XP communication features like instant messaging, voice chat and video, according to the complaint.
“Although it is technically possible to use XP without providing personal information, in practice it is simply too difficult because of Microsoft’s efforts to collect that information. Essentially the average user is required to give out personal information,” said Jason Catlett, president of Junkbusters Corp., one of the groups involved in the complaint, on a conference call held Thursday.
Microsoft also shares user information between sites in its Microsoft Network (MSN) family of Web sites and tracks users of its Hotmail e-mail service, the complaint said.
The combination of confusing and misleading options and information in both Windows XP and Passport “(makes) it difficult if not impracticable for consumer to exercise control over their personal information.” the groups wrote.
This becomes an even more serious problem when e-commerce is added to the equation, the groups said. The Passport system could lead to fraud if someone else has access to your computer and you’ve signed onto Passport, leaving your payment options available to them, said Richard Smith, chief technology officer for the Privacy Foundation, also on Thursday’s conference call.
Addressing the group’s concerns would not be a massive undertaking for Microsoft, Marc Rotenberg, executive director of EPIC said on the call.
“Microsoft could stop some of the issues we protest fairly easily. For example by allowing services to operate with a pseudonym,” he said.
And these groups are not the only interested parties, Rotenberg said.
“Several state attorneys general have contacted us and they are very interested. Microsoft has also contacted us; they would like to talk with us. But at this point our interest is to pursue with the complaint,” Rotenberg said.
To combat the problems the groups see in Windows XP, Passport and .Net, they asked the FTC to investigate Passport’s information collection practices; to order that Microsoft revise the Windows XP registration procedures so that consumers are clearly informed that Passport is not required to get online; to order Microsoft not to share Passport information with MSN sites without explicit user consent; to order Microsoft to include anonymizing or semi-anonymizing techniques in Windows XP; and to allow users to easily use other online payment services with Windows XP.
“The Passport policy now reassures users, but Microsoft should warn users of the risks. That’s a typical role the FTC plays. It can require a company to be more forthcoming about risks,” EPIC’s Rotenberg said.
The other groups involved in the complaint are The Center for Digital Democracy, The Center for Media Education, Computer Professionals for Social Responsibility, Consumer Action, The Consumer Federation of America, The Consumer Task Force for Automotive Issues, The Electronic Frontier Foundation, The Media Access Project, NetAction, The Privacy Rights Clearinghouse and the U.S. Public Interest Research Group.
Microsoft has come under fire from two other corners this week. On Tuesday, New York Senator Charles Schumer called for Senate investigations and asked state attorneys general to consider enjoining the release of Windows XP due to anticompetitive business practices in the operating system [see story – Senator calls for investigation of Windows XP]. On Wednesday, InterTrust Technologies Corp. expanded its lawsuit against Microsoft claiming that Windows XP’s product-activation technology infringes on InterTrust patents [see story – InterTrust further expands suit against Microsoft].
EPIC, in Washington can be reached at http://www.epic.org/. Microsoft Canada, in Mississauga, Ont., can be reached at http://www.microsoft.ca. The complaint is located online at http://www.epic.org/privacy/consumer/MS_complaint.pdf
(Joris Evers, IDG News Service correspondent in Amsterdam, contributed to this report.)