EPIC logo

January 29, 2002

Dear State Attorney General,

The Electronic Privacy Information Center (EPIC) urges you to take action to protect consumers against unfair and deceptive trade practices raised by Microsoft Corporation's Passport service and related "Wallet," "Kids Passport," "Hailstorm," and ".Net Services."  These systems unfairly and deceptively gather personal information and expose consumers to the release, sale, and theft of their personal information.  Immediate state action is necessary to protect consumers and ensure Microsoft does not continue to improperly collect personal information.

We have repeatedly urged the Federal Trade Commission to investigate this matter in two separate filings, but the Commission has failed to act.  We therefore urge you now to initiate an investigation under your statutory authority.

Passport is a system that enables unprecedented profiling of individuals' browsing and online shopping behaviors.  Microsoft has indicated that the company's goal is to have every Internet user possess a Passport account, thus raising the possibility that Passport may become the tollbooth that controls Internet access and online ordering for millions of consumers in your state.  By tying Passport to the Microsoft Hotmail E-Mail system, on-line customer support services, over 100 of the largest online retailers, and to numerous exhortations to subscribe in the Windows XP Operating System and Microsoft home site, Microsoft already has acquired over 200 million Passport accounts.

The privacy and security risks include: online profiling made possible by the requirement that individuals sign on to Passport before viewing web content, an increase in the amount of unsolicited commercial e-mail from the sharing of e-mail addresses with Passport-affiliated sites, and stolen credit card data from numerous security holes in the Passport and Wallet systems.  The vulnerability of Passport combined with its pervasion of the Internet creates serious risks to personal information sacrificed by consumers to gain access to services integrated with Microsoft authentication software under the belief that Microsoft is adequately protecting their data.

Although Microsoft has continually expanded its partnership with online retailers and services it has done little to improve the protection of consumers' personal information or provide a reasonable explanation of how the collected data is used or may be used in the future.  Instead Microsoft's current privacy policy and click-through agreements fail to provide an understandable explanation of the company’s use of personal data and present a false sense of security.

Furthermore, Microsoft continually represents that its Passport service offers consumers a secure method for storing personal data and credit card numbers. However, in November a computer programmer illustrated a serious flaw in the Passport Wallet service that could affect 200 million users.[1] By exploiting the flaw, a user's entire Passport account, including credit card numbers stored in the database, could be made public. Microsoft recognized the problem and disabled the Wallet service in order to patch the flaw.  Since its introduction, consumers using Passport and Windows have been exposed to two major Internet viruses, and personal information in Passport was compromised numerous times.  Serious questions remain about the security of the Passport and .Net services yet Microsoft continues to collect personal information.

In addition to the unwarranted collection of consumer data, Microsoft offers no method to delete a Passport registration.  Microsoft claims that Passport gives users control of their personal information.  However, the most basic aspect of control—the right to take back one’s personal information—is not accommodated by the Passport system.

We notified the Federal Trade Commission (FTC) of Passport's alleged violations of Section 5 of the Federal Trade Commission Act in a formal complaint on July 26, 2001 and in an updated complaint on August 15, 2001.  These complaints, endorsed by fifteen leading consumer advocacy groups, describe the serious privacy implications of Microsoft .Net Passport, and related .Net Services.  These complaints urged the FTC to begin a formal investigation; however, the FTC has not taken action.

Events since the filing of our complaint with the FTC have made extraordinarily clear that Windows XP and Microsoft Passport raise far-reaching and fundamental privacy and security concerns for American consumers.

Microsoft's failure to make public known security risks in Windows XP and Passport and provide a reasonable degree of control of personal information violates state law that prohibits unfair deceptive trade practices. In light of the FTC's reluctance to address this clear violation of Section 5 of the FTC Act even after the widely disclosed security flaws, we urge you to investigate the privacy and security risks of Microsoft Passport.  The privacy and security of personal information of consumers of Microsoft products depends upon immediate action.



Marc Rotenberg
Executive Director

Chris Hoofnagle
Legislative Counsel

Nathan Mitchler
Law Clerk

Enclosures (2)

In Re Microsoft, Complaint and Request for Injunction, Request For Investigation and for Other Relief.

In Re Microsoft, Supplemental Materials in Support of Pending Complaint and Request for Injunction, Request for Investigation and for Other Relief.


Senator Ernest Hollings
Senator John McCain
Representative William Tauzin
Representative John Dingell
Timothy Muris, Chair, Federal Trade Commission
Sheila Anthony, FTC Commissioner
Mozelle W. Thompson, FTC Commissioner
Orson Swindle, FTC Commissioner
Thomas B. Leary, FTC Commissioner

[1] Microsoft leaves its Wallet wide open, ZDNet News, Nov. 2, 2001; Microsoft Shuts Down Passport Service To Fix Flaw in Credit-Card Security, Wall Street Journal, Nov. 5, 2001.