November 5, 2001
On November 7, FTC Chairman Timothy Muris is scheduled to testify before the Subcommittee on Commerce, Trade, and Consumer Protection. We urge committee members to use this opportunity to question the FTC's role in protecting consumers from the privacy and security risks posed by Microsoft XP and Passport. Despite repeated warnings regarding the threat to consumer privacy, the FTC has yet to take public action to address the issue.
On July 26, 2001, we submitted a detailed complaint to the Federal Trade Commission endorsed by fifteen leading consumer advocacy groups describing the serious privacy implications of Microsoft Windows XP and Microsoft Passport, and alleging that the collection and use of personal information by the company would violate Section 5 of the Federal Trade Commission Act. On August 15, 2001, we submitted a supplement to the FTC further detailing the specific ways in which Microsoft XP and Passport would harm the consumer interests that Timothy Muris as Chairman of the FTC is charged with protecting. In anticipation of the October 25, 2001 release of Windows XP, we again wrote Chairman Muris to urge immediate action.
Microsoft has continued to represent that its Passport service offers consumers a secure method for storing personal data and credit card numbers. However, since our most recent letter to the FTC, a computer programmer illustrated a serious flaw in the Passport Wallet service that could affect 200 million users. By exploiting the flaw, a user's entire Passport account, including credit card numbers stored in the database, could be made public. Microsoft recognized the problem and disabled the Wallet service in order to patch the flaw. But questions remain about the security of the Passport system.
In light of these facts, we urge committee members to ask Chairman Muris why his agency has not begun a public investigation into information collection practices of Microsoft through Passport and associated services. Protection of consumer interest demands immediate FTC action.
1. Microsoft Shuts Down Passport Service To Fix Flaw in Credit-Card Security, Wall Street Journal, Nov. 5, 2001.
2.Stealing MS Passport's Wallet, Wired, Nov. 2, 2001.
3.Microsoft leaves its Wallet wide open, ZDNet News, Nov. 2, 2001.
4.Letter to FTC Chairman Timothy Muris urging immediate FTC action to protect consumers from the privacy risks associated with Microsoft Windows XP and Microsoft Passport, October 23, 2001.
5. Supplemental Materials in Support of Pending Complaint and Request for Injunction, Request for Investigation and for Other Relief (PDF), In Re Microsoft. This is a supplement filed with the Federal Trade Commission detailing security flaws in the Passport system, issues with Kids Passport compliance with the Children's Online Privacy Protection Act, and other new information that emerged after the filing of the original complaint.
6. Complaint and Request for Injunction, Request For Investigation and for Other Relief (PDF), In Re Microsoft. This is a complaint filed with the Federal Trade Commission detailing how Microsoft has violated Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive trade practices.
7. EPIC Microsoft Passport Page.