In re Microsoft

Citation: In re Microsoft, Inc., File No. 012-3240 (proposed consent order accepted Aug. 8, 2002).

Factual Background
In August 2002, Microsoft agreed to settle FTC charges concerning the privacy and security of information collected through its Passport websites. Microsoft's Passport privacy policies claimed, among other things, that "Passport achieves a high level of Web Security by using technologies and systems designed to prevent unauthorized access to your personal information."

FTC's Complaint
The FTC's proposed complaint alleges that Microsoft misrepresented that it maintained a high level of online security by employing reasonable and appropriate measures under the circumstances to maintain and protect the privacy and confidentiality of consumers' personal information collected through its Passport and Passport Wallet services.

The complaint also alleges that Microsoft misrepresented that purchases made with Passport Wallet are generally safer or more secure than purchases made at the same site without Passport Wallet, even though most consumers received identical security at those sites regardless of whether they used Passport Wallet to complete their transactions. In addition, the proposed complaint alleges that Microsoft misrepresented that it did not collect any personally identifiable information other than that described in its privacy policy, even though Passport collected and held, for a limited time, a personally identifiable sign-in history for each user. Finally, the complaint alleges that Microsoft misrepresented that its Kids Passport service provided parents with control over the information their children could provide to participating websites, when children were in fact permitted to edit or change certain fields of personal information and change account settings set by the parent.

Consent Order
The consent order prohibited Microsoft from making any misrepresentations about its information practices or the extent to which its products or services maintain, protect, or enhance the privacy and confidentiality of consumers' information. The order also required Microsoft to implement and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. In addition, every two years Microsoft must have its security program certified by an independent professional as meeting or exceeding the standards in the consent order.