In re Microsoft, Inc., File No. 012-3240 (proposed consent order accepted Aug. 8, 2002).
Factual Background
In August 2002, Microsoft agreed to settle FTC charges concerning the privacy and security of information collected through its Passport websites. Microsoft's Passport privacy policies claimed, among other things, that "Passport achieves a high level of Web Security by using technologies and systems designed to prevent unauthorized access to your personal information."
FTC's Complaint
The FTC's proposed complaint alleges that Microsoft misrepresented that it maintained a high level of online security by employing reasonable and appropriate measures under the circumstances to maintain and protect the privacy and confidentiality of consumers' personal information collected through its Passport and Passport Wallet services.
Consent Order
The consent order prohibited Microsoft from making any misrepresentations about its information practices or the extent to which its products or services maintain, protect, or enhance the privacy and confidentiality of consumers' information. The order also required Microsoft to implement and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. In addition, every two years Microsoft must have its security program certified by an independent professional as meeting or exceeding the standards in the consent order.
- Passport is an online authentication service that allows consumers to sign in at multiple websites with a single username and password. Passport Wallet and Kids Passport are add-on services that provide online purchasing and parental consent services.
- Specifically, the proposed complaint alleges that Microsoft failed to implement and document procedures that were reasonable and appropriate to: (1) prevent possible unauthorized access to the Passport system; (2) detect possible unauthorized access to the system; (3) monitor the system for potential vulnerabilities; and (4) record and retain system information sufficient to perform security audits and investigations.