
Microsoft Passport does not comply with European privacy rules

By EDRi · February 12, 2003

Microsoft has agreed to change its Passport authentication system, after the publication on 29 January of a very critical review by the EU's national privacy commissioners. Besides the Microsoft .NET Passport system, the commissioners, meeting as the so-called Article 29 Working Party, also examined the Liberty Alliance Project. The review concludes with general guidelines for future on-line authentication systems.

In order to comply with EU privacy rules, Microsoft agreed to substantially modify the Passport system, “involving in particular a radical change of the information flow”.

Passport is a system that centralizes authentication and information sharing for users on the internet. The system stores user information such as addresses, ages, phone and credit card numbers and other personal details in a large central database. With one click, users can transfer their personal information to participating websites.

The most important consequence of the agreement is that users “will be informed and empowered to decide as to which data they want to provide and under which conditions these data will be processed by Microsoft or by the participating websites”.

Microsoft will have to enable users to decide on a site-by-site basis whether or not to share their profile data. Some of the changes involve giving users information on how to open a Passport account without using their real e-mail address. Microsoft will have to reconfigure the user profile so that users can fill out the fields they choose while leaving others blank. All changes have to be made according to an agreed timeline.

US-based privacy and consumer organisations, led by the Electronic Privacy Information Center (EPIC), previously filed a complaint in 2001 with the United States Federal Trade Commission (FTC) regarding Passport and other Microsoft products. The FTC ruled in 2002 that Microsoft had made false security and privacy promises about Passport.

Microsoft has made no formal statement regarding the issue but a Microsoft spokesperson responded to the agreed changes of Passport saying that “data protection is a dynamic process”.

Simultaneously, other complaints about Microsoft are pending with EU anti-trust regulators. A long-running investigation involves the bundling of Windows Media Player and alleged abuse of dominance in the server market linked to Windows 2000. EU competition commissioner Mario Monti recently announced that he would present conclusions in the first half of 2003. A completely new complaint was filed this week by the Computer & Communications Industry Association, representing a number of large technology and media corporations, regarding the bundling of applications with Windows XP and the misuse of a dominant market position by Microsoft.

Article 29 Data Protection Working Party: ‘Working document on on-line authentication services’ (29.01.2003)
http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp68_en.pdf

EPIC archive on Passport
http://www.epic.org/privacy/consumer/microsoft/passport.html

Computer & Communications Industry Association (CCIA) v. Microsoft
http://www.ccianet.org/ms_eu.php3