Coalition Letter to FTC on Windows XP and Passport

October 23, 2001
Dear Chairman Muris,
On July 26, 2001, we submitted a complaint to the Federal Trade Commission endorsed by fifteen leading consumer advocacy groups detailing the serious privacy implications of Microsoft Windows XP and Microsoft Passport, and alleging that the collection and use of personal information by the company would violate Section 5 of the FTCA. On August 15, 2001, the groups submitted a supplement to the FTC further detailing the specific ways in which Microsoft XP and Passport would harm the consumer interests you have been charged with protecting.
On October 25, 2001, Microsoft, the world’s largest software company, will release Windows XP. Already, the vast majority of consumers use a version of Microsoft operating systems, and it is expected that Windows XP will be used by millions of consumers. Despite detailing numerous privacy issues associated with XP in the July and August filings, the FTC has taken no public action to protect consumers and has failed to address the allegations set forth in our complaint.
Microsoft attempted to address the privacy risks presented in Passport by requiring Passport-affiliated sites to use the Platform for Privacy Preferences (P3P). As we have detailed in the past, P3P is not a privacy-enhancing technology.(FN1) Additionally, the Gartner Group commented that including P3P on Passport-affiliated sites is a "short-term solution that offers no real benefit to consumers."(FN2) Further, employing P3P on affiliate sites does not address the core issue presented by collection of consumers’ information by Microsoft. Microsoft’s ability to track, profile, and monitor the 165 million Passport users has far-reaching and profound implications for privacy protection in general and in particular with regard to the growth of electronic commerce.
Microsoft announced plans to make Passport more open to other companies, and falsely claimed this as an improvement in privacy. Although this change may address other legal concerns, it does not address the major privacy and unfairness objections in the groups complaint.
Since filing our August supplement, a series of serious security lapses has occurred involving Passport and the platform on which the service is maintained. The security lapses further support our claims that Microsoft’s guarantees of privacy and security are deceptive and unfair to consumers. Further, Microsoft’s failure to disclose the actual risks associated with the collection and use of personal information in the Passport service constitutes an unfair and deceptive trade practice. It is now clearer than ever that the FTC must therefore take action under Section 5 to safeguard consumer interests.

In August, a programmer was able to crack both Hotmail and Passport through cross-site scripting twice in one month. The exploit would allow anyone to gain access to Passport identification and credit card data with a single line of code.(FN3)

Again in August, code was posted on the Internet that gave others the ability to read Hotmail users’ e-mail.(FN4)

Newsbytes reported in August that a programmer accessed Microsoft’s Corporate network over a six-day period through a hole in Windows 2000. Microsoft, citing company policy, refused to confirm or deny whether the network was accessed.(FN5) Microsoft is migrating the Hotmail E-mail service from Unix systems to Windows 2000.(FN6)

In August, the Code Red Worm, a virus that only spreads through the use of Microsoft products, infected Microsoft’s own Hotmail servers. Hotmail is now a service that requires a Passport.(FN7)

In September, the NIMDA virus, which propagated through Microsoft’s Internet Information Server (IIS), infected an estimated 1.3 million computers.(FN8)

In October, an error on Microsoft’s customer support web site allowed anyone with an Internet browser to view customers’ names, purchase histories, addresses, e-mail addresses, and phone numbers.(FN9)

Most recently, an error on Microsoft’s Certified Partners page, a Passport service, made usernames and passwords available on the Internet in plain text.(FN10) Anyone could have used this information to gain complete access to others’ Passports and Hotmail E-mail accounts.

By the end of September, security incidences with Microsoft’s IIS led the Gartner group to recommend those running the "high risk" Microsoft IIS web server software should switch to non-Microsoft solutions.(FN11) Despite these events, users of Microsoft XP will be nagged to sign up for Passport in the second through sixth attempts to connect to the Internet.(FN12)
We urge the FTC to immediately take action on our July and August filings. We once again write to ask the FTC to protect consumers from the harmful consequences of the impending release of Windows XP. We renew our call for the remedies included in our earlier filings, which included:

An investigation into the information collection practices of Microsoft through Passport and associated services;

Order Microsoft to revise the XP registration procedures so that purchasers of Microsoft XP are clearly informed that they need not register for Passport to obtain access to the Internet;

Order Microsoft to block the sharing of personal information among Microsoft areas provided by a user under the Passport registration procedures absent explicit consent;

Order Microsoft to incorporate techniques for anonymity and pseudo-anonymity that would allow users of Windows XP to gain access to Microsoft web sites without disclosing their actual identity

Order Microsoft to incorporate techniques that would enable users of Windows XP to easily integrate services provided by non-Microsoft companies for online payment, electronic commerce, and other Internet-based commercial activity;

Provide such other relief as the Commission finds necessary to redress injury to consumers resulting from Microsoft’s practices as described herein; and

Begin an investigation to determine whether Passport complies with the requirements of the Children’s Online Privacy Protection Act.

As Microsoft has failed to take remedial action to remedy the harm to consumer privacy that we first identified with our original filing, we further request that:

Microsoft be required to disgorge any personal information collected fraudulently and deceptively through XP and Passport.

We look forward to your response to these issues.
Sincerely,

Jeff Chester
Executive Director
Center for Digital Democracy

Gabriela Schneider
Policy Analyst
Center for Media Education

Coralee Whitcomb
President
Computer Professionals for Social Responsibility

Ken McEldowney
Executive Director
Consumer Action

Frank Torres
Legislative Counsel
Consumers Union

Chris Hoofnagle
Legislative Counsel
Electronic Privacy Information Center

Lee Tien
Senior Staff Attorney
Electronic Frontier Foundation

Jason Catlett
President
Junkbusters Corp.

Andrew Schwartzman
President & CEO
Media Access Project

Audrie Krause
Executive Director
NetAction

Beth Givens
Director
Privacy Rights Clearinghouse

Ed Mierzwinski
Consumer Program Director
U.S. PIRG

Cc:
Senator Ernest Hollings
Senator John McCain
Representative William Tauzin
Representative John Dingell

Footnotes

FN1. Electronic Privacy Information Center & Junkbusters, Pretty Poor Privacy: An Assessment of P3P and Internet Privacy, June 2000, http://www.epic.org/reports/prettypoorprivacy.html.

FN2. Arabella Hallawell, Commentary: Passport needs better privacy, CNET News.com, August 23, 2001, at http://news.cnet.com/news/0-1003-201-6952893-0.html.

FN3. Byron Acohido, Expert hacks Hotmail in 1 line of code, USA Today, August 30, 2001, page 1B.

FN4. Vito Pilieci, Hackers post code opening access to Hotmail content, Ottawa Citizen, August 21, 2001, page B1.

FN5. Brian McWilliams, Windows 2000 Port Invites Intruders, Newsbytes, August 26, 2001, at http://www.newsbytes.com/news/01/169408.html.

FN6. Robert Lemos, Microsoft sews up Hotmail hole, ZDNet News, August 21, 2001, at http://www.zdnet.com/zdnn/stories/news/0,4586,5096001,00.html.

FN7. Joris Evers, Microsoft Sees Red: Worm Infects Its Own Servers, IDG News Service, August 9, 2001, at http://www.pcworld.com/features/article/0,aid,57584,00.asp.

FN8. Robert Lemos, Nimda still a global threat, CNET News.com, September 24, 2001, at http://news.cnet.com/news/0-1003-200-7285499.html.

FN9. Paul Festa, Microsoft closes window to customer data, CNET News.com, October 10, 2001, at http://news.cnet.com/news/0-1005-200-7475010.html.

FN10. David Berlind, Microsoft.com error reveals IDs, passwords, ZDNet, October 16, 2001, at http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2818129,00.html.

FN11. John Pescatore, Commentary: Another worm, more patches, CNET News.com, September 20, 2001, at http://news.cnet.com/news/0-1003-201-7239473-0.html.

FN12. Windows XP: Battle over the Internet, ZDNet News, October 17, 2001, at http://chkpt.zdnet.com/chkpt/xlink130/http://www.zdnet.com/zdnn/stories/news/0,4586,2818238,00.html.

Jeff Chester Executive Director Center for Digital Democracy	Gabriela Schneider Policy Analyst Center for Media Education
Coralee Whitcomb President Computer Professionals for Social Responsibility	Ken McEldowney Executive Director Consumer Action
Frank Torres Legislative Counsel Consumers Union	Chris Hoofnagle Legislative Counsel Electronic Privacy Information Center
Lee Tien Senior Staff Attorney Electronic Frontier Foundation	Jason Catlett President Junkbusters Corp.
Andrew Schwartzman President & CEO Media Access Project	Audrie Krause Executive Director NetAction
Beth Givens Director Privacy Rights Clearinghouse	Ed Mierzwinski Consumer Program Director U.S. PIRG