MS Settles With FTC Over Passport Privacy Complaints
There will be a number of stories out shortly (here's an early one) noting that Microsoft has settled with the FTC over privacy complaints relating to Microsoft Passport. Short summary: Microsoft made lots of false representations about the security of Passport, and collected more information than it disclosed in its privacy policy, and now must be penalized in the usual Microsoft fashion - they must promise not to do it again. The FTC's settlement page has the complaint and settlement documents. We've covered this extensively - All Your Bits Are Belong to Us, EPIC's complaints about the integration of Windows XP and Passport, Microsoft Defends Passport, EPIC pushing state attorneys general to act against Passport, etc. In fact EPIC has an entire page devoted to Passport. The FTC settlement requires two main things: that Microsoft adopt basic security practices (what were they doing before?), and that Microsoft be audited by a third-party to assure compliance - perhaps it will be TrustE, since Passport's privacy policy remains approved by TrustE.
Trusted computing my ass... There can be no trust if trust has not been developed.
We had to destroy the sig to save the sig.
"and now must be penalized in the usual Microsoft fashion - they must promise not to do it again."
I hope Bill Gates wasn't crossing his finger behind his back...
Better make sure and force him into a pinky swear and swear his soul to the dark lord.... er, too late, nevermind.
that makes me want to give up. I mean, over, and over, and over, and over again big companies (esp. Microsoft) do Bad Things(tm), get caught, and essentially get lightly scolded.
Now if I pulled shit like this I'd be up on fraud charges so fast that the whiplash would likely kill me. Assuming the lawyers hadn't eaten me alive first. But as it turns out that's only true because I'm not completely filthy stinking rich.
*sigh*
I mean, I know it's nothing new, and I realize that I probably shouldn't be surprised, but c'mon.... it's just bloody depressing. How can things possibly get better if there's effectively no incentive for companies to behave? Clearly relying on a sense of honor or ethics just isn't working.
I'm going to go kick my cube wall for a while... at least then I'll feel like I'm accomplishing something.
Behold the Power of Cheese!
As we've seen lately, 3rd party auditing of *anything* only means that *2* companies are covering information up. Sorry, I still don't trust Passport.
It is a mistake to consider the ignorance of the average consumer equivalent to not caring about security. Some people really don't know.
Any sufficiently advanced technology is indistinguishable from a rigged demo.
See, the thing is this: knowledgeable people who care about security don't use passport, sure. But when the first thing that an XP install asks you for after you boot it for the first time is to get a passport account then plenty of people who care about security but aren't in the know about information security sign up (after all, Passport sounds so... official) and the common consumer gets screwed.
That's the audience. And once enough of them are on board then the rest of us start being faced with choices like: "If I want to use cool service X I'll need to sign up for a passport because there's no other way to get it". That's the plan.
Behold the Power of Cheese!
What are you talking about? Joe user has no idea what any of this is about. It's probably just the big bad gubmint picking on a successful business again. They're just jealous. Don't expect the masses to rise up against Microsoft when they don't even have the foggiest idea what's going on. This stuff doesn't get much mainstream play, and when it does, it's dumbed down to the point where it no longer makes much sense anyway.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
The target audience is everyone. Whether you care about security or not, if Microsoft can create a demand by legislation (such as the Hollings bill) that would mandate DRM and thus some sort of identity verification scheme, or by convincing the majority of hardware/software makers to use their scheme, then you'll be stuck with it whether you like it or not. I think the former option is a lot more likely really. I seriously doubt they could get a majority to agree on anything. Congress, however, is open for business.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
I have the unfortunate luck of developing a Passport site. Here is an e-mail they sent out to all Passport Sites:
From: passexec@microsoft.com [mailto:passexec@microsoft.com]
Sent: Thursday, August 08, 2002 10:20 AM
To: *****
Subject: Passport Resolves Issues with the US FTC
Very soon you will be hearing about an agreement between the United States Federal Trade Commission (FTC) and Microsoft regarding the Passport service. As a Passport participating site I wanted to contact you directly in order to provide you with information about this development.
This agreement is really about two things: making sure our statements about the service are clear and accurate, and ensuring we are meeting a very high bar with regard to online security.
We recognize that if we are going to be true to the high bar we set, we must take responsibility for the past and lead into the future. We realize some of our marketing statements in the past could have been clearer and in some cases less enthusiastic. We've already changed them and are working to complete an independent audit of our information security program which will give our customers added confidence that we are meeting this high bar.
I want to assure you that this is not an indication that the service itself is unsound. As you know, network security constantly evolves. What was reasonable in 1999 would not be reasonable by today's norms. While we believe we have always employed reasonable and appropriate security measures (in fact we know of no instance where a Passport user's information has ever been compromised), we understand the FTC's concerns and in hindsight wish we had held ourselves to an even higher bar.
We recognize the role of the government in this effort and we worked closely with the FTC to address these issues. This has been a far-reaching and thorough process and we have had an ongoing dialog with the FTC that has lasted several months and resulted in this agreement. We are committed as a company to being a leader in this field.
As a result of this experience, as odd as it seems to say this, I believe that the Passport service is better and more worthy of your trust than ever. You should know that:
- We will meet and hope to exceed the high standards set by this agreement
- We have planned for some time to conduct regular 3rd party audits of our service, and now we will provide the results of those audits to the FTC. These assessments will help give you and your customers the added confidence that we are living up to our commitments to run top quality services.
- The allegations in the complaint are made in the past tense. We have made continuous improvements to the Passport service, and many of the FTC's concerns had already been dealt with as part of our normal service updates. I want to ensure you that we remain committed to improving and enhancing Passport.
I am sure that many of you are already thinking about what you will need to tell your customers. While I am sure that everyone's situation is unique I would encourage you to link to the information that we will be posting on Microsoft.com. This will include both a formal statement and a less formal interview with me that goes into more detail on the issues surrounding this agreement and its impact. We hope that these resources will assist you in speaking to your customers. When published, this information will be at http://www.microsoft.com/presspass/features/2002/aug02/08-08passport.asp and will be pointed to from several Microsoft sites.
Thank you for taking the time to read this mail. I am very invested in continuing to earn your trust as both a business partner and a consumer of our service and I hope that I have been able to communicate to you how committed we are to making Passport the highlight of our Trustworthy Computing Initiative.
If you have any further questions, please do not hesitate to contact me via this email address.
Sincerely,
Brian Arbogast
Corporate Vice President
Microsoft Corporation
What are you talking about? MS made mistakes all the time. They just never suffered for them because Bill's money bin is very deep and he's got some very good liars working for him.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
I'm watching MSNBC and I don't seem to notice the news.....
Get your Unix fortune now!
... and the life savings of the entire middle class, with hardly a peep of protest from those affected, this sort of anti-consumer protection, or better said, government wink-wink-nudge-nudge "don't get caught doing that again" tactics for allowing this sort of atrocious behavior to slide relatively unaffected and unchanged, again and again, is unlikely itself to change in any measurable way.
At least, not until things become so intolerable that the masses overcome their conditioned apathy and subservience, and actually rise up in anger and demand real accountability and real reform. Unfortunately, by then I suspect things will have gone so far the non-violent reform will be difficult, if not impossible, and I sure don't want to be anywhere near the United States when that time comes.
Every great power in history was brought to its knees, and ultimately destroyed, by its own internal, unchecked, and uncorrected corruption. It is extraordinarily unlikely that the United States will be any different, or somehow immune to this kind of historical tide, and with every such expose it becomes ever more clear that we in the United States have nearly reached that threshold already.
I mean, hell, the upper crust just got done pilfering the life savings and retirement of the entire middle class, and yet no significant reform or change has taken place, and the very people so affected can't be bothered to protest or be caught dead carrying a placard in a public place demanding change, much less actually get involved in the political process and work for peaceful change. Unless this changes, and soon, this trend will not be corrected until it is far too late.
This despicable behavior with regards to Microsoft is appalling and extreme, but it is only a symptom of a much greater, more fundamental, and much more deeply entrenched malaise that affects our entire political culture, and likely spells the beginning of the end of American society as we know it.
It isn't going to be any foreign enemy, or "terrorists" who bring down our country, it is going to be our own inaction in the face of ever wider, ever more flagrant, and ever more destructive corruption. It saddens me greatly to have lived to see such a day.
The Future of Human Evolution: Autonomy
It's pathetic when the U.S. Government can take a hard line on terrorism in traditional forms, but is cowed by a multinational corporation that has been demonstrated to be involved in monopolistic forms of terrorism. The FTC is basically giving up because they're tired of trying to fight Microsoft. What sort of precedent does this set for the Standard Oils of the new millennium?
This government has bowed to corporate interests at every turn. I'd be happy to see a list of cases where individual freedom was held in higher esteem than corporate interests. This is yet another side effect of the US's desire to remain an economic superpower. It has changed from a Representative Democracy to a colossal bureaucratic corporation. Perhaps we should call it The United States of America Inc.?
Remember folks, a government that tramples the rights of the citizen is a tyrannical government. There is no leeway for argument in that.
One password to rule them all,
....
in the darkness,
one password to bind them.
To the race of men Borgates gave them
passwords which would give them power
over e-mail log-ins and on-line shopping
sites.
But there was one password crafted by the
dark lord Borgates which controlled them
Get your Unix fortune now!
Throughout this case, I've been most impressed with the coalition that was formed between the plaintiff organizations. It's reassuring to see such coalitions formed in support of issues where until recently it seemed a losing battle was being valiantly fought by a few small groups with no unifying structure around them. Regardless of how meager this victory seems, it's important that the issue was addressed in that it galvanized these organizations and brought them together in a way we have rarely seen thus far. I hope we see these organizations continue to work closely in the future.
--CTH
--Got Lists? | Top 95 Star Wars Line
Oh, that I had mod points. This is probably the most insightful post I've read in a long time (possibly ever) on Slashdot.
It's amazing to me how many people (especially those *in* the US) can't see this coming. How many people think that the US is, and always will be, indestructible. Sure, we can make great speeches and pull together for terrorism, but our government ``for the people'' is being run for the advancement of large corporations instead. I've always wondered what was going to befall this country, and government corruption seems like it will top the list.
Karma: Marginal (mostly due to the border around the website)
Microsoft by itself will continue to do what it has always done best: look out for its own self interest. They are a commercial company with responsibilities mainly to the shareholders. It is the American Government/authorities (and to a lesser extent, the European Union) that have let us (the consumers, users, etc.) down time, and time again with all things related to Microsoft (and other companies which behave like Microsoft). If we don't pressure our governments to take active steps to protect us against monopolistic practices we should not be surprised that these practices continue. Of course, things are never as straight forward as they seem and I realise that governments are also trying to protect jobs and the economy: the computer industry (and Microsoft plays an extremely important part in that industry, if we like it or not) provides jobs for millions. However, the negative aspects of this kind of behaviour, in the long run, will hurt us more. When will they realise this.
What does it matter? Anyone using Mozilla can't register with Hotmail or Passport anyway. Go ahead, click on the register link.
.NET Passport no longer supports the Web browser version you are using. Please upgrade to a current Web browser, such as Microsoft Internet Explorer version 4.0 or later, or Netscape Navigator version 4.08 or later.
Microsoft®
"and that Microsoft be audited by a third-party to assure compliance - perhaps it will be TrustE, since Passport's privacy policy remains approved by TrustE."
I remember this big stink a few years ago about Microsoft having the majority stake when TrustE was founded.
Heck just look at the Privacy Statement at WebTV/MSNTV.
You say things that offend me and I can deal with it. Can you?
It's sometimes very difficult to fathom just how big the United States is, and how many different people live here. And it's also hard to fathom that the general population of /. sits in a much higher caste than the average American. It's real easy for us to sit in an ivory tower and deride the rich, attack big companies, belittle the technology have-nots and laugh at the unintelligent. We all have 401(k) accounts, and we feel the sting of losing a couple of thousand dollars in the stock market because of some greedy CEO. And it's real easy for us to extend that to the entire country, and assume that because the dot-com bubble burst, and the economy isn't doing as well as it used to, and your average HTML writer can't go out and get $100,000 that our country is doomed to failure.
The problem with that thinking is that there are lots more people out there without 401(k) accounts, and that didn't lose a single penny in the stock market, because they don't have any money to invest. They don't care about Microsoft, and they don't care about Enron, because neither of those companies have anything to do with them working two shifts and feeding their kids, or harvesting their crops. They're not calling for reform, because they haven't been wronged. What you call apathy is what they call ignoring things that are not important.
As for the downfall of American society - The downturn of an economy, and the corruption of CEOs and the back scratching of companies - these are not new concepts in US history. There is nothing new under the sun - just new generations, and new scams. Far greater evils have beset corporate America in the past 226 years, and if nothing else, the country has shown a tendency for survival.
But when you've got your food on the table, and your surround sound stereo with the Simpsons Season 2 DVD playing at full blast, it's nice to look out and have something to rally against. Because it is my belief that human beings are always at feeling their best when they are on the defensive - something hard wired into our instincts, I guess.
In this case, Microsoft was unethical and sneaky. And it's good to cast a watchful eye toward the corporations lest they wrong us. But to rant and rave and call this the end of American society - well... if you were wronged then please do all you can to reform the system. But don't play the victim and blame all of society's ills on the lack of interest of the American public - it's quite possible that they have more important things to worry about.
Do you have Linux and a DotPal? Click here now!
Read the news. The Federal Government just made doing what the CEOs of Enron et al did a federal offense, meaning real jail time.
I do read the news, and the measures which have been taken are laughable and incomplete. Ralph Nader, the guy who finally got the automotive industry to belatedly incorporate basic safety designs into automobiles in the United States decades after they knew better, and chose not to for financial reasons, offers a detailed analysis of just how widely Congress dodged the entire issue, and how profoundly superficial and ineffective the law you cite really is.
In short, it's a superficial measure designed to smooth the ruffled feathers of those few who dare, or rather bother, to speak aloud their outrage.
http://www.time.com/time/magazine/article/0,9171,1101020805-332031,00.html
You'll have to forgive us if we slack off a bit; after outlasting communism and dealing with a world that alternately hates us and wants us to be their best friend, we as a country have earned a little corruption and selfishness.
Or, to put your argument in a more individual light:
"You'll have to forgive me if I slack off a bit; after outlasting my competing coworkers and dealing with an office that alternately hates me and wants to be my best friend, I as a person have earned a little cancer and self-destructiveness."
Corruption isn't some self-indulgence you earn as a result of hard work, it is a cancerous, destructive force that tears a society apart and undermines basic, civil society and the social contract that holds it together, so unless you are arguing that America has earned the destruction it is bringing down upon itself, your argument falls to pieces.
As for the notion of 'needing something to fight against' as a justification for injustice or corruption, so that the next generation has something to occupy their time, I think the absurdity of your words stands upon its own. Indeed, your rhetoric is a perfect example of the kind of conditioning our culture has been subjected to for the last several decades which has resulted in the apathy and submissiveness of our populace which is allowing these sorts of destructive behavior to flourish, virtually unopposed.
The Future of Human Evolution: Autonomy
I mean, hell, the upper crust just got done pilfering the life savings and retirement of the entire middle class, and yet no significant reform or change has taken place, and the very people so affected can't be bothered to protest or be caught dead carrying a placard in a public place demanding change, much less actually get involved in the political process and work for peaceful change.
1) As you said, this JUST HAPPENED, and then you go on to lament that no reform or change has taken place. Unless you hadn't noticed, several other companies are being audited and investigated for similar actions. What do you want to happen? These things didn't just happen overnight, and they can't be fixed overnight. We are talking about things that happened 2, 3 years ago.
2) These events affected more than the middle class, they affected pretty much everyone because it shot our economy further to hell. Maybe those people aren't out protesting, or trying to get into politics (?) because they are out working to feed their families. I have heard of people who had to come out of retirement and go back to work because their retirement money was wiped out.
3) Unless you haven't noticed, we have this minor little thing called A WAR going on. And maybe another one waiting in the wings. That is probably taking up more than a few resources.
My beliefs do not require that you agree with them.
Arbogast's integrity, or even that of Microsoft as a whole, is irrelevant. Despite the high feelings of a lot of the posters in this topic, the problem with Passport isn't that we can't trust Microsoft: the problem with Passport is the scheme itself. Nobody should be trusted with that kind of personal data in a central repository, and nobody should ever be able to suck that kind of data out of a repository (central or not) without the active participation of the user. Automatic authentication and personal data mining is in and of itself a bad thing: one breach, one moment of carelessness by any party to any of the transactions and you're hosed. The very idea is the antithesis of security and privacy, and the only thing that having a person of integrity in that position can do is make it worse by lulling some people into trusting it.
While I'm at it, I'm going to use some information that they used at their site in a slightly different order:
- First, the FTC said that [Microsoft] failed to implement and document procedures to prevent, detect, monitor or document unauthorized access.
- Hence, [Microsoft knows] of no instance where a Passport user's information has ever been compromised, in hindsight we wish we had held ourselves to an even higher bar.
Now whack me on the back of the head with a two-by-four if I'm wrong, but given that they had been lax in monitoring for security violations, is it any shock that they don't know that we^w someone violated them seven ways from Tuesday?
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Who is it we're at war against this week?
Eurasia?
No, we're at war with Eastasia. We've always been at war with Eastasia.
~~~
FTC
Office of the Secretary
600 Pennsylvania Ave., N.W.
Washington, D.C. 20580
RE: Microsoft Passport Settlement
To Whom It May Concern:
I am writing to inform you of my disappointment with the recent Microsoft Passport Settlement.
This settlement charged Microsoft with false representation on several parts, but my concern deals with the fact that the settlement lacks a penalty. Instead, it includes:
(I) ... shall not misrepresent in any manner ... its information practices ...
a. They should have been following this from the beginning, not waiting until after they get caught.
b. They should not have to sign an agreement to obey the law.
c. This is basically saying "Don't do it again."
(II) ... establish and maintain a comprehensive information security program ...
a. They must have had such a program, or one very similar, already in place if there was originally any security at all.
(III) ... obtain ... an assessment and report from a ... third-party professional ...
a. It should be further stated that the third party must not have done work with Microsoft prior to, during, or in between these assessments other than this specific series of assessments, thereby avoiding any potential bias in the assessments.
b. Furthermore, it should be added that the third party must not receive any payment, gift, or benefit from Microsoft other than the exact dollar amount, which should be stated clearly in the agreement, for payment of the assessment, which cannot be raised or lowered without the FTC's approval. This measure is necessary to assure that there will be no form of bribery or additional compensation between Microsoft and the third party.
(IV) ... upon request make available to the Federal Trade Commission ...
a. I currently have no complaints on this section.
(V) ... deliver a copy of this order to all current and future ...
a. I currently have no complaints on this section.
(VI) ... notify the commission ... of any change in the corporation ...
a. I currently have no complaints on this section.
(VII) ... file ... a report ... setting forth ... the manner and form in which they have complied with this order.
a. I currently have no complaints on this section.
(VIII) This order will terminate 20 years ...
a. I currently have no complaints on this section.
The measures set forth in this agreement are essentially those that prohibit the reoccurrence of such a violation that inspired this very agreement. Nowhere in the agreement is there any penalty for violation of a federal law, such as a fine or prison term. If a fine is pursued, then it should be a set amount, relative to the gross profits of the company, so that future violations by any company, regardless of the size or nature of the company, could be treated similarly and on similar terms and without bias or discrimination.
Thank you for taking the time to give serious consideration to the issues I have presented. I hope that justice will prevail.
Signed,
[hand signed here]
--
TodayTM BillyJoelTM GoogleTMd for StitchTMes due to WindowsTM while RollerbladeTMing with an AppleTM and a PopsicleTM
The worst part is that I don't think it is being done on purpose (at least not the aggregate effect). It's just that corporations survive only through making money, and those that are alive today are the ones making the most profit for their shareholders, CEO's, etc. In the future, they will try and get even more profits. It's not that they are not looking at the eventual demise or that they are not looking out for the masses, it's that they are looking out for themselves.
It's the same thing with the politicians...it's not that all politicians want to screw the people and help corporations, it's that only those that have enough money get elected. Who has the more money to give? Corporations...they have to give in order to receive x-fold.
Corporations are also taking over the airways and press. They have money and they can drive out the independents, indoctrinate the masses, and as a result get more money.
It's a self-propagating, vicious cycle, it gets deeper and deeper, but it does it gradually so that people do not take notice, do not feel cheated to the point of doing something about it.
You do see side-effects though...all those shootings, kidnappings, raping, etc. It's the aggregate build-up of stress (as in pressure) showing its head.
What are you going to do though? It's not easy fixing it, or it would not have gotten to this point. It's almost like an organism that evolves so that it is stronger. You could educate the people and make them vote for independents, greens, whatever, but that is a lot of work for those who do see the problems, and we are too lazy, too impatient to do anything about it.
It is definitely out of control and should be dismantled.
Microsoft is part of the legacy of the 80's mentality which is "looking out for #1." This translates to "increasing the bottom line at any cost." This makes them reckless and dangerous. Damage has already been done, is being done and will continue to be done until they are halted.
They cannot be taken for their word as they have shown to be very deceptive already and continue to be so.
If testimony under oath was true, that if revealed, the vulnerabilities of MS Windows could represent a threat to national security, then MS should be abandoned by all national and state government systems as soon as possible. It's not "if" these vulnerabilities are found, it's "when" and the code to exploit such vulnerabilities can be developed anywhere on the planet.
I think the value of money pales in the face of national security and privacy concerns. The economy is already in trouble and we're not going to save ourselves by keeping predatory corporations afloat long enough to destroy themselves abruptly as other large companies have already done. An orderly shutdown is a much better approach.
Bill Gates and all those in control of Microsoft should resign.
I'm not convinced that splitting up Microsoft is a good solution. Look how well it worked for Ma Bell--we ended up with the Baby Bells, and then devolved from that into the current morass of ethically (and financially) bankrupt telecommunications companies.
No, I can handle Microsoft's monopoly status. But let's start regulating them like one.
!#@%*)anks for hanging up the phone, dear.
Am I the only person who sees a conflict of interest? How can Federal courts make impartial judgements, in the best interest of the common person, while being a client of Microsoft?