Update: FTC, Microsoft reach settlement on Passport probe
Computerworld -
Microsoft Corp. will have to increase security and privacy for personal information collected by its Passport single sign-on Web services and be subject to independent compliance audits for Passport every two years under a settlement announced today by the U.S. Federal Trade Commission (FTC).
In a case that began last year when privacy groups raised concerns about inadequate security in several versions of Passport, the FTC today announced that Microsoft has agreed to stop misrepresenting the security of Passport and the kinds of personal information it collects about users.
"Privacy and security promises must be kept," said FTC Chairman Timothy Muris at a news conference in Washington announcing the settlement. "It's good business, it's the law, and we'll take action against companies that do not keep their promises."
Under the settlement, Microsoft has agreed to implement a comprehensive information security program for its Passport products, which include Passport, Passport Wallet and Kids Passport. The company will also have to undergo a compliance audit by a qualified third party every other year to ensure that the security and privacy of Passport are maintained.
No security breaches were uncovered by the FTC's investigation, but the potential for problems was present in the software, Muris said.
Specifically, the FTC said Microsoft misrepresented the security and privacy provided by parental controls in the version of Passport aimed at children, called Kids Passport. The controls apparently didn't allow parents to limit the personal information used or collected about their children, according to the FTC.
The agreement stipulates that Microsoft is prohibited from making any such misrepresentations in the future about the privacy and security controls related to Passport.
"When you make security promises as Microsoft did, they were in effect saying they had reasonable and effective security measures," Muris said. "We felt those promises were deceptive."
The company also apparently collected more user information than it said it was collecting, including a history log of Passport sites and the times when they were visited by users.
Although no fines were imposed as part of the settlement, the company would be subject to fines of $11,000 per violation, per day if it is found to violate the terms of the agreement.
Normally, administrative cases such as this don't carry fines, Muris said, but in this case the potential for fines is included.
"We got the relief that we wanted here," he said. "Certainly we want the world to be aware, when companies make these promises, they must keep them. We have other investigations under
