13 August 2002
Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html


[Federal Register: August 13, 2002 (Volume 67, Number 156)]
[Page 52723-52724]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]



[File No. 012 3240]

Microsoft Corporation; Analysis to Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement.


SUMMARY: The consent agreement in this matter settles alleged 
violations of federal law prohibiting unfair or deceptive acts or 
practices or unfair methods of competition. The attached Analysis to 
Aid Public Comment describes both the allegations in the draft 
complaint that accompanies the consent agreement and the terms of the 
consent order--embodied in the consent agreement--that would settle 
these allegations.

DATES: Comments must be received on or before September 9, 2002.

ADDRESSES: Comments filed in paper form should be directed to: FTC/
Office of the Secretary, Room 159-H, 600 Pennsylvania Avenue, NW., 
Washington, DC 20580. Comments filed in electronic form should be 
directed to: consentagreement@ftc.gov, as prescribed below.

Consumer Protection, 600 Pennsylvania Avenue, NW., Washington, DC 
20580, (202) 326-3240.

SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal 
Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f) and section 2.34 of 
the Commission's Rules of Practice, 16 CFR 2.34, notice is hereby given 
that the above-captioned consent agreement containing a consent order 
to cease and desist, having been filed with and accepted, subject to 
final approval, by the Commission, has been placed on the public record 
for a period of thirty (30) days. The following Analysis to Aid Public 
Comment describes the terms of the consent agreement, and the 
allegations in the complaint. An electronic copy of the full text of 
the consent agreement package can be obtained from the FTC Home Page 
(for August 8, 2002), on the World Wide Web, at ``http://www.ftc.gov/
os/2002/08/index.htm.'' A paper copy can be obtained from the FTC 
Public Reference Room, Room 130-H, 600 Pennsylvania Avenue, NW., 
Washington, DC 20580, either in person or by calling (202) 326-2222.
    Public comments are invited, and may be filed with the Commission 
in either paper or electronic form. Comments filed in paper form should 
be directed to: FTC/Office of the Secretary, Room 159-H, 600 
Pennsylvania Avenue, NW., Washington, DC 20580. If a comment contains 
nonpublic information, it must be filed in paper form, and the first 
page of the document must be clearly labeled ``confidential.'' Comments 
that do not contain any nonpublic information may instead be filed in 
electronic form (in ASCII format, WordPerfect, or Microsoft Word) as 
part of or as an attachment to e-mail messages directed to the 
following e-mail box: consentagreement@ftc.gov. Such comments will be 
considered by the Commission and will be available for inspection and 
copying at its principal office in accordance with section 
4.9(b)(6)(ii) of the Commission's rules of practice, 16 CFR 

Analysis of Proposed Consent Order to Aid Public Comment

    The Federal Trade Commission has accepted, subject to final 
approval, an agreement containing a consent order from Microsoft 
Corporation (``Microsoft'').
    The proposed consent order has been placed on the public record for 
thirty (30) days for receipt of comments by interested persons. 
Comments received during this period will become part of the public 
record. After thirty (30) days, the Commission will again review the 
agreement and the comments received, and will decide whether it should 
withdraw from the agreement and take appropriate action or make final 
the agreement's proposed order.
    Microsoft develops, manufactures, licenses, and supports a myriad 
of software products, sells hardware devices, provides consulting 
services, trains and certifies system developers, and offers a variety 
of online services. This matter concerns allegedly false or misleading 
representations made in connection with three related Microsoft 
services: the Passport Single Sign-In service (``Passport''); Passport 
Express Purchase (generally referred to as ``Passport Wallet''); and 
Kids Passport (referred to collectively as the ``Passport services''). 
Passport is an online authentication service that allows consumers to 
sign in at multiple Web sites with a single username and password. 
Passport Wallet and Kids Passport are add-on services that provide 
online purchasing and parental consent services.
    The Commission's proposed complaint alleges that Microsoft falsely 
represented:
    (1) that it maintained a high level of online security by employing 
sufficient measures reasonable and appropriate under the circumstances 
to maintain and protect the privacy and confidentiality of personal 
information obtained from or about consumers in connection with the 
Passport and Passport Wallet services;
    (2) that purchases made at a Passport Express Purchase site with 
Passport Wallet are safer or more secure than purchases made at the 
same Passport Express Purchase site without using the Passport Wallet;
    (3) that Passport did not collect any personally identifiable 
information other than that described in its privacy policy, when, in 
fact, Passport collected, and maintained for a limited period of time, 
a personally identifiable record of the sites to which a Passport user 
signed in, along with the dates and times of sign in, which customer 
service representatives linked to a user's name in order to respond to 
a user's request for service; and
    (4) that the Kids Passport service provides parents with control 
over the information their children could provide to participating 
Passport sites and the use of that information by such sites.
    The proposed consent order applies to the collection and storage of 
personal information from or about consumers in connection with the 
advertising, marketing, promotion, offering for sale, or sale of 
Passport, Kids Passport, Passport Wallet, any substantially similar 
product or service, or any multisite online authentication service. It 
contains provisions designed to prevent Microsoft from engaging in 
practices similar to those alleged in the complaint in the future.
    Specifically, Part I of the proposed order prohibits 
misrepresentations regarding Microsoft's information practices, 
including:
     • what personal information is collected from or about 
consumers;
     • the extent to which respondent's product or service will 
maintain, protect or enhance the privacy, confidentiality, or security 
of any personally identifiable information collected from or about 
consumers;
     • the steps respondent will take with respect to personal 
information it has collected in the event that it changes the terms of 
the privacy policy in effect at the time the information was collected;
     • the extent to which the service allows parents to control 
what information their children can provide to participating sites or 
the use of that information by such sites; and
     • any other matter regarding the collection, use, or 
disclosure of personally identifiable information.
    Part II of the proposed order requires Microsoft to establish and 
maintain a comprehensive information security program in writing that 
is reasonably designed to protect the security, confidentiality, and 
integrity of personal information collected from or about consumers. 
The security program must contain administrative, technical, and 
physical safeguards appropriate to Microsoft's size and complexity, the 
nature and scope of its activities, and the sensitivity of the personal 
information collected from or about consumers. Specifically, the order 
requires Microsoft to:
     • designate an employee or employees to coordinate and be 
accountable for the information security program;
     • identify material internal and external risks to the 
security, confidentiality, and integrity of customer information that 
could result in the unauthorized disclosure, misuse, alteration, 
destruction, or other compromise of such information, and assess the 
sufficiency of any safeguards in place to control these risks. At a 
minimum, this risk assessment will include consideration of risks in 
each area of relevant operation, including: (1) employee training and 
management; (2) information systems, including network and software 
design, information processing, storage, transmission and disposal; and 
(3) prevention, detection, and response to attacks, intrusions, or 
other systems failures;
     • design and implement reasonable safeguards to control the 
risks identified through risk assessment, and regularly test or monitor 
the effectiveness of the safeguards' key controls, systems, and 
procedures; and
     • evaluate and adjust its information security program in 
light of the results of testing and monitoring, any material changes to 
its operations or business arrangements, or any other circumstances 
that Microsoft knows or has reason to know may have a material impact 
on its information security program.
    Part III of the proposed order requires that Microsoft obtain 
within one year, and on a biannual basis thereafter, an assessment and 
report from a qualified, objective, independent third-party 
professional, using procedures and standards generally accepted in the 
profession, certifying that: (1) Microsoft has in place a security 
program that provides protections that meet or exceed the protections 
required by Part II of this order; and (2) Microsoft's security program 
is operating with sufficient effectiveness to provide reasonable 
assurance that the security, confidentiality, and integrity of 
consumers' personal information has been protected.
    Parts IV through VII of the proposed order are reporting and 
compliance provisions. Part IV requires Microsoft's retention of 
materials relating to its privacy and security representations and to 
its compliance with the order's information security program. Part V 
requires dissemination of the order now and in the future to persons 
with responsibilities relating to the subject matter of the order. Part 
VI ensures notification to the FTC of changes in corporate status. Part 
VII mandates compliance reports within sixty (60) days after service of 
the order and at such other times as the Federal Trade Commission may 
require. Part VII is a provision ``sunsetting'' the order after twenty 
(20) years, with certain exceptions.
    The purpose of this analysis is to facilitate public comment on the 
proposed order. It is not intended to constitute an official 
interpretation of the agreement and proposed order or to modify their 
terms in any way.

    By direction of the Commission.
C. Landis Plummer,
Acting Secretary.
[FR Doc. 02-20473 Filed 8-12-02; 8:45 am]