FTC Files and Settles Complaint Against Microsoft

August 8, 2002. The Federal Trade Commission (FTC) brought and settled an administrative complaint [6 pages in PDF] against Microsoft alleging violation of Section 5(a) of the Federal Trade Commission Act (FTCA) in connection with Microsoft's privacy and security practices. The complaint focuses on Microsoft's sign-on and online wallet services named Passport and Passport Express Purchase.

For example, the complaint alleges that Microsoft "represented, expressly or by implication, that it maintained a high level of online security by employing sufficient measures reasonable and appropriate under the circumstances to maintain and protect the privacy and confidentiality of personal information obtained from or about consumers in connection with the Passport and Passport Wallet services", whereas, in fact, Microsoft "did not maintain a high level of online security ..."

The FTC and Microsoft simultaneously entered into an Agreement Containing Consent Order [8 pages in PDF]. Microsoft admitted to no violations of federal law. Microsoft will pay no fine. However, the agreement, which has a twenty year duration, imposes numerous requirements for Microsoft's information security program.

The FTC has authority under many statutes regarding privacy. For example, Congress has recently given it authority to regulate financial privacy (under the Gramm Leach Bliley Act) and children's privacy (under the Children's Online Privacy Protection Act). However, this action is based on no specific grant of authority regarding privacy practices. It is based on the broad Section 5(a) of the FTCA.

This action demonstrates a willingness on the part of the FTC to take action against companies based on their actions related to consumer privacy, even in the absence of legislation that specifically addresses that conduct. This action alleged violation of Section 5(a) of the FTCA, which is codified at 15 U.S.C. § 45. It provides, in part, that "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful."

This action is also notable to the extent that the complaint does not allege any instance of consumer harm. For example, in another recent FTC action concerning the security of consumer personal information, involving Eli Lilly, the company actually disclosed the e-mail addresses of hundreds of consumers who used the drug Prozac. See the administrative complaint [PDF] and Agreement Containing Consent Order [PDF] in that action. In contrast, in the present action, there is no allegation that the security of any consumer personal information has been compromised.

This action is a major victory for the Electronic Privacy Information Center (EPIC), and other groups, which filed a pair of complaints with the FTC regarding Microsoft's privacy practices and its Passport service.

The EPIC and others submitted their original complaint [PDF] to the FTC on July 26, 2001, and an updated complaint [PDF] on August 15, 2001. Both complaints pertained to Microsoft's Passport and privacy, and alleged violation of Section 5 of the FTCA. See also, story titled "EPIC Complains about Microsoft Passport" in TLJ Daily E-Mail Alert No. 250, August 16, 2001, and story titled "EPIC Complains to FTC About Windows XP" in TLJ Daily E-Mail Alert No. 236, July 27, 2002.

Microsoft put a pleasant spin on the action. It stated in a release that it "reached an agreement" with the FTC, without mentioning either that a complaint had been filed, or that it had been accused of violating federal law.

At least one group was not pleased with the FTC's action. Steve DelBianco, VP of the Association for Competitive Technology (ACT), stated in a release that this is a "wakeup call for the entire industry".

He said that "This complaint and order effectively sets a new standard for making privacy and security promises to consumers. ... The bar has been raised when the FTC requires a twenty year consent order without a single actual breach of security or privacy. While we applaud the commission’s decision to hold the industry to the highest standards, we are worried about a consent order that seems disproportionate to the actual findings of the investigation."

He also asserted that the EPIC had "fabricated dozens of accusations". He concluded that "While Microsoft has both the financial and legal wherewithal to survive this kind of 'witch hunt,' a smaller e-commerce company would not be so lucky. Just the hint of a government investigation in today’s climate could be devastating to an un-established e-commerce company in the process of building a trusting relationship with its customers."

Harris Miller, President of the Information Technology Association of America (ITAA), stated in a release that "the 'net' effect of this decision is to raise the bar for all companies doing business in cyberspace."