The US government has forced Microsoft to implement stronger security in its Passport identity system for .Net Web services.
The Federal Trade Commission (FTC) has ruled that Microsoft misrepresented the security of Passport, and has asked it to strengthen it.
The company will have to undergo a compliance audit by a qualified third party every other year to ensure that the security and privacy of Passport are maintained. It's a blow for the company, as Passport is a key element of its .Net strategy.
The FTC said Microsoft misrepresented the security and privacy provided by parental controls in the version of Passport aimed at children, called Kids Passport. The controls didn't allow parents to limit the personal information used or collected about their children, says the FTC.
The agreement stipulates that Microsoft is prohibited from making any such misrepresentations in the future about the privacy and security controls related to Passport.
Microsoft has agreed to implement a comprehensive information security program for Passport products, which include Passport, Passport Wallet and Kids Passport.
No security breaches were uncovered by the investigation, which began last year following complaints from privacy groups.
Though no fines were imposed, Microsoft would be subject to fines of $11,000 per violation, per day if it is found to violate the agreement.
“Privacy and security promises must be kept,” said FTC Chairman Timothy Muris. “It's good business, it's the law, and we'll take action against companies that do not keep their promises.”
The company also apparently collected more user information than it said it was collecting, including a history log of Passport sites and the times they were visited by users.
Asked why Microsoft didn't simply disclose all the uses for the information it collected from the outset, Microsoft general counsel Brad Smith said the company “just made a mistake”. “If we were perfect, we would never have made any mistakes,” he said. “In hindsight, we've all learned a lot in the last few years. Security is an ongoing process. Everything about this is an ongoing process.”