ettling charges brought by the Federal Trade Commission, Microsoft acknowledged yesterday that it had not properly protected the privacy and security of people who provided personal information through the company's online identification services.
The company agreed to shore up the security of its system, known as Passport, as well as to be more truthful with users about what it does with their personal data, and to obtain an outside audit of its practices every two years.
Passport allows a computer user to enter personal information once, storing it on Microsoft's servers with a user name and password, and then employ the same user name to sign on to numerous participating Web sites and even to shop.
The F.T.C. detected no actual security breaches, and it said Microsoft had not shared consumer data improperly with other companies. Rather, the chairman, Timothy J. Muris, said, the company was not meeting the levels of privacy protection and security that it had promised users of Passport. "Good security is fundamental to protecting consumer privacy," Mr. Muris said at a news conference in Washington. "It's good business, it's the law, and we'll take action against companies that don't keep their promises."
Microsoft agreed to be monitored for 20 years, and Mr. Muris said the commission would be able to impose substantial civil penalties if the company failed to meet the conditions laid out in the consent order.
Marc Rotenberg, executive director of the Electronic Privacy Information Center, a high-technology policy and advocacy group in Washington, said, "This is a groundbreaking decision concerning the F.T.C.'s future role in protecting online privacy."
The center spearheaded a coalition of groups that filed a complaint in July 2001 contending that Microsoft's privacy practices, and especially the new Windows XP operating system and services like Passport, "are designed to obtain personal information from consumers in the United States unfairly and deceptively." Mr. Muris cited that complaint yesterday as the spark for the F.T.C. investigation of Microsoft.
The commission focused on four problems with Passport. Microsoft, it said, lied about the effectiveness of its measures to protect users' personal information — including credit card numbers collected for the Passport Wallet service, which is used for online shopping.
The commission said Microsoft had falsely asserted that purchases made with Passport Wallet were "safer or more secure" than purchases made at the same site without Passport; in fact, the same level of security generally existed.
The company also did not tell the truth when it said that it did not collect any personally identifiable information beyond that described in its privacy policy, the commission said. In fact, Microsoft's technical support staff would routinely tie personally identifiable information to the user's sign-in history, and hold on to that data for months.
Finally, the special version of Passport for young people, Kids Passport, was falsely described as giving parents control over the information that Web sites collected on their children, when there were no special privacy-protection features in the service, the F.T.C. said.
Representatives of Microsoft said that the settlement would make their services stronger. Under the conditions set by the commission, the company will have a "federally reviewed and independently verified service" that should give users "more confidence than ever" when dealing with Microsoft, said Brad Smith, the company's senior vice president and general counsel.
"We believe we are on a path to meet, and we will work to exceed, the high bar that the F.T.C. has established" for protecting privacy and security, he said.
Alluding to Microsoft's long and bitter struggle against antitrust regulators, Mr. Smith said that its cooperation with the Federal Trade Commission in this case represented "a more constructive public dialogue with government."
Jeffrey D. Neuberger, a lawyer in New York City who specializes in privacy and technology issues, said that even though customers would see no change in the company's services, "there will be a difference in the way their information is treated." But he added the settlement would have implications far beyond Microsoft's business practices. "Where this case is significant," Mr. Neuberger said, "is what it says to other companies in the industry: `If you say something in your privacy policies you'd better live up to it.' "
Microsoft has given Passport a strong marketing push. Initial versions of its Windows XP operating system repeatedly urged new users to enroll in Passport, and anyone who received a free e-mail account through Microsoft's Hotmail was automatically signed up. The company said yesterday that new versions of XP would not include the hard sell for Passport, which had been criticized by privacy advocates and by companies hoping to promote competing systems for managing identity on the World Wide Web.
