13 August 2002
Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html
-------------------------------------------------------------------------
[Federal Register: August 13, 2002 (Volume 67, Number 156)]
[Notices]
[Page 52723-52724]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr13au02-44]
FEDERAL TRADE COMMISSION
[File No. 012 3240]
Microsoft Corporation; Analysis to Aid Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed consent agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices or unfair methods of competition. The attached Analysis to
Aid Public Comment describes both the allegations in the draft
complaint that accompanies the consent agreement and the terms of the
consent order--embodied in the consent agreement--that would settle
these allegations.
DATES: Comments must be received on or before September 9, 2002.
ADDRESSES: Comments filed in paper form should be directed to: FTC/
Office of the Secretary, Room 159-H, 600 Pennsylvania Avenue, NW.,
Washington, DC 20580. Comments filed in electronic form should be
directed to: consentagreement@ftc.gov, as prescribed below.
FOR FURTHER INFORMATION CONTACT: J. Howard Beales, III, FTC, Bureau of
Consumer Protection, 600 Pennsylvania Avenue, NW., Washington, DC
20580, (202) 326-3240.
SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal
Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f) and section 2.34 of
the Commission's Rules of Practice, 16 CFR 2.34, notice is hereby given
that the above-captioned consent agreement containing a consent order
to cease and desist, having been filed with and accepted, subject to
final approval, by the Commission, has been placed on the public record
for a period of thirty (30) days. The following Analysis to Aid Public
Comment describes the terms of the consent agreement, and the
allegations in the complaint. An electronic copy of the full text of
the consent agreement package can be obtained from the FTC Home Page
(for August 8, 2002), on the World Wide Web, at
``http://www.ftc.gov/os/2002/08/index.htm.'' A paper copy can be obtained from the FTC
Public Reference Room, Room 130-H, 600 Pennsylvania Avenue, NW.,
Washington, DC 20580, either in person or by calling (202) 326-2222.
Public comments are invited, and may be filed with the Commission
in either paper or electronic form. Comments filed in paper form should
be directed to: FTC/Office of the Secretary, Room 159-H, 600
Pennsylvania Avenue, NW., Washington, DC 20580. If a comment contains
nonpublic information, it must be filed in paper form, and the first
page of the document must be clearly labeled ``confidential.'' Comments
that do not contain any nonpublic information may instead be filed in
electronic form (in ASCII format, WordPerfect, or Microsoft Word) as
part of or as an attachment to e-mail messages directed to the
following e-mail box: consentagreement@ftc.gov. Such comments will be
considered by the Commission and will be available for inspection and
copying at its principal office in accordance with section
4.9(b)(6)(ii) of the Commission's rules of practice, 16 CFR
4.9(b)(6)(ii).
Analysis of Proposed Consent Order to Aid Public Comment
The Federal Trade Commission has accepted, subject to final
approval, an agreement containing a consent order from Microsoft
Corporation (``Microsoft'').
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission will review the comments
received, and will decide whether it should withdraw from the agreement
and take appropriate action or make final the agreement's proposed order.
Microsoft develops, manufactures, licenses, and supports a myriad
of software products, sells hardware devices, provides consulting
services, trains and certifies system developers, and offers a variety
of online services. This matter concerns allegedly false or misleading
representations made in connection with three related Microsoft
services: the Passport Single Sign-In service (``Passport''); Passport
Express Purchase (generally referred to as ``Passport Wallet''); and
Kids Passport (referred to collectively as the ``Passport services'').
Passport is an online authentication service that allows consumers to
sign in at multiple Web sites with a single username and password.
Passport Wallet and Kids Passport are add-on services that provide
online purchasing and parental consent services.
The Commission's proposed complaint alleges that Microsoft
misrepresented:
(1) that it maintained a high level of online security by employing
sufficient measures reasonable and appropriate under the circumstances
to maintain and protect the privacy and confidentiality of personal
information obtained from or about consumers in connection with the
Passport and Passport Wallet services;
(2) that purchases made at a Passport Express Purchase site with
Passport Wallet are safer or more secure than purchases made at the
same Passport Express Purchase site without using the Passport Wallet;
(3) that Passport did not collect any personally identifiable
information other than that described in its privacy policy, when, in
fact, Passport collected, and maintained for a limited period of time,
a personally identifiable record of the sites to which a Passport user
signed in, along with the dates and times of sign in, which customer
service representatives linked to a user's name in order to respond to
a user's request for service; and
(4) that the Kids Passport service provides parents with control
over the information their children could provide to participating
Passport sites and the use of that information by such sites.
The proposed consent order applies to the collection and storage of
personal information from or about consumers in connection with the
advertising, marketing, promotion, offering for sale, or sale of
Passport, Kids Passport, Passport Wallet, any substantially similar
product or service, or any multisite online authentication service. It
contains provisions designed to prevent Microsoft from engaging in
practices similar to those alleged in the complaint in the future.
Specifically, Part I of the proposed order prohibits
misrepresentations regarding Microsoft's information practices,
including:
- what personal information is collected from or about
consumers;
- the extent to which respondent's product or service will
maintain, protect or enhance the privacy, confidentiality, or security
of any personally identifiable information collected from or about
consumers;
- the steps respondent will take with respect to personal
information it has collected in the event that it changes the terms of
the privacy policy in effect at the time the information was collected;
- the extent to which the service allows parents to control
what information their children can provide to participating sites or
the use of that information by such sites; and
- any other matter regarding the collection, use, or
disclosure of personally identifiable information.
Part II of the proposed order requires Microsoft to establish and
maintain a comprehensive information security program in writing that
is reasonably designed to protect the security, confidentiality, and
integrity of personal information collected from or about consumers.
The security program must contain administrative, technical, and
physical safeguards appropriate to Microsoft's size and complexity, the
nature and scope of its activities, and the sensitivity of the personal
information collected from or about consumers. Specifically, the order
requires Microsoft to:
- designate an employee or employees to coordinate and be
accountable for the information security program;
- identify material internal and external risks to the
security, confidentiality, and integrity of customer information that
could result in the unauthorized disclosure, misuse, alteration,
destruction, or other compromise of such information, and assess the
sufficiency of any safeguards in place to control these risks. At a
minimum, this risk assessment will include consideration of risks in
each area of relevant operation, including: (1) employee training and
management; (2) information systems, including network and software
design, information processing, storage, transmission and disposal; and
(3) prevention, detection, and response to attacks, intrusions, or
other systems failures;
- design and implement reasonable safeguards to control the
risks identified through risk assessment, and regularly test or monitor
the effectiveness of the safeguards' key controls, systems, and
procedures; and
- evaluate and adjust its information security program in
light of the results of testing and monitoring, any material changes to
its operations or business arrangements, or any other circumstances
that Microsoft knows or has reason to know may have a material impact
on its information security program.
Part III of the proposed order requires that Microsoft obtain
within one year, and on a biannual basis thereafter, an assessment and
report from a qualified, objective, independent third-party
professional, using procedures and standards generally accepted in the
profession, certifying that: (1) Microsoft has in place a security
program that provides protections that meet or exceed the protections
required by Part II of this order; and (2) Microsoft's security program
is operating with sufficient effectiveness to provide reasonable
assurance that the security, confidentiality, and integrity of
consumers' personal information has been protected.
Parts IV through VII of the proposed order are reporting and
compliance provisions. Part IV requires Microsoft's retention of
materials relating to its privacy and security representations and to
its compliance with the order's information security program. Part V
requires dissemination of the order now and in the future to persons
with responsibilities relating to the subject matter of the order. Part
VI ensures notification to the FTC of changes in corporate status. Part
VII mandates compliance reports within sixty (60) days after service of
the order and at such other times as the Federal Trade Commission may
require. Part VII is a provision ``sunsetting'' the order after twenty
(20) years, with certain exceptions.
The purpose of this analysis is to facilitate public comment on the
proposed order. It is not intended to constitute an official
interpretation of the agreement and proposed order or to modify their
terms in any way.
By direction of the Commission.
C. Landis Plummer,
Acting Secretary.
[FR Doc. 02-20473 Filed 8-12-02; 8:45 am]
BILLING CODE 6750-01-M