MESSAGE
| DATE | 2001-10-23 |
| FROM | Ruben Safir
|
| SUBJECT | Subject: [hangout] FTC begged to ensure consmer rights
|
http://www.epic.org/privacy/consumer/microsoft/ftcletter10.23.01.html
October 23, 2001
Dear Chairman Muris,
On July 26, 2001, we submitted a complaint to the Federal Trade Commission
endorsed by fifteen leading consumer advocacy groups detailing the serious
privacy implications of Microsoft Windows XP and Microsoft Passport, and
alleging that the collection and use of personal information by the company
would violate Section 5 of the FTCA. On August 15, 2001, the groups
submitted a supplement to the FTC further detailing the specific ways in
which Microsoft XP and Passport would harm the consumer interests you have
been charged with protecting.
On October 25, 2001, Microsoft, the world's largest software company, will
release Windows XP. Already, the vast majority of consumers use a version
of Microsoft operating systems, and it is expected that Windows XP will be
used by millions of consumers. Despite detailing numerous privacy issues
associated with XP in the July and August filings, the FTC has taken no
public action to protect consumers and has failed to address the
allegations set forth in our complaint.
Microsoft attempted to address the privacy risks presented in Passport by
requiring Passport-affiliated sites to use the Platform for Privacy
Preferences (P3P). As we have detailed in the past, P3P is not a
privacy-enhancing technology.(FN1) Additionally, the Gartner Group
commented that including P3P on Passport-affiliated sites is a "short-term
solution that offers no real benefit to consumers."(FN2) Further, employing
P3P on affiliate sites does not address the core issue presented by
collection of consumers' information by Microsoft. Microsoft's ability to
track, profile, and monitor the 165 million Passport users has far-reaching
and profound implications for privacy protection in general and in
particular with regard to the growth of electronic commerce.
Microsoft announced plans to make Passport more open to other companies,
and falsely claimed this as an improvement in privacy. Although this change
may address other legal concerns, it does not address the major privacy and
unfairness objections in the groups complaint.
Since filing our August supplement, a series of serious security lapses has
occurred involving Passport and the platform on which the service is
maintained. The security lapses further support our claims that Microsoft's
guarantees of privacy and security are deceptive and unfair to consumers.
Further, Microsoft's failure to disclose the actual risks associated with
the collection and use of personal information in the Passport service
constitutes an unfair and deceptive trade practice. It is now clearer than
ever that the FTC must therefore take action under Section 5 to safeguard
consumer interests.
In August, a programmer was able to crack both Hotmail and Passport through
cross-site scripting twice in one month. The exploit would allow anyone to
gain access to Passport identification and credit card data with a single
line of code.(FN3) Again in August, code was posted on the Internet that
gave others the ability to read Hotmail users' e-mail.(FN4) Newsbytes
reported in August that a programmer accessed Microsoft's Corporate network
over a six-day period through a hole in Windows 2000. Microsoft, citing
company policy, refused to confirm or deny whether the network was
accessed.(FN5) Microsoft is migrating the Hotmail E-mail service from Unix
systems to Windows 2000.(FN6) In August, the Code Red Worm, a virus that
only spreads through the use of Microsoft products, infected Microsoft's
own Hotmail servers. Hotmail is now a service that requires a
Passport.(FN7) In September, the NIMDA virus, which propagated through
Microsoft's Internet Information Server (IIS), infected an estimated 1.3
million computers.(FN8) In October, an error on Microsoft's customer
support web site allowed anyone with an Internet browser to view customers'
names, purchase histories, addresses, e-mail addresses, and phone
numbers.(FN9) Most recently, an error on Microsoft's Certified Partners
page, a Passport service, made usernames and passwords available on the
Internet in plain text.(FN10) Anyone could have used this information to
gain complete access to others' Passports and Hotmail E-mail accounts.
By the end of September, security incidences with Microsoft's IIS led the
Gartner group to recommend those running the "high risk" Microsoft IIS web
server software should switch to non-Microsoft solutions.(FN11) Despite
these events, users of Microsoft XP will be nagged to sign up for Passport
in the second through sixth attempts to connect to the Internet.(FN12)
We urge the FTC to immediately take action on our July and August filings.
We once again write to ask the FTC to protect consumers from the harmful
consequences of the impending release of Windows XP. We renew our call for
the remedies included in our earlier filings, which included:
An investigation into the information collection practices of Microsoft
through Passport and associated services; Order Microsoft to revise the XP
registration procedures so that purchasers of Microsoft XP are clearly
informed that they need not register for Passport to obtain access to the
Internet; Order Microsoft to block the sharing of personal information
among Microsoft areas provided by a user under the Passport registration
procedures absent explicit consent; Order Microsoft to incorporate
techniques for anonymity and pseudo-anonymity that would allow users of
Windows XP to gain access to Microsoft web sites without disclosing their
actual identity Order Microsoft to incorporate techniques that would enable
users of Windows XP to easily integrate services provided by non-Microsoft
companies for online payment, electronic commerce, and other Internet-based
commercial activity; Provide such other relief as the Commission finds
necessary to redress injury to consumers resulting from Microsoft's
practices as described herein; and Begin an investigation to determine
whether Passport complies with the requirements of the Children's Online
Privacy Protection Act.
As Microsoft has failed to take remedial action to remedy the harm to
consumer privacy that we first identified with our original filing, we
further request that:
Microsoft be required to disgorge any personal information collected
fraudulently and deceptively through XP and Passport.
We look forward to your response to these issues.
Sincerely,
Jeff Chester Executive Director Center for Digital Democracy
Gabriela Schneider Policy Analyst Center for Media Education
Coralee Whitcomb President Computer Professionals for Social Responsibility
Ken McEldowney Executive Director Consumer Action
Frank Torres Legislative Counsel Consumers Union
Chris Hoofnagle Legislative Counsel Electronic Privacy Information Center
Lee Tien Senior Staff Attorney Electronic Frontier Foundation
Jason Catlett President Junkbusters Corp.
Andrew Schwartzman President & CEO Media Access Project
Audrie Krause Executive Director NetAction
Beth Givens Director Privacy Rights Clearinghouse
Ed Mierzwinski Consumer Program Director U.S. PIRG
Cc: Senator Ernest Hollings Senator John McCain Representative William
Tauzin Representative John Dingell
Footnotes
FN1. Electronic Privacy Information Center & Junkbusters, Pretty Poor
Privacy: An Assessment of P3P and Internet Privacy, June 2000,
http://www.epic.org/reports/prettypoorprivacy.html. FN2. Arabella
Hallawell, Commentary: Passport needs better privacy, CNET News.com, August
23, 2001, at http://news.cnet.com/news/0-1003-201-6952893-0.html. FN3.
Byron Acohido, Expert hacks Hotmail in 1 line of code, USA Today, August
30, 2001, page 1B. FN4. Vito Pilieci, Hackers post code opening access to
Hotmail content, Ottawa Citizen, August 21, 2001, page B1. FN5. Brian
McWilliams, Windows 2000 Port Invites Intruders, Newsbytes, August 26,
2001, at http://www.newsbytes.com/news/01/169408.html. FN6. Robert Lemos,
Microsoft sews up Hotmail hole, ZDNet News, August 21, 2001, at
http://www.zdnet.com/zdnn/stories/news/0,4586,5096001,00.html. FN7. Joris
Evers, Microsoft Sees Red: Worm Infects Its Own Servers, IDG News Service,
August 9, 2001, at
http://www.pcworld.com/features/article/0,aid,57584,00.asp. FN8. Robert
Lemos, Nimda still a global threat, CNET News.com, September 24, 2001, at
http://news.cnet.com/news/0-1003-200-7285499.html. FN9. Paul Festa,
Microsoft closes window to customer data, CNET News.com, October 10, 2001,
at http://news.cnet.com/news/0-1005-200-7475010.html. FN10. David Berlind,
Microsoft.com error reveals IDs, passwords, ZDNet, October 16, 2001, at
http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2818129,00.html.
FN11. John Pescatore, Commentary: Another worm, more patches, CNET
News.com, September 20, 2001, at
http://news.cnet.com/news/0-1003-201-7239473-0.html. FN12. Windows XP:
Battle over the Internet, ZDNet News, October 17, 2001, at
http://chkpt.zdnet.com/chkpt/xlink130/http://www.zdnet.com/zdnn/stories/news/0,4586,2818238,00.html.
--
Brooklyn Linux Solutions
http://www.mrbrklyn.com
http://www.brooklynonline.com
http://www.nylxs.com
http://www.nyfairuse.org
1-718-382-5752
http://www2.mrbrklyn.com/mp3/brooklyn_national_antheum.mp3 For Jim ---
____________________________
New Yorker Linux Users Scene
Fair Use -
because it's either fair use or useless....
|
|
