(August 8, 2002) - The Federal Trade Commission (FTC) today announced it has reached an agreement with Microsoft Corp. related to its Passport authentication service. The agreement addresses security and privacy issues.

"We have been working to raise the bar for Internet security and privacy, and believe that the agreement with the FTC will raise it further - for both ourselves and industry," said Brian Arbogast, corporate vice president responsible for Passport at Microsoft. "The agreement reinforces Microsoft's commitment to improving security, and we will meet and work to exceed this high bar."

The agreement calls for the formalization, documentation, and independent audit of Passport's security procedures, to give the FTC as well as customers and partners the clear indication that Microsoft is meeting a high standard for online security.

"We cooperated fully with the FTC in a very thorough review, which included issues that are legally novel and technologically complex," said Brad Smith, senior vice president and general counsel at Microsoft. "Consistent with our heightened security obligations, we accept responsibility for the past and will focus on living up to this high level of responsibility in the future."

The FTC had four specific concerns over Passport. First was the concern that Microsoft had failed to implement and document procedures to prevent, detect, monitor or document unauthorized access. "We recognize that security needs have evolved, and a level that we considered reasonable when we launched the service in 1999 is no longer reasonable today," said Smith. " We have continued to advance and improve the service's security and privacy. In some cases, this has meant introducing new technologies, and in other cases it has meant creating new processes and procedures."

The FTC had asserted that Microsoft was incorrect in its statement that purchases using a Passport Wallet are safer or more secure than purchases made without a Wallet. Smith explained that the intent of the statement was to convey that sites using Passport Wallet are required to use encryption techniques that are safer than using credit cards in the clear. The language used in advertising Passport Wallet has since been changed.

The FTC also objected to the temporary log that Microsoft keeps to help customer service representatives support Passport users who have contacted Microsoft. The log and its limited use are now described in the Passport privacy statement, satisfying the FTC's concern.

Finally, the FTC complaint said that Kid's Passport claimed to provide parents with certain controls that it does not provide. "We have taken steps to make the parental controls provided by Kids Passport more "kid-proof," and we have revised the description of Kids Passport in our Web materials and privacy statement to clarify the points raised by the FTC," Smith commented.

The FTC agreement with Microsoft is in effect for the next 20 years. Microsoft plans to continue third-party audits of the Passport service indefinitely as part of its normal operations.