To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://management.silicon.com/government/0,39024677,10002697,00.htm

Microsoft Passport compromise after EU scrutiny
With global consequences

By Matt Loney

Published: Friday 31 January 2003

Microsoft has reached an agreement with the European Union to implement a package of changes in its .Net Passport online authentication service, to prevent the service from running afoul of EU data protection laws.

Although the changes came about as a result of a yearlong dialogue between the company and the European Union, they will be implemented globally, said Matt Lambert, director of government affairs for Microsoft EMEA.

The main changes should give Passport users more control over how their personal data is shared with partner sites such as auction company eBay and music service Pressplay.

"At the moment, when people sign up for Passport they are given a number of options about what personal information they want to be shared with partner sites - the bare minimum is an email address and password," said Lambert.

Under the agreed changes, he said, Passport users would get "increased options about level of information they want to be shared with partnering sites".

In the sign-up form, Microsoft will also provide guidance to help users create secure passwords and add a link to European Commission's website on data protection.

"They have information there about laws outside the EU, so you will be able to make an informed judgement about what information you're happy [to be shared with sites in different countries]," said Lambert.

Jonathan Todd, a spokesman for the European Union's executive body, said the changes made it unlikely Passport will break EU data protection rules. "There would not seem to be any reason to take any form of sanctions against the company,'' he said at a news conference.

"My understanding is that the member states' authorities are now all satisfied that the system will be adapted to the requirements of EU data protection legislation as reflected in their own national legislations,'' Todd said.

But a working group of EU data regulators said it will continue to monitor both the Passport system and the Liberty Alliance Project, a rival authentication system backed by Sun Microsystems.

Speaking to silicon.com sister site ZDNet UK, Lambert said Microsoft is concerned about protecting customer data. "That information is held by Microsoft but not used for any purpose other than authentication," he said. "We have gone along the road of having a very high level of protection of data with Passport. We have tried to be ahead of the legal requirement."

However, the EU still has unresolved questions about privacy protections in Microsoft software.

"In particular, two issues need further consideration," said EU spokesman Todd. These are, he said, the "current electronic advertisement communication within Hotmail" and the use of identifiers both in the .Net Passport system and by the Liberty Alliance Project.

Reuters contributed to this report.