3/99 – Microsoft UserId Investigation Results
Investigation Results – Analysis of Processes
Investigation Results – Product Registration
Investigation Results – Product Support
Investigation Results – Nature of Privacy Breach
Investigation Results – Privacy Statement
Investigation Results – Conclusion
Original Complaint
Investigation Results
On March 12, 1999, Jason Catlett, President of Junkbusters emailed Susan Scott asking that TRUSTe initiate an investigation of a perceived breach of the TRUSTe License Agreement by Microsoft. As with any Watchdog complaint, TRUSTe enacted its escalation process to investigate the complaint. After a thorough review of Microsoft's alleged violation of its privacy policy, TRUSTe has determined that Microsoft has not violated its TRUSTe license.
However, in TRUSTe's opinion, the investigation confirmed that the technology "bug" already acknowledged by Microsoft did transfer Hardware IDs to the Microsoft secure server regardless of whether users chose to send this information or not. While this event does not fall within the boundaries of the TRUSTe License Agreement, it did, in TRUSTe's opinion, compromise consumer trust and privacy.
Analysis of Processes
Microsoft's Windows 98 on–screen registration process has two purposes: (To download a PowerPoint presentation that illustrates this explanation, click here.)
Product Registration
First, customers are given the option of supplying contact information (name, address, etc.) that may be used by Microsoft to inform users about future products or services. During this part of the registration, the customer is given the option of selecting whether any of his or her registration information will be sent to third parties. Additionally the customer is informed that this information will be transferred to Microsoft for the purpose of product support and information about new products and services. If the customer chooses to register, Windows 98 creates a Microsoft ID number (MSID) that is placed as a "cookie" – a small text file placed on the customer's hard drive by a server that acts like an identification card and can only be read by Microsoft's server – on the customer's hard drive.
Product Support
Second, customers are given the option of providing computer system information to Microsoft. This information is intended for use by Microsoft's product support unit in order to assist the customer with support issues. The customer is able to review the system inventory and then has the option of sending this inventory to Microsoft with the rest of the product registration information. In addition, if the customer's computer possessed an Ethernet network card, a Hardware Identification Number (HWID) was generated.
When the customer clicks on the "register" button, Windows then transfers the contact information, MSID and HWID to a secure server at Microsoft. Once there, Microsoft transfers the MSID information and contact information to the database that serves Microsoft.com. The HWID information remains on the secure servers and is not transferred or utilized by Microsoft.com. Customers are notified by e–mail that they may access and modify their contact information at Microsoft.com using the Profile Center – a special site that explains to users how their volunteered information may or may not be used. Customers utilizing the Profile Center may additionally elect whether they would like to receive other mailings, services etc., from Microsoft through the Profile Center.
Nature of Privacy Breach
One privacy breach was revealed in TRUSTe's investigation: a "bug" existed that transferred the HWID to Microsoft's server, even if the consumer opted out of such transfer. This breach of privacy has since been corrected and did not at any time involve the Microsoft.com Web site. Microsoft has acknowledged this breach publicly.
Privacy Statement
The privacy statement governing Microsoft.com is posted at the site and accessible from the home page and the Profile Center. This privacy policy carries the TRUSTe trustmark.
In this case, TRUSTe's certification process covers data that is collected specifically by Microsoft.com, a TRUSTe licensed site. Upon reviewing past Microsoft.com privacy statements, TRUSTe determined that Microsoft.com had indeed disclosed that registration information would be collected and that the MSID and HWID would also be collected. In addition, the privacy statement explained the uses of this information in conformance with TRUSTe's "use" principle.
Conclusion
TRUSTe has determined that Microsoft.com was in compliance with all TRUSTe principles. Had TRUSTe determined that Microsoft.com had violated its stated practices, TRUSTe would have conducted an audit to ascertain that sufficient remedies had been put in place.
While the complaint itself does not pertain to the Web site, TRUSTe believes that is important to note that the transfer of Hardware IDs to the Microsoft secure server without customer consent did, in TRUSTe's opinion, compromise consumer trust and privacy.
Original Complaint
Dear Susan, I write to ask for information on TRUSTe's position on recent privacy incidents at Microsoft. As I'm sure you are aware from news reports, Microsoft's products and procedures have revealed personally identifiable information inappropriately and in some cases contrary to representations made by Microsoft to the consumer. The company claimed these were inadvertent errors, and has announced several measures they intend to take to fix them. A list of Junkbusters' demands appears in http://www. junkbusters.com/microsoft.html#demands. Microsoft have addressed some but not all of them.
The demand that is most relevant to TRUSTe is the need for an independent auditor to supervise the destruction of the illicitly–collected information, and to check company's information practice for other threats to privacy. Microsoft have told me early in the week they would consider this, but have yet not committed to it. Independent audit has long been a component of TRUSTe's program, so this case raises an important question: will TRUSTe require independent audit to verify compliance of a company's stated repairs to a known defect?
One of the long–standing complaints against the DMA's procedures is that as soon as a company says they will cease a questionable practice, the DMA ceases to consider complaints against them. Independent audit is an illusive protection if it is not invoked, even in a case where dangers have already been identified and effectiveness and sincerity of the company's efforts to protect privacy must be called into question.
I note that Microsoft, which is a sponsor of TRUSTe is listed in the list of licensees as Microsoft.com http://www.truste.org/users/users_lookup.html#M. Does this indicate that the company as a whole is not subject to TRUSTe's licensing terms, merely the web sites it operates?
I hope that TRUSTe will respond with statements of both its general policy and its specific intentions for this case.
Sincerely,
Jason Catlett
President
Junkbusters Corp.
