In the letter, the consumer privacy group said it chose to go to the states because of its frustration with the lack of action by the Federal Trade Commission (FTC). "We have repeatedly urged the FTC to investigate this matter in two separate filings, but the commission has failed to act," said the letter, which was signed by Marc Rotenberg, EPIC's executive director, Chris Hoofnagle, legislative counsel and Nathan Mitchler, law clerk.
Hoofnagle said the first time the FTC pursued a company for negligent privacy violations was this month. In contrast, the states have a long history of investigating and prosecuting privacy violations, he said.
Among EPIC's objections to Passport are:
- It can be used to profile users' browsing and shopping behaviour
- Microsoft has said it wants all Internet users to hold a Passport account
- Passport's security flaws could expose subscribers' personal information, including credit card numbers
By tying Passport to other services, such as Hotmail and online customer support, Microsoft has already acquired more than 200 million Passport accounts.
In the past Microsoft has denied claims by EPIC and other groups that Passport engages in deceptive business practices and unfairly gathers personal information. In addition, Microsoft has said these groups, and specifically EPIC, are playing to the media rather than working with the company to resolve problems.
However, Hoofnagle said Microsoft has begun to push Passport on a variety of different fronts to gain subscribers. For instance, he said, some functions of Microsoft Money applications are only available now to Passport subscribers. An increasing number of Web sites that have partnerships with Microsoft have also stipulated Passport registration, thus removing consumer choice, he said.
Hoofnagle also said that because it has been shown that Passport has some security flaws, Microsoft's claim that all information is private and secure is a deceptive business practice and the company should stop making such claims.
While EPIC doesn't expect an immediate response to its letters, Hoofnagle said it was the best strategy the group could pursue. The states have much tougher privacy legislation, he said, pointing to a California law that bans unconstitutional seizures of private information by both governments and businesses as an example.
He also said that the state officials may be more willing to act because being seen as a protector of consumer rights is always a benefit at election time and most of the states' attorneys general are elected.