Here is an e-mail message Microsoft sent to all web sites that use the Passport system. The message lies about the significance of the FTC order. In particular, the email says “... we know of no instance where a Passport user's information has ever been compromised”. In fact, Passport has in the past been shown to have zero security. See the Nov. 2, 2001 Wired Magazine article, Stealing MS Passport's Wallet [wired.com]. The article says “Slemko developed a technique to steal a person's Microsoft Passport, credit card numbers-- and all...”

Very soon you will be hearing about an agreement between the United States Federal Trade Commission (FTC) and Microsoft regarding the Passport service. As a Passport participating site I wanted to contact you directly in order to provide you with information about this development.

This agreement is really about two things: making sure our statements about the service are clear and accurate, and ensuring we are meeting a very high bar with regard to online security.

We recognize that if we are going to be true to the high bar we set, we must take responsibility for the past and lead into the future. We realize some of our marketing statements in the past could have been clearer and in some cases less enthusiastic. We've already changed them and are working to complete an independent audit of our information security program which will give our customers added confidence that we are meeting this high bar.

I want to assure you that this is not an indication that the service itself is unsound. As you know, network security constantly evolves. What was reasonable in 1999 would not be reasonable by today's norms. While we believe we have always employed reasonable and appropriate security measures (in fact we know of no instance where a Passport user's information has ever been compromised), we understand the FTC's concerns and in hindsight wish we had held ourselves to an even higher bar.

We recognize the role of the government in this effort and we worked closely with the FTC to address these issues. This has been a far-reaching and thorough process and we have had an ongoing dialog with the FTC that has lasted several months and resulted in this agreement. We are committed as a company to being a leader in this field.

As a result of this experience, as odd as it seems to say this, I believe that the Passport service is better and more worthy or your trust than ever. You should know that:

We will meet and hope to exceed the high standards set by this agreement

We have planned for some time to conduct regular 3rd party audits of our service, and now we will provide the results of those audits to the FTC. These assessments will help give you and your customers the added confidence that we are living up to our commitments to run top quality services.

The allegations in the complaint are made in the past tense. We have made continuous improvements to the Passport service, and many of the FTC's concerns had already been dealt with as part of our normal service updates. I want to ensure you that we remain committed to improving and enhancing Passport.

I am sure that many of you are already thinking about what you will need to tell your customers. While I am sure that everyone's situation is unique I would encourage you to link to the information that we will be posting on Microsoft.com. This will include both a formal statement and a less formal interview with me that goes into more detail on the issues surrounding this agreement and its impact. We hope that these resources will assist you in speaking to your customers. When published, this information will be at http://www.microsoft.com/presspass/features/2002/a ug02/08-08passport.asp and will be pointed to from several Microsoft sites.

Thank you for taking the time to read this mail. I am very invested in continuing to earn your trust as both a business partner and a consumer of our service and I hope that I have been able to communicate to you how committed we are to making Passport the highlight of our Trustworthy Computing Initiative.

If you have any further questions, please do not hesitate to contact me via this email address.