Microsoft Corp. has agreed to make changes to its Kids Passport service, an online system that seeks to obtain parental consent before allowing web sites to collect and disclose the names, addresses, and online identities of children. The software giant’s decision came after one watchdog agency’s report claimed the company misrepresented itself to parents. eSchool News first broke the story in August 2001.

The Children’s Advertising Review Unit (CARU), a division of the Better Business Bureau that monitors certain web sites for compliance under its own regulatory guidelines and those imposed by the Children’s Online Privacy Protection Act (COPPA), said Microsoft should make the changes to better inform parents about the consequences and limitations of using Kids Passport, which CARU claims was not designed specifically for children.

Kids Passport, an extension of Microsoft’s .NET (“dot-net”) Passport program, is a vehicle for children under 13 to obtain parental consent easily before registering on more than 300 participating web sites, some of which independently collect and disclose personally identifiable information—including eMail addresses, first and last names, mailing addresses, and birth dates.

The software giant said it developed .NET Passport as a medium for participating sites to exchange personal information, thus allowing visitors to create single user profiles, which would let them log on to any number of sites without having to constantly repeat the registration process.

By extension, Kids Passport allows parents to give their consent just once, and this consent would enable children to log on to all participating sites. Microsoft promotes the service as a way for parents and children’s web site operators to ease the administrative burden of complying with COPPA, which requires parents to give their consent before a web site can collect personally identifiable information from their children.

But according to CARU, Microsoft’s Kids Passport service also gave parents the false impression that it would better protect kids’ privacy online.

“After extensively reviewing the Kids Passport service, CARU found that certain information presented by Microsoft about what the service would do for children and how parents could control their children’s online activities through the use of the service was inadequate and confusing,” CARU’s report said.

For instance, the organization’s critique said Kids Passport was misleading because its advertising content implied that kids who participated in the program would be granted access only to those sites designed specifically with children in mind. CARU, however, said that was not the case.

At the time of its inquiry, CARU found that “none of the 12 sites that were then Kids Passport-participating sites and services was designed specifically for children.” According to the report, all of the sites—which the company touted as child-oriented—in fact were general-interest sites. These sites included mainly names from the Microsoft family of online services, including MSN Calendar, MSN Chat, and the company’s free Hotmail eMail service.

Offering children access to such widely used services made it impossible for Microsoft to ensure that children were not revealing the types of personally identifiable information that its Kids Passport had vowed to protect, thus allowing people—possibly predators—to initiate online or offline contact with children. This possibility was not accurately disclosed to parents, CARU said.

Also, the organization complained that the privacy statements of several participating sites, which COPPA requires, either did not exist or were difficult to understand. “Microsoft does not endorse or even review the privacy policies of each [participating site],” CARU said. “Neither does Microsoft ensure that the individual [sites] conform to [its own] posted privacy policies.”

A major problem with the inconsistent privacy policies of participating sites is that parents never truly know how much information their children will be asked to divulge. CARU said Microsoft was unclear about the differences that exist between a Kids Passport profile and a standard .NET Passport profile. Also, the amount of information gathered depends on which participating site the child chooses to register from, CARU said.

In response to CARU’s report, Microsoft has agreed to several major revisions.

First, Microsoft no longer will claim that its product helps protect or control online privacy. The company also has agreed to clear up language concerning the types of sites that are available through the program. Microsoft will no longer tout participating sites as specifically child-oriented and will include some mention of general-interest content.

Microsoft also said it will provide two separate privacy policies, one for its .NET Passport service and one for Kids Passport. The latter will explain that Microsoft does not monitor the privacy policies of participating sites, but merely provides a single location where parents can turn to grant or deny consent for participating sites that collect sensitive personal information from children.

What’s more, all participating MSN sites will explain how children’s personally identifiable information will be collected and distributed by way of a separate statement for parents, according to the agreement. Microsoft said it will revise its online screens so that parents who wish to grant consent will be better informed of the consequences that exist with the disclosure of personal information. The company also will revise its help screens so parents will be able to navigate the site and obtain a passport for their children more easily.

Furthermore, Microsoft said it will warn parents that children have the power to edit their online profiles to include more detailed information, such as their name and address. Also, the company will make clear that children can obtain .NET Passports without parental consent whenever they encounter a participating site that does not require users to specify their age. Sites that do require age verification will disallow children who identify themselves as under 13 from using profile-sharing preferences.

Concerns over Microsoft’s Kids Passport first materialized last August, when eSchool News reported that 12 organizations—including the Center for Media Education—had filed separate complaints with the Federal Trade Commission alleging the service violated COPPA.

Detractors claimed Microsoft’s service did not comply with the law because it did not offer a universal privacy policy for all participating sites, but required parents to review the policies of each site individually. Also, they said, Microsoft did not draw enough attention to its own privacy policy so parents and kids could understand what they were signing up for and how personal information was to be distributed.

While the FTC has made little progress of its own regarding the complaints, CARU—one of three independent Safe Harbors commissioned by the agency to help ensure that online organizations are in compliance with COPPA—has had more success.

“CARU is a self-regulatory agency working within the framework of a very clear law,” said Kathryn Montgomery, president of the Center for Media Education. “It is critical to have a law on the books that sets up very clear requirements.”

Throughout the controversy, Microsoft has stood by its policies and the dissemination of its privacy information. But the company said it understands CARU’s concerns regarding the need for clearer language.

“We believe our policies accurately state the information parents need to make informed decisions,” a Microsoft spokesman said. “[But] in our discussions with CARU it became clear that there could be some misunderstanding around the language, and we are happy to make changes in cooperation with CARU to ensure that we are being clear and concise.”

The changes are expected to be fully implemented by September.

