Hotmail security audit to be kept private

By Courtney Macavinta, CNET News.com, CNET.com
Thursday, September 16, 1999 07:30 PM
A security audit of Microsoft's free email provider, Hotmail, will be kept confidential, prompting a consumer advocacy group to cry foul.

As first reported by CNET News.com, the outside audit of Hotmail comes after the service was pulled offline late last month, when it was discovered that any account could be accessed without a password as long as a user's name--commonly found in a Hotmail email address--was known. Microsoft patched that problem the same day, but since then another bug has been uncovered, one that makes it possible to generate false passwords to crack open Hotmail accounts. The company is now investigating the latter problem.

Microsoft and the Web privacy program Truste have touted the voluntary audit as testimony to the success of industry efforts to improve Net privacy. Still, the scope and outcome of the audit will not be revealed, raising questions among consumer groups.

"We are moving ahead with the third-party review of the Hotmail incident, and are working closely with Truste on this process, but can't comment on any specifics of the review," Microsoft spokeswoman Carol Sacks said today.

The online industry and the Clinton administration have endorsed so-called privacy seal programs as an effective way to safeguard Net users' anonymity without government regulation. But as more Net users provide valuable personal information in exchange for goods and customized Web content, privacy advocates say that better laws are needed to shield privacy because industry guidelines don't come with strong enough enforcement.

Learning of the audit's nature, Jason Catlett, founder of Junkbusters, a clearinghouse for privacy-protection measures, fired off a letter to Microsoft and the Federal Trade Commission calling for the report to be made public. Otherwise, he says, Hotmail's 40 million registered users will have no assurance that their email accounts are safeguarded.

"If the audit isn't made public, then Truste should be called 'Trust Me' because the consumer has no independent confirmation that their personal data stored by Hotmail is safe," Catlett said today. "If they are going to hide the audit report, it defeats the whole purpose."

Responding to Catlett via email, Microsoft's chief operating officer, Bob Herbold, said that the company is prohibited by the American Institute of Certified Public Accountants (AICPA), which governs major auditing firms, from revealing the detailed report.

"The results of the report are restricted to the parties who have mutually agreed to the review procedures, Truste and Microsoft, due to AICPA rules governing the review," Herbold stated in the email, which was provided to CNET.

"Also, in keeping with AICPA guidelines, we cannot publish or reveal the contents of the engagement agreement or procedures for the review. I trust that you understand that the integrity of the review is of utmost importance to both Microsoft and Truste," the email said.

The Truste seal usually applies to the use of personal information collected from surfers, but licensees also have to ensure that they will "help protect the security" of the information they store. When Truste receives a complaint, as it did with Hotmail, it pledges to investigate the matter, which could result in an onsite compliance review by a certified public accounting firm, the revocation of the site's trustmark license, or a complaint to the FTC, depending on the violation.

Still, Truste's guidelines don't state whether the details of the investigation will be published, although it has published the conclusions of past investigations. And the Hotmail audit was only suggested by Truste--not ordered--so it is not overseeing the review.

"The big difference to keep in mind here is that we never got to the stage where we mandated Microsoft to do the audit. If that had been the case, then we might be in a different situation. We hope it can be made public," said Truste spokesman David Steer.

"People should trust the review because a Big Six firm has been called in," he added. "This is about getting a company to validate a fix that was put in place at Hotmail."

But Catlett and other advocates argue that privacy seal programs are only as good as consumers' faith in them. That is why Catlett is calling on Truste to take formal action and "compel" Microsoft to make changes to its system, and for full disclosure of the audit.

"Microsoft must inform Hotmail users accurately of the extent of its vulnerabilities, and stop representing the service as safe," Catlett stated in his letter.

"The name of the firm and the partner responsible should be immediately announced to the public," he added. "The instructions should require the auditing firm to publish its opinion on the Web no later than a week after its delivery to Hotmail."

Despite the criticism, Truste maintains that consumers will benefit from the audit.

"The process going on is a very good thing," Steer said. "It's important to Truste to make sure the process works."
