Below you will find the final disposition of the Complaint filed against Windows Live (Microsoft). I am accepting the complaint as closed and will not be taking further action as I accept TRUSTe’s position that the representations made by Microsoft are legally binding representations and therefore are properly taken as truthful.
We note the following:
First, it is important to recognize that neither the reporter, Glenn Caleval, nor the Secure Surfing Organization is “anti-Microsoft” and that this complaint process has not been conducted out of some wish to embarrass or victimize the company. If you wish to know what we really think about Microsoft, read the article.
1. The time limits represented to TRUSTe of 30 days, 60 days and one year appear nowhere in the privacy policies of Windows Live, Windows Live ID or any other Microsoft privacy policy that we could discover.
2. The limitation on the Windows Live ID of one full year of inactivity is mixed with a frankly weasel condition “eventually is made available.” Understand that the only way that Microsoft can not make a user id available is if they keep it in their records. This means that if you use your real name to register, Microsoft could be holding on to your name in its files literally decades after you stopped using it. This is in our view a form of identity theft. The only way to avoid it is to NEVER use your real name or any name that can reasonably be connected to you, when you register with any of Microsoft's free services.
3. References to “closing” accounts are not legally equivalent to “deleting” all account information. Note that for Hotmail accounts the response indicates “all content is deleted.” It then states that all “connection logs” will be deleted. It does not state that all information related to the account or about the account holder is deleted. This means that Microsoft could delete all Hotmail emails belonging to the closed account but retain the records of the user account itself. Note that in the statement regarding Windows Live accounts it does not even commit to deleting the content.
4. TRUSTe is satisfied that a commitment to “close” accounts rather than deleting all user account information meets TRUSTe’s privacy standards. And an exemplar of lack of transparency, namely failure to publish the time limits in the publicly available privacy policies, also is consistent with TRUSTe’s standards. Together these findings by TRUSTe suggest that TRUSTe does not have standards for the protection of user privacy that measure up to recognized privacy principles. It seems we have learned more about TRUSTe than we have about Windows Live and Microsoft.
We further claim that where a statement is legally vague, such as in “eventually” or “close account,” that the vagueness is intentional. Taking care to specify “connection logs,” while not addressing actual user account information demonstrates care in crafting the words. In this case that care results in it being fully compliant to retain all user account data such as name, address or anything else provided as part of the account, so long as the emails and logs are deleted. It certainly appears to be an intentional loophole. Where it is unintentional, a fully ethical organization will re-frame the language to eliminate uncertainty.
We will further contact Microsoft directly to determine if the company is willing to adjust its privacy policies to address these weaknesses, as it is sure that further work through TRUSTe is futile. They, TRUSTe, are apparently earning their living by watching out for privacy standards. Yet they cannot take the time or have the requisite intellectual skills to examine the language of the responses they receive in any way that actually demonstrates they are doing that work. Instead it is left to citizens on the web to parse the responses for weaknesses in privacy standards.
TRUSTe, it appears, is heavy on the “e” and light on the trust. Therefore, in the coming days we will directly write to Microsoft for clarification on these important issues, accepting the fact that TRUSTe has left open only a bureaucratic path of appeal when the first questions have not even been canvassed.
In the meantime, here is the conclusion to this complaint process:
==============================
Thank you for the recent Watchdog you submitted against www.live.com. The Web site has cooperated with TRUSTe and has responded to your complaint as indicated below.
TRUSTe has ascertained from our privacy escalation contact at Microsoft that they have a batch process that runs periodically and automatically removes information for inactive accounts that are older than a certain number of days.
Here are the settings in use, according to the relevant Privacy Manager at Microsoft:
“Hotmail accounts:
* 30 days without sign-in account goes into a “closed” state, and all content is deleted. The account can be re-opened after that, but the content cannot be recovered.
* 60 days without sign-in all connection logs for the Hotmail account will have been automatically deleted.
The Windows Live ID registered to the Hotmail address (formerly known as the Passport account):
* If the Windows Live ID is not used to sign into any service for one year it is automatically closed, and eventually is made available to the next user that wishes to create or register an ID to that e-mail address.”
The scheme our Microsoft contact described to TRUSTe constitutes a legally binding representation and warranty under our privacy program certification which we feel is reliable. TRUSTe is therefore satisfied that these measures meet our privacy program requirements.
Our contact expressed concern when we informed him that you indicated receiving contradictory information from another Microsoft staff member who said that accounts are never removed. Our contact requested any documentation you can provide (such as the e-mail exchange, phone # called and contact name etc.) so they can determine what additional training is warranted. We would appreciate your help. If forwarding this information, please write back to this e-mail address with the subject line intact.
Additionally, our Microsoft escalations contact stated that the new owner is indeed using the account as a Passport account for logging into other services, even if they have not enabled the e-mail portion of their account. Therefore, although we understand your concern regarding receiving User Unknown errors writing to that e-mail address, it is not indicative of whether or not that userID has since started being used by someone else.
We believe this resolves your complaint and are therefore closing this Watchdog. If you feel that this matter should not be closed because there is still an unresolved issue within the scope of TRUSTe’s program and you would like to appeal our decision, please email appe...@truste.com, keeping the subject line intact. To learn more about the appeals process, please visit:
http://www.truste.com/why_TRUSTe_privacy_services/online-privacy-watchdog.html




