An article from CNet points out that Microsoft is operating under a Consent Decree with the Federal Trade Commission regarding the service.

In part, the consent decree states that Microsoft shall not "misrepresent in any manner... the extent to which Microsoft Passport will maintain, protect, or enhance the privacy, confidentiality or security of any personally identifiable information collected from or about their customers."

Some advocates claim that the introduction of the flawed reset service (last fall) is negligent in respect to this clause. Others are not as convinced, claiming that it may just have been stupid, but painful error.