In the Asia Vision Series features we dive into key industry trends and issues with our subject matter experts and visionaries the region. In this interview, Koh Buck Song, author and editor of more than twenty books and former political supervisor for Singapore broadsheet The Straits Times, speaks with Jeff Bullwinkel, associate general counsel and director of Corporate, External and Legal Affairs (CELA), Microsoft Asia Pacific & Japan. Bullwinkel is a former federal prosecutor with the US Department of Justice, as well as Microsoft’s most senior legal counsel in Asia. He shares the reasons behind his passion for law and driving policies around trust in technology.

People don’t use technology they don’t trust

As I think about my own choices around the technology I use, I think hard about how the companies behind them consider issues like privacy and security.

As digital technology becomes much more pervasive and consumers own multiple devices, trust in personal data privacy has also grown as an issue. This is not surprising when you know that people today have “more information on their smartphones than in their whole house”, noted Jeff Bullwinkel, associate general counsel and director of Corporate, External and Legal Affairs (CELA), Microsoft Asia Pacific & Japan. With the amount of data they are giving out about themselves, it is only natural for consumers to want to know that their information is properly managed, and not monetized without their knowledge or consent.

Data privacy is something deeply personal to Bullwinkel – the greater frequency of news headlines around cyber-threats is not just a professional concern, but something a parent of a teenage son and daughter who are heavy social media users would fear. Everyone is fair game in data theft, but he is quick to dismiss the notion that the young generation is more careless with data than others. “Young people are much more aware of privacy rights than we give them credit for. They care deeply about privacy, and the popularity of apps like Snapchat – built around the expectation that certain conversations are intended as both private and ephemeral – reflects that.”

In his role as Microsoft’s most senior legal counsel in Asia, Bullwinkel pushes the agenda of data privacy with a passion to rival that of the central character in “To Kill A Mockingbird” – the classic American novel by Harper Lee. The lengths to which the lawyer in the novel went to defend his client against seemingly unjust charges inspired Bullwinkel to pursue a career in the law since he was a child, and that was how he came to work as lawyer in New York City.

Some years later, he decided to pursue his longstanding interest in public service with the United States Department of Justice in the mid-90s under the Bill Clinton administration. His job then involved liaising with governments in Asia – including justice department officials in markets such as Australia, Hong Kong, Japan and Korea – mainly over cross-border collaboration opportunities to tackle international crime.

Fast forward to 2000, Bullwinkel reached a crossroads with an opportunity to take on an in-house role with Microsoft, a move he was hesitant to make at first as he had always imagined himself practising law in traditional settings such as firm or regulator rather than in a business environment. But talking to many people, including former government lawyers who had gone on to work for Microsoft, changed his mind.

At a personal level, he was drawn by the prospect of the contributions a lawyer could make as part of a bigger business team at Microsoft. “I was persuaded that it was a great place to be, precisely because people at Microsoft understand and value the role that lawyers and others who are doing government policy work can play.”  He hasn’t looked back since and, as he describes it, he “can’t imagine a better place than Microsoft for someone to pursue his interest in the law and public policy while at the same time striving ‘to empower every person and every organisation on the planet to achieve more.’”

The relevance of these issues has become more prominent as concerns about privacy heighten over incidents such as the revelations by former US government contractor Edward Snowden over government surveillance activities. Recognizing that they can no longer put off measures to ensure data privacy, governments across the globe have been steadily passing unified privacy laws, from just seven in the 1970s to more than 140 in the 2010s. For individuals, the growing threat of terrorism has also forced them to think about how much privacy they are willing to trade for a greater sense of security.

In an age in which home and work are becoming more and more intertwined, individual consumers need to make more informed decisions about services. At a personal level, there is a good way to handle the trade-off between privacy and the convenience and functionality offered by smart devices, as illustrated by Bullwinkel’s own personal approach to this question. Like many people today, he has lots of personal data at stake, contained in his many cloud-connected devices: a personal computer, a smartphone, a tablet and, on his wrist, a Microsoft Band 2.

How does he make his own personal technology choices? “For me, it’s less an issue of convenience and more a matter of the value that I would gain from a service. Do I trust the companies or the brands behind these services and products? What is their stance towards issues such as data privacy and security? At the end of the day, you have to balance all of this and think about whether it’s worth making the trade-off. For some services, these trade-offs are sometimes necessary and worthwhile in order to receive more useful information,” said Bullwinkel.

He sees a trend where people will gravitate towards quality and trust – moving towards services they are comfortable with, based upon the privacy policies of the companies that deliver those services. Today, mobile apps and messaging services are already increasingly touting encryption features as a competitive edge.

Looking to the future, Bullwinkel is convinced that protecting the free and safe flow of information will be a shared aspiration. “Everyone wants to live in a world that is secure and safe, one that respects national boundaries, but also where there are open markets and information can move freely.”

And, as more people play a bigger part in fostering an even more conducive environment of trust for the privacy of data, he is sure that much more benefit will come to everyone. “A government’s need to access information for law enforcement purposes and an individual’s or an enterprise’s interest in keeping their information private and secure are not incompatible. With justice, due process and greater transparency as the foundation, we can all move forward.”

Building trust in cloud in Asia

One of the things that our customers are focused on, is the question of data residency, data sovereignty, and the moving of data across borders.

For those working in the IT field, recent events have created an extraordinary opportunity for the industry to learn from, observes Jeff Bullwinkel, Associate General Counsel and Director of Corporate, External & Legal affairs at Microsoft Asia Pacific and Japan.

To illustrate this, Bullwinkel recalls Microsoft’s President and Chief Legal Officer, Brad Smith, commenting that a single month – January 2015 – encapsulates what an extraordinary time we live in: “Brad recounted that it was on 21 January 2015 that we unveiled Windows 10 and announced HoloLens to the world. But on the very same day, in a country in a different part of the world, it was a very different day.”

That day in January had started out like any other. However, as it unfolded, the police arrived at the home of one of our executives in Latin America. “They arrived at the door and asked that this executive appear in court. Why? Because they wanted Microsoft to produce Skype data relating to a customer in that country,“ says Bullwinkel.

However, the problem was that it would have been unlawful under U.S. law to provide the data.

Whilst that was an interesting day, it was only the beginning of more eventful incidents to come. Less than a week later, the whole world was transfixed by the horrifying events in Paris, by the attack on Charlie Hebdo and its employees there.

That sparked the largest manhunt in France in two decades, and as the sun began to rise in the US, the FBI contacted Microsoft with an emergency request. Some of the terrorists who were at large had used Microsoft email accounts.

“They served a lawful order and we reviewed it.  In precisely 45 minutes we gave the requested information to the FBI, so they could turn it over to the French authorities in Paris,” says Bullwinkel.

Closer to Asia, a similar incident had occurred in 2014, he recounted, when a lone gunman held hostage 18 staff and customers in a Sydney café during a 16-hour standoff with police. Law enforcement agencies were keen to check if the gunman had any terrorist links, based on information that might be available online. Again, Microsoft responded within a very short time. “Once we receive a lawful government request, we move quickly to verify if it is indeed legitimate cause for us to proceed,” says Bullwinkel.  And in the aftermath of the recent terrorist attacks in Paris in November 2015, we received a total of 14 requests from law enforcement authorities, and responded to those requests in an average time of under 30 minutes.

These have been just some of the events that have sparked a robust global debate on two closely related priorities that Bullwinkel says are “sometimes in tension but not incompatible.”  More specifically, he comments that “we need policy frameworks that allow governments to fulfil their vital function to protect national security while at the same time respect the privacy of personal data.”

Bullwinkel and others within Microsoft’s Corporate, External & Legal Affairs Department around the world have been working closely to push for clearer and more updated laws.

For example, in February 2016, Microsoft’s Brad Smith spoke before the US Congress to highlight the gap between today’s technology and regulations that are frequently out-of-date. To drive home the point, during the congressional hearing Smith displayed IBM’s first computer built in 1986, which featured dual floppy drives, a monochrome screen and 256KB of RAM. He placed it next to a Surface tablet – which has 355,000 times more storage memory than the floppy disk.

https://youtu.be/mA9Dzn-YvQg

“This was to highlight the stark contrast – technology has moved forward in leaps and bounds, but many regulations in the industry have stood still for the past 30 years. The law now needs to catch up,” says Bullwinkel.

For many governments, their concerns revolve around data sovereignty as well as data access and flows – who gets access to data and how they can use it, especially across borders. A potential game-changer for greater regional cooperation in this area is the Trans Pacific Partnership (TPP), an agreement signed by 12 Pacific Rim countries (accounting for 800 million people and 40 percent of global GDP) to boost economic growth by enhancing trade and innovation in areas such as e-commerce. The TPP is expected to take two years to ratify.

If data – along with people, goods and services – can move across national boundaries more easily under the TPP, this will mean more opportunities. For example, in a country like Vietnam that is becoming a knowledge-based economy, this will allow entrepreneurs to become more productive by being more connected digitally, including through the cloud.

For Bullwinkel, the TPP is “an exciting development”, because of the potential it will open up for everyone as governments establish a framework for freer data flows across countries. This is crucial because a key proposition of cloud computing is its economies of scale, and setting up data centers in every country would defeat this purpose.

Promoting the free flow of data across borders brings with it the need to contribute to the ongoing discussion about the potential tension between security and privacy interests.  For example, how can law enforcement around the world balance the need for access to data with reasonable expectations of data privacy? This is where Microsoft is working hard to set the pace, based on its belief in the intrinsic duty of a corporate citizen. “We believe as a company that we have not only the ability, but also the responsibility to support law enforcement as they carry out their important security functions,” says Bullwinkel. “But that support must be provided in accordance with law and in a manner that respects due process and privacy interests as well.”

Trust as competitive advantage

A service will not survive for long if it does not pay attention to user expectations.

Think about any piece of technology you’ve used today. It could an automated teller machine (ATM), a mobile payment service, or even an online shopping service. What all of these have in common is the user’s trust that they will work as they should and securely too.

“Data is the new currency, but as with other forms of currency it will have value only if the right protections are in place. That is why new opportunities will flow from data-driven innovation over the long term only if people can trust that their data is secure and being used in ways they understand and accept,” says Jeff Bullwinkel, associate general counsel and director of Corporate, External, Legal Affairs at Microsoft Asia Pacific and Japan.

Trust in the cloud will be a crucial factor for what Microsoft calls “Industry 4.0”, an era in which digital transformation is driven much more by ubiquitous computing powered by cloud technology.

“In my role as a legal counsel, I speak to many customers and find that more businesses are recognizing that ensuring security of their data is crucial to continue attracting and retaining customers,” says Bullwinkel. “A top priority for us is to put our customers’ minds at ease in adopting cloud technology, and in how they can trust us to offer them a more secure environment than they could ever create at home or in the workplace.”

In the current landscape, trust has become a critical competitive advantage for technology providers. This is where certifications and standards have become increasingly important in helping customers decide whom to trust.

Bullwinkel highlights how Microsoft was the first major cloud provider to adopt ISO/IEC 27018. This standard was developed by the International Organization for Standardization (ISO) to establish a uniform, international approach to protecting privacy for personal data stored in the cloud.

Over the last several years, questions regarding the privacy of personal data have often come up in the context of government access, and that’s addressed by ISO 27018, Bullwinkel notes:  “When enforcement officials make a lawful request for customer data from Microsoft, we are committed to transparency and limit what we disclose. Because it is clear to us that our customers own, and therefore should control, their own data, we will not disclose data hosted in our cloud services to enforcement officials unless we receive a lawful governmental order,” he adds.

In line with Microsoft’s commitment to transparency, the company launched the Microsoft Transparency Hub, which publishes regular reports about requests for customer data made by law enforcement agencies.  Bullwinkel notes that the company’s approach to government access to data is entirely in line with the global standard in ISO 27018.

More generally with regard to standards, he adds:  “Cloud is increasingly seen as an enabler of an organization’s journey to digital transformation. Wider industry adoption of standards will bring even more companies to the cloud eventually, as these standards will affirm new levels of clarity, transparency and consistency,” he notes.

To drive the message of Microsoft’s cloud security across, Bullwinkel and his team in Asia have set their sights on demonstrating the advantages of the cloud in a sector which is typically seen as being heavily regulated: financial services, which includes banks and insurance companies. “We thought that if we could help our customers in that specific sector to embrace the cloud, then most of our customers in other sectors would feel comfortable doing so too, because regulation in this industry is quite strict.”

So far these efforts have been fruitful, as Bullwinkel notes that many banks and insurers across Asia – including in Australia, Hong Kong, Japan, the Philippines, Singapore and Thailand – have now embraced the cloud.

The work by Bullwinkel’s team has also been helped by the fact that many companies are now more aware of Microsoft’s longstanding efforts in enhancing security. This includes the company’s yearly investment of US$1 billion to enhance cybersecurity in myriad ways, ranging from the development and deployment of best-in-breed software and services to the creation of the highly secure infrastructure that makes up the company’s 100 data centers across some 40 countries.

As for offensive capabilities, Microsoft’s Digital Crimes Unit (DCU) has been taking the fight against cybercriminals seriously. It has established five Cybersecurity Centers in Asia (China, India, Japan, Korea, and Singapore), which serve as an extension of the company’s Cybercrime Center headquarters in Redmond, Washington, USA. The DCU is made up of a team of international legal and internet security experts employing the latest tools and technologies.

“A service will not survive for long if it has not been very attentive to the expectations of its users,” points out Bullwinkel. “Technology providers need to understand that trust has become a competitive edge and work towards being a trusted enabler of digital transformation.”

Jeff Bullwinkel
Associate General Counsel and Director of Corporate, External & Legal Affairs,
Microsoft Asia Pacific & Japan

Jeff Bullwinkel is based in Singapore and oversees Microsoft’s legal and corporate affairs teams across the region. This includes supporting commercial transactions and providing regulatory counsel to business groups on public policy issues such as intellectual property rights, privacy, Internet security and safety, competition, and international trade. Bullwinkel joined Microsoft in 2000 and was initially based in Hong Kong, where he managed the company’s public policy activities in the Asia Pacific region.

Koh Buck Song

Koh Buck Song is an author who has written and edited over twenty books, and a consultant in branding, communications strategy and corporate social responsibility in Singapore. He drove the positioning of Singapore as a “global entrepolis” as former Head of Marketing, Corporate Communications and Strategic Planning at the Economic Development Board from 1999 to 2005. Buck Song was also a former a political supervisor for The Straits Times. He graduated from the University of Cambridge and the University of London in the United Kingdom, and from the John F. Kennedy School of Government at Harvard University in the US, where he was a Mason Fellow and earned a master’s degree in public administration.