Q&A: Knowledge is Power for Internet Privacy and Security

REDMOND, Wash., Nov. 27, 2000 — Opening an Internet connection to surf the Web or exchange email is how hundreds of millions of people keep track of the world around them. But clicking on the links in a Web page or the attachment in an email also could unlock a back door to your personal information and the contents of your computer without your knowledge or consent.

Many businesses use anti-virus software, firewalls and other technology tools to guard their computer networks against snooping or attacks. For everyday consumers and other non-technical Internet users, however, details about basic privacy and security protections can be more elusive.

Microsoft Corp. stepped into the gap this month by launching a new Web site, Safe Internet ( http://www.microsoft.com/privacy/safeinternet/ ), that answers consumers’ most common questions about protecting their information online. The site also describes many varieties of software tools for enhancing privacy and security so that potential buyers can better determine what they need before they invest. Safe Internet complements another new Microsoft Web site for parents and children called Stay Safe Online ( http://www.msn.staysafeonline.com/ ), which promotes education, adult supervision and technology as the three keys to ensuring that kids have positive experiences on the Internet.

PressPass spoke with Richard Purcell, Microsoft director of corporate privacy, and Steve Lipner, manager of the Microsoft Security Response Center, to find out more about the objectives behind the consumer privacy and security Web site.

PressPass: What is the difference between privacy and security issues on the Internet?

Lipner: The distinction between privacy issues and security issues can be tough to discern, because the two are somewhat joined at the hip. A breach in security can lead to a privacy breach, but they’re not necessarily one and the same. Also, measuring security is generally more objective than measuring privacy. Security is really an issue of how your information is protected from unauthorized or unexpected access, while privacy is more of an issue of how outside operators obtain access to your information and what they do with it.

Purcell: Privacy is more subjective, since it’s largely behavior-driven, and it is more of a continuum. Some people’s level of concern about privacy is relatively low, and other people are upset if somebody so much as knows their Internet Protocol (IP) address. Security can be thought of as whether a lock is on the door or not, while privacy is more about whether or not somebody is peeking in through the blinds, and whether you care or not.

Everyone has their own preferred level of privacy. Microsoft doesn’t want to determine on people’s behalf what those levels should be, but instead give people enough information and flexible tools to help them make their own decisions.

PressPass: Most at-home Internet users are concerned about privacy and security, yet many of them lack adequate information about how to make their Web experiences safer. What are some of the hidden risks associated with going online, and how can people guard against these risks?

Lipner: I think it’s important for people to understand that from a security perspective, being online and browsing the Internet is really quite safe. People need to take basic precautions associated with using their computers, such as having anti-virus software installed, keeping it up to date, and using strong, distinct passwords wherever they operate. If you do those things, you tend to be pretty secure.

Purcell: The privacy risk from being online has to do with people identifying you and getting information about you, including your behaviors, without your knowledge or consent. What you can do about that is use the proper security methods that Steve mentioned, as well as use security and zone settings in your Internet browser that prevent unauthorized data collection. Also, people should be aware that the way they behave while they’re online can be a big factor in privacy. For example, visiting an Internet chat room is not inherently risky, but what you choose to disclose about yourself in that chat room can open you up to some risks. And no amount of security or privacy software can protect you from that.

There’s a responsibility for consumers to exhibit an appropriate set of behaviors that are consistent with the medium, which means they need to understand the way the medium works. The same standards apply when you’re in the middle of a crowded restaurant — you need to behave in a certain fashion and remember that other diners may be able to hear your conversation. Businesses also must act appropriately to respect people’s privacy, which means fully disclosing all data collection before the moment of collection and providing consent mechanisms that are clear and easy to use. If consumers don’t understand what information is being collected, or don’t have a choice about how it will be used, they should steer clear of providing the information.

PressPass: When consumers feel safe using the Internet, what are the economic and social benefits? What are the costs to society when people
don’t
feel safe on the Web?

Lipner: The Internet and electronic commerce have revolutionized the economy and many aspects of life today. At some level, that’s all based on people’s confidence that their information will be kept secure and private. So I think the key is that technology suppliers like Microsoft and Web site operators have an obligation to take the steps that will allow customers to feel safe.

Purcell: Microsoft’s position is that there are tremendous economic and social upsides to an interconnected society. That has been demonstrated time and time again, such as with the advent of the telephone — there was an economic and social benefit from the interconnectedness that it provided.

Electronic commerce and information-based systems are creating cost efficiencies that are driving down the cost of services to consumers. That’s incredibly important, because good products are becoming cheaper for people. The tradeoff, of course, is that this is all based on information, and we have to build a secure environment that ensures that people use those services so prices can continue to be driven downward. The danger is that if people don’t trust that their information is secure and private, then they won’t use those services and we will fail to take advantage of an enormous opportunity to become more efficient.

PressPass: How will Microsoft’s new privacy and security Web site help consumers safeguard themselves against malicious and illegal activities in cyberspace?

Lipner: In terms of security, we talk about three components in the Microsoft corporate strategy. One is to treat security as an absolute priority in building our products. The second is to provide customers with the solution-oriented information they need in order to use those products in a secure fashion. The third component is to work as a member of the community to address broader issues associated with security policy, government regulations, infrastructure protection and the like. Microsoft’s new consumer security and privacy Web site fits into the second of these priority areas by providing customers with concrete information that they can put into practice and feel confident about operating on the Internet more securely. The message, from a security perspective, is that you can operate on the Internet securely if you take certain routine precautions, and the Web site outlines those basic practices. On the security side, it’s mostly about virus protection and passwords.

Purcell: Microsoft is helping people get up to speed about the technology of the Internet, which has moved faster than the ability of the consumer marketplace to digest it all. We’re trying to tilt the playing field a little bit more toward the consumer and give them the advantage of more information so they can feel more secure and confident in choosing services that are being offered. We want to help them feel that their decisions and actions are well informed.

The Web site provides a central gateway for people to find information about privacy and security that is available on the Internet. It allows people to compare different opinions and look at different products in order to balance their needs against the wide array of information that’s available out there. The site doesn’t only present a Microsoft view; it’s our attempt to make sure that people have information from many points of view. We hope that people will use that information to make better decisions about how they take advantage of all the powerful and revolutionary services being delivered so efficiently over the Internet.

PressPass: What groups of Internet users do you hope to reach with the information on the new site?

Lipner: In the business world, companies typically have people on staff who are involved with setting up privacy and security measures to safeguard the company’s systems. So this Web site is geared toward everyday people who don’t have an IT department looking after their information.

Purcell: We want to make sure that those people who are intimidated or confused by various issues around privacy and security have access to as much information as they need to help them make decisions and take part in the information service economy. For the most part, the site is geared toward non-technical Internet users in order to help empower them to use the Internet confidently. Whether you’re a parent, a teacher, a business worker, someone who is new to the Internet or someone who uses the Internet but doesn’t have a lot of technical knowledge — you’ll find something useful in here for real-world use of Internet services. We want to provide everyone with the basic tools to control their own information, not try to tell consumers what is best for them.

PressPass: How much responsibility for safeguarding the Internet rests with the technology industry, and in what ways do you think software providers can have the greatest impact on Web privacy and security?

Lipner: It’s a three-legged stool. First, industry in general — not just the technology industry — has a responsibility to respect consumers’ concerns about privacy and security. Companies also have a huge economic incentive to engender trust among consumers; without that, they’re never going to succeed in establishing a viable presence on the Internet and persuading people to do business with them. Second, the technology industry, and specifically software, can go a long way toward devising both privacy- and security-enabling technologies that help address people’s concerns. There is a built-in economic incentive for companies to deliver those tools. The third leg of the stool is that consumers have a responsibility to learn about the nature of the medium in which they’re participating and to take precautions to ensure they’re safe on the Internet.

Microsoft is doing its part by acting responsibly as a company with respect to consumer needs for security and privacy. Also, we are providing tools that enable consumers to safeguard their information on the Web. With respect to this new Web site, it’s a manifestation of our commitment to educate consumers so that they can confidently make informed decisions. We want consumers to feel comfortable on the Web, and we want the use of it to expand. It’s a good thing economically, not only for Microsoft’s business, but also for society at large and as a driver of the global economy.

PressPass: It seems clear that there are limits to how much privacy is possible on such a universal communications medium as the Internet. What dangers are likely to always be part of using the Web?

Purcell: You give up privacy in many ways every day. Think about your bank account: You’re allowing the bank to know how much money you’re receiving, how much money you’re paying out and whom you’re paying. You sacrifice some of your privacy in order to get the kinds of convenient services the bank offers to help you manage your money, move money around more easily and keep your money secure. The issue, really, is about data protection as opposed to true privacy. Do you trust that your bank will limit that loss of privacy to the bank and the people who work there, or will it further erode your privacy by not protecting that data properly and sharing it with other people? So certainly there are limits to how much privacy is possible. You can’t conduct business and have relationships, whether personal or in business, without a certain loss of privacy. The question is, will those people with whom you share your information provide an adequate and reasonable level of protection of that information.

Lipner: From a security perspective, our main goals are really to ensure that people have confidence in their use of the Internet and that they have the information to justify that confidence. The technology is secure enough for most people’s information, provided they exercise reasonable precautions. What we want to do is give them the information to help them exercise those precautions.

Sending a credit card number to a Web site that uses the Secure Sockets Layer (SSL) protocol for transmission is considerably more secure than handing a credit card to a server at a restaurant, which is something that most people have absolutely no concerns about. But in the restaurant, you’ve just given your credit card to a stranger. A credit card transaction on a Web site also is considerably more secure than giving your credit card number to a telemarketer on the other end of the phone.

PressPass: The Web has grown so vast and pervasive over the past decade, yet the underlying technology that powers the Internet is a mystery to most people. How has that sense of mystery contributed to people’s concerns about privacy and security?

Lipner: The technology behind the Internet is very complex, and so a lot of people may tend to see it as sort of like magic. Because people don’t understand all of how it works, and because it’s so new, I think it’s probably a little frightening. But as people get more and more accustomed to using the Internet, their confidence will grow.

Purcell: When I was really young, my grandfather would talk on the phone in a fairly normal voice for local calls, but he would start shouting for long-distance calls because the person on the other end was that much farther away. We’re kind of in that same era with Internet technology, in terms of people not really knowing just how it works and trying to figure out how best to work with it. That’s why Microsoft is taking the initiative with this new Web site to educate people so that their confidence can grow.

PressPass: What would you tell consumers who are reluctant to invest a lot of money in security and privacy technology tools? How is Microsoft working to bring Internet security and privacy within everyone’s reach?

Lipner: A computer is just like any other appliance or major piece of equipment that you buy, such as a car — there’s a certain amount of maintenance required. For most users, the main security tool they need is anti-virus software. Once they’ve installed the software, they also need to keep it up to date. It’s like getting a flu shot every year so that you’re protected from all the new strains that keep coming out. If consumers are connected to the Internet through a digital subscriber line (DSL) or cable modem, they should spend the extra money to invest in some sort of personal firewall.

PressPass: What are Microsoft’s top priorities for improving the security and privacy features in its products in the coming year?

Purcell: Our commitment is to provide people with the appropriate and reasonable amount of information they need to make good decisions about how they use the Internet, to control their information and to secure their computing resources. Microsoft is doing all it can to build privacy- and security-enabling technologies into our software platforms and applications, so that simply using our products ensures you better information about privacy and a higher degree of control over your data. Also, Microsoft is investing in industry-wide privacy standards that will allow consumers to establish their own privacy preferences. These standards will enable consumers to decide what level of privacy is appropriate for them.

Lipner: We are making the security stronger and easier to use. We also recognize that people have different opinions about the appropriate level of security and privacy for their information, so the products we build can be used with varying levels of security and privacy. We are committed to letting our customers make that choice for themselves and providing them the information to make an informed choice.

Related Posts