Peter Cullen (right), Microsoft chief privacy strategist, and Zoe Strickland, chief privacy officer, U.S. Postal Service, accept HP Privacy Innovation Awards, New Orleans, Oct. 28, 2004.
EDITORS’ NOTE, Nov. 4, 2004
— The date of Bill Gates’ Trustworthy Computing e-mail in the first paragraph below has been corrected since original publication of this article.
REDMOND, Wash., Oct. 28, 2004 — When Microsoft Chairman and Chief Software Architect Bill Gates sent out his call-to-action e-mail for Trustworthy Computing (TwC) in January 2002, he told the company’s employees that Microsoft must “lead the industry to a whole new level of trustworthiness in computing.” This meant leading the industry in four specific areas — what Microsoft calls the four pillars of TwC: privacy, security, reliability and business integrity.
As Microsoft continues to work toward this goal, an award the company received today demonstrates significant progress toward that first pillar: privacy. The International Association of Privacy Professionals (IAPP), the world’s largest association for individuals in the profession of privacy, selected Microsoft and the U.S. Postal Service to receive the 2004 HP Privacy Innovation Awards. Co-sponsored by the IAPP and HP, the awards are given to one commercial organization and one government or not-for-profit organization a year, each of which, according to organizers, has shown “exemplary support for privacy issues and leadership integrating effective privacy protection throughout the entire organization’s business process.”
The IAPP judges entrants on their level of innovation and thought leadership, and on their success in integrating privacy programs into their overall business strategy.
PressPass caught up with Peter Cullen, Microsoft’s chief privacy strategist, to learn how Microsoft has embraced privacy and, in the process, changed the way it does business.
PressPass: How does Microsoft define privacy?
Cullen: There’s no simple definition of privacy, but we have adopted a few simple rules. As a product and services provider, we believe Microsoft has an obligation to keep the personal identity and information of our customers safe and confidential, and — just as importantly — to give our customers control over how that information is used. They need to be able to easily determine what types of personal information we gather from them, and then each customer should set the parameters for how we can use that information to provide them the products, services and Web experiences they value. As a products and services developer, we also have an obligation to offer our customers technologies that allow them to help guard their privacy — to, for example, reduce unwanted spam e-mail, help guard against scam artists who try to trick them into providing private information, and ensure that children only correspond online with people approved by mom and dad.
PressPass: So is Microsoft providing one level of privacy for all customers?
Cullen: We think about it a bit differently. We are creating privacy standards that all customers can expect Microsoft to maintain. But when it comes to the specific level of privacy customers receive — how we can use their personal information or how restrictive their e-mail filter should be — they need to be the ones who are in charge. What one person thinks is adequate privacy, another person might think invasive or overly restrictive.
Certainly there are areas in which most, if not all, of our customers want the highest level of privacy; online protections for children may be the best example. But this doesn’t alter the fact that the best way to help ensure that we provide the specific privacy protections every customer wants is to provide them the tools and information they need to be in control of the privacy of their own information.
PressPass: How high are the stakes when it comes to privacy in the IT industry?
Cullen: The stakes are extremely high for the IT industry and many retailers. More than half — 51 percent — of consumers surveyed last fall by Jupiter Research/Ipsos who don’t shop online said they would begin doing so once privacy and security of their credit card and personal information improved.
But the stakes are high for consumers and businesses, too, as their reliance on the Internet and IT tools continues to grow — and, particularly, as the “personal” Internet made possible by .NET and Web services becomes more prevalent. Privacy is essential for consumers and businesses to realize the conveniences promised by these services. People must trust that their personal information is being used appropriately and in a way that provides specific value to them.
PressPass: How would you describe the consumer climate when it comes to privacy?
Cullen: The IT industry is coming together and working hard to build consumer confidence with new technology tools and business practices designed to increase consumer privacy. But privacy threats remain a daily concern. Spyware is directly responsible for more than a third of application crashes reported to us. And despite new tools we’ve developed to combat unsolicited commercial e-mail, spam remains the No. 1 complaint among Microsoft’s e-mail customers.
Increasing the challenge is the general sense of distrust that many people have these days with virtually all public and private institutions. The increasing problem of identity theft and other online and offline privacy threats have compounded this distrust — so much so that the 2004 Yankelovich State of Consumer Trust Report found that nearly a third of U.S. consumers are concerned that the personal information collected by businesses will be hacked and used to steal their identity. Only about one in 10 feels retail businesses are doing everything they should to protect their personal information.
PressPass: How is Microsoft working to build and maintain customer trust?
Cullen: All four pillars of Trustworthy Computing — privacy, security, reliability and business integrity — are integral for Microsoft to create a computing experience in which customers have complete trust and faith, an experience that they take for granted, like when they put a letter in the mail box.
Unfortunately, there’s no easy way to attain this level of trust when it comes to privacy protections. There’s no one feature or set of features that can be added to — or removed from — software, online services or a company’s business practices. It must be woven into the DNA of your company for it to work.
PressPass: What do you mean by weaving privacy into the DNA of a company?
Cullen: At Microsoft, it has meant adopting new internal standards and procedures that make privacy a daily responsibility of all employees. We also have redoubled our efforts to develop technologies that enhance privacy and offer consumers a broad range of privacy-related educational resources. Just as importantly, we continue to work with others to establish rigorous privacy standards and best practices for the entire IT industry, and we are helping law enforcement and government agencies pursue legal and other remedies to some of today’s privacy challenges.
PressPass: What does the HP Privacy Innovation Award mean to Microsoft?
Cullen: We are deeply honored to receive this award, and hope that it demonstrates to our customers how serious Microsoft is about protecting their privacy. We also hope to show, along with the other companies who vied for this year’s award, how embracing rigorous privacy standards can be a competitive advantage, not just another operating expense.
We realize that building a strong privacy image for Microsoft not only is the right thing to do for consumers. It’s a key to any company’s long-term future, especially in the technology industry. Just look at the recent Privacy & American Business study. It found that more than 8 out of 10 consumers say they would stop doing business with a company if they heard or read that the company misused their information.
PressPass: Tell us about some of the privacy-enhancing technologies Microsoft has developed.
Cullen: The SmartScreen technology that we added to Hotmail and Microsoft Office System e-mail services now prevents nearly 3 billion spam e-mails a day from reaching customer inboxes. In fact, customers report receiving 90-95 percent less spam. SmartScreen uses “learning” technology developed by researchers from Microsoft Research that differentiates legitimate e-mail from spam, based on information voluntarily provided by Microsoft customers.
More recently, we released Windows XP Service Pack 2. Jerry Berman, president of the Center for Democracy and Technology, said — and I’m quoting — it “may have the biggest impact for consumers” of all of the industry’s technical efforts to combat spyware. The list of privacy, security and other related enhancements in this update of the operating system is lengthy. There’s a built-in pop-up ad blocker, turned on by default, in Internet Explorer that cuts down on a key way consumers are enticed and tricked into downloading deceptive software. The new Internet Explorer Info-bar suppresses unsolicited downloads, another vehicle used to install deceptive software on your system, by removing dialog screens from the user’s view and preventing “pop-under” screens. These screens can hide behind “trusted” windows and trick people into downloading the unwanted software.
Also, the redesigned Authenticode dialog helps clarify descriptions provided during software downloads, and provides consumers a “Never Install” option for online publishers they don’t trust.
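As an added illustration of the feedback-driven “learning” approach described in the answer above (example code written for this edit, not SmartScreen’s or Microsoft’s): a multinomial naive Bayes filter whose only training signal is a set of user reports labelled spam or ham. The corpus in USER_REPORTS is constructed, the tokenizer and the Laplace smoothing constant are assumptions, and the classifier shows how one additional report shifts the verdict on a previously unseen message.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$]+")


def tokenize(text):
    """Lower-case word tokens; a deliberately simple tokenizer (assumption)."""
    return TOKEN.findall(text.lower())


class NaiveBayesSpamFilter:
    """Multinomial naive Bayes with Laplace (add-alpha) smoothing. Labels
    come only from user reports, so every report() call retrains the model."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}

    def report(self, label, text):
        """Record one user-labelled message ('spam' or 'ham')."""
        self.doc_counts[label] += 1
        self.word_counts[label].update(tokenize(text))

    def _log_score(self, label, tokens):
        # Log prior + sum of smoothed log likelihoods; logs avoid underflow
        # on long messages. Unknown tokens get the alpha/denominator mass.
        vocab = set(self.word_counts["spam"]) | set(self.word_counts["ham"])
        total_docs = sum(self.doc_counts.values())
        counts = self.word_counts[label]
        denom = sum(counts.values()) + self.alpha * len(vocab)
        score = math.log((self.doc_counts[label] + self.alpha) /
                         (total_docs + 2 * self.alpha))
        for tok in tokens:
            score += math.log((counts[tok] + self.alpha) / denom)
        return score

    def spam_probability(self, text):
        tokens = tokenize(text)
        spam = self._log_score("spam", tokens)
        ham = self._log_score("ham", tokens)
        return 1.0 / (1.0 + math.exp(ham - spam))

    def classify(self, text, threshold=0.5):
        """Threshold is a tunable assumption; a tie is delivered as ham."""
        return "spam" if self.spam_probability(text) > threshold else "ham"


# Constructed user reports standing in for customer feedback.
USER_REPORTS = [
    ("spam", "WIN a FREE prize, claim now"),
    ("spam", "free money click here now"),
    ("spam", "claim your prize winner"),
    ("spam", "cheap meds free shipping"),
    ("ham", "meeting moved to tuesday"),
    ("ham", "please review the attached report"),
    ("ham", "lunch tomorrow with the team"),
    ("ham", "project status report for review"),
]


def build_filter():
    spam_filter = NaiveBayesSpamFilter()
    for label, text in USER_REPORTS:
        spam_filter.report(label, text)
    return spam_filter


if __name__ == "__main__":
    f = build_filter()
    for msg in ("Claim your free prize now", "review the status report before the meeting"):
        print(f"{msg!r}: {f.classify(msg)} ({f.spam_probability(msg):.3f})")
    f.report("spam", "urgent wire transfer required")
    print("after one report:", f.classify("urgent wire transfer"))
```

Because the model is just two count tables, new reports take effect immediately and without retraining from scratch; the price is that a handful of bad reports (or an attacker poisoning the feedback channel) moves the decision boundary just as quickly, which is why production filters weight and validate reports rather than trusting them raw.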
PressPass: What about parental controls?
Cullen: MSN Premium, Internet Explorer, Windows XP Media Center Edition, Xbox and other Microsoft products all offer industry-leading parental controls. For example, MSN Premium allows parents to receive weekly e-mail reports on their child’s online activity, create approved contacts for children to correspond with via instant messaging and limit what their children can view online, based on mom and dad’s personal preferences or ratings set by trusted organizations. Parents can restrict inappropriate video games and inappropriate DVDs, based on the same preferences, guidelines and rules as the Web controls.
PressPass: Do any of the technologies Microsoft has developed help businesses protect their digital records and information?
Cullen: Many of the spam and spyware technologies that help consumers also help businesses. But we have also developed technologies more specifically designed to address the privacy concerns of businesses. Windows Rights Management Services for Microsoft Windows Server 2003 and Information Rights Management technology in Microsoft Office 2003 allow businesses to control how documents created on their IT systems can be used. The technology allows the creator of a document to set rules for who can open the document or whether the document can be revised, forwarded or printed.
PressPass: How does Microsoft ensure its employees and its products maintain high standards of privacy?
Cullen: In a company as large as Microsoft, with more than 57,000 employees in 94 countries, change has to start with how employees are trained and end with how top executives are paid. And it does. We now offer three levels of privacy training for employees. Each caters to the employee’s job and how they use customer information or contribute to products. In terms of pay, the variable compensation of Microsoft’s top 600 employees now is based in part on how well their group or division attains privacy goals.
We also have created three levels of privacy-related staff. There’s a corporate privacy group, which I am a member of and which is responsible for managing privacy on a company-wide level. We also have dedicated privacy staff and privacy “champs.” The privacy staff members are full-time employees in each major business unit whose sole job is to direct privacy efforts within their unit. The privacy “champs” are several hundred staff members whose job responsibilities include ensuring that privacy protections are in place during the development of the products and services they work on. MSN maintains a network of more than 70 champs. The Windows group has 160 of these privacy leads.
Also, all Microsoft vendors who handle customer information must, through contract requirements, agree to maintain Microsoft’s privacy policies and standards, and key agency vendors are specially trained to implement Microsoft’s privacy policies and standards. We now also maintain only two global agency vendors and a small network of local vendors to manage e-mail campaigns for Microsoft. In the past, we had many more vendors.
PressPass: What changes has Microsoft made to its internal business practices?
Cullen: Most Microsoft products and services now have clearly defined policies that explain to customers what types of information we collect and how it can be used. Most that don’t already will soon. We also show customers how they can access their personal information and how to revise or remove it from our records. Additionally, we have created distinct, secure separations between the internal IT systems of different products and services to ensure customer information is secure and used only in ways that customers specify.
PressPass: How does Microsoft gauge how well its privacy protections are working?
Cullen: All new and existing applications, including internal business applications, are tested to ensure they meet prescribed privacy standards. For example, each of the hundreds of software components in Windows is reviewed to ensure it meets our internal privacy standards and contributes to customer trust. Other product and service groups use a similar process to ensure that they meet Microsoft privacy standards.
Our Application Software Assurance Program (ASAP) helps ensure the more than 1,800 applications that Microsoft develops and uses to run the company include the controls necessary to protect customer information. This program includes an online assessment tool that assigns every new application a risk-based rating, along with specific processes and protections that must be in place before an internal business group can begin using the application.
We are also close to completing our new Privacy Response Center (PRC). This company-wide initiative is consolidating how Microsoft responds to customer privacy concerns. We will soon have company-wide data on customer privacy concerns and how fast and accurately we responded. Already, product groups that have implemented the PRC standards are now responding to customers, on average, in less than 18 hours — well under our mandated 48-hour response time. Some groups are responding in less than 8 or 9 hours.
PressPass: Does Microsoft track external measurements?
Cullen: Industry honors such as the HP Privacy Innovation Award are one barometer. But we also monitor a number of ongoing and targeted customer studies. For example, a 2003 study we performed in partnership with Privacy & American Business and Harris Interactive found 57 percent of respondents believe Microsoft cares about the privacy of their information, and 58 percent have confidence that Microsoft will provide tools that control online security and privacy.
There are also independent metrics, such as the 2004 Customer Respect Study. Microsoft topped this study of the U.S.’s 100 largest companies, based on analysis by the Customer Respect Group and interviews with a representative sample of the adult Internet population. The attributes measured included respect for customer privacy, open and honest policies and values and respect for customer data.
PressPass: What is Microsoft doing in terms of privacy-related educational resources?
Cullen: We offer a wide range of online resources on Microsoft.com for consumers and businesses to learn how to enhance their privacy online, including the Maintain Your Privacy site (http://www.microsoft.com/athome/security/privacy/default.mspx). This site offers articles on privacy topics such as how to tell if a Web transaction is secure and how to create strong passwords.
We also have teamed up with AT&T Corp., America Online Inc. and other industry leaders to create GetNetWise, a Web site that offers online resources that promote safe, secure and positive online experiences. More than 81,000 Web sites link to the GetNetWise site. For law-enforcement agencies that investigate computer-facilitated crimes against children, we co-sponsor ongoing training programs. More than 400 officials from more than 100 countries have participated.
PressPass: Is this the extent of Microsoft’s privacy-related industry collaboration?
Cullen: Far from it. Other examples: We were one of the prime contributors of technical and other resources to writers from the Center for Democracy and Technology who developed the influential report “Ghosts in Our Machines: Background and Policy Proposals on the Spyware Problem.”
We’re also premier sponsors of independent privacy certification agencies, such as TRUSTe and BBBOnLine, and early adopters of technology standards developed by industry groups. One example: We offered industry-first privacy controls in Internet Explorer 6.0, based on Platform for Privacy Preferences (P3P) specifications.
PressPass: Should we look for additional privacy-enhancing practices or technologies from Microsoft in the coming years?
Cullen: The privacy protections we offer will evolve along with the threats our customers confront online or elsewhere with IT. The most promising new technology on the horizon is Caller ID for E-mail, a technology developed by Microsoft that is a component of the Sender ID framework. This framework offers a way to reduce online scams such as domain spoofing and phishing by making it difficult for scam artists to send e-mail with deceptive or forged addresses. We have worked with others in the industry to revise the specification to ensure its compatibility with as many different e-mail providers and domains as possible. We recently published the revised framework specification to the Internet Engineering Task Force (IETF) standards body.
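To show the mechanism the answer above describes, here is an added example (written for this edit, not Microsoft’s Sender ID implementation or the IETF text) of a receiving mail server checking whether the connecting IP is authorized to send for the domain in the message’s Purported Responsible Address, the header-based identity that Sender ID checks. The DNS_TXT table stands in for DNS lookups, the domains and addresses are constructed from the documentation ranges, and only the ip4, include and all mechanisms are implemented; the PRA selection order follows RFC 4407 and the fallback from an spf2.0/pra record to a v=spf1 record follows RFC 4406, both of which postdate this interview.

```python
import ipaddress
from email import message_from_string
from email.utils import getaddresses

# Constructed stand-in for DNS TXT lookups (hypothetical domains; nothing
# is queried over the network).
DNS_TXT = {
    "example.com": ["spf2.0/pra ip4:192.0.2.0/24 -all"],
    "mail.example.net": ["v=spf1 ip4:198.51.100.25 include:example.com ~all"],
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def purported_responsible_address(raw_message):
    """PRA per RFC 4407: the first populated header among Resent-Sender,
    Resent-From, Sender and From. Exactly one mailbox is required, so a
    multi-address From header yields None (permerror)."""
    msg = message_from_string(raw_message)
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        values = msg.get_all(name)
        if values:
            mailboxes = [addr for _, addr in getaddresses([values[0]]) if "@" in addr]
            return mailboxes[0] if len(mailboxes) == 1 else None
    return None


def select_record(domain):
    """Prefer an spf2.0 record whose scope list contains 'pra'; otherwise
    fall back to a v=spf1 record, as RFC 4406 permits for the PRA scope."""
    txts = DNS_TXT.get(domain.lower(), [])
    for txt in txts:
        version = txt.split()[0]
        if version.startswith("spf2.0/") and "pra" in version[7:].split(","):
            return txt
    for txt in txts:
        if txt.split()[0] == "v=spf1":
            return txt
    return None


def check_host(ip, domain, depth=0):
    """Evaluate mechanisms left to right; the first match decides. Supports
    ip4 (with optional CIDR), include and all; anything else is permerror."""
    if depth > 10:                      # bound recursion through include:
        return "permerror"
    record = select_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULT[qualifier]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return RESULT[qualifier]
        elif term.startswith("include:"):
            if check_host(ip, term[8:], depth + 1) == "pass":
                return RESULT[qualifier]
        else:
            return "permerror"
    return "neutral"                    # record exhausted without a match


def sender_id_check(raw_message, connecting_ip):
    """Return (result, pra) for a message received from connecting_ip."""
    pra = purported_responsible_address(raw_message)
    if pra is None:
        return "permerror", None
    return check_host(connecting_ip, pra.rsplit("@", 1)[1]), pra


# Constructed messages: a forged From header, a legitimately forwarded
# message, and a malformed multi-address From header.
SPOOFED = (
    'From: "Account Services" <billing@example.com>\n'
    "To: customer@example.org\n"
    "Subject: Verify your account\n\n"
    "Click the link to confirm your details.\n"
)
FORWARDED = (
    "Resent-From: list@mail.example.net\n"
    "From: billing@example.com\n"
    "To: customer@example.org\n"
    "Subject: Statement\n\n"
    "Your statement is attached.\n"
)
TWO_FROM = "From: a@example.com, b@example.com\nSubject: x\n\nbody\n"

if __name__ == "__main__":
    print(sender_id_check(SPOOFED, "203.0.113.9"))      # phisher's host: fail
    print(sender_id_check(SPOOFED, "192.0.2.10"))       # example.com's range: pass
    print(sender_id_check(FORWARDED, "198.51.100.25"))  # forwarder's own host: pass
    print(sender_id_check(FORWARDED, "203.0.113.9"))    # unknown host: softfail
```

The second FORWARDED case is the reason the PRA exists: the forwarder rewrites no address in From, so a check on From alone would reject legitimate forwarded mail, whereas the Resent-From header names the party actually responsible for the last hop. Note also that a pass only says the connecting host is authorized for that domain; a phisher who registers a look-alike domain and publishes a correct record passes too, so this check complements rather than replaces display-name and look-alike-domain heuristics.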