Chapter 04 Microsoft’s commitment to a trusted, responsible, and inclusive cloud

At Microsoft, creating a trusted, responsible, and inclusive cloud guides every decision we make about business engagement, technology development, public policy advocacy, and corporate philanthropy.

But we also know that there is more we can do to help bring about the policy changes needed to ensure that the social and economic benefits of cloud computing are broadly shared.

The task of creating a cloud for global good does not rest with policymakers alone. Everyone involved in developing and advancing cloud computing and the innovations and capabilities it makes possible has a responsibility to play an active role in addressing the challenges that lie ahead.

At Microsoft, our commitments include:

  1. Increased transparency. We believe that providing clear and relevant information about the issues covered in this document to customers, business partners, governments, and others is vital to the work of creating a cloud for global good. We will continue to focus on expanding transparency; one example is our Transparency Hub. On this site, we disclose key information about our operations, including environmental and workforce data, details about our supply chain and political engagement, and summaries of requests we receive for customer data from governments.
  2. Focused advocacy. We are dedicated to using our voice and our resources to push for the changes needed to deliver the benefits of the cloud to people around the world. Microsoft operates in more than 120 countries, and we have deep economic and social connections to the communities in which we live and work. We aspire to use our knowledge of local conditions in combination with our global experience to drive informed and sustainable policy decisions that serve the interests of our customers, local communities, and, ultimately, the global good.
  3. Strong partnerships. We will continue to work with governments, civil society, and industry on projects and programs designed to ensure that the benefits of cloud computing are available to all. We will also focus on increasing inclusion and expanding empowerment to people who still lack access to technology and the opportunities it enables. Building on the foundation of Microsoft’s long history of corporate giving, we will seek new ways to improve outcomes for more and more people around the world.
  4. Constructive conversations. We believe that the best—and only—way to realize the opportunities that cloud computing offers is through ongoing and inclusive discussions. We’ll use our resources to bring interested parties together to talk about how to address the challenges that we all face. And we will continue to create platforms where people and organizations at the local, regional, and global levels can raise concerns, share their best ideas, and work toward solutions.
  5. Ongoing research. We’ll work closely with leading researchers and academics to develop and share additional insights on cloud computing. To help policymakers understand the complex legal and economic implications of existing and emerging technology innovations, we will continue to facilitate evidence-based decision-making processes and support comprehensive and independent research across a broad range of disciplines and policy issues.

While commitments are important, they only matter if they are backed up by actions. Here are a few of the steps we are taking today to foster a trusted, responsible, and inclusive cloud.

A trusted cloud

We believe that to create a cloud for global good that empowers people around the world to achieve more, we must first earn the world’s trust. This requires a principled approach that is fundamentally dedicated to preserving values that are timeless and universal—values that achieve their most complete expression in a world in which people feel safe, and where privacy and freedom of expression are protected, national sovereignty is respected, and markets are open to fair and free trade and commerce.

The foundation for us to earn trust is built on our commitments in four key areas: privacy, compliance, security, and transparency.

Privacy

For people to trust the cloud, they must have confidence that the rights and protections that have long preserved the privacy of the personal information they commit to paper remain in place as their information moves to the cloud. At Microsoft, preserving the privacy of our customers’ data is one of our highest priorities.

We make privacy central to our work by focusing on it throughout our design and development processes, by offering our customers meaningful privacy choices and information, and through practices and procedures that guide how we manage and protect personal information our customers entrust to us. To ensure that we live up to our commitment to privacy, we have adopted a comprehensive set of six privacy principles.

These principles are based on more than 40 years of experience providing technology solutions across the world, and they reflect our support for key international privacy standards, including the Generally Accepted Privacy Practices (GAPP) created by the American Society of Certified Professional Accountants and the U.S. Trade Commission’s Fair Information Practice Principles (FIPPs). Our six privacy principles are:

  1. Control: We put customers in control of their privacy with easy-to-use tools and clear choices.
  2. Transparency: We are transparent about data collection and use so that people and organizations can make informed decisions.
  3. Security: We protect the data entrusted to us through strong security and encryption.
  4. Strong legal protections: We respect local privacy laws and fight for legal protection of privacy as a fundamental human right.
  5. No content-based targeting: We do not use email, chat, files, or other personal content to target ads.
  6. Benefits to customers: When we collect data, we use it to benefit customers and make their experiences better.

Privacy and data protection in our cloud services are built on functionality and operational practices that are designed to empower organizations and individuals to control the collection, use, and distribution of their information. This enables us to make privacy compliance commitments to our customers through certifications, attestations, and contractual agreements. For example, Microsoft was one of the first organizations to sign the European Union Model Clauses, which guarantee that any personal data leaving the European Economic Area will be transferred in compliance with EU data protection law and meet the requirements of EU data protection directives.

Microsoft was also the first major cloud services provider to earn independent verification for ISO/IEC 27018, the world’s first international standard for cloud privacy. Developed by the International Organization for Standardization, ISO/IEC 27018 establishes a uniform international approach for protecting the privacy of personal data stored in the cloud.

More recently, after the Safe Harbor agreement between the United States and the European Union was struck down, Microsoft was one of the first to be certified under the new EU-U.S. Privacy Shield, which strengthens the role of data protection authorities, clarifies data collection practices by U.S. security agencies, and introduces new rules for data retention and data transfer in Europe.

This combination of privacy principles, data processing agreements, and corporate privacy policies governs the collection and use of all customer and partner information at Microsoft and provides our employees with a clear and comprehensive framework that helps ensure privacy compliance throughout the company. We regularly review the privacy policies and codes of conduct that govern our online applications, and update them when changes are required to meet our customers’ evolving needs and expectations.

Compliance

We know that confidence in the cloud will take more than the articulation of principles. It is essential that we demonstrate how we live up to these principles. So, in addition to meeting the requirements and specifications of our internal processes and practices, we continually seek to meet—and exceed—the requirements of the broad range of government and industry data security standards that apply to the cloud services we offer.

Microsoft’s compliance framework is based on security requirements and specifications from sources including the National Institute of Standards and Technology’s Special Publication 800-53, ISO/IEC 27001:2013, AT 101 Service Organization Controls (SOC) 2 Trust Service Principles, the European Union Data Protection Directive, and the Payment Card Industry Data Security Standard (PCI DSS). We also use the ISO/IEC 27001:2013 approach to provide a mechanism for continual improvement.

Our compliance team works across operations, products, and service delivery groups—and with internal and external auditors—to help ensure that Microsoft is in compliance with all relevant regulatory, statutory, and industry obligations. We constantly monitor changes in the regulatory environment and adjust our compliance framework and audit schedule accordingly.

In addition to assuring that we are meeting or exceeding all relevant requirements, Microsoft’s compliance framework has enabled us to achieve important certifications and attestations for our cloud infrastructure, including ISO/IEC 27001:2013 certification, SSAE 16/ISAE 3402 SOC 1 Type I and Type II, AT Section 101 SOC 2 and 3 Type I and Type II attestations, and FedRAMP and FISMA certification and accreditation.

To truly provide customers with control of their privacy, we know that they must ultimately determine for themselves whether our cloud services satisfy their compliance requirements and expectations.

To help them evaluate the privacy capabilities and protections that we offer, we provide detailed information about our cloud services through the Microsoft Trust Center and our Microsoft Cloud Assurance site.

Security

Microsoft recognizes that for people, organizations, and governments to fully embrace cloud computing, they must be confident that we have achieved the highest levels of security for the cloud services and technologies we provide.

To reach this goal, we have adopted security policies and practices based on leading industry standards that reflect our more than two decades of experience as a leader in delivering online services and managing datacenters.

To help businesses take advantage of cloud computing to drive innovation and create competitive advantage, we have launched the Microsoft Cloud Assurance initiative to support our customers’ legal and compliance teams as they seek to balance security risks with performance and innovation goals that support business objectives.

To support governments as they implement cloud-based systems that offer the potential to transform how they operate and deliver services to citizens, we have developed a cloud security guide offering six policy principles that will provide the foundation for cloud-based technology infrastructures that are secure and resilient:

  1. Innovative: Cloud policies should set a clear path toward innovating and advancing the security and resiliency of their government services.
  2. Flexible: Cloud policies should be flexible and should enable governments to select the most suitable cloud types for delivering their services in a secure and resilient manner.
  3. Data-aware: Cloud policies should demonstrate data awareness by ensuring that assessments, categorization, and protection of data are commensurate with risk.
  4. Risk-based: Cloud policies should prioritize the assessment, management, and reduction of risk in the delivery of cloud services for governments.
  5. Standards-based: Cloud policies should leverage global standards as the basic requirements for increasing security and resiliency in government cloud services.
  6. Transparent: Cloud policies should establish transparent and trusted processes for developing compliance requirements and for evaluating the security and resiliency of cloud services.

The challenges that come with delivering secure and reliable cloud services will continue to evolve as technology advances. Our customers need to protect their systems, safeguard their information, and comply with fast-changing regulatory requirements that vary significantly from location to location.

Microsoft is continually revising, updating, and adapting our strategies, policies, and practices to meet these expectations.

Our promise is that we will do everything we can to anticipate new threats and stay ahead of changing regulatory frameworks. We want our customers to be confident that the cloud services we deliver are secure and can help them meet their own regulatory requirements.

Transparency

Finally, to maintain trust, we believe we must be transparent about how we store, protect, and use our customers’ data and about the requests we receive from governments, national security agencies, and law enforcement organizations to access data that we store on behalf of our customers.

For example, in response to concerns about government surveillance practices, we have made clear that we do not provide governments with direct and unrestricted access to our customers’ data. For any government to seize customer data stored in a Microsoft datacenter, it must present an appropriate warrant, court order, or subpoena that clearly identifies the specific target of an investigation. We reject requests that don’t meet these criteria, and we only provide the data specified in a valid legal order.

Other measures we’ve taken to meet our commitments to data privacy and security include expanded use of encryption across our services, choice and transparency in data location for enterprise customers, and strengthened legal protections for all customers.

Microsoft also has been a strong advocate for the concept that people’s rights should be preserved even as technology advances. We’ve consistently supported laws and policies that protect privacy, ensure that governments keep people safe, and respect national sovereignty in the cloud computing era.

This is why we’ve called for a new international legal framework to ensure that when governments seek information about private citizens, they do so pursuant to due process.

It’s also why we have challenged the U.S. government in court in four different cases. Through these proceedings, we have achieved the right to disclose more information about the number of national security orders for customer data that we receive from the U.S. government and the ability to notify customers of a so-called “National Security Letter” for their data.

In a third case, the United States Court of Appeals ruled in favor of our position when we questioned the validity of unilateral warrants from the government of one country ordering us to turn over customer email in our datacenters in another country. And, in a case that is still pending, we have challenged the frequent use and indefinite nature of U.S. government orders that prevent us from notifying customers of requests for their data.

Finally, to help inform the public debate about how best to achieve both privacy and security—and in keeping with our longstanding commitment to transparency—we publish a semiannual Law Enforcement Requests Report on our Transparency Hub, where we also clearly outline our practices for responding to government demands for customer data.

The report includes the number of demands we receive and the number of accounts or identifiers that may be affected, and it discloses how many demands we comply with and whether we provided content or noncontent data.

Due to a concerted effort by Microsoft and our industry partners, we are now permitted to publish data about the number of legal demands we receive from the U.S. government pursuant to national security laws.

A responsible cloud

A cloud for global good must also be a responsible cloud. We believe this requires a commitment to protect people from harm and abuse, promote and preserve human rights, and foster sustainable environmental practices.

Protecting our customers

To achieve its potential as a transformational technology that delivers benefits to all, it is critical that we work to create a cloud where users of every age and from any background can learn, explore, and work without fear of abuse, harm, or exploitation.

While this goal will be difficult to achieve, Microsoft is focused on helping protect people of all ages and abilities from a broad range of risks, including malware, online hoaxes, tech scams, online bullying, and sexual exploitation.

To promote the safe use of Microsoft devices and online services, we offer a range of safety features, including family safety settings. We also have strong prohibitions against abusive behavior on our online services in our terms of use, which are enforced by compliance response teams on services such as Xbox Live.

We promote online safety in other ways as well. For nearly 20 years, Microsoft has made online safety resources available to children and their parents, and we recently updated our materials with new interactive resources on the Microsoft YouthSpark Hub to empower young people to adopt safer online habits and practices.

Around the world, we work with governments and civil society organizations to support programs that are aligned with our vision for a safer cloud. Microsoft is involved in many other comprehensive initiatives around the world directed at protecting children online, including the International Telecommunication Union (ITU) and Child Online Protection (COP) initiative, which offers a blueprint for policymakers on how to draw up national initiatives to promote child safety online; ECPAT, a global network dedicated to ending child sexual exploitation and abuse; and the WePROTECT Children Online Initiative, which highlights new measures that the U.K. government is taking to fight the sexual exploitation of children online.

A broad range of groups across Microsoft works to create a safer cloud in other ways as well. For example, Microsoft’s Digital Crimes Unit (DCU)—an international team of more than 100 attorneys, investigators, scientists, and forensic analysts—focuses on fighting malware and protecting against online exploitation and tech support scams.

The DCU investigates fraud and tech scams targeting unsuspecting and nontech-savvy customers and works with law enforcement agencies, the U.S. Federal Trade Commission, and advocacy groups such as the American Association of Retired Persons (AARP) to educate consumers and take legal action against criminals.

One of the DCU’s most important and successful initiatives is PhotoDNA, a technology developed with Dartmouth College that helps identify and remove images of child sexual abuse on the internet. PhotoDNA is a powerful tool for fighting images of child sexual exploitation and is widely used by child advocacy organizations, law enforcement agencies, and leading internet companies including Facebook. At Microsoft, we use PhotoDNA to help disrupt the spread of child sexual abuse images through our cloud-based services including Bing, OneDrive, and Outlook.com. We have also made PhotoDNA available as a free cloud service, so other companies can detect and report illegal images of child sexual abuse.

Respecting human rights

Microsoft’s support for human rights reflects our longstanding commitment to empowering individuals around the world. We work to ensure that we respect human rights across all aspects of our business, and we seek to apply the power of technology to promote human rights globally.

Since endorsing the UN Global Compact in 2006, Microsoft has had a formal commitment to respect all human rights enumerated in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, the International Covenant on Economic, Social, and Cultural Rights, and the ILO Declaration on Fundamental Principles and Rights at Work.

We have a wide range of policies, practices, and programs that guide our work to preserve the right to privacy and security, to protect free expression, to respect labor rights in our workforce and our supply chain, and to promote equality and diversity.

Building on these fundamental commitments, Microsoft was among the first companies to align its human rights work with the UN Guiding Principles on Business and Human Rights that were released in 2011.

Microsoft’s Global Human Rights Statement articulates our human rights commitments in line with the framework provided by the UN Guiding Principles, including issues related to governance, due diligence, and remediation. Since 2013, the Microsoft Technology and Human Rights Center has worked to prioritize and coordinate human rights due diligence, identify emerging risks and opportunities related to human rights, and promote harmonized approaches to human rights across the company. The Microsoft Technology and Human Rights Center also works to foster dialogue to advance understanding of the impact of information and communications technology on human rights.

Microsoft is also a founding member and sits on the board of the Global Network Initiative (GNI), a collaborative effort between technology companies, civil society organizations, socially responsible investors, and academics. GNI provides a set of principles and implementation guidelines regarding practical steps and policies that technology companies can adopt to advance freedom of expression and the privacy rights of their users when faced with government demands.

Environmental sustainability

To build a responsible cloud requires that we think about our impact on the environment. Microsoft has made important progress in this area since the start of this decade and is committed to achieving carbon neutrality and increasing its use of renewable energy. We have been tracking and reducing emissions since 2007, and in 2012, we achieved 100 percent carbon neutrality in our datacenters and across the company. Our internal carbon fee makes each business division responsible for the carbon emissions associated with its electricity use and air travel.

Funds generated by this fee go toward energy-efficiency improvements, renewable energy purchases, and carbon offset community projects. As a result, we’ve reduced carbon emissions by 9.5 million metric tons, purchased 14 billion kilowatt hours of green energy, and reduced energy consumption by 10 percent at our Redmond headquarters in the U.S. state of Washington.

While we’re proud of our progress, we recognize that even bigger steps will be needed in the future, as datacenters become the engine of global transformation. The cloud is enabling major advances in energy efficiency, resource management, and conservation efforts.

The Global eSustainability Initiative estimates that cloud computing can cut projected 2020 global greenhouse gases by as much as 16 percent, which would reduce total spending on energy and fuel by 1.9 trillion U.S. dollars. But creating a cloud that is as environmentally responsible as possible will require ongoing work and additional commitments. Today, Microsoft’s datacenters consume more power than a small U.S. state. There will come a time in the not-too-distant future when the datacenters that Microsoft and other technology companies operate will consume more energy than a midsized European nation.

Our commitment is to build and operate greener datacenters. To ensure that we meet our goal to continue to improve our environmental sustainability, we are transparent about how much energy we use and where and how we source our electricity.

As we move forward, we will increase the percentage of renewable energy powering our datacenter operations. Today, 44 percent of the electricity consumed by our datacenters comes from solar, hydro, or wind power. Our commitment is to pass the 50 percent threshold within two years and to reach at least 60 percent by early in the next decade. And we’ll continue to focus on research and development for cutting-edge technologies and projects that offer the potential to improve efficiency and create more clean energy at scale.

An inclusive cloud

In a world in which technology innovation is driving rapid and profound change, one of the most important challenges we face is to ensure that disruption is balanced by opportunity and that the benefits of change are broadly shared and equitably accessible.

This can only be achieved by creating an inclusive cloud that is available to everyone, everywhere, regardless of location, age, gender, ability, or income. At Microsoft, we believe that to create an inclusive cloud, we must make sure that reliable and affordable access to the cloud is universal.

We also need to ensure that people everywhere have access to educational opportunities that provide the skills and knowledge needed to thrive in the digital economy. And we must deliver technology that is accessible to people who have disabilities, as well as supporting businesses of every size.

Affordable and reliable access

Until very recently, the best way to predict people’s odds of living a healthy, prosperous life was to look at where they were born. Now, a better predictor is access to education and knowledge via affordable and relevant technology.

In the developed world today, 77 percent of people have access to cloud services. That number drops to just 31 percent in the developing world.[1] This disparity is partly due to prohibitively high broadband costs and an inadequate communications infrastructure. To bridge this divide, Microsoft is exploring a broad range of innovative technology solutions that can lead to affordable, universal broadband access for everyone.

One example is an initiative to take advantage of underutilized broadcast spectrum known as TV white spaces to extend low-cost, high-bandwidth connectivity to remote communities—something we are piloting in Africa and South East Asia.

By expanding our investment in this initiative and combining it with cloud services donations and community training programs in partnership with local governments and nonprofit groups, we intend to support more than 20 projects that utilize TV white spaces in over 15 countries around the world by the end of 2017.

Digital literacy and computing skills

As digital technology has proliferated, digital literacy has become a prerequisite for accessing essential services, connecting with people, participating in civic life, and fostering economic inclusion. And increasingly, computer programming skills and computer science knowledge are required to take full advantage of the economic opportunities that are emerging in the 21st century innovation economy. Unfortunately, schools and governments around the world are struggling to help their citizens acquire the skills and knowledge they need.

In the United States, for example, only about 4,300 of the country’s 37,000 high schools offer advanced placement computer science courses.[2] And just 22 percent of the students taking those classes are female, while only 13 percent are African-American or Hispanic.[3] To help ensure that everyone has access to the benefits of digital technology and cloud computing, Microsoft is committed to increasing access to basic digital literacy training by promoting computer science education in schools.

Through Microsoft Philanthropies, we work with nonprofit organizations, schools, governments, and other businesses to improve the basic level of digital skills for people of all ages and to expand access to computer science education courses and resources. And through our YouthSpark program, we are focused on making computer science education accessible to more young people around the world.

To further foster inclusion, we’ve also made a sweeping commitment to support nonprofit organizations that are working to empower others through services, training, advocacy, aid, relief, and support. In January 2016 we announced a commitment to advance the work of the nonprofit community by donating 1 billion U.S. dollars over the next three years. We plan to support more than 70,000 nonprofits worldwide by providing access to Microsoft cloud technology and other computing capabilities through donations or at a significant discount.

Including people with disabilities

To create a truly inclusive cloud, we know that we must make technology accessible to the more than 1 billion people around the world with disabilities. For those with disabilities, accessible technology can improve access to educational and employment opportunities, make the workplace more inviting and inclusive, make it easier to engage with governments and access public services, and connect with friends and families. But accessible technologies do not just benefit people with disabilities. By creating and building accessible technologies that work well for people with disabilities, we can improve our products for everyone.

To guide our work in this area, we have established three principles:

  1. Transparency: We are open with our plans to ensure that our products are accessible.
  2. Accountability: We prioritize inclusive design and accessibility in the development of all products and services.
  3. Inclusivity: We want everyone to be empowered—not only through our products, services, and technology but within our culture at Microsoft.

We recognize that we can only achieve accessibility if we make inclusivity central to our product design and development processes from the outset across visual, hearing, speech, mobility, and cognitive abilities.

This starts with the Microsoft Accessibility Standard (MAS), which supports leading global accessibility standards, including U.S. Section 508, ETSI EN 301 549, and ISO/IEC 40500 (WCAG 2.0) standards, and which guides product development and testing for all business operations at Microsoft.

Microsoft also works with governments and organizations around the world to deliver the benefits of digital technology to people with disabilities. For example, Microsoft is a signatory to the Global Initiative for Inclusive Information and Communications Technology (G3ict) Charter, which encourages governments to increase digital inclusion for citizens by incorporating accessibility criteria into their procurement policies.

And we publish information detailing our compliance with accessibility requirements suitable for public procurement of technology products and services in Europe (EN 301 549), Web Content Accessibility Guidelines (WCAG 2.0), and U.S. Section 508.

We also know that while progress has been made to make technology accessible, there is still more to be done. To achieve inclusivity will require close collaboration with other companies and with experts from a wide range of fields.

Our work to advance accessibility research includes a partnership with Team Gleason on eye-tracking technology that can help people with ALS communicate and control their wheelchairs using their eyes.

We’re also involved in research projects such as Cities Unlocked, which uses Microsoft 3-D soundscape technology to enable people with vision loss to move through urban environments more easily.

Supporting small businesses

One of the most important benefits of cloud computing is that it is making advanced capabilities once only available to large enterprises affordable and accessible to businesses of all sizes.

This is transforming the ability of small and midsized businesses to innovate, increase productivity, and expand into new markets. Because small and midsized businesses play such a vital role in driving economic growth and creating vibrant local communities, Microsoft is focused on ensuring that cloud capabilities are accessible to businesses of every size.

Our work includes skills training in partnership with governments, local communities, education providers, and other businesses to strengthen entrepreneurship and empower young people around the world to gain the knowledge they need to succeed in a cloud-enabled world.

We have also established a wide range of programs aimed at providing technology support, funding, and mentoring for entrepreneurs and startups. We now have more than 100 Microsoft Innovation Centers worldwide that serve as hubs to support students and entrepreneurs with expertise and resources and to provide training, startup incubation, and engagement in projects that help companies and governments solve local challenges.

Our Microsoft Accelerators provide the tools, resources, connections, knowledge, and expertise to help later-stage startups mature into enterprise-ready companies by scaling every aspect of their businesses. Microsoft BizSpark helps small, innovative software companies gain valuable experience and expertise in Microsoft technologies with no upfront costs.

In addition to these programs, we are also working to encourage governments to adopt policies that facilitate access to new technologies for businesses of all sizes. We believe that fostering the right conditions for the cloud to fuel the growth of small and midsized businesses will drive competitiveness, innovation, and economic growth and will help create prosperity for all.