Speech Transcript – Craig Mundie, Trusted Computing Forum 2001

Remarks by Craig Mundie
Trusted Computing Forum 2001
Nov. 6, 2001

The Internet and the various information technology networks that support it might constitute the most complex structure ever built by mankind. The Net has brought a world of knowledge to our fingertips, and powered the global economy to dizzying heights, but its introduction into our daily lives has also given new opportunities to those who would misuse this powerful medium, and its growth is challenging our ability to monitor, or even measure, how its being used.

This week Microsoft hosts the Trusted Computing event at its Mountain View, Calif., campus, providing a forum for some of the top thinkers in the industry to discuss the state of privacy and security in the new networked world.

In his opening day keynote, Craig Mundie, Microsofts chief technical officer overseeing privacy and security issues, discusses IT security today, the inherent chaos of growing infrastructure, and how the minds behind the technology must work together with the people who use it and the lawmakers who regulate it. Mundie sheds new light on this complex modern problem, and proposes a new taxonomy of goals and challenges to help the industry, citizens and policymakers make sense of it all.


CRAIG MUNDIE: Thanks, Richard, and good morning, everyone.

As Richard said, you know, my goal in talking to you this morning is to really establish a big framework for a dialogue that will go on over the next two and a half days. The context within Microsoft, I think, is an interesting place to start, and before I drill down into this, I want to give you a little understanding of the way that we think about this problem in our company now.

About six months ago, we came to the decision that while there was lots of independent focus on the issues of privacy and security within the company on a product by product basis or business unit by business unit basis, we were really dissatisfied at the top management level with our own ability to pull these things together into some uniform approach to some of these problems.

So my job at the company deals with a lot of the strategy and policy questions on a prospective basis, and Gates and Ballmer asked me to take the privacy and security issues and bring them together. And so I took the two groups that Howard Schmidt and Richard Purcell had been running in different parts of the company and we brought them together in this small group that I run with the intent to create a strategy in the area of security and privacy, but more broadly to ultimately deal with what I think is the real question, which is, as the title of this talk says, trustworthiness in computing.

The fundamental problem we all have is that computers are becoming an essential part of societys infrastructure and there will be no part of your life in the future that wont be touched daily by communications and computing capabilities.

I was part of the group at Microsoft that started a lot of our activities to put computing in things that we dont call computers. We started in earnest in 1992 to do that work and many of the things that are done in this campus, in fact, both on the service side, things like Hotmail, and on the product side, things like WebTV and Ultimate TV, are just an example that in our minds its been clear for almost ten years now that most of the computers that would be in your life in the future are not actually things that youll call a computer.

And so its been problematic enough, you could say, where were dealing with things where people go to a thing they call a computer and they interact or do something on the Internet or by some other method, but even there they were addressing something they thought was a computer. They were addressing something that they were conscious about in terms of communications and computing and the Internet.

But the reality is were moving in a direction where, in fact, if were successful and we do come to the point where we trust our computers, then, in fact, theyll evaporate into the background, that computing will become a piece of our infrastructure, a piece of daily life that we dont think about as explicitly as we do today. And I think, in fact, unless we focus on that objective, we wont really get there and ultimately then the benefit of putting all this intelligence in devices wont ultimately achieve what its capable of.

I think its almost important to look back in history and realize that society has gone through many series of reinvention or where do we have technology discontinuities, and this use of computing and ultimately computing in a connected world is just the latest such technology discontinuity. And it may be the most pervasive; it certainly will be perhaps the most rapid in terms of its diffusion within society and particularly on a global basis, but at the end of the day there have been other things that have had this effect: television and telephony and electricity and farming was replaced by the Industrial Revolution. Each of these things created a tremendous amount of angst and dislocation.

Even in our own lifetime many of you probably — at least if youre roughly my age actually can remember the introduction of the credit card. And for years now when people ask me about privacy issues with respect to computing, you know, I always wanted to point out that I even remember as a young person, when credit cards were introduced, there was all this questioning of whether you should use a credit card, whether or not it would be safe, wouldnt the bank know everything about you. And, of course, the answer was, yes, they did know a lot about you, but we ended up in an equilibrium without a huge amount of regulation around the world in how the banking industry was allowed to offer credit cards and people ultimately used them.

Why? Because the risk/reward tradeoff was balanced in an appropriate way. The benefit of having the use of a credit card was high enough in terms of the extension of credit or the convenience of using it instead of cash or checks for everything that people were willing to set aside what might have been their concerns about the ultimate encroachment on their personal life or information that was attendant in the mere act of using the credit card.

I think if you look at networks, on the other hand, we see other examples of despite best efforts by smart people to engineer really high quality solutions, these systems are among the most complex things that man has ever built, and as a result its unlikely to believe that theyll ever be completely perfect.

And so as we go through the rest of this talk Ill try to highlight what I think ultimately some of these balance points are between security and privacy.

If you think about again, even in our lifetime, the point when the telephone network in this country, and ultimately around the world, was changed from the rotary dialing system to the touchtone based or the multi-frequency tone based dialing system. And you may, in fact, remember that when that happened, and despite best efforts by a high quality company, Ma Bell and Bell Labs, to put that system in place, we created what really was the first publicized hackers, the phone freaks, the people with the blue boxes and the whistles that essentially would try to do things, either because they were just curious or because they wanted to see what they could do, or, in fact, some people were clearly more malicious. They were interested in stealing telephone service.

And it took a while to do the re-engineering of the phone network to mitigate that problem. And I dont think the people who designed it would have ever predicted that they would have that problem. In a way, you could say it was naive because, in fact, people are curious, or, in fact, malicious.

I think we have the same problem with this world we know today as computing and the Internet. We were all a bit na
ve. Weve grown up in an environment where the threat model that may exist is not fully understood, and, in fact, it doesnt emerge until you put the thing out there and have people go and touch it or use it or begin to experiment with it.

And so I think that computing in the large and the Internet as a technology base are really in kind of the stage that the telephone network was where clearly it had been great when we had rotary dialing. Clearly we had a technology breakthrough in terms of facilities with the tone-based dialing. But were sort of right there realizing that we too collectively perhaps have been a bit na
ve about what its really going to take to secure these networks relative to the threats that are really out there and potentially could be out there, and to some extent also the importance with which these things will play a role in all of our lives.

So with that as a backdrop, I wanted to talk now more specifically about where we are, what has changed in our environment both technologically and from a point of view of policy and business practices.

Microsoft, as I said, for a long time has had a focus on both the issues of privacy and security, and I think as time goes by people will come to understand just how much energy we really are attempting to put into that. But as I said before, when each of these things was dealt with independently, it was really hard to get consistent execution against these objectives or ensure that all the parts of the company dealt with it.

When they were brought together in my world I decided that, in fact, the goal that we wanted to pursue as a company was trustworthy computing, and that privacy and security were just two components of this ultimately much larger objective. And weve spent about the last six months ultimately in part preparing for this meeting today in not only being able to articulate better what does that mean to Microsoft in our own business practices and technical efforts, but ultimately is it something that we can share with people in this community so that they too can begin to think more comprehensively about what these problems are and what the balance points will be day by day, product by product, service by service.

Clearly, the effects of the terrorist attacks on September 11th have changed priorities for many people in the world. To some extent theyve changed ours at Microsoft, as for others. But it is clear that things, this tension that exists today and will always exist between privacy and security is no longer a theoretical issue that people are dealing with.

I mean, Ive been close to it now for quite a long time and I was surprised in the aftermath of September 11 how quickly you found that anytime you turn on the television or the radio you found somebody wanting to talk about this issue of the tradeoff between security and privacy.

And so each time you have an event like this, society begins going about the process of finding a new balance point. We accrue a lot of experience in a particular context and then something changes it. So the change can be a technology discontinuity. You could say the Internet brought us that and it created the first focus on the question of security versus privacy, both of these being looked at somewhat autonomously. But I think in the context that we live in today its clear that you cannot look at security and privacy independent of one another.

And further I contend that its no longer possible to look at this issue in the tangible world as something separate from the cyber world. In fact, the attacks on September 11 have made it very clear to those of us that have been close to this, to the underlying issue, that it was the use of the contemporary technologies and communications and computing that facilitated this worldwide terrorist set of cells; the terrorist network basically uses the latest technology in order to plan and execute these attacks on our society.

And so even though the response may, in fact, include elements of traditional warfare, I actually personally believe that this is not the last conventional battle, its the first battle in sort of the cyber wars. And as such, we really need to think about it that way. The mere fact that the United States and its allies, in trying to retaliate, if you will, or deal with the threat of terrorism on an ongoing basis, are sitting there saying, “Gee, if I dont have good intelligence, if I didnt have this way to intercept this communication, if I couldnt trace peoples records or movements or whatever to some extent, I wouldnt have any way to go about prosecuting this threat to our society” is a fundamentally different kind of problem than anything weve known as warfare or nation/state warfare in the past.

So I think that there are some interesting parallels and things that give me personally some angst, and I think as we talk about them in the days to come it will be interesting to think about that.

When we look at the aftermath of September 11, and people want to, of course, analyze how did we get in this state, I mean you can talk about the deep and long-term international policy questions and everything else, but there was also a clear failure of some of our traditional institutions in law enforcement and intelligence to move into this new world and think about are we using the technology at the same rate that the bad guys are. And the unfortunate answer is no.

The other thing that I think is interesting is people say, gee, we knew that those terror cells were out there and they were doing these things around the world in different ways, but frankly they never seemed to be that big a problem and we just let them continue to go, because no one was willing to come together and put a focused effort at either mitigating the underlying cause of this or dealing with the implicit threat that was there.

I think that this should be a lesson to all of us who are dealing with these issues of privacy and security now, and we should be very diligent.

To some extent, the evolution of hacking and worms and viruses in my mind are very, very akin to this cyber terrorist cell. Theyre networks of people. They operate outside at least what people think is a comfort zone within society, and arguably outside the law, at least where there are laws. Part of the problem we have today is that there is no uniformity, no harmonization of these laws and practices on a worldwide basis, just as there havent been in other areas of our society, and as a result it creates an environment where, in fact, people can lurk in cyberspace preparing to do more damage than theyve done. And I think it is clear to me that the people that are sitting around and developing these exploits against networks and network-based services, theres sort of the potential for us to treat them the way we treat the terrorist cells, which is, well, they havent really done anything too terrible yet, you know, well just keep watching.

The reality is I think were going to have to be more proactive to deal with this, and that then begs a lot of questions both technological and from a policy point of view.

So if you ratchet your view up to this question of is computing embedded in everything going to be a trustworthy part of our infrastructure, then you realize that privacy and security, in fact, are just part of this overall problem.

If you dont trust it, you wont ignore it, and ultimately for it to become an integral part of everybodys daily life, you really want it to recede from consciousness.

When you think today about telephony or electricity, you dont actually think about it very much. In fact, you only think about it when it doesnt work right. So if the power failed, then you have a problem. If you cant make a telephone call, then you have a problem. But other than that, its just there. Its just something you assume is a part of your life.

So the question is whats it going to take and how long is it going to take for the computing and telecommunications environment to achieve this status of being able to be ignored once its embedded in everything you do.

I think that there are three phases that were going to go through in going from the place we are today to Ill say this status of trustworthiness. First, we will have to continue as an industry to do a lot better in improving the designs of the underlying products and the implementation techniques that are used in deploying those products.

I think we also are going to have to change policy within businesses to emphasize security, and that these, in fact, will be good and appropriate Band-Aids for the perhaps somewhat self-inflicted wounds that we all have, but things will clearly improve.

In the medium term, though, I think the next big realization, certainly one that Microsoft itself has come to grips with in the last six to 12 months, is that many, many of the problems that we have today are human problems, as opposed to computer problems or design problems. It doesnt matter whether you buy a firewall product, which could be a perfect firewall, or you buy a computer system or deploy a service. The vast majority of the exploits that are available to people for these today come through human mistakes.

Now, arguably you could say that the systems are too complicated, that theyre beyond peoples ability to manage, and that may, in fact, be true. And if it is, then, in fact, necessity will become the mother of invention. We will created the mechanisms, must as we did in the telephone system and the power grid and every other utility that we depend on today to make those things achieve a level of manageability that makes that not the determinant of security or privacy. But we are clearly not there today. Whether its Microsofts products or other peoples products, the way in which these things are stitched together is still too formative, too young for us to have really matured a way to deal with the administration of them in an effective way.

So I predict that in the medium term well see new system-management mechanisms and new service strategies that will deal better with the unknowns and errors that are created simply by human errors.

And the third phase, the longer-term phase, will be what I think will be at least a decade-long effort at fundamental research and policy changes that lies ahead for all of us. Why do I think this is true? Well, one, as close as we are to it, and despite the huge investments that Microsoft makes in this space, I know how many things were not doing. And therefore other people hopefully better be doing them. Whether theyre in the academic environment, the government-funded research environment, were going to need more emphasis on long-term solutions to this than we currently have today.

I also think back just in our own world at how long its taken for what we know today last week as Windows XP to get to the point where it is, and we feel good about its progress in many of these areas, but still recognize the distance that we have to go there.

We started development of that product, originally called Windows NT, about 11 years ago. And so even if I knew all the right things today, and even if you thought that you could execute a program like that even as the way we executed the Windows NT development, deployment and testing, you know, you could say, “Well, its a ten-year problem at a minimum; perhaps maybe longer,” because were all leaving behind us a legacy, a tail that were dragging around, and, in fact, a lot of the problems that we have with our own technology relative to these issues of security and privacy in the hands of our customers is, in fact, that most of them dont run the latest stuff, that for either cost reasons or complexity reasons or stability reasons, people dont actually upgrade and that, coupled with problem number two here, theres no automated way to deal with this, the care and feeding of these systems, at least relative to security and privacy issues, is actually where most of the exploitable problems are today.

And so it becomes clear that we all have a big problem, and whether its our technology and products or whether its somebody elses, I contend that they all are basically at roughly the same state of development.

The problems that we face are actually quite difficult and, in fact, I contend that theyll become more difficult as time goes on. Some of the fundamental issues are that the processes, theres just too many of them, if you will. Theyre spreading out too fast and as a result as we connect them together were likely to see chaotic behavior, emergent behaviors from these systems.

Its happened in almost every other large-scale system that man has ever developed and deployed. You know, today the traffic systems of the world are still something that no one can quite characterize. I mean, just exactly where does a car have to break down on 101 out there to basically make the commute impossible? The same is true in every city today. Why? Because we only engineer the traffic systems at any given moment to deal with what we think the immediate requirement will be, and then when we outgrow it we really have a tough time predicting how it will behave.

I think the same is true of the Internet now as a connection mechanism for all the worlds things that we call computers. There are just so many of them, none of which were really fundamentally designed to work as part of some integrated whole. And probably you dont ever want to believe that they would be designed that way, but as such its a concept in computing that is not one that weve all known. Computing mostly grew up from a very centralized model of control, the glass house, the mainframe computers, and ultimately theres been a devolution from that out to computing at the edge in a form of personal computing, but now that edge is essentially going to be diffused out into everything else in your life, and so arguably were moving away from what has been the comfort zone of how we administer machines to a world where, in fact, they wont be able to be administered by professional IT managers.

Im not sure that statistic is exactly accurate, but I think were this year right near the crossover point where most of the microprocessors that have been delivered in the world as of this year accumulatively will have been delivered into products in an unmanaged environment, as opposed to all of the computers that have ever been delivered today.

And so if you think that most of the computers that we have today were delivered into a place where there was an IT professional who had something to do or had to deal with them as part of their job, you know, weve now got half of them there and half of them where there is nobody whose job is to care for these computer systems.

And arguably that ratio will only move more and move to the unmanaged side. As they become part of your telephones and televisions and cars and they all get hooked up, then, in fact, were going to have more and more problems.

So basically the people are losing ground to the computer. There are too few knowledgeable people and theres no reasonable hope that were going to get more of them.

The speed with which these systems actually operate and the scale at which they operate is really almost beyond human comprehension. So when you sit down and say, “Well, lets debug this or lets talk about how bad this problem could be or how many things can go wrong,” the answer is that its very hard for people to really wrap their mind around.

The way that we program computers today is actually unchanged in about 50 years, and as such its still too error prone, in my opinion, and so one could argue that we may not, in fact, make a fundamental breakthrough in the reliability of these systems and its contribution to privacy or security until, in fact, we learn a different way to built and program these things.

So were going to creak along, I think, as an industry for 10 or 20 years and then perhaps there will be some big changes. But I also think that there is some policy work that has to be done. This industry is a young industry. Its one that has grown up in a world of mostly de facto standardization as opposed to de jure standards, and its one where, in fact, the industry has largely been unregulated and a lot of the rapid growth I think people recognize comes from the fact that its an unregulated environment.

History has shown us that each time a new technology or a new activity has become really, really important to society, the first thing that society tends to want to do is regulate it. And then after decades now we look back and say,
“Gee, thats really critically important, but regulating it seems to have stifled it a bit, so lets deregulate it.”

And so I contend that computing in the large is right at the cusp or society having to decide,
“Well, do we regulate it or not,”
and if we do, will we shoot the goose that lays the golden egg every day in our economy and ultimately affects the economy at large, not just as a business itself, or will we take some more risks and let the goose keep running free for a while to see what happens. And I think that that is one of the biggest policy questions that faces people in the United States and ultimately around the world on a going-forward basis.

And, of course, when we look at the policy implications on this stuff and you look, for example, at electricity, you know, you realize today that electricity is a fairly well-perfected technology, and when you go down to the store today and you buy a lamp or a fan or a hair dryer, do you actually stop anymore and go down to the end of the cord and look for the UL sticker? No, you really dont. I mean, to some extent theyre all still there and law still requires that they be there, but you dont worry about it anymore; you just plug it into the wall and it just works.

And yet today the electricity problem, for example, in California is largely the effect of the unknown consequences of policy decisions, not technological decisions. And yet when the power goes out because you cant buy enough of it, it doesnt matter whether it failed for technical reasons or it failed for policy reasons; you just care because it isnt there. And so the real question that we have is how are we going to start to deal with this.

The other thing that makes it very difficult is that the legislative process, and you could say as a cousin to that the regulatory process is always one that lags to technological change or, in fact, business practice.

In a way, you could argue it has to be that way, that the law is backward looking. It has to look at history and experience in order to decide what should become the norm, but in a world thats moving very, very quickly, it becomes very difficult to know how far back do you look, how soon will it change.

So the analogy of saying, you know, its difficult to drive a car if youre looking in the rear-view mirror only, all right, is a very good analogy. If youre on a straight road, you can actually go a pretty good distance before you actually fall off the highway, but if the road is actually twisting a lot and looking only backward, it makes it pretty hard to stay on the road.

And so we clearly are on the twisty road and the question is how will we decide to drive.

Theres an old adage in business that if you cant measure it, you cant manage it. And at least at Microsoft, I came to the conclusion, as I took on this task of privacy and security strategy and in the larger sense trusted computing, I concluded that we didnt have a good way, even with our own company, to talk to each other and to figure out how to measure the issues around privacy, security and trust.

And so one of the things that I wanted to do in this speech, and which my colleagues will be happy to talk with you at more length about, is to create a taxonomy for the issues around trustworthiness in computing, and begin to use that as a way, at least for us, to keep score as to whether or not were doing the right thing, making the right tradeoffs and having a common basis for this dialogue.

And, of course, as we begin to look at this, we concluded, hmm, this is not a simple problem. It isnt just a question of wanting to do the right thing from a technology or security point of view; in fact, its quite diverse.

So the first thing we ended up developing was a list of the goals. We said,
“What is it that you want to achieve if you want people to trust computing?”
And we ended up deciding there were five fundamental concepts.

First was availability. What that means is the computer should always be there when you need it to be there. Its like electricity or the phone; you shouldnt have to think about it. It shouldnt break or fall over or blue-screen or whatever at just the wrong time.

The second is suitability. Is the way the thing is implemented, the way that it works really well suited to the purpose that you want or does it really feel like it was force fit into that environment? So in this world of rapidly evolving human interface concepts in the way that we write application programs, it isnt clear that weve always had a really good suitability match in these things.

The third was integrity, really, against data loss or alterations. When you give the computer something, you want to say, “Hey, make sure you always give it back, dont ever lose it, dont change it and be really good about that.”

The fourth area is privacy. We said once youve given the system something, then its access should be authorized by the end user either directly or implicitly by virtue of the contractual agreement they enter into with whomever theyve given the data to.

And then fifth was reputation, which really you could say is all about brand. At the end of the day, when people are given a choice between buying from company A or company B, whether its a product or a service, brand ultimately plays into that equation. People pay premium prices for quality. I mean, arguably certain companies, maybe well say Mercedes Benz, for example, says, “Look, you know, were all about conveying that we have a very high quality product and we stand behind this product,” and people will pay a premium for this car because of that combination of brand history and engineering.

And so I think the same will be true in the future more and more in the world of computing, not only with the underlying technological components but ultimately in the world we see coming, which is no surprise to anybody, the service component of this becomes an equally important question, both at the platform level and at the consumer services and business services level.

So we said, okay, these are the five goals. So how do you actually achieve these goals? And so we developed a set of means, and we actually concluded that you could group these now into only six different categories.

And so those were security. Interestingly, when we developed this taxonomy and after thinking about it quite a bit, we concluded that privacy was the goal but security is a means. Security is not in and of itself a goal. I think for this conference that in itself is an important thing to stop and think about.

Security is essentially a systems ability to resist unauthorized access. And as long as it achieves that, it helps to deliver against these goals. But security by itself is not the ultimate objective.

Quality is also not the ultimate objective. As I gave in the car example, there is an incredible spectrum of quality points that people have chosen to build and offer their products at. This is true in everything we have in our society today and ultimately that will be true within these computing and network service environments.

The next was development practices. The methods and philosophies that are used in building the products ultimately play into achieving these goals.

Operations: You need guidelines and benchmarks so that people who actually have to play some role in either designing, building, testing, deploying, operating, managing, auditing, you know, theres a potential for failure in every component of human endeavor associated with this. And so we have to ultimately come up and deal with the operational issues as well.

Business practices: What is the model? Is it for free? Is it for pay? You know, what kind of – how much do you end up getting down to the “you-get-what-you-pay-for” methodology in designing and operating these systems. So you have to think carefully about how you afford to deliver against all these objectives.

In the world that we saw now called the dot-com bubble where people said, “Hey, its all going to be advertiser supported; you know, if we just get enough eyeballs well get enough money and well be able to pay for that,” that was not a sustainable business model. And arguably even if these issues hadnt become paramount for people, it wasnt clear that if they had, that they would have had enough money to invest in the R & D to deal with all the other aspects of this problem. You know, they were barely squeaking by in that model where these were not really something they were very focused on.

And then policies, law, regulations, standards, norms: These are all means to achieving some of these goals.

Then the last step we concluded was, well, if you look at every one of these intersections, it all boils down to execution. You can screw it up.

So that really reduces to four specific issues that have to be managed against every one of these intersections.

One is the question of intent. What is it that the management really intended to do? Are they able to clearly state what that intent was? And then that will govern how well you can execute against some elements of this. And, in fact, is there a mismatch between intent and what people expect? And so a lot of the issues that we go around on the Internet today, whether its security or privacy related, is all the question of whether perception, you know, is reality or whether, in fact, expectations match what was really intended. And where theres angst it usually comes from the fact that theres a mismatch between expectations and reality. And so the fact that we havent had a good way to even talk about these things, let alone measure them, I think has contributed a lot to the uncertainty around some of these things.

The next was risks. Risks are the things that you cant completely perhaps predict, but they are what create liabilities because of this mismatch in expectations, when, in fact, intent is not achieved or the expected intent is not achieved.

Implementation: How do you actually put steps in place to deliver against that intent? Are you actually funding what you say you want to do or do you say something that sounds right but you dont actually put in place all the things necessary to achieve it?

And the last well call evidence. This you could think of as the basic mechanism to support auditing. Any time people really get to the point where they care deeply about something like business results, you know, for public companies, then, in fact, we come up with rules for how you can present your financial statements, that you must have auditors, that auditors have to be certified public accountants, that they have all kinds of rules that they go through, that you have record keeping responsibilities and theyre very uniform.

The reality is very little of the evidence necessary to support that kind of thing in this world of computing and communications, taken together as a new computing platform, exists. There are certainly no norms and certainly no regulations today that would dictate what a company has to do in record keeping or other evidentiary mechanisms in order to deal with the proof that, in fact, execution is really good against all these.

So compared to where we started, we said, “Oh, privacy, security,” you know, you look at this thing and say, “Okay, were deadly serious about it.” Our goal is to be a trusted vendor of technology and services as part of a worldwide community thats going to use this stuff. And then you go around and talk to them and we find how many people actually have a way to describe this problem, how many of them are managing their own business relative to all the things that are implied in this chart, and the answer is I dont even find anybody whos really, really comprehensively thought about this problem.

So let me just give you an example of how were starting to use this as a trust scorecard to manage both completeness in the way that we think about the problem and to find a balance, on any given day in any given situation, between all of these somewhat conflicting goals.

So what youll see here is that this is really a volume. Its a three-dimensional space in which youre doing this. You can think of it as a series of spreadsheets or in the sense of making a bunch of cells.

So if you take the goals and you say,
“Okay, heres the first plane to this three-dimensional space, and it has our five goals on it,”
and well take another one and say,
“Okay, heres the means. Against every one of these goals we have all these different means and they can play a role in achieving any of the goals.”
And then finally theres the question of execution in every one of those.

So now Ive got this space and I can take a question and I can plot it in this environment.

So, for example, lets talk about some of the things that have been very public questions lately. Ill call it Passport anxiety. Will my data be safe? Well, what do you think that really means? Well, lets just take one part of that. So if privacy is the goal, if thats what people think is the question of safety, and security is a means, then unauthorized access to the users data is a risk that we have to manage against. And so if you look at it on this, theres that one cell where you say, “Okay, Ive looked at all these issues and I see how they come together and Im going to make a bunch of tradeoffs.”

The reality is you actually have to look at almost every one of these cells and make a decision about what youre going to do if you ultimately say you can trust this service. You dont get to just look at that one cell and say, “Oh, I solved it in that space and therefore Ive dealt with the problem.”

So another one is, will my data be shared? So you come down and you look at another intersection of cells. And so you say if privacy is the goal, I only want to authorize data sharing, well, thats really a business-practice question. Have we really set the service up to be clear and offer the mechanisms? And if you really want to be sure, then do you have to be able to audit that so that if you make a representation that only authorized access is provided, how are you really sure thats happened? So do you start to have to have evidence? And so we go down and you can look at this box.

The reality is, as hopefully becomes obvious without any more examples, that every one of our businesses, and I contend ultimately every one of our businesses actually has to stop and look at all these things, and it doesnt matter whether youre a policy person, a regulator, a legislator, a business person, a technologist, what this should, at least to the extent you find it all credible, what it should make clear is that this is not a simple problem and that no simplistic approach to saying I just want to be private or I just want to be secure is in and of itself going to yield the desired results.

And so as a company, were actually trying to take this and use it as a scorecard, as an internal way of auditing our behavior of taking every business in the company and saying do we have a way of characterizing what we are trying to do, how were trying to do it, and proving to ourselves and perhaps arguably even to third parties that, in fact, we are up to the task or meeting our commitment.

To move on, Im going to have Suze Woolf, who works with me. Suze runs a group that for many years has helped me build what we call “Vision Demos.” One of the things weve learned is that when we start talking about these problems, that when you talk about them in a simple sense, every one nods their heads and says, “Yeah, sure, I get it. I know. I understand what youre talking about.” The reality is, as this prior set of graphs shows, these things are not really as simple as they seem to be.

And so we try to build demos, which range from building the Microsoft home starting in 1993 and 1994 where people could come in and in an immersive way say what would it be like to live in a home where I had computing embedded in almost everything. For us they become kind of working functional specs. Theyre built with smoke and mirrors to some extent, you know, because they predate in some cases by five or ten years when you actually could build real products or services that do these things, but they force you through the intellectual exercise of saying what is the experience that you want people to have.

And so we started about six months ago to build what this will be the first public demonstration of, which is a demonstration of what it might be like to operate in a world of the future where, in fact, weve evolved quite a bit past the point we are today and at least relative to the privacy issues that people have, how will the computer actually be an aid to solving this in a manageable way as opposed to what we have Ill say today is a problem, which is the computer is, in fact, a problem in managing your privacy.

And that is a very key transition. Microsoft at its core believes that the next 10 or 20 years, what Bill Gates lately has been calling sort of the real digital decade, you know, is a time where computers will go from being sort of not very helpful in achieving what you really want to where, in fact, theyre quite helpful in achieving what you want, whether the goal is solving a business problem, writing a document or ultimately, in fact, dealing with the contextual issues like privacy and security are in this environment.

So, Suze, why dont you go ahead and start going through this demo and then Ill kibbitz a little as you go.

SUZE WOOLF : Okay. So hopefully Im going to show you how our user here, who were going to call Joe Howard, can manage his privacy through policy statements that hes able to make in English sentences through software thats running on the local device and up in the cloud. It allows him to see what information is flowing and control it. And hopefully well ultimately allow the system to help relieve him of the constant burden of decision-making and being interrupted, and also to keep different aspects of his life private and separate.

So our protagonist Joe is an engineer at a company called Fabrican, and he and his coworkers are going to go off to a conference in Switzerland. And he gets a piece of mail sent to his coworkers. I should pause and say this is a modified version of the new MSN Explorer, to which weve added persona capabilities.

So anyway hes got this piece of mail. His coworkers have set up a shared calendar and theres a link to it in the mail.

Notice that when he goes to the shared calendar, this is actually hosted outside his company. Were calling this HostingServiceConsolidatedMessenger.com. Theyre using the .NET Framework. Its been authenticated through Passport, and so the person setting up the shared calendar controls who has access to it.

You should notice also that its got a rating by a third party auditor were calling Trust Rating here, so that Joe knows that whatever policies he has enforced hes able to map them to the site policy.

Also you can see that there is a person outside of the company who has just displayed free/busy information.

So this looks like a good idea and he goes to go in it. And it asks what hes going to share: Items from his .NET My Calendar service. Theyll be tagged as conferences and there are the dates.

And when he goes to join this calendar, he should get a policy alert and there it is, and what this alert is giving him is what service is requesting an access, to what data, for what purpose, which policy that hes set up is enforced — his calendar access policy — and what the consequences of allowing or denying access will be. In this case, its that person outside the company will be able to see this conference session.

Hes going to go ahead and allow this. And so now there he is. Its been added to the calendar, but there are no sessions in it, because he hasnt registered yet.

CRAIG MUNDIE: So just one thought here. One of the things which makes people, we think, comfortable is transparency in whats going on. Arguably, one of the issues that people have with the systems today is, in fact, it isnt completely transparent whats happening underneath the cover, and so all the issues that weve seen in the past around cookies, you know, I mean, many dont even know a cookie exists, let alone what was in it or what could be conveyed in it. And so were gradually putting Band-Aids on those problems with the P3P mechanisms and other things that will allow you to manage those cookies.

But you can say arguably that theres just a much bigger question, not about a single mechanism of a single app called the browser, all right, which is where the cookie phenomenon occurred, but in this world of what we call web services, where, in fact, as youll see as the demo goes on, where you have a world where computers are talking to other computers, programs are talking to other programs. Now, in fact, you dont have the luxury of assuming that you personally are in the middle of every transaction. In this case theres still some that you will be in the middle of, but if you want to get the benefit of having computers help you with this problem, then, in fact, youre going to have to have some way to tell the computer what the rules are. And today we dont have a good way to do that.

So as youll see as we go on here, this is about both creating transparency in the way that people see what is happening and making it as clear to them as possible, but also it begins to move us down a path where we can have the computers know what the rules are and play by those rules.

SUZE WOOLF : Okay, so hes going to go ahead and register for this conference. And he hasnt been to it before. Notice that this site actually has several auditing logos on it, which suggest that they have to have some common understanding of what the audit mechanisms are and what the different data representations are.

CRAIG MUNDIE: And that in itself is another interesting place to stop and think. I mean, its also, why is this conference important, you know, why are we bringing this sort of taxonomy and this demo forward today is really to spur discussion because today we have a lot of people who have gotten together in the world of XML and web services and said, “Oh, we should come up with ways so that you can have B2B transactions.” You know, I mean Microsoft, you can place an order on Microsoft electronically, we can fulfill it, we can bill you electronically and you get people out of the loop; my computer will talk to your computer.

But the reality is now were talking about a bunch of things related to security and privacy and all the other elements of trust, and we dont actually have any common technological basis to allow the exchange of this information.

So lets just say we were advanced and we had the — Ill call it the evidentiary records, you know, the audit trail. Well, what is an audit trail? What is the shape of an audit trail? No one really knows.

So I think partly what we want to talk about with the group in the next couple of days is how, for example, would we get together on an industry-wide basis and do for security and trust, all the aspects of trust what has been done in other segments of the industry at different levels of the computing hierarchy, ranging from network standards to language standards to protocol standards. Ultimately there are going to have to be I can say new protocols, new schemas that are developed that would actually facilitate this information exchange and the automation of this, because clearly theres no one product, no one service, no one Web site thats going to be able to meet this need, and yet no ones actually advanced a theory of how they can all interoperate.

SUZE WOOLF : Okay, so as I said, Joe hasnt been to this conference before, but he does have a policy set up around his professional information, from the graphics we call it, you know, what business is the company in, how big is it. He has no problem releasing that as long as hes assured that the site can match his policies around that information.

So he did receive a notification, not an alert — he didnt have to allow or deny it, but he knew that that information passed.

He could go inspect exactly what the sites intents are and how well they match up with his policies. In this case, it was being able to retrieve the information from his profile, share it with contacts and agents, store part of it, some or all of it, but not, for instance, combine it with information from other sources or data mine it. And those audits mean that they will, in fact, do that.

So he accepts this registration, and because he passed that professional information blot, theyre able to build a recommended session track for him. Now, of course, in real life youd want to go through and examine and edit this carefully, but well accept the whole package.

And its offering to write this back to his personal .NET My Services calendar in the cloud, tag this conference item so that it would end up shared back to that public calendar, and again he gets an alert.

Now, I should say we are showing you a lot of alerts. Maybe Joe is not entirely comfortable with this process yet, but later Ill show you how you could turn down the volume on some of the alerts.

So again whos asking, what data, what policy and what the consequences are if hes going to allow this.

So its copying to his calendar and when we go back to the site there it is.

So now weve got him registered, but his travel hasnt been set. The handy thing about sharing this information is that he can figure out what flights his coworkers are on and perhaps match their itineraries.

So this time its a credit card access, and he always gets prompted for that. But, of course, he then agrees to it. And one thing that the software is doing here, he has a policy agent thats actually monitoring all of those transactions. He always allows Margies Travel to charge his American Express card under this corporate credit card policy, so its suggesting that he may want to actually edit that policy.

So rather than edit the policy directly from here, hes going to view the transaction logs of all of his permissions. And so this is actually pretty sensitive information that hes going to reauthorize himself.

So here is a little piece of a huge list, but its been sorted so that the accesses to that card account under that policy, what the decisions were and so forth are all gathered up together, so it would be easy to see them.

If he did want to edit them, there is the policy statement as an English sentence. Here are the suggested policies that are related to it. And the group sets are already set, but one thing that software could do in the future is be watching your activities, suggest groups — I dont know about your work, but Im joining in using groups in a kind of ad hoc fashion all the time, and this could help me from having to manage the creation and destruction of groups all the time.

CRAIG MUNDIE : One of the points here is weve already seen this phenomenon a bit with just electronic mail and your inbox. People realized quite a few years ago that as the number of messages increased, you know, your desire to have help in managing that went up. And so the first thing that people tried to come up with was what we call inbox rules, you know, our inbox wizard or the assistant. And there have been many, many attempts at these things.

And what weve found when you did that is that you always ended up with a bimodal situation. If you made the rules simple enough, that everybody could just check the boxes for what they wanted to do. They were usually so simple that it didnt do anything interesting and therefore it wasnt very useful.

If on the other hand you made the rules or the mechanisms for writing the rules comprehensive enough that you could really deal with the edge conditions and everything else, then only programmers could actually write the rules and so no one could really write rules that were very useful, and that wasnt very helpful.

So while its only beginning to come to market in some limited ways this year in our products, what weve been focusing on now is essentially having the computer monitor your behavior over a long period of time and synthesize a set of rules that actually tend to mimic your own behavior. And over time you can adjust it by overriding it if it does something that wasnt exactly what you wanted, but instead of having to go in and explicitly do it, the whole goal is to have the computer do it.

In essence, what its doing is monitoring you could say almost like an audit trail of everything that you do in order to figure out what the right thing to do is.

Thats whats being manifest here is the realization that if we made it such that you had to really know a priori how to write all these rules and it was very complicated, most people would just never do it. And thats kind of the situation we have with the Internet today. The rules in some senses are too simple to get you really all the things you want, and if you made it more complicated, it would be too hard.

So we think that in the next few years the real leap will be to have enough sophistication of software that more often than not it can get what your intent really is by watching your evolution of behavior in these environments, and then offer you suggestions that, well, you know, you almost always do this, like let them charge your business travel to your American Express card, so why dont you just make them part of the group thats okay to do that, and then, as Suez said, you know, then you can choose what level of notification you want to get, which can range from none or I just want to stop ever so often and audit them.

So now whether you do it personally or, in fact, you take your audit log and send it over to the company and say, “Hey, company, heres what I think I authorize to do and it should be checked against something else,” now you can talk about data mining and a lot of other things at a level again of having computers and software do more things to help you.

But without these fundamental underpinnings, you know, you either dont end up with enough evidentiary record to do that or you end up with enough complexity that people reject the mechanisms. And so this is trying to show what we think will happen as computers get really smart about this.

SUZE WOOLF : So if Joe did, in fact, want to edit that policy, here, albeit an initially intimidating looking dialogue box, but changing the options is change the English sentence for what the permission is, whats allowed, around which kinds of data, for what time period, and heres where all the notifications could be cranked down or cranked up and whether you want suggestions from the agents. You might also want to be able to do a test run of a new policy to see if it conflicts with some of your other policies.

At any rate, Joe isnt actually going to change his policy at this point.

So weve got him registered. Weve got his travel. His colleagues know what hes up to. The last thing he wants to do is to go to rent a car. So there was a corporate link on that site and you can see that these sites through Passport knows him as J. Howard, presumably at Fabrican.com and that the offers on the site are primarily aimed at business travelers.

Now, in truth Joe has a side trip in mind while hes on this business trip and hed just as soon keep that separate from his business dealings. So hes actually going to switch personas to regular Joe, which signs him all the way out, signs him back in. These are two different Passport IDs; they dont know anything about each other. So and he does use the same company, but it is personalized now for recreational drivers.

Theyre also offering this controversial GPS tracking for a lower rate. The schemas that the auditors and those policies know about doesnt know anything about GPS tracking yet, although presumably if it was extensible they could and these policy managers could catch it, but thats farther in the future.

All right, so now that hes all set, he goes off to his conference and in fact while hes there hes only carrying his Pocket PC around, one of these, and he meets another fellow engineer named Kevin. And it turns out not only hes an engineer, but hes a fellow diving enthusiast. And I dont know if any of you are divers, but these guys are a very tight crowd.

So what Joe does is he beams his contact information over to Kevin and using another client application on the Pocket PC hes able to manage his policies around privacy and add Joe to his diving buddies trust group. So he starts Pocket Policy here and again this is for Joes sensitive information, and hes able to do that. So now he can add Kevin to his diving buddies and so presumably then Kevin would inherit all the privileges that accrue to the diving buddies, you know, access to the latest trips and so forth.

So not only did we show you the idea of policy management on a fairly sophisticated device, but because this could get pulled down from the cloud, it could be on a much lower level device as well.

CRAIG MUNDIE : Thanks a lot.

SUZE WOOLF : Youre welcome.


CRAIG MUNDIE : So hopefully you see that the goal here was to stop and make people think that even in something that appears to be quite natural, and we would hope that in a few years time from now you wouldnt think that it was all unusual to be able to do all these things. Clearly, the whole move into web services is moving in this direction, and clearly the technology to facilitate all this type of interaction, whether between Web sites or Pocket PCs or computers or your car or whatever it is, its all going to be there.

And so you could say at some point the problem we think we have now of privacy in browser-based applications pointed at Web sites, thats going to look trivial, all right, compared to the kinds of things that are going to be possible when this stuff really gets diffused into every aspect of your life, and, in fact, when it goes to this step where Im not personally mediating every interaction between my data and all the people who want my data. Im going to have to have the computer be a proxy for me or this thing is going to be come unmanageable. Im going to have to have the computer be a helper for me or this thing is going to be unmanageable.

And so all of these things tend to move us in a direction that say we need to make some real progress here, and its going to have a technological component, a policy component, and a business practices component that is going to have to come into play.

I think moving forward a little bit now I think there is a new assumption that if anything the events of September 11 made it pretty clear that more than ever you really need to assume that all of this is going to be taking place in a hostile environment. Weve always known that, in fact, the environment would be somewhat hostile, but its pretty clear that at everything from the nation state level down to corporations and individuals that everybody now has to make the assumption that they dont stand alone, they cant solve these problems in isolation. A business cant solve it independent of all the other businesses. A person cant logically solve this problem completely on their own behalf no matter how diligent I think they are. Not even a nation state is able to resolve these things to the benefit of its citizens anymore, because the Internet itself doesnt know any real geographic boundaries.

The ability to have problems as well as opportunities now extends beyond the traditional nation state borders, and just as the terrorists essentially operate outside of a nation state authority, so too does the Internet to some extent, and certainly the people who would want to wreak havoc in that environment can be just like the terrorists and can be outside of anything that we would think about as any of the traditional governmental institution.

So I think we need to seek some type of coordinated commercial, academic, governmental and international research and policy agenda, and today I can tell you firsthand that there is no nearly enough research being done certainly at the government level and not at the government sponsored level, and not even at the academic level to address many of these very difficult problems.

I think also there hasnt been adequate focus on the longer term policy issues, that if you think of the demo Suez just showed you and you project out five or six years about what will be required to manage that, I contend it would be a lot better to be having the policy discussions with an eye towards that set of problems than it is with just the retrospective view of whats happened in the publishing model of the Internet where the browser is primarily the vehicle for interaction.

We think that that era of the Internet is largely coming to its logical conclusion. Theres just so much you can do in a publishing environment. And clearly the business models of
“if we publish, well get eyeballs and be happy, happy, happy forever,”
you know, thats gone by the boards too.

So now people have to get serious about what are really sustainable business models, how are they going to make this investment, how are they going to have these long-term sustainable relationships with consumers, you know, whats the balance between transactions, advertising and subscription. Clearly that balance will end up being a lot more like it is in a world of cable television and your telephone than it was the idea that everything is going to be there just because you click on a link. So were very focused on that question.

So lets talk a little bit about the technical directions that I think are going to underlay all this.

The first, as I intimated during Suze’s discussion, is that more and more this is going to be about machine-to-machine processes. Today, the Internet, we call it Internet Version 2. Version 1 was the Internet, which was just about the plumbing, you know, TCPIP, simple applications, maybe e-mail. Version 2 is about browsing. So we know what the two killer apps of the Internet were. It was e-mail and browsing.

So the reality is most of the worlds programmers havent had anything to do yet with the Internet, because it was only a couple tiny little teams that did the browsers and the e-mail clients. And so despite a lot of scripting and things going on, the reality is the hardcore programmers, they havent gotten engaged yet. They couldnt. The platform really wasnt there to facilitate doing this, but now it exists. The notion of XML Web services, you know, many, many intelligent devices to program, the ability to bring all this together; thats the new world, the new frontier.

And so more and more people will write applications and those applications will, in fact, be the proxy for you doing what today you do by pointing and clicking in the Internet environment.

But that poses some new requirements. One is all the data needs to be self-describing so that when someone sits down and writes a clever new app like
“register me for this conference,”
all right, thats an app. Somebody is going to write that app. But they have to have the tools to write it and they have to have the mechanisms to figure out, okay, well Im sucking data from all these different Web sites, Im talking to the conference Web Site, Im pulling all these things together, how do I do that. And the answer is the data needs to be a lot more self-described than it was in the past.

It used to be most apps were written in the context of an application or a company, and as a result the systems analysts lets say in your company could sit down and say, “Oh, Ive divined the answer. I know exactly what the fields are. Were going to put them in the database. Were going to use them from this application.” That was essentially a stifling way to operate, because you ended up with a lot of data assets you couldnt do anything with after the fact, or you, in fact, lose track of the knowledge that allowed you to do innovative things.

So with self-describing data, which we think will become a characteristic of the next era, then, in fact, its unlimited what people can do with these data assets.

But then that takes you to the question of, okay, well now even if I can describe all the data, do I have some way of describing the security and privacy policies and processes with which I control peoples use of that data? That was implied in what Suze showed you, but its a quite deep problem when you think about it. You know, lets say I got all the data out there for car rentals or my calendar or whatever it is, but I dont really want to let everybody who just decides to write an app do anything they want with my data. And so we have many new technologies that are going to come to give people finer grained control over those applications and assets they operate on.

The second thing Suze’s demo was very important conceptually in another area was the area of controlling things by policies. Today, not very much of computing systems are done by policy. The way we convert policy into action computing is we hire a system administrator or a designer, and the business people who basically make the policy and declare the business intent, they go talk to some programmers and some systems analysts and some IT administrators and they say this is the policy I want and they go away and they wave their wands and do some incantations and they try to get the systems configured to achieve the policy objective.

And ultimately the errors that are made in the translation from statement of intent to actual administration is what creates either missed expectations or ultimately even worse vulnerabilities relative to security or privacy.

So while we think it will be essential for the end consumer to be able to have policy based ways of controlling access to his data and applications, similarly the entire organization, ultimately the network and the computer systems themselves will probably have to be more self-managed under policies just as we showed in the demo that the individual will use policies to control things.

Computing, just because of the scale and the diversity of it, will have to be more loosely coupled, self-configuring and I think self-organizing simply because there are too damn many computers and too few smart people and we dont really want to have a requirement for an IT professional to manage every computerized device in your life.

The other thing we believe is that more and more this will be again about pushing most of the computation out to the peer-to-peer interactions at the edge of the network, not in a centralized environment.

Basically when you move to this world of machine-to-machine interaction, the machines are so much faster than the people are that it makes it completely clear why timesharing failed in the first place. But the Web era, you know, the Internet Version 2, it kind of lulled people into thinking, “Well, maybe I could put everything back in the midst.” All right, but thats only because the people are so slow again and theyre just pointing and clicking, and then they have to read for a while.

So when the computers actually do the pointing and clicking and reading continuously and quickly, then, in fact, the load that will be placed on the central site, of course, would overwhelm it because each little processor at the edge is normally the same performance as the processor in the middle. You know, its just got a bunch of other scale assets around it like storage and memory.

And so it becomes clear for all the reasons that we have in the corporate world that most of the computing actually is done at the edge, that that will happen again, but then that requires that the center becomes the place for orchestration, for sharing the critical information that allows this peer-to-peer environment to work.

I mean, if you dont think this is whats going to happen, then just as a counterpoint think of Napster. Now, Napster had a few business model problems, okay — (laughter) — but from a technological point of view it was a tour de force of this new world. It was not a browser-based application. It used the browser environment to distribute itself so that people could get at it. It was essentially an application running at the edge that used a tiny little facility in the middle as a directory service to find the other people who had music to share, and other than that it was a completely peer-to-peer interchange of the data.

So that will be applied over and over again in myriad applications, but the speed with which that diffused into society, the facility with which it provided people to find what they want and get what they want, the fact that it never bottlenecked because, in fact, it was so completely distributed, you know, those are the hallmarks of the Internet of the future, and hopefully people will be more thoughtful about some of the policy, legal and business model issues, but dont be confused, it was the right architecture.

There will be new development, testing, operation and I contend auditing tools that need to be developed, most of which havent been started yet, and that the hardware and networking layers too will require more effort. Fail over and redundancy will become something that people just wont live without. These things will need to be impervious to physical modification. So there will be geographic distribution, so the physical loss of a particular piece of machinery or network connection wont actually be allowed to take the system down, and ultimately we have to deal with the traditional threat like theft and loss, where theres real human attempts to circumvent these protections. And so I think that will require more rigorous authentication.

Arguably, one of the biggest problems we have in the Internet today relative to defending against distributed Denial of Service attacks and prosecuting people who release worms and viruses is, in fact, that we dont have strong identity on the network, certainly at the low level.

If you look at the issues that were brought up when Intel tried to put a serial number in the chip, okay, you know, just because it had a potential use in this area, you know, people raised a big concern about that. Whether that was good or bad, you know, I mean it happened, but it now is yet another piece of the legacy that we have to deal with.

I think that we are going to have to have stronger identity in the network, where ultimately law enforcement will not be able to do its job, and so once we get to the point where we decide that we have stronger deterrents or want to have stronger legal deterrents, you know, if you cant enforce the law, it wont make any difference. And yet were building a huge legacy network out there that is fundamentally flawed. Why? For the same reason that those phone guys made the mistake when they put touchtone in the first time. They didnt quite think about how bad the bad guys could really be, and so they had to fix it.

And so were going to have to change the Internet again and put some mechanisms in to help with that, but part of the implication will be there will be more strong identity, more traceability. And so the people who are sort of the advocates of perfect privacy, you know, will get all anxious about that, but this is where its time to really get real. Maybe the September 11 events will force people to the realization that it doesnt matter whether its the cyber world or the tangible world, weve always had to find a balance and right now thats the task at hand. That is one of the opportunities of getting this group of people together for these three days is, in fact, to approach this problem with the idea that compromise will be required.

The specific things that were doing to put it up on the table, we have quite a few things, we have a new program we call the Strategic Technology Protection Program. This is one of those mid-range efforts I talked about earlier. We came to the conclusion — in fact, weve spent the last three years in an intense effort inside the company to ratchet up the quality of the product and services that we build. And Windows XP were quite proud of and we think it does represent a significant step forward in just absolute quality. I mean, you can read the reports and people say, “Boy, you know, I turn it on, it runs for months. It never blue screens, doesnt do anything untoward. Thats really a big improvement.”

We still know that theres a lot more to do and we will continue to do more, but now weve come to the conclusion that we end up with problems more frequently because weve made it too hard for people to administer the machines and upgrade the machines when the eventual problems do occur, and therefore we leave a big trail behind us of exploitable vulnerabilities that have been repaired in current products but have not been displaced in the marketplace or repaired in the marketplace.

And so were shifting our emphasis right now to creating a set of tools and services that will automate with respect to security, all right, the updating of these systems. We think ultimately that could be done in a broader way, but at least by moving the focus down to security updates, we think we can make a lot of progress quite quickly, and weve outlined a program over the next six months to really help people get secure and stay secure with both their legacy systems as well as the new technology.

In the product area theres been a lot more focus on very high quality mechanisms put in to make fairly strong, ultimately not unbreakable but very strong guarantees about protecting peoples intellectual property rights.

We have a new technology that will be coming out in the next year or so we call the Digital Asset Server because we realize that rights management isnt something that people care about with respect to just the music thats owned by the copyright holder or video, but, in fact, you care about all your data. As Suezs demo showed again, you know, theres all kinds of specific pieces of data that are your data, you care about that data. You dont want to actually erect a barrier and say, “Hey, my data, nobody can touch it.” You really want to control who gets to touch it and what they can do with it. Can they copy it, can they forward it, what can you do.

So we think everything ultimately wants to have rights management applied to it, and so were trying to create a uniform architecture and a uniform set of underpinnings that give people this ability to have fine-grained control over the use and distribution of digital assets.

Our business practices in terms of the .NET initiatives, the My Services things, you know, our goal is to give users control of their data, to have open protocols so that these things can be accessed from any operating system in any environment in any programming language.

The tools, the common language runtime for managed code in C# are ratcheting up the toolset, particularly for both personal computers and these non-PC devices so that people have just a better programming environment to try to minimized the number of errors that are made in writing these sophisticated applications.

The .NET framework for peer-to-peer computing, which is sort of the Napster analogy, or some of the things that we just showed here in the demo, will be something were putting a huge effort into supporting.

And the tools to build and deploy managed, distributed, secure web services. We remain super active in standards activities. I think we were certainly in a leadership position on P3P from an implementation point of view and we’re proud of what weve done there. But even putting that out has shown the community that they, in fact, arent always ready for the fact that consumers have this choice.

You know, Richard and I have met with people in the banking community and said, you know, they said,
“Well, wait a minute; now that youve done that, it actually shows that in our banking product and services that are regulated we dont actually tell people that much about what were doing with their data, and you guys are making it hard for us.”

And so I think it just shows theres always going to be this tension between business practices and the movement from the tangible world to the cyber world.

I remember about a year, maybe a year and a half ago both in Europe and the United States, I was in meetings with government leaders and it was at a time when there was a hue and cry for new privacy legislation, and people just were hell bent, were going to have some new privacy legislation. And if you wake up a year later, you realize, hmm, guess what, there was no privacy legislation. Why was that? Well, it became pretty clear — it is my simpleminded view — that you couldnt really write legislation that only dealt with the cyber world, and so when you tried to write, quote, the “new legislation” that distended against the theoretical threats or perhaps the more publicized threats of the new world, what happened was you got the old world people running in and saying, “Who, dont do that because that law youre writing for those new guys will actually have an adverse effect on us old guys, and we didnt really want that. And, hey, you know, youve been pretty happy with us the way we are, so maybe they wouldnt be so bad either.”

And I think that youre going to continue to see this play out over time, that the cyber world and the tangible world cant be decoupled, and yet the visibility that is afforded people in this open environment will, in fact, create some angst for people who have been doing the other stuff.

Society then will have to make a choice about whether the old way was good enough and will be adequate in the cyber world or whether, in fact, they were just having the wool pulled over their eyes and we should change something anyway.

But these will require very, very thoughtful conversations, and Id predict again why its important to have people like this meeting each other and talking about these things is because if you get hardcore about privacy, you know, youre going to screw up the security side. If you get hardcore about the security, youre going to screw up the privacy side. And if youre just digging your heels and you dont understand these issues and the give and take required, then you get stalemated, and that ultimately will not work in the service of either the consumers or the industry. And so were also very involved in long-term research around these things.

So cooperation will be required. I think its imperative that people dont think that they can leave the common efforts to somebody else, you know, theyll just adopt whatever gets done. The reality is there arent enough people who understand these issues in a deep way to give thoughtful suggestions about what we might do, and thats why we, in part, sponsored this conference. Its why we changed it from “Safenet” to “Trusted Computing” as the theme, because we want people to step all the way up and say, “Hey, what is it were really trying to achieve here, and therefore what are the implicit balances that have to be struck.”

I think this will take a long-term concerted industry wide effort. Clearly leadership companies will be able to make a difference, but no one company will be able to dictate an answer in this area. I think its important to participate in developing the standards, and as I said before, I think theres an area that is largely untouched, one that we intend to try to provide some leadership for, but I think its completely a green field right now, which is what are the specs and mechanisms going to be for interoperability with respect to audit and operation and analysis in the areas that are the foundations of security, privacy and ultimately all the other aspects of trust.

I think that Microsoft is clearly making greater efforts than we ever have to both self-certify all the aspects of the trust matrix relative to our product and services. Were also engaging and having audits done by third parties on a voluntary basis. And so much as again the demo implied where you had these little trust stickers like eTrust and other things, I think that these kinds of things will be important to people and were clearly going to be involved in helping to create and certify these things, and then let people examine what were doing, too.

And I think we have to recognize that the Internet, unlike most of the tangible world phenomena, you cant come up with a national solution. In fact, its actually always been a luxury to be able to get a national solution first or recognize that well Europe can have a little different solution than the United States. But in this Internet world where these things just go back and forth across a boundary, its a lot harder both to come up with a national solution thats workable, and certainly very hard to talk about operating any of these service and product businesses in a world where you actually have disparate legal requirements. Thats why the jurisdictional laws are really an issue and ultimately why we have to have international cooperation to deal with this stuff.

So why are we here? Well, ultimately were trying to increase focus on engineering trustworthy products and services. We are very focused on it as a company. We recognize it is essential to our ultimate success on a going forward basis. But we also recognize that we dont have a good way yet inside our own company to ensure uniform action, but were at least organized at the management committee level, my job, to ensure that we approach this in a consistent way across all of the Microsoft activities. But ultimately we also recognize that theres no good way to talk about this in the community at the level Ive described to you this morning.

So we want to agree on a common vocabulary, some framework. You dont have to like the one we gave you, but at least it should hopefully make you stop and think, you know, if you have a better one, hey, bring it on, bring it on. Wed be happy to look at it and borrow from it. But hopefully its a thoughtful opening offer.

We want to also help people distinguish between the technology and the policy issues. Many times I know that certainly when we look at the comments people make about Microsoft, our products or our services, its awfully easy to confuse privacy and security. As I pointed out, ones a means and the other is a goal. And its also very easy to try to confuse the issues of policy versus technical problems. And we contend that more often than not the company has exactly the right intent from a business practice and policy point of view; we may not yet be perfect in execution. In fact, arguably well never be perfect and neither will anybody else.

So the real question is when you arent perfect, what is your business policy, and practice to deal with mitigating the problems that come from imperfect products or people? And that we contend we do a good job at and well continue to try to get better at — which is not to excuse the idea that we wouldnt love to have the product be perfect, but were also pragmatic in recognizing that these are the worlds most complicated systems and it will continue to exhibit failures and failure modes that largely are unanticipated. I dont think we have to be super apologetic about that. I think the industry is going to exhibit this at a macro scale and therefore what we really need to do is be focused on how do we deal with the problems when they occur.

So another thing that were trying to do right now is get people together in the security community and focus on what are the right ways to deal with these things. Today, its so ad hoc. All right, it isnt even clear that the things that are being done are actually serving the interests that they claim to be serving. A lot of the mechanisms for vulnerability exposition and publication of exploits and other things arguably are not really conscientious processes, and wed like to get people together and agree on at least what we could do on a self-regulated basis to deal with these kinds of issues.

And then finally to determine what standards will be needed to automate and interoperate with these various aspects of trust, because the world were moving toward is one where almost — well, I should say the vast majority of the interaction on the Internet will be between two programs, not between people and servers. And so thats a very different world than the world that people think about today when they think about the browser and that model of interaction, and so its just going to require a huge effort.

So clearly we want your participation, both today and in the next two days and ultimately once you go home, and we want you to understand what our orientation is towards this.

So I want to thank you for your time and attention. Id be happy now to have a few minutes of discussion and answer questions. I think we have 15 or 20 minutes if you want to spend it. And if were done, then we can go have coffee and you can talk in the hallways.