The notion that Microsoft has secret access to all kinds of personal information -- or that it uses personal information in ways not expected by consumers -- could be the undoing of the company's .Net software-as-a-service strategy, Sutherland said. Unless Microsoft can dispel the sense of an Orwellian menace, people aren't going to trust that their information will be protected using services like Passport, which is key to .Net. A recent string of security breaches in Microsoft's products -- including the Windows XP operating system, the Mac Office suite, the Excel and PowerPoint applications, and the Internet Explorer browser -- doesn't help the company's case. These problems could give consumers and businesses good reason to worry that their personal information might inadvertently be made public. In this area, analysts warn, Microsoft has much work to do, particularly if .Net Web services are to be successful. "Their heart seems to be in the right place," said Kate Rears, a policy analyst with the Washington-based Electronic Privacy Information Center (EPIC). "They have extensive privacy policies for the products that they put out. But the unfortunate circumstance seems to be they've had some security breaches with their large, (widely used) products." Purcell is adamant that Microsoft is serious about protecting the personal information that's collected daily. That seriousness, he says, starts with a sound policy on privacy, in five main areas: notice, choice, access, security and enforcement. In the matter of notice, Microsoft is supposed to disclose to consumers or businesses the kind of information it collects and to explain how the data will be used. "Choice means that when data is being used for other purposes than the purpose you gave to me, you get a choice to say, 'Yes, please,' or, 'No, thank you,'" Purcell said. "You get a choice of opt out or opt in." Access means that consumers and businesses can modify or change the data collected about them, while security pertains to protecting data or transactions from unauthorised access, corruption or loss. "Enforcement indicates we watch over ourselves internally and make sure we are complying with these rules," Purcell said. "We also have third-party monitoring. We're a licensee of Truste, and they watch over and provide alternative dispute resolution in case a problem can't be resolved." Like other large companies conducting business on the Internet, such as AOL Time Warner and CNET Networks, the publisher of News.com and ZDNet UK News, Microsoft posts a privacy policy on its Web site. The software giant has also incorporated into Internet Explorer 6 the Platform for Privacy Preferences (P3P), a feature that helps track Web sites' privacy policies and gives consumers greater control over what information they reveal. The need to educate
But in the case of Microsoft, simply posting a privacy policy may not be enough to dispel the sense of Big Brother or to convince consumers that their personal information will be safeguarded. "Microsoft's battle is educating the user population about what information they are collecting and why," Sutherland said. "They have to be much more proactive," if for no other reason than the dot-com meltdown a year ago, when some bankrupt start-ups sought to sell personal data they had collected, he said. "There were a lot of questionable ethics" at that time, Sutherland said. "There were companies that promised information wouldn't be shared, and then it was. Microsoft is being painted with the same brush. People figure Microsoft will do whatever they can do to influence their users...If they didn't plan to use it, why collect that information?" The inconsistency in privacy policies among companies and the risk of unwanted disclosure are part of the reason EPIC wants lawmakers to step in. "That's why we and other security advocates would argue for legislation, particularly over e-commerce, that would create a standard," Rears said. Microsoft in some ways has been its own worst enemy. Early customers installing Windows XP were confronted with a new anti-piracy mechanism that contacted the company via the Internet to "lock" the software to the hardware. But optional product registration that followed immediately after activation bred worries that Microsoft was building a database of user information. "Product Activation does not collect any personally identifiable information," Purcell said. "It's only voluntary. It collects the country and the 'hash code', or value that is unique to your system." Still, other Microsoft product features create opportunities for revealing personal data that could give consumers cause for concern. Windows XP uses a bug report feature that optionally sends a report to Microsoft via the Internet after a program crash. That report forwards data dumped from memory, some of which could contain personal information. Microsoft also has backpedalled on some aspects of privacy. Concerns about the wording of its Passport privacy policy forced the company to revise the policy last year. The original policy granted Microsoft enormous control over customer communications. Ironically, privacy organisations say that Microsoft does stand above its peers when it comes to trying to safeguard personal information, despite the public's suspicions. "They are very committed in a very clear way to privacy," Truste's Maier said. "They are always pushing for higher standards, and I would say their policy is better than the average right now." Going the extra mile
Even EPIC, which has harshly criticised Microsoft regarding Passport, says the company has good privacy policy. But good is not good enough, at least for Microsoft, Rears said. EPIC has filed two complaints with the Federal Trade Commission about Passport privacy and security, last month also sending a letter to state attorneys general warning of potential problems with the authentication service. "Microsoft is so ever-present, and just about everybody uses something from Microsoft," Rears said. "If they're going to be out there on that large scale, they need to make sure their privacy policy just isn't OK. It has to be superb; it has to be the best. If Passport is going to have 200 million users, they've got to take the extra measure to protect people." For this reason, the ongoing security problems are a serious privacy concern, Rears warned. She praised a recent companywide email sent by Microsoft chairman Bill Gates urging that security be a top priority. "It's a good start," Rears said. Microsoft's challenge is the same as that facing other companies trying to offer services that are easy to use but also secure, Sutherland said. "I think a lot of consumers have given up on this one," he said. Purcell conceded that this is an area of great concern and one that Microsoft will be looking at as it refines its Web services strategy. "You've got to make it as easy as you can to implement it, but if you make it too easy, it's easy to overcome," Purcell said. "If you make it too hard to overcome, then it's too hard for the (customer) to use. Ease use in some ways works against security. You can make it really, really secure, but people aren't going to be able to get to it." The results of Microsoft's newfound emphasis on security and privacy won't be apparent for some time. Analysts and other observers expect more fine-tuning, however. "We'll know in a month, (after the internal security review)," Sutherland said.
Who's watching you? Get the latest on spy networks such as Echelon and Carnivore, as well as privacy issues for companies and individuals alike, at ZDNet UK's Privacy News Section.
Have your say instantly, and see what others have said. Go to the ZDNet news forum.
Let the editors know what you think in the Mailroom.
