WGA Notifications was found to ping Microsoft every day. Do you feel that should be disclosed to users?
We have a basic promise that we will be as transparent as possible. In this case, we've spent a lot of time on the Windows Genuine Advantage Validation part that really transmits information and neglected the area of Notifications.
Microsoft has a big push for online services. Everything is going "Live." Is there a difference between online and offline when it comes to privacy?
Cullen: We're building online services to the same set of standards around privacy as more traditional products. Also, think about the fact that even though software sits on your computer, it's still connecting to the Internet.
Windows Error Reporting, for example, has privacy built into it. When there is a problem with the system we want to know about that, because it is perhaps the only way that we can fix it. But we also understand that you need to have the choice about whether the information is sent. So, before it gets sent, you have to affirmatively say "please send".
So there is no need for special guidelines for online services?
When we built the privacy standards, we thought about it in terms of products, and we also thought about it in terms of services, so it applies to every single one of our Web pages.
Is there much debate, or do you have to fight for certain things when you're working with product teams? Are there certain things that you really have put your foot down over?
One of the most gratifying things about Microsoft is that privacy is a core tenet of the company. It's part of the Trustworthy Computing Initiative, which was proclaimed by Bill Gates four-and-a-half years ago. I find privacy is actually a forethought as opposed to an afterthought. There are situations where we do provide counsel, but usually it is because the business unit really wants to do the right thing.
Windows Vista is coming down the pike, and Microsoft is touting it as its most secure operating system. Is it also one of the most privacy-centred operating systems?
That gets back to the standards that we've built right into the product. Vista went through the entire Security Development Lifecycle, which means that privacy is built right into it.
Do you often have to slap people for doing something bad, related to privacy?
It hasn't been my experience, no.
Maybe the WGA Notifications flap is the only example?
We've spent a lot of time on parts of that, and we'll do a better job of the rest of it. My experience is that people absolutely want to do the right thing all the time. In our company, there are over 350 people that have responsibility for privacy as part of their job, so it's a marvellously rich infrastructure that's inculcated right into the business unit.






Talkback
"We didn't spend the same amount of time on the notification side of it, which really transmits no information about the user back to Microsoft."
No one knows what info M$ collected on the daily call backs to their servers, nor what they did with the information. They may have collected your browser cache to see where you had been. The WGA is pure spyware and doesn't do much to add trust in M$.
Microsoft spend a lot of PR money to get people to turn on Automatic Updates, which automatically installs everything labeled as high-priority updates because 'people can't be trusted with installing needed security updates themselves in time'. Not that much later the WGA thing shows up, which is anything but a needed security update. Just shows that when dealing with commercial companies like Microsoft there's no such thing as a free ride. One might wonder what surprises are in store for 'free' services like Live Messenger. Guess the only real free nowadays is the Open Source version of free.