Posted by Peter Cullen
Chief Privacy Strategist

I have been actively engaged in privacy issues for over a decade, first at the Royal Bank of Canada and now as Chief Privacy Strategist for Microsoft since 2003.

During that time privacy has rarely received as much attention as it’s getting now.  Mainstream media from  Good Morning America to USA Today regularly have stories about everything from shifting online privacy policies to unauthorized collections and use of personal data.  At the same time, some in the tech industry have suggested that social networking and other new technologies are making privacy obsolete.

Given the high level of interest, I’m pleased to be in San Jose this afternoon to deliver the keynote address at the Computers, Freedom and Privacy conference.

Microsoft has been working on online privacy issues since launching MSN in 1994.  We’ve had our challenges along the way, but we’ve learned from our mistakes and privacy has become increasingly central to everything we do.

Earlier this year, in a speech at the University of Washington, Steve Ballmer said: “As a mature and responsible organization, we have got to lead with privacy.”

And this is very much Microsoft’s goal.  To apply what we’ve learned in the past around privacy to today’s rapidly evolving landscape of social media, information flows and the cloud.

One reason we are focused on privacy is because it still very much matters to our customers- it remains a matter of “trust.”

While social media may be pushing the boundaries around privacy and altering certain behaviors, heavy users of social media – including young people who some claim don’t know better --  value and fiercely protect their right to privacy.

A Pew Internet and American Life Project survey on “Reputation Management and Social Media” released at the end of May indicated that young people are actively working to protect their privacy online. 

Governments around the globe are also updating their privacy laws or implementing new privacy statutes where none previously existed.

These trends have put privacy under a microscope and sent companies worldwide a message that governments, consumers and civil society both expect and demand accountability around data privacy.

To Microsoft, accountability is not just an important concept in this world of exponentially growing data flows.  It is a critical governance principle that organizations need to live by.

A perceived lack of accountability is what has frustrated consumers, regulators and advocates with some of the recent high-profile privacy missteps. 

A “No harm, no foul,” approach is simply not going to cut it in the current environment.

Under an accountability governance model for organizations, a company must:

  • understand the risks to individuals that come with processing their data and mitigate  those risks
  • ensure that their processes do indeed safeguard their customer’s data, and
  • be transparent and answerable for their strategies to identify and mitigate risks.

Likewise, it is simply not enough to retrofit privacy protections into existing products and services. Rather, privacy protections must be incorporated into every aspect of product development, from design through deployment.

Fundamentally, innovators have a responsibility to mitigate risks in new technologies and services by architecting strong privacy and security safeguards throughout every product’s development and deployment cycle.

We are following these principles as we develop products and services and to help maximize the benefits of cloud computing while protecting privacy.

In the context of privacy the challenges of the cloud have a lot to do with where data sits and who has access to it. These challenges are not new, as consumer and business data have been sitting ‘off-premise’ in a variety of situations for years.

For privacy professionals, the cloud represents the latest evidence that technology will likely always outpace policy. For instance, the data aggregation enabled by the cloud not only creates rich targets for bad guys, but also heightens a range of privacy and jurisdictional issues.

Today, more than ever, policymakers and regulators need to think and act both locally and globally. The borderless state of cloud computing finds itself at odds with the world of physical boundaries and multiple sovereignties.

We believe that we need to think about these issues in the context of new responsibilities.

Not only does industry need to innovate and develop new technologies to protect the network, it needs to create better tools to empower users so they can choose how they want to interact with the cloud.

These truly are issues that no one company, industry or sector can tackle in isolation. So it is important to start these dialogues in earnest and include a diverse range of stakeholders from every corner of the globe.