Posted by Brad Smith, General Counsel & Executive Vice President, Legal & Corporate Affairs, Microsoft
Last Thursday, news coverage focused on a case in 2012 in which our investigators accessed the Hotmail content of a user who was trafficking in stolen Microsoft source code. Over the past week, we’ve had the opportunity to reflect further on this issue, and as a result of conversations we’ve had internally and with advocacy groups and other experts, we’ve decided to take an additional step and make an important change to our privacy practices.
Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.
Posted by John Frank, Deputy General Counsel & Vice President, Legal & Corporate Affairs, Microsoft
We believe that Outlook and Hotmail email are and should be private. Over the past 24 hours there has been coverage about a particular case, so we want to provide additional context and describe how we are strengthening our policies.
In this case, we took extraordinary actions based on the specific circumstances. We received information that indicated an employee was providing stolen intellectual property, including code relating to our activation process, to a third party who, in turn, had a history of trafficking for profit in this type of material. In order to protect our customers and the security and integrity of our products, we conducted an investigation over many months with law enforcement agencies in multiple countries. This included the issuance of a court order for the search of a home relating to evidence of the criminal acts involved. The investigation repeatedly identified clear evidence that the third party involved intended to sell Microsoft IP and had done so in the past.
Posted by Brad Smith, General Counsel & Executive Vice President, Legal & Corporate Affairs, Microsoft
Today we are updating our transparency reporting to provide new information relating to governmental demands for customer data. Beginning last summer, Microsoft, Google, and other companies filed lawsuits against the U.S. government arguing that we have a legal and constitutional right to disclose more detailed information about these demands. We contended that we should be able to disclose information about legal orders issued pursuant to U.S. national security laws such as the Foreign Intelligence Surveillance Act (FISA), which we had previously been barred from disclosing.
As a result of that litigation and after lengthy discussions, the Government recently agreed for the first time to permit technology companies to publish data about FISA orders. While there remain some constraints on what we can publish (more details on that below), we are now able to present a comprehensive picture of the types of requests that we receive from the U.S. Government pursuant to national security authorities.
Posted by Brendon Lynch, Chief Privacy Officer, Microsoft
We at Microsoft focus on privacy protections for our customers every day of the year. On Jan. 28, we join others across private and public sectors around the world to mark Data Privacy Day (DPD) – which is also known as Data Protection Day in Europe where it began in 2006. In support of the day’s focus on educating and empowering people, I’ll be participating in a DPD panel discussion hosted by the National Cyber Security Alliance (NCSA) in Washington, D.C. on Jan. 28, and will share the results of a new Microsoft commissioned survey that measured online privacy perceptions among technology savvy individuals in the U.S. and four European countries (Belgium, France, Germany and the UK).
Our panel discussion will focus on “Notice and Consent: Innovating a New Path Forward,” where we’ll explore the complex opportunities and challenges that businesses, civil society and government must overcome to adapt traditional privacy models for the era of big data and the Internet of Things.
Last week, President Obama spoke about the role of the National Security Agency and announced some important changes to the surveillance practices of the U.S. government. We appreciate the steps the President announced, which represent positive progress on key issues including privacy protections for non-U.S. citizens. There is more work to do to define some of the details and additional steps that are needed, so we’ll continue to work with both the administration and Congress to advocate for reforms consistent with the principles our industry outlined in December.
This week, the World Economic Forum holds its annual meeting in Davos, Switzerland where these same issues of data privacy and reform of government surveillance will be on the agenda. We hope that these discussions will spur a focus on the international steps that governments can take together. While there is no substitute for American leadership and action on these issues, the time has come for a broader international discussion. We need an international legal framework – an international convention – to create surveillance and data-access rules across borders.
Posted by David Howard, Corporate Vice President & Deputy General Counsel, Litigation & Antitrust, Microsoft
You may be wondering what happened to the YouTube app for Windows Phone. Last May, after we launched a much improved app on our platform, Google objected on a number of grounds. We took our app down and agreed to work with Google to solve their issues. This week, after we addressed each of Google’s points, we re-launched the app, only to have Google technically block it.
We know that this has been frustrating, to say the least, for our customers. We have always had one goal: to provide our users a YouTube experience on Windows Phone that’s on par with the YouTube experience available to Android and iPhone users. Google’s objections to our app are not only inconsistent with Google’s own commitment of openness, but also involve requirements for a Windows Phone app that it doesn’t impose on its own platform or Apple’s (both of which use Google as the default search engine, of course).
Posted by Peter Cullen, General Manager, Trustworthy Computing, Microsoft
We live in an environment where the amount of data being generated is increasing at a staggering pace. With it we see a corresponding growth in the potential for important benefits, both to us as individuals and as a society, based on using this information. However, in this data-rich world it is becoming clear that today’s privacy frameworks cannot adequately protect consumer privacy; it has become critical that we evolve our thinking with respect to the ways societies protect the privacy of individuals while providing for responsible, beneficial data use.
Identifying frameworks that support the dual goals of privacy and responsible data use is the motivation for Microsoft’s collaboration with privacy stakeholders from around the world – across governments, private enterprise and civil society. Today, we are pleased to have been able to support the launch of two new white papers: “Data Protection Principles for the 21st Century” and “Data Use and Global Impact” which outline important new thinking on this topic.
Posted by Dan Bross, Senior Director, Corporate Citizenship, Microsoft
We are proud to be included in the 2014 list of the World’s Most Ethical Companies, which was released by the Ethisphere Institute on Thursday.
Ethical and responsible business practices are the bedrock of our corporate governance practices. These practices are designed to promote the interests of shareholders, maintain checks and balances, strengthen accountability and foster responsible decision making.
Today, we are joining AOL, Apple, Facebook, Google, LinkedIn, Twitter and Yahoo in calling for reforms of government surveillance.
Since Microsoft was founded, we’ve believed technology is a powerful tool that can help people. In that belief we remain steadfast.
But we also recognize another important point. People won’t use technology they don’t trust. Governments have put this trust at risk, and governments need to help restore it.
Last week we announced that we’re taking new steps to reduce the risk of government snooping. Today we’re joining with others across our industry to call on governments to adhere to specific principles with respect to surveillance.
Posted by Dr. Dennis Schmuland, Chief Health Strategy Officer, U.S. Health & Life Sciences, Microsoft
On Wednesday, University of Colorado Health (UCHealth), one of the state’s largest healthcare providers, announced its migration to Microsoft Office 365, a decision that was made in large part due to Microsoft’s long-standing commitment to data security and privacy and because the company supports HIPAA requirements beyond what other vendors provide.
Such cloud adoption within the healthcare industry is gaining momentum because the economic, clinician productivity and care team collaboration advantages of the cloud are undeniable. However, as was the case for UCHealth, there’s one fundamental concern that continues to weigh heavily on the minds of providers: Is patient data safe, secure and private in the cloud?
Posted by David Finn, Associate General Counsel & Executive Director, Microsoft Cybercrime Center
A new study released Tuesday reaffirms what we in Microsoft’s Digital Crimes Unit have seen for some time now – cybercrime is a booming business for organized crime groups all over the world. The study, conducted by IDC and the National University of Singapore (NUS), reveals that businesses worldwide will spend nearly $500 billion in 2014 to deal with the problems caused by malware on pirated software. Individual consumers, meanwhile, are expected to spend $25 billion and waste 1.2 billion hours this year because of security threats and costly computer fixes.
Posted by Paul Nicholas, Senior Director, Global Security Strategy & Diplomacy, Microsoft
On Thursday, Microsoft released a new study entitled The Cybersecurity Risk Paradox. The new report focuses on specific ways that social and economic factors affect cybersecurity outcomes worldwide. It is a follow-up study that builds on the earlier learnings of a study released last year entitled Linking Cybersecurity Outcomes and Policies.
In Linking Cybersecurity Outcomes and Policies, we took malware infection data from our Microsoft Security Intelligence Report and compared it to international socioeconomic statistics in three categories – digital access, institutional stability and regime stability. We were then able to identify the key social, economic and technological factors critical to enhancing cybersecurity.
Posted by Matt Thomlinson, Vice President, Microsoft Security
On Friday, I participated in a panel entitled “Rebooting Trust? Freedom vs. Security in Cyberspace” at the 50th Munich Security Conference. During my presentation, I discussed Microsoft’s initiatives to protect customer data from government snooping, which Microsoft General Counsel & Executive Vice President Brad Smith recently announced. Brad outlined three areas where Microsoft would be taking action: expanding encryption across our services; reinforcing legal protections for our customers’ data; and enhancing the transparency of our software code. On Friday, we announced another step we are taking in implementing those commitments.
We will open an international Transparency Center in Brussels, which will offer government customers an increased ability to review our source code. The Brussels center will build upon our long-standing program that provides government customers with the ability to review our source code, reassure themselves of its integrity and confirm there are no back doors. It is my hope to open the Brussels Transparency Center by the end of this year.
Posted by David Finn, Executive Vice President & Associate General Counsel, Microsoft Cybercrime Center
Last week, Microsoft hosted our first Cybercrime Enforcement Summit. More than 60 global law enforcement leaders and cybercrime experts met in Redmond for two days of closed-door sessions, discussing best practices and concrete steps to protect people online.
As I reflect upon the event, I think there are three key takeaways that will guide the efforts of all of those that attended:
1. Actions speak louder than words
We are entering a new era of collaboration where there is a shared recognition that only through strong partnerships can we not only keep pace with cybercriminals, but get ahead of them.
Posted by Jeff Meisner, Editor, Microsoft on the Issues
On Dec. 17, Microsoft’s Innovation & Policy Center in Washington, D.C. assembled panelists from the New America Foundation, Texas Instruments, the Institute for Complex Systems Simulation and Lerman Senter PLLC law firm to offer insight into the current state of affairs in the field of unlicensed spectrum use.
Panelists participated in a wide ranging conversation, which included topics such as the potential uses of spectrum white spaces, the state of standards work, the policy issues pending before the FCC and the potential economic value of unlicensed use in the TV band. The experts sorted through the myths and promises of TV white spaces in order to discover what it will take to make robust unlicensed TV band use a reality.
Posted by Frederick S. Humphries Jr., Vice President of U.S. Government Affairs, Microsoft
People from around the world are increasingly coming together to call for increased reform of government surveillance, and Microsoft sees Tuesday’s effort as a broad demonstration of that growing momentum. At Microsoft, we believe further reform is essential for our customers, our company and society at large – not only to help ensure the right balance between privacy and security, but to demonstrate our understanding that without liberty, we do not have security.
Posted by Scott Charney, Corporate Vice President, Trustworthy Computing, Microsoft
At Microsoft, establishing and sustaining trust with our customers is essential. If our customers can’t rely on us to protect their data—whether from crooks, mismanagement or excessive government intrusion—they will look elsewhere for a technology provider.
Government access to data is a hot topic. But it’s not new. In fact, our General Counsel, Brad Smith, has addressed the issue in a series of blog posts covering, among other topics, our efforts to protect customers and our support for reforming government surveillance.
On Tuesday at the RSA Security Conference in San Francisco, I gave a speech on the changing cybersecurity landscape and the respective roles of governments, users and the IT industry. I’d like to share some of my thoughts here.
Posted by Anthony Salcito, Vice President, Worldwide Education, Microsoft
I'm thrilled to announce a new benefit designed to empower students worldwide with the technological skills they need to compete in today’s (and tomorrow’s) workforce: it's called Student Advantage.
Beginning Dec. 1, any academic institution that licenses Office for staff and faculty can provide Office 365 ProPlus for students at no additional cost. Student Advantage makes it easy for qualifying institutions to provide students with the latest version of full Office at school and at home. Combined with Office 365 for Education plan A2, which is free for schools, Student Advantage gives students access to the same set of world-class productivity tools and services used by Fortune 500 companies all over the world.
Posted by Horacio Gutierrez, Deputy General Counsel & Corporate Vice President, Legal & Corporate Affairs, Microsoft
On Thursday, the Administration issued a call to America’s innovation community to help strengthen the patent system by providing the U.S. Patent and Trademark Office the information, tools and resources it needs to perform its vital function.
Microsoft applauds and supports these efforts. The U.S. patent system is the engine for our economy, incentivizing the creation of new technologies that are essential to America’s ability to compete in markets around the world. All stakeholders, including those of us in the private sector, have a key role to play in keeping this system healthy.
Today we have asked the Attorney General of the United States to personally take action to permit Microsoft and other companies to share publicly more complete information about how we handle national security requests for customer information. We believe the U.S. Constitution guarantees our freedom to share more information with the public, yet the Government is stopping us. For example, Government lawyers have yet to respond to the petition we filed in court on June 19, seeking permission to publish the volume of national security requests we have received. We hope the Attorney General can step in to change this situation.
Until that happens, we want to share as much information as we currently can. There are significant inaccuracies in the interpretations of leaked government documents reported in the media last week. We have asked the Government again for permission to discuss the issues raised by these new documents, and our request was denied by government lawyers. In the meantime, we have summarized below the information that we are in a position to share, in response to the allegations in the reporting:
Not surprisingly, we remain subject to these types of legal obligations when we update our products and even when we strengthen encryption and security measures to better protect content as it travels across the web. Recent leaked government documents have focused on the addition of HTTPS encryption to Outlook.com instant messaging, which is designed to make this content more secure as it travels across the internet. To be clear, we do not provide any government with the ability to break the encryption, nor do we provide the government with the encryption keys. When we are legally obligated to comply with demands, we pull the specified content from our servers where it sits in an unencrypted state, and then we provide it to the government agency.
Posted by Jacqueline Beauchere, Chief Online Safety Officer, Microsoft
To mark Safer Internet Day (SID) 2014, Microsoft asks people to “Do 1 Thing” to stay safer online and to make that one thing part of their daily digital routines.
As part of this campaign, on Monday we’re launching a new interactive website Safer Online, where individuals can share their “Do1Thing” promise; learn what others are doing to help protect themselves online, and get instant tips to enhance and better protect their digital lifestyles.
Posted by Scott Charney, Corporate Vice President, Trustworthy Computing
For more than two decades, people have struggled to understand the cyber threat, evaluate the risks to individuals, organizations (including nation-states), and society at large, and craft appropriate responses. Although many organizations have invested significantly in information assurance, most computer security experts believe that a well-resourced and persistent adversary will more often than not be successful in attacking systems, especially if raising defenses is the only response to an attack. For this reason, increasing attention is being paid to deterring such attacks in the first instance, especially by governments that have the power to investigate criminal activity and use a wide range of tools to respond to other public safety and national security concerns. Notwithstanding this emerging discussion, it appears to many people that neither governments nor industry are well-positioned to respond to this highly complex threat and that, from a policy and tactical perspective, there is considerable paralysis.
In my Rethinking Cyber Threats and Strategies paper I discuss a framework for categorizing and assessing cyber threats, the problem with attribution, and possible ways for society to prevent and respond to cyber threats. In my speech today at the International Security Solutions Europe (ISSE) Conference in Berlin, Germany, I proposed one possible approach to addressing botnets and other malware impacting consumer machines. This approach involves implementing a global collective defense of Internet health much like what we see in place today in the world of public health. I outline my vision in a new position paper Microsoft is publishing today titled “Collective Defense: Applying Public Health Models to the Internet.”
In less than a month, European leaders will come together to finalize the draft rules of procedure for the Unitary Patent Court. On Tuesday, a diverse cross-industry coalition of nearly 20 companies and associations urged the European Union to make further amendments to the rules to support innovation, while deterring patent trolls from entering the EU patent space.
The rules of procedure are the blueprint for the Unitary Patent Court, which will govern patent disputes for most of the EU. If these rules are sound, companies doing business in Europe will be able to innovate more efficiently.
Posted by Peter Cullen, General Manager, Trustworthy Computing, Microsoft
This week is particularly exciting for the many people at Microsoft who focus on data privacy. Several of us will attend the annual Global Privacy Summit in Washington, D.C., hosted by the International Association of Privacy Professionals (IAPP). It is a week for privacy professionals from around the world to convene and discuss the big topics that industry, civil society and governments work on collectively to advance the state of privacy protections in today’s data-rich world.
Scott Charney, Corporate Vice President of Microsoft’s Trustworthy Computing group, will deliver a keynote address on Thursday that explores both the trust dynamics resulting from ongoing disclosures regarding government data access and the challenges facing commercial data privacy models in a world of increasingly ubiquitous computing.