Brendon Lynch, Chief Privacy Officer, Microsoft writes on the Trustworthy Computing Blog:

Yesterday morning I read an article in The New York Times that described “How to Muddy Your Tracks on the Internet.” The article gives consumers some suggestions for addressing the complicated problem of managing the information left by one’s activities online. This information has many diverse components – website visits, searches, instant messages, e-mails, social-network postings, and so on – indicating personal organizational management, technology solutions, and continued attention at industry and government levels will be important for the foreseeable future.

At Microsoft, we embrace the concept of “privacy by design.” This includes building meaningful choices into our products and services to help consumers protect their privacy and limit their online information. With Internet Explorer 9 Tracking Protection Lists, customers can choose which third-party sites can receive their information and track them online. IE 9 also features In Private Browsing, a function that helps prevent web-browsing activity being retained by the browser. The Microsoft Personal Data Dashboard Beta gives consumers greater visibility and control of their Bing search history, as well as the ability to opt-out of online ads. And, Microsoft Hotmail does not scan the contents of customer e-mails to serve ads.

While all of these tools can greatly enhance individual privacy, a comprehensive solution to managing one’s online information doesn’t exist; the Internet is composed of many products and services from many different organizations. And, studies show that when faced with a decision, people frequently choose convenience over privacy. Granted, choices are often confusing, and organizations can continuously improve their privacy communications to better enable consumers to make informed decisions.

To continue moving forward, we think the time is ripe for a discussion about new ways for organizations to manage consumer information. One possibility is a privacy model that creates obligations for organizations as to how they use personal data. To learn more about our thinking, download this short paper. We also encourage you to join Microsoft’s Online Safety twitter handle, which regularly provides information on ways to stay safer online.

I just wrote a new 2-page background paper on social networking safety for policymakers.  Our Trustworthy Computing Policymakers web page offers a number of these backgrounders on safety and privacy topics, including Privacy in Online Advertising, Privacy in the Cloud Computing Era, Online Safety Education Model Legislation, Sexual Offender Registries, and more. 

Microsoft has engaged in some very constructive efforts with governments to help make social networks safer.  Our recent collaborative efforts include the Safer Social Networking Principles of the European Union, a set of best practices agreed upon by 18 social networking service companies, including Microsoft, and the European Union.  As well as the Joint Statement on Key Principles of Social Networking Safety announced by the United States Attorneys General Multi-State Working Group on Social Networking and MySpace, which resulted in the landmark Internet Safety Technical Task Force report on Enhancing Child Safety and Online Technologies.

 Download the backgrounder here:

 

-- David Burt, CIPP, CISSP

  Today, I testified before the Article 29 Working Party, the Europe Commission group charged with providing advice to the EU and member states on the protection of personal data.  The Article 29 Working Party hearing examined the data anonymization practices of major search companies.  

In April 2008, the Article 29 Working Party issued an opinion that asked search companies to evaluate their search anonymization policies and adopt strong anonymization after 6 months.  In December 2008, Microsoft announced that it was prepared to meet the Article 29 Working Party's guidelines for search anonymization but believes it is imperative that all search companies adopt the same standard to truly protect people's privacy.  

At today's hearing, Microsoft voiced its support for the Working Party's April opinion that called for a common industry standard for search anonymization. Specifically, we are prepared to move to a six month anonymization timeframe so long as all search companies adopt an equivalent timeframe and methodology.

We explained why the strength of the anonymization method matters even more to consumer privacy protection than the timeframe when it is anonymized. While both an effective timeframe and method are necessary, a short timeframe coupled with a weaker method will not yield as strong privacy protections since, if cross-session identifiers remain, data can possibly be correlated and maybe even linked to an individual at a later date.

Unlike the anonymization methods of many other search companies, Microsoft deletes the entirety of the IP address, as well as all other cross-session identifiers such as persistent cookie IDs. The company also takes steps from the outset to separate queries from personally identifying information. The following chart explains our understanding of the distinctions between search data practices of the major search companies.  The colors indicate the relative privacy risk of the various approaches.

--Brendon Lynch, director of privacy strategy

(For a higher resolution version of the chart below, click here.)

A major announcement today from the IE blog:

Today, consumers have very little awareness or control over who can track their online activity. Much has been written about this topic. With the release candidate:

1.      IE9 will offer consumers a new opt-in mechanism (“Tracking Protection”) to identify and block many forms of undesired tracking.

2.      “Tracking Protection Lists” will enable consumers to control what third-party site content can track them when they’re online.

We believe that the combination of consumer opt-in, an open platform for publishing of Tracking Protection Lists (TPLs), and the underlying technology mechanism for Tracking Protection offer new options and a good balance between empowering consumers and online industry needs. They further empower consumers and complement many of the other ideas under discussion. You can see how it might work in this video:

Continue reading IE blog post.

 

Microsoft Chief Privacy Strategist Peter Cullen provides some background and context on the new feature on the Microsoft of the Issues blog:

Any discussion of online privacy today can quickly become polarized and shed more heat than light. It is clear that privacy remains a key topic and also clear the discussion centers on finding the right balance of investments by both companies and the advertising industry that will provide meaningful choice, control and protection for the consumer’s information and that contribute to growing consumer trust and which supports the content to which people have grown accustomed. Privacy by Design is but one investment area receiving a lot of dialogue. Today we announced functionality we intend to provide in IE9 that both advances and demonstrates Privacy by Design and provides consumers with more choices to control information about their online activities. However, the industry together can also continue to contribute additional investments that will help grow trust.

Recent Actions

Last week in Paris, Jean-Philippe Courtois, President of Microsoft International, described Microsoft’s commitment to “Privacy by Design” at the IAPP Europe Data Protection Congress.  Privacy by Design means different things to different people, and Jean-Philippe’s remarks provide a review of our company’s approach.

Neelie Kroes, European Commission Vice-President for the Digital Agenda, when speaking at Les Assises du Numérique conference, on Nov. 25, said: “The Commission believes that we need further research to enhance the security features of these technologies. And indeed we are funding such research at the European level – which looks at "privacy-by-design" and "privacy-enhancing technologies." 

On Dec. 1, the Federal Trade Commission proposed a new framework for consumer privacy. The FTC has also embraced Privacy by Design as the first principle in its framework. The FTC stated that “Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.”

We applaud all the efforts to consider this meaningful topic and look forward to continuing our dialogue with all parties.

The FTC recognized the positive steps that major browser vendors have taken to improve consumer choice regarding online tracking. However, under its proposed framework, the FTC discusses a particular way to promote consumer privacy in the context of third party behavioral advertising and supports a universal choice mechanism known as “do not track” for this activity. There are many different views on how best to offer consumers the ability to control their online information and on how any “do not track” option might be designed. And the FTC has solicited feedback on a number of important questions related to this topic. We look forward to participating in the ongoing dialogue on this topic with others in the industry, and hope that our announcement today about new features in IE9 will help drive forward the continued thoughtful dialogue between all interested parties on this topic. We are hopeful that our efforts and those of others in the industry will further support transparency and consumer choice, while continuing to support a robust and vibrant Internet which serves consumers, advertisers and publisher interests in continued development of information and content.

In his post today on the Internet Explorer blog, Dean Hachamovitch announced that we intend to deliver a set of functionality in a release candidate of IE9 that enables consumers to choose to limit the amount of data they wish to share with websites. This extends our earlier architectural strategy and builds on a prior version of a technical method built into IE8.

The new functionality, named “Tracking Protection,” will help limit the potential for Internet tracking for users who choose to enable it. By designing these sorts of enhancements with privacy in mind at the design phase, we’re able to the deliver a functionality that provides consumers additional levels of control over what they want to engage in and how they choose to do so. A key change, as Dean notes, is that IE 9 is more of a “platform,” one where consumers make choices based on trust with websites they engage in. We believe that the combination of consumer control, an open platform for publishing of Tracking Protection Lists, including lists that allow “calls,” offer progress and a good balance between empowering consumers and online industry needs. I encourage you to read Dean’s post to learn more.

The Past & The Future

At the launch of IE8 in 2008, we continued dialogue and engaged with industry, agreeing that work was required to develop common approaches and share best practices that all responsible parties should abide by to provide more transparency and control to consumers regarding their online information. There was clear agreement that this was a necessary investment to grow the trust of consumers and to ensure a viable online advertising industry could thrive and continue to deliver value to all stakeholders.

Since that time, industry, of which Microsoft is part, has worked to increase the transparency of information to consumers, and many companies have increased the choice and control mechanisms available. With the increasing focus on this important topic, now is the ideal time to make additional progress. We need to get clear on a shared definition of “tracking” and get to a common understanding of how consumers should be empowered to manage their online information in the manner in which they see fit. This could include beginning to conceptualize how lists might be developed – not just “block” lists but, just as importantly, “allow” lists – to help consumers have an even more trusted Web experience.

Today’s announcement puts forth a new option to consider for browsers and invites discussion on a number of questions related to it, including those put forth in the FTC report. We welcome that discussion. We also look forward to continuing our work with stakeholders to make online advertising and the overall Web experience for consumers more trustworthy; a system that is, ideally, Trust by Design.

The Week in Privacy & Online Safety, April 23, 2012
A weekly global roundup of news, policy developments, research, and influence

General Online Privacy
News (U.S.) -  To Read All Those Web Privacy Policies, Just Take A Month Off Work, NPR, Apr. 19, 2012
News (U.S.) - How Social Currency Is Driving Identity, Trust and New Industries, Tech Crunch, Apr.  15, 2012
News (U.K.) - Tim Berners-Lee: demand your data from online companies, The Guardian, Apr. 18, 2012
News (U.S.) - Face recognition software at businesses raising privacy, safety concerns, ABC News, Apr. 16, 2012 

General Online Safety
News (U.S.) - Study: Playing a Video Game Helps Teens Beat Depression, Time, Apr. 20, 2012
News (U.S.) – ‘Revenge Porn” Site IsAnyoneUp Is Now Permanently Down, Forbes, Apr. 19, 2012
Advocates (U.S.) - EFF White Paper Outlines How Businesses Can Avoid Assisting Repressive Regimes, EFF, Apr. 18, 2012
News (U.S.) - Does the internet breed killers?, CNN, Apr. 19, 2012
News (U.S.) - A Texas University's Mind-Boggling Database Of Teens' Texts, Emails, and IMs Over 4 Years, Forbes, Apr. 18, 2012

Advertising & Search
Advocates (U.S.) - Tracking Progress on Do Not Track, Future of Privacy Forum, Apr. 19, 2012 

Mobile
News (U.K.) - New 'terahertz' scanner lets mobile phones see through walls - and clothes, Daily Mail, Apr. 19, 2012
News (U.S.) - Navizon's new tech tracks you, the smartphone user, CNET, Apr. 20, 2012 

Social Networks
News (U.S.)  -  Privacyscore rates app’s privacy policies, USA Today, Apr. 21, 2012
News (U.S.) - Rite of Passage for Teens and Parents: Setting Up Social Network Accounts, Huffington Post, Apr. 19, 2012 

Legislation & Regulation
News (E.U.) – Article 29 Working Party  concerned about costs of new data protection regime, OutLaw, Apr. 17, 2012
News (U.S.) - CISPA gets a rewrite but still raises privacy concerns among advocates, CNET, Apr. 16, 2012
News (U.K.) - MPs call for block on  online porn to stop the surge in children watching adult material, Daily Mail, Apr. 17, 2012
News (New Zealand) - 44% of Parents View Their Child’s Social Network Account Without Their Consent, Stuff.NZ, Apr. 18, 2012
News (Pakistan) - Pakistani Activists Move Court Against Website Blocks, IDG, Apr. 19, 2012 

 -- Compiled by David Burt, CISSP, CIPP

Stephen Bury writes on the Office 365 Blog:

Microsoft Office 365 is an online business service that was purposely built to optimize the flexibility, responsiveness, and efficiency of the cloud. It was also created with a strong emphasis on data protection and with Microsoft's three tenets of privacy - responsibility, transparency, and choice - at its core. This week we'll explore each principle as explained in the Microsoft whitepaper "Privacy in the Public Cloud: The Office 365 Approach" and on the Office 365 Trust Center, which provides a comprehensive overview of Microsoft's privacy and security practices.

Our commitment to responsibility is supported by our broad network of people that implement our privacy standards and provide guidance and training. For instance, if there is a privacy incident we have rigorous procedures to address the problem, diagnose the cause, and update our customers in a timely manner.  Examples of how we approach privacy governance in Office 365 are outlined below.

• Standing the test of time. The ability to respond to the rapidly changing priorities for privacy and security in the cloud is something every organization should look for from their service provider. Office 365 has a variety of risk management mechanisms to appropriately respond to regulatory change, organizational change, personnel change, and technological change.
• Enabling regulatory compliance. Customers are responsible for complying with national, regional, and industry-specific requirements governing the collection of personal data. To support our global customer base, we run our services with common operational practices and features that span multiple customers and jurisdictions. We're also committed to providing our customers with detailed information about our cloud services to help their assessments. The Office 365 Trust Center was built specifically to support customers and includes detailed information about things like regulatory compliance and security, audits, and certifications.
• Support for EU Model Clauses. Office 365 offers companies with European users the opportunity to sign data processing agreements with the standard contractual clauses published by the European Commission.
• Using customer data only for the customers' purposes. We have strong internal policies that delineate what we and our partners can and can't do with customer information. With Office 365, we use our customers' data only for what they pay us to do - maintain and provide Office 365 services. This means we don't use customer data for building advertising products or analytics, data mining, or improving service without our customers' permission.
• Controlling access to customer data. There are strict controls over who will be granted access to customer data. There must be a legitimate business justification and the request must but approved by the person's manager. Accountability of customer data is enforced through a set of system controls like the use of unique user names, data access controls, and auditing.
• Securing customer information and Office 365 systems. Office 365 is designed specifically for secure access over the Internet. We provide anti-spam and anti-malware technologies that are automatically updated against the latest security threats. The security features and services for Office 365 are built-in, which reduces customer time and cost associated with securing their IT systems.

In our next post we'll review transparency and how we strive to make information about our data protection policies and procedures readily available and easy to understand.

Additional resources:

• Office 365 Trust Center
• FISMA becomes latest security certification for Office 365
• Privacy in the Public Cloud: The Office 365 Approach
• Microsoft Private Cloud: A comparative look at Functionality, Benefits, and Economics
• Office 365 service specific privacy & security practices

______________________________________________________________________________

--Stephen Bury

In conjunction with Safer Internet Day, Microsoft today released a survey of the perceptions and behaviors of gamers and parents of gamers.  Cross Tab Marketing conducted the survey of 300 gamers aged 18-24 and 300 parents of gamers aged four and above.  The survey found that while parents have concerns, most parents feel they are taking effective steps to protect their children.  Among the findings:

 

• Parents rank the risks from online gaming low compared to other online activities
  • Online chatting, browsing social networks and the Internet are considered more risky
  • There are only minor differences between the concerns parents have for general online activities and online gaming
  • Gamers aged 18-24 rank risks associated with “my ability to play” (e.g., hacking my account) high compared to “direct attacks against me” (e.g., poor behavior)
  • Concerns about online gaming are similar between parents who play online games and those who do not
• 86% of parents say the steps they take to protect their children have been effective but most do not use family safety settings
  • The most effective steps are direct monitoring by playing with the child or playing in a family area without the door closed
  • 53% of parents believe that family settings are too hard to use or are unaware of what is available.  A similar number of parents (54%) don’t use family settings because they trust their children
  • Gamers aged 18-24 rely more heavily on friends to help them decide which games to play.   They also pay less attention to game ratings and are more price conscious than parents of gamers under 18

Among the most encouraging findings is that parents are spending time with kids online:

From the Microsoft Malware Protection Center Blog:

Almost a year ago, we started a project designed to monitor incoming attacks against a normal user on a day-to-day basis. We presented you with details about the geographical area from where the attacks originated and what services were targeted, and we gave you just a hint about FTP dictionary-based attacks. Now we’re going into a bit more detail about the passwords, having  so far gathered hundreds of user names and tens of thousands of passwords that have been  used in automated attacks in the last couple of months. Most of them were collected by our (fake) FTP server, which is designed to emulate a small part of the FTP protocol and log the information so that it’s easy to process.

As you can see below in the statistics, the length of the passwords is quite interesting, mainly because the average length according to our data is 8 characters and that’s quite close to the length of the passwords that many people use for their Internet accounts.

Statistics about user names and passwords:

• Longest user name: 15 chars
• Longest password: 29 chars
• Average user name length: 6 chars
• Average password length: 8 chars

Here is a top 10 list with the most common user names used in automated attacks:

User names	Count
Administrator	136971
Administrateur	107670
admin	8043
andrew	5570
dave	4569
steve	4569
tsinternetuser	4566
tsinternetusers	4566
paul	4276
adam	3287

And a similar list for passwords:

Passwords	Count
password	1188
123456	1137
#!comment:	248
changeme	172
F**kyou (edited)	170
abc123	155
peter	154
Michael	152
andrew	151
matthew	151

Trivia: One attacker tried more than 400,000 user name and password combinations.

Most of the probing is done from compromised systems that are connected to a password-protected IRC channel and are waiting for commands.

As you can see in the image below, one such command is to scan and identify other vulnerable hosts.

We just want to make users aware of the fact that passwords of around 8-10 characters (the average length of passwords that are normally used for Internet accounts) are used in attacks. Even a long password (10 to 15, or even 20 characters) isn’t good enough if it’s dictionary-based. As seen in the table above, there are passwords in dictionaries that are even using special characters (for example #!comment: ), not only numbers and letters.

You should take good care of what user name and password you're choosing. If your account has no limit on the number of login attempts, then knowing the user name is like having half of the job done. Especially for the user names from the top 10 (and mainly for the Administrator/Administrateur accounts), the passwords shouldn’t be picked lightly.

Usually we choose easy to type and/or easy to remember passwords, but please don’t forget that those passwords (for the moment) are the most commonly used or authentication on the Internet so they need to be strong.

The three basic things to remember when creating a strong password are the following:

1. Use a combination of letters, numbers and special characters. Also, remember that some dictionaries used in attacks have a "l33t" mode, which allows common letter/number-to-special character substitutions (like changing a-@, i-1 ,o-0 and s=$, for example, password = p@$$w0rd). Therefore, mix them in different ways so that they are not predictable.

2. Use a combination of upper and lower case letters.

3. Make it lengthy. A longer password does not necessarily mean it is strong but it can help in some cases.

To check if you have a strong password, you can use Microsoft's password checker (http://www.microsoft.com/protect/fraud/passwords/checker.aspx).

Having a super strong password is not enough. From time to time, you need to change it, especially when you feel that your account has been compromised. We also advise you to have several sets of passwords that differ in every account so in case one has been compromised not all your accounts will be affected.

For additional information regarding passwords you can visit the following links

Creating passwords - http://www.microsoft.com/protect/fraud/passwords/create.aspx

Maintaining passwords - http://www.microsoft.com/protect/fraud/passwords/secret.aspx

And by the way…..Don’t forget your password!!!!

Francis Allan Tan Seng && Andrei Saygo

Last week I attended the Privacy Identity Innovation 2010 (Pii2010) Conference in downtown Seattle.

The conference was hosted by technology reporter Larry Magid, and featured a number of well-known Microsoft presenters, including Kim Cameron, Chief Architect of Identity in the Microsoft Identity and Security division; and Marc Davis, who was just hired to the position of partner architect for Microsoft's Online Services Division.  Other notable presenters included Michael Fertik; Chris Hoofnagle; Jeff Jarvis; Christopher Wolf; Berin Szoka; Linda Criddle; Heather West; and Steve Wildstrom.

Pii2010 explored the future of digital privacy, identity and innovation, and how to strike a balance between protecting sensitive information and enabling new technologies and business models.

The conference started with an interesting interview by CNET's Declan McCullagh with Chris Kelly, former CPO of Facebook and unsuccessful candidate for California state Attorney General. Then Microsoft's newly-hired Marc Davis delivered the opening keynote with an interesting proposal for a "New Personal Data Stack and Ecosystem."  Davis feels that government regulation is pressuring business to move closer to retaining less information, and this will eventually harm the economic value of information. His proposed solution is to restructure the Internet to protect that value and protect privacy by creating the missing infrastructure and ecosystem to make personal data bankable and tradable personal digital assets.

Blogger Jeff Jarvis then delivered another keynote on the benefits of publicness, which he said "makes and improves relationships, enables collaboration, builds trust, enables wisdom of the crowd, allows organization, and creates value."

After lunch, Larry Magid interviewed Michael Fertik of Reputation Defender. Fertik said that despite earlier failures, people indeed are willing to "pay for privacy."

Kim Cameron of Microsoft then delivered an interesting keynote on location privacy. Kim’s follow-up blog post is here.

Here’s a couple of interesting blog posts from those attending and presenting at Pii2010:

 

Larry Downes writes that, “what interested me most was just how emotional everyone gets at the mere  mention of private information, or what is known in the legal trade as  “personally-identifiable” information.”

 

Christopher Wolf accurately sums up the conference, “Lively" doesn't beging to describe the event, with audience members intervening at will and peppering the panelists with questions and "colorful" comments,  It was a little like a blog come to life.  One major take-away:  there are widely divergent views on the role of government and regulation in protecting online privacy.”

 

--David Burt, CIPP, CISSP

 

Marcelle Amelia writes on the Security Tips & Talk Blog:

We recently received an email that provided a great example of the tools in a cyberscammer's toolbelt. Here's the email. Can you spot the signs of a scam? Scroll down to read more.

Dear Account Owner

We are having congestion due to the anonymous registration of free Windows Live Account therefore we are shutting down some Windows Live Account. Your account is among those to be deleted, we are sending you this email to enable you re-confirm your account details in order to commence immediate upgrade of your account from being deleted. If you have the interest of proceeding your account with us kindly re-confirm your account by filling the space below after clicking the reply button. * Username: ........................................ * Password: ......................................... * Date of Birth: ..................................... * Country Or Territory: .......................... After following the instructions in the sheet, your account will not be interrupted and will continue as normal. Thanks for your attention to this request. We apologize for any inconveniences. Microsoft, Windows Live Account Services Hotmail is part of Windows Live. * This assumes a reasonable growth rate. Microsoft respects your privacy. To learn more, please read our online Privacy Statement. For more information or for general questions regarding your e-mail account, please visit Windows Live Hotmail Help.Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA © 2009 Microsoft Corporation. All rights reserved.

Six signs of a scam

1.       Request for passwords and other personal information. Most scams are designed to trick people into turning over their passwords, user names, social security numbers, or other personal information. You should never send this information in an email message. For more information, see How to reduce the risk of online fraud.

2.       Use of the Microsoft name. Cybercriminals often use the names of well-known companies, like Microsoft, to increase legitimacy and convince you to release your personal information.  For more information, see Avoid scams that use the Microsoft name fraudulently.

3.       Threats that require you to take action. In the scam above the cybercriminal claims that your account will be deleted if you do not respond with your personal information. Microsoft does not send threatening messages and will not ask for personal information in an email message.

4.       Use of real information about Microsoft. The email above uses the correct Microsoft address and a link to the Microsoft privacy statement. Don't be fooled by these details or others such as Microsoft logos or language you've seen on official Microsoft email.

5.       Bad grammar and misspellings. Our copyeditors would never have allowed mistakes like the ones in this email to pass their desks. For more information, see How to recognize phishing emails or links.

6.       Generic greeting. Legitimate messages are not often addressed to "Account Owner."  If Microsoft needs to send you official correspondence about your email account, for example, we will address you by name. However, bear in mind that cybercriminals do have ways of getting your name from your email address. Check for other signs of a scam, even if an email is addressed directly to you.

If you think you might have been a victim of a scam, see What to do if you've responded to a phishing scam.

Ten years ago, a series of high-profile cyberattacks surfaced, including Code Red, Nimda and "I Love You," underscoring the need for improved security, privacy and reliability. This lead Bill Gates on January 15, 2002, to send out a companywide memo stating Microsoft must make trustworthy computing the highest priority for the company and for the industry over the next decade. 

Today, Microsoft is marking the milestone of the original TwC memo by affirming its ongoing commitment to Trustworthy Computing for the next decade-plus, and highlighting the lessons learned and how they serve as a foundation for building secure, private and reliable experiences as computing and society continue to evolve. 

In the last ten years, Microsoft has continued to make privacy an important commitment.  Microsoft was one of the first companies to publish privacy standards for developers and to provide consumers with layered privacy notices.  Microsoft continues to work responsibly to manage customer information, provide transparency about our privacy practices, and offer meaningful privacy choices.

 We understand privacy will continue to be an evolving and ongoing effort, so we emphasize adaptability and flexibility to respond to shifting privacy imperatives. Today Microsoft employs more than 40 full-time
privacy professionals, with several hundred more employees responsible for helping to ensure that privacy policies, procedures and technologies are applied across all products, services, processes and systems.

Over the next decade, cloud computing and our connected society will create vast amounts of data, which creates new challenges. One will be how we continue to protect people’s privacy, even as “big data” and
global data flows strain information principles that rely heavily on “notice and consent.” 

To learn more about what’s planned for TwC Next, visit: http://www.microsoft.com/twc.

Posted by Posted by: Mark Estberg, Senior Director, Online Services Security and Compliance on the Trustworthy Computing Blog:

Microsoft’s Global Foundation Services (GFS) organization delivers the global infrastructure and network for over 200 consumer and enterprise cloud services. The security, privacy and reliability expectations of the customers served by these services must be met in order to develop the level of trust necessary to support a global shift to online and cloud computing. Each of Microsoft’s online and cloud services focus on its respective customer requirements and GFS must meet the obligations that come from all of the more than 200 services because they all reside in the GFS infrastructure. While many of the capabilities must be provided at the service layer, all services have at least some level of dependency on the cloud infrastructure built, managed, and secured by GFS. 

This results in a broad set of requirements that must be met and represented by GFS. These requirements stem from regulatory and statutory sources (e.g., European Union Model Clauses, United States health care requirements including HIPAA and HITECH, United States Federal Information Security Management Act, etc.), industry sources (e.g., Payment Card Industry Data Security Standard, etc.), self-selected standards (e.g., ISO 27001, SOC 1, SOC 2, etc.), as well as risk-based security expectations commemorated in our policy and business decisions. 

In GFS, we maintain an extensive compliance program and corresponding control framework. This approach allows us to have a clear understanding of the control activities that GFS must operate, the reason behind each control activity (i.e., the specific clause from an audit such as SOC 2 or the specific element of security policy that drives the need to perform the control activity) as well as a number of other metadata mappings that allow us to effectively and efficiently manage our program. Our compliance program also includes both self-reviews performed by Microsoft teams and third-party reviews of our overall Information Security Management System and performance against our control framework. The third parties that conduct the regular audits of our GFS environment provide a scalable mechanism for Microsoft to communicate the capabilities of our online and cloud infrastructure to our customers and partners. 

This model is extended to our online services, allowing for trusted third parties to examine relevant service elements and provide in-depth reviews of targeted services such as Office 365 and Windows Azure. The independent assessments are logically stacked upon one another to reflect dependencies and are shared with our customers and partners. This allows our customers and partners to examine, in detail, the capabilities relevant to their services from the data center all the way to the service they use.

The approach Microsoft takes to managing our compliance program and control framework is necessary to meet the complex and changing requirements associated with operating online and cloud services. It also provides visibility into the overlapping and sometimes antiquated and conflicting requirements that must be met to operate and use a cloud service. Overlapping, antiquated and conflicting requirements are driving a level of inefficiency and confusion that must be addressed in order for the cloud to meet its potential and become a driver of the global economy and growth. Earlier in June, I participated in a forum of European Union policy makers that acknowledged this challenge and the need to solve it as one way to help with economic recovery. Similar groups are coming together around the globe. I believe these types of forums that include public and private sector representatives are in the best position to build and put solutions in place that remove unnecessary roadblocks to cloud computing while maintaining a strong basis for verifying trust in the cloud ecosystem.

For more information on our cloud infrastructure security, privacy, and compliance strategies, please visit our web site at www.globalfoundationservices.com. There you will find a number of videos, white papers, and strategies briefs covering these topics. 

Here’s the fourth and final in our series of privacy profiles at Microsoft.  Lyn Watts and Michelle Bruno work behind the scenes at Microsoft to help ensure that online gamers don’t have to fight to maintain their privacy.  Read the entire profile.

Here's the first in a series of profiles of privacy managers at Microsoft.  Robert Gratchner is director of privacy and online safety supporting the advertising business group at Microsoft.  Click here to read the entire profile in a 2 page pdf:

 

 

Hi, I’m Jules Cohen. I work in Microsoft’s Privacy group.  I focus on our privacy strategy and helping our product teams to support our privacy principles.

 

In his post on July 23, 2007, Peter discussed some of the key aspects of our Privacy Principles for Live Search and Online Ad Targeting. As part of the work our team does around these principles, we’ve written a whitepaper that describes how we protect your privacy when serving ads: “Privacy Protections in Microsoft's Ad Serving System and the Process of "De-identification,"  

 

In working on this whitepaper, we’ve focused on our first and fourth privacy principles.

 

Principle I states:

 

We will be transparent about our policies and practices so that users can make informed choices.

 

Principle IV states:

 

We will design our systems and processes in ways that minimize the privacy impact of the data we collect, store, process and use to deliver our products and services.

 

So, as a part of honoring the first principle we have produced a whitepaper that shares a lot of the details of how we’ve gone about implementing the fourth principle. In particular, the paper spells out the details of how we have designed our online ad targeting platform to select appropriate ads based only on data that does not personally and directly identify individual users.

 

I encourage you to read the paper but I’ll share the punchline up front. We use an automated one-way hash to associate non-identifying demographic and clickstream data with an ID that isn’t linked to any data that personally and directly identifies any individual user. Our systems then use that ID, rather than one that is directly connected to personal information (like your e-mail address) to serve ads. This means that neither the machines nor the folks who work on the ads systems can identify the people who are getting the ads based on the information in the ads system. We think that this is a strong privacy protection and we hope you agree.

 

Jules

Roger Capriotti writes on the Internet Explorer Blog:

While the web is a wonderful place, there are many dangers online that can
put you and your computer at risk. Your browser is the first line of defense
against attacks on the web, and it plays a critical role along with anti-virus and other security software to help keep
you safe online. With Internet Explorer, SmartScreen helps protect users from socially
engineered malware attacks by stopping them before they have a chance to infect
your PC.

NSS Labs, an
independent security research and testing organization, released two reports today that show SmartScreen
continues to offer industry-leading protection against socially engineered
malware. According to the global test conducted by NSS, “IE9 caught an
exceptional 96% of the live threats with SmartScreen URL reputation, and an
additional 3.2% with Application Reputation.” The graph below compares the test
results from various browsers and shows that Internet Explorer blocks up to
seven times more malware than other browsers in the global test.

Source: NSS Labs, August 2011 – Global Socially Engineered Malware
Protection

Other regional tests released by NSS for socially engineered malware targeted
at users in Asia Pacific and in Europe showed similar and consistent results. In
all cases, Internet Explorer 9 leads across all browsers in protecting users
from these live threats of malware.

Source: NSS Labs, Asia, Global, and Europe Reports (2011)

We continue to improve the quality and protection SmartScreen technology
offers to our Internet Explorer users. You can see these improvements in how
much faster SmartScreen is in blocking malware over time. Since the October 2010 NSS report, the average time taken by
SmartScreen filter to block a threat has gotten 28% faster - and if Application
Reputation is considered, then the average time has improved by 85%. Not only
has the effectiveness of the technology improved, but so has the speed at which
it is able to identify socially engineered malware. For our Windows customers,
this means fewer infections and headaches for you.

Internet Explorer is designed with your security and privacy in mind. Innovative features such as SmartScreen and Application Reputation are examples of technologies
that help protect you as you browse from an increasingly prevalent threat – socially engineered malware. According to Bruce Hughes from AVG Technologies, “Users are 4
times more likely to come into contact with social engineering tactics as
opposed to a site serving an exploit.” As this threat becomes more common consumers need better protection and
the SmartScreen filter in Internet Explorer is designed to directly address this threat.

When it comes to browsing the web safely, your browser choice matters. If you
haven’t already done so, download Internet Explorer 9 and experience a safer
browsing experience.

Roger Capriotti
Director, Internet Explorer Product Marketing

This morning at the Family Online Safety Institute Conference in Washington, D.C., Peter Cullen, GM Trustworthy Computing Group and Chief Privacy Strategist for Microsoft delivered the following keynote address:

 

Good morning.  Thank you for having me.  It is a privilege to be among such an impressive collection of worldwide experts in cutting-edge fields.

 

The world is a complicated place, and companies need to think about the complex issues of Internet freedom, safety and citizenship.  In our view Companies need to think differently about these issues and consider making investments in perhaps different ways to help address these complex issues – both internally and how they partner with governments, law enforcement agencies, industry and civil society.  It is fitting that the title of this conference is “Internet Freedom, Safety and Citizenship.” But it is even more fitting that your theme is what “action” is required.

 

What I wanted to do today is share a bit about why Microsoft thinks these issues are so key to our business and to the successful growth of our internet economy and a bit about how we think about investments to help deal with the myriad of issues that exist today.  The “how” we do it is less about Microsoft but more about sharing our experience in the hopes that it may give other organizations some ideas that will work for them.

 

You may have noticed I have the title of Chief Privacy Strategist,  but I also have responsibility for what we call Online Trust and Safety along with Freedom and Expression as well as Accessibility and GeoPolitical.

 

As more of the world’s information, commerce, and communications move to digital form, doors are being opened to a new world of connected experiences where we are able to create and share information quickly and seamlessly.   At the same time, concerns about the collection and use of personal data, security and data breaches, and online fraud and identity theft, children’s online safety threaten to erode public confidence in the computing ecosystem and slow the advance of digital commerce. 

 

At Microsoft, we look at privacy and “online trust and safety” as separate but inter-related disciplines – one of the reasons these core strategic areas are anchored together.  People have high expectations about how we and other Internet companies collect, use, and store their information.   People must trust that their privacy and safety will be protected. This means that Microsoft, and all companies operating online, must adopt strong privacy practices that build trust with its customers. Microsoft has a deep and long-standing commitment to consumer privacy.  They also expect us to help provide a safer online experience for themselves and their families.  Do this and we earn “Trust” – this one reason is why these core areas are of such importance to Microsoft.  As the world’s largest software company, we believe that technology has the capacity to help improve the lives of people everywhere. But without trust, this vision will not be realized.

 

The enormous benefits and opportunities the Internet enables require a strong commitment to privacy & safety.  We address these issues via a four-part strategy: providing and investing in technology, partnerships with others, and by offering guidance and education to consumers. Core to all of this is an internal foundation of policies and practices that help us meet our commitments.  We understand shared goals are achieved by working with an ecosystem of committed partners, including governments, non-governmental organizations (NGOs), international organizations, other businesses, academics, and citizens.   We are strong advocates for:  using technology to strengthen economies and address problems faced by society; the benefits of an open, fair, and safe Internet; and the responsibilities we have to operate our business in a responsible and sustainable manner.

 

We have been working in the privacy and online safety space for more than 15 years. In fact, one of the first major events we joined with a number of you here on in 1997 was the “Online Summit for Children.”  We continue to enjoy rich partnerships with many of you as we help educate consumers.  We offer guidance to help people maintain online safety and privacy; we provide guidance to help partners develop software with privacy and safety in mind. Our consumer site, Protect site, which focuses on safety and privacy content, gets 1 million hits per month.

 

We are committed to building trust with our customers and in our brand by maintaining the integrity of our services and helping prevent online harms through proactive education and the active protection of users from exploitation, abuse, criminal activity or exposure to objectionable content enabled by computing systems, online services, or other users. 

 

An example of privacy and safety in action is our newest gaming device called the Kinect for X-Box that launched last week.   The Kinect experience was also integrated into Xbox’s overall Family Settings, putting parents in control of their family’s safety. Fifteen controls allow parents to decide, among other things, what games their children can play and whether they can play online. Children are required to get parents’ permission to use Kinect online, and parents can set restrictions on online play. Sharing of videos, voice, chat, and personal information can be controlled through Family Settings.  There’s a special setting called Kinect Sharing that allows parents to determine whether photographs taken by certain games can be shared online to social media sites.  We have a Kinect here at the conference, I hope you will take a minute to visit the Microsoft table in the lobby to experience the Kinect; it’s a blast! 

 

But none of these areas will work unless we have an ability to live up to our promises. We call this internal Governance. While our governance infrastructure around privacy is more mature, the same model for privacy is being adopted for Online Trust and Safety.    Today, we have more than 35 full-time employees and over 400 part-time employees that help us meet our overall commitments to privacy and OLTS in all of our product, service and process designs.  Products simply can’t ship before they have gone through and assessment against our goals.  This is, of course, supplemented by policies, standards, tools, training and internal community-building efforts.

 

Our efforts are aimed at meeting our commitments to provide people greater control over how their personal information is collected, shared and used and helping protect people from threats like identity theft.  Through parental control tools on a wide range of our products, including Windows Live Family Safety – all of which are available for free – we also strive to give parents, teachers and caregivers more control over the content and contacts.

 

Lastly, I want to touch on our approach freedom of expression.       One of the things we have heard loud and clear is that there are international expectations of companies to both help address online safety, public safety and child protection concerns.  We're proud of the voluntary steps we've taken in this regard and we think strong governance is essential.  Equally, we hear the international expectations that companies take steps to ensure due respect for fundamental rights to freedom of expression. We think investing in this area is key to advancing a safer and more free internet economy.       Microsoft is committed to protecting and advancing human rights throughout the world.  Along with Google, Yahoo!, academics, investors and human rights advocates, we helped form the Global Network Initiative to provide a systematic way to collaborate and develop guidance on the steps we take to integrate the principles of freedom of expression into every aspect of our business. 

 

As part of Microsoft’s internal effort to tackle all of these issues – privacy, safety and freedom of expression – we tried to remove the silos and figure out the best way to integrate all of these issues into our operating procedures.  So too,  we had to do a great deal of thinking about how we balanced compliance without stifling innovation and how we would marry high ethical standards with effective governance structures.     In this way we are approaching our commitment to Freedom of expression is the same building block way as we have invested in privacy and OLTS

 

Privacy, safety and freedom of expression issues are all critical imperatives for a balanced corporate citizenship program.  They are also complex, nuanced and dynamic issues that will continue to evolve as new technologies and services present both new benefits and risks.   While there are no concrete answers with respect to addressing these issues, there are two clear imperatives.

 

The first is that these issues need to be addressed in a holistic fashion – partnership; education & awareness, technology tools and effective public policy will all play a role.  Industry, governments, consumer groups, law enforcement, NGOs and technology users themselves all have a role to play in helping build a safer, more trustworthy online ecosystem.

 

The second imperative is that companies need to invest more in this space. They need to develop and implement more “accountable” governance structures that ensure their commitments are backed up with actions.              For Microsoft, this level of investment is simply part of the way we do business – there is no question of the ROI.

 

I suggest that we all need to think more deeply about our level of investment.          I look forward to furthering all of these goals as we work together to raise and discuss these issues in the context of this very important conference – and beyond.  I hope this brief tour of how Microsoft thinks about these issues will provide with some action oriented opportunities.

 

Thank you.

The Week in Online Safety, June 27, 2011
A weekly global view of online safety news, policy developments, research, and influence

 News
As Internet Safety Month continued in the U.S., major media outlets published broader online safety stories.  ABC News published 15 Steps to Safer Social Networking for Your Child, as well an interview with Reputation.com CEO Fertik on How to Protect Your Online Reputation. 

The ACLU continued its “Do Not Filter Me” campaign to persuade public schools to drop filtering of LGBT websites.  In an article in eSchool News, several filtering Companies respond to ACLU’s ‘Don’t Filter Me’ campaign.  The article quotes several filtering companies that offer categories to filter LGBT speech.  

In an effort to fight cyberbullying, The Star-Ledger reports a  N.J. school board to consider policy to discourage posting photos, videos of students online. 

Policy – Legislative, Regulatory, and Legal Developments
This morning, the Supreme Court struck down a California law restricting the sale of violent video games to minors, The Washington Post reports.  The ruling is here. A full round-up of reactions from advocates next week. 

In Texas, the Houston Chronicle reports on what appears to be a first-of-its-kind lawsuit, where a father is suing middle school girls for defamation over a cyberbullying video aimed at his daughter. 

The Federal Trade Commission released a new 16-page online safety booklet tilted Living Life Online: Staying Safe.  The booklet will be distributed to schools. 

Two more states enacted legislation easing penalties for minors who engage in ‘sexting.’ Florida enacted HB 75, which the Tampa Bay Tribune reports will “shield children who send risque texts from being prosecuted for big-time offenses, like child-pornography distribution. Under the law, first-time violations come with a $60 fine or eight hours of community service.”  Texas enacted SB 407, which the  AP says will “allow prosecutors to pursue less draconian criminal charges against minors." 

Research
Both the European Union and Australia published new reports on online safety.  The EU Kids Online Project released Social Networking, Age and Privacy, and in Australia the Joint Select Committee on Cyber-Safety released Cyber-Safety and the Young, which the Courier Mail reports suggests cyber-safety education should start at kindergarten after a fifth of teen girls admit to 'sexting' 

In India, Daji released a study of Indian children that found Cyber Bullying Highest on Children in Bangalore, and in the U.S., security software vendor GFI released What are Teenagers Really Doing Online. 

Influencers
In area of online content restriction, Analyst firm GigaOM released an opinion on The downside of social networks as a public space: Censorship, while U.S. advocacy group EFF expressed concern that Australia Heads Down the Slippery Slope, Authorizes ISPs to Filter. 

In the  U.S., Judi Westberg-Warren of  Web Wise Kids posted on Being Digitally Safe during the Summer, and Anne Collier described how On social networks, ‘kids don’t want to be friends with their parents’. 

Compiled by David Burt.

The Week in Privacy and Online Safety, July 30, 2012
A weekly global roundup of online safety news, policy developments, research, and influence

General Online Privacy
News (U.S.) - MAC and IP Addresses: Personal Information?, Data Governance Law, July 24, 2012

News (U.S.) - US groups: Foreign cloud providers marketing against privacy concerns, IDG News, July 25, 2012

Research (U.S.) - Consumer privacy: What are consumers willing to share, PricewaterhouseCoopers, July, 2012

General Online Safety
News (U.S.) - eBay's next target: The under-18 crowd, CNet, July 26, 2012

News (U.K.) - Habbo’s CEO calls for online safety coalition in wake of sex-chat crisis, Venture Beat, July 27, 2012

News (Taiwan) - Teen Dies After Playing Game For 40 Hours Straight, Mirror, July 18, 2012

News (U.S.) – TRO issued in Washington state online sex ad law, Ars Technica, July 28, 2012

Advertising & Search
Research (U.S.) – Americans Roundly Reject Tailored Political Advertising, Joseph Turow, et. al., July 23, 2012

News (U.K.) - Firefox 14 encrypts Google search, The Register, July 19, 2012

Mobile
Research (U.S.) -  'Sexting' may be just a normal part of dating for Internet generation, Univ. of Michigan, July 24, 2012

News (U.S.) - Parental Control Apps for Smartphones, PC Magazine, July 27, 2012

Research (U.S.) - June 2012 FPF Mobile Apps Study, Future of Privacy Forum, July, 2012

Social Networks
News (U.S.) - Man accused of stalking Little Leaguers on Facebook for sex, Minn. Star Tribune, July 27, 2012

News (U.S.) - Google's Secret Weapon To Fix YouTube's Awful Comments: Your Real Identity, Forbes, July 23, 2012

News (U.S.) - Twitter Appeals Order That It Turn Over Protester’s Posts, Bloomberg News, July 19, 2012

 

Legislation & Regulation
News (U.S.) - 'Do Not Track' Internet spat risks legislative crackdown, Reuters, July 24, 2012

Research (U.K.) – The Right to Privacy in Constitutions, Privacy International, July 26, 2012

News (U.S.) - Congress to Examine Data Sellers, The New York Times, July 24, 2012 

-- Compiled by David Burt, CISSP, CIPP

Last week I attend the 2011 Family Online Safety Institute (FOSI) Annual Conference in Washington, D.C.  The theme of the fifth annual conference was “Evaluate. Innovate. Collaborate. Strategies for Safe and Healthy Online Use.” The FOSI event brings together over 400 people from the U.S., Latin America, Europe and the Middle East.  Attendees represent a broad spectrum from industry, government, advocacy organizations, NGO, media and academia.

The first day began with Amanda Lenhart from the Pew Internet & American Life Project launched the FOSI, Pew and Cable in the Classroom research titled “Teens, Kindness and Cruelty on Social Network Sites: How American teens navigate the new world of Digital Citizenship.” Lenhart walked through the study results and then a larger research panel took place with Alice Marwick from MSR, David Finklehor from Univ of New Hampshire and Sonia Livingstone from the London School of Economics.  The researchers presented their latest findings and discussed the opportunities that exist to use research to address effective strategies for keeping people safer online.

I then went to a fascinating session titled “How do We Handle Apps?” The session began with the moderator, Steve DelBianco of NetChoice, trying to define what makes mobile “apps” different from other software and web pages in relation to online safety.  DelBianco suggested that apps are different because they are more self-contained than web pages, and distributed through a central app store rather than independently.  The distribution model has safety implications because it creates an implication of trust with the platform provider that the apps will have some safety controls.

 

We then reconvened for a panel titled, “A New Beginning for Privacy Online?”  Microsoft was represented by our Chief Privacy Officer, Brendon Lynch.  The panel focused on discussion of the Children’s Online Privacy Protection Act, COPPA.  

Day Two featured Dave Miles, Director of FOSI EMEA presenting the “State of Online Safety Report.”  The report uses FOSI GRID as its data set, which is now used by 700 online safety professionals in 120 countries.  Miles noted there is little cooperation, and lots of duplication between countries in online safety.  Most of 120 countries have no coherent approach to online safety.  

FOSI has become the online safety event of the year.  It’s a fascinating mix of government, industry, and advocates.  I look forward to next year! 

-- David Burt, CISSP, CIPP

Microsoft’s Trustworthy Computing just released new research we commissioned, Parental Involvement in Children's Social Networking Activities, along with an executive summary and PowerPoint Presentation. The survey has some good news – the overwhelming majority of parents are involved in their children’s social networking activities – but also some cause for concern, because many parents are allowing their children to sign up for social networking accounts before they meet the minimum age requirements.  Cross-Tab Marketing Services conducted the survey of 1,051 parents of 5-17 year olds in August, 2010.  Among the important findings:

 

·        Overall, 67% of the parents surveyed report their child has a social networking account.

·        Parents overwhelmingly believe (95%) they are primarily responsible for keeping their children safe when using social networks.

·        Most (67%) help set up accounts, discuss the benefits and risks, and monitor usage.

·        Parents mainly monitor behavior by “friending” their child in their social network (56%), checking their browser history (52%) or logging into their account (49%). They rarely use monitoring software for this purpose (10%).

·        The social networking risks parents fear most are sexual predators and identify theft.

Parental Involvement in Children’s Social Networking Activities is the second installment of social media research from Microsoft’s Trustworthy Computing.  Earlier this year we released Online Reputation in a Connected World, which studied the attitudes of both hiring managers and job applicants regarding the use of online information in hiring practices.

 

-- David Burt, CIPP, CISSP

From the Microsoft on the Issues Blog:

Editor’s Note: Microsoft has been a proponent of accountability, a globally recognized principle of privacy and data protection, and prioritizes the concept in our privacy program. We recently published an accountability-based analysis of Microsoft’s privacy program and shared our position that organizations need clear guidance on how to demonstrate accountability, and that regulators need consistent means of measuring accountability. We’ve asked Elizabeth Denham, the Information and Privacy Commissioner for British Columbia, to share her thoughts on accountability timed to the recent release of accountability policy guidance in Canada.

Three of Canada’s Privacy Commissioners collaborated to publish policy guidance to help businesses effectively manage their obligations under privacy legislation.

Getting Accountability Right with a Privacy Management Program is getting noticed by businesses, regulators and organizations in Canada and internationally. Here is what you need to know about the paper, including why implementing a comprehensive privacy management program for your business is smart practice.

Accountability is at the heart of Canada’s privacy laws. When a business is held “accountable,” it means that business is both legally and ethically responsible for the personal information it collects.

There are some pathfinder companies in Canada with robust privacy programs. But despite the legal requirement to be accountable, most Canadian businesses have failed to put even the most basic privacy controls in place. Other businesses have done the “paperwork of privacy” but can’t demonstrate concretely to regulators or to consumers how they manage privacy -- how they have breathed life into the policies.

We want to change that. The Commissioners in British Columbia, Alberta and at the Federal level got together to publish a document to help move data protection from policy to practice.

Getting Accountability Right is a roadmap to sound data governance. The paper is a practical, workable and scalable framework to help businesses demonstrate accountability and better protect personal information.

The paper takes a “building block approach” to privacy management, beginning with an organizational commitment to privacy, followed by the implementation of program controls as well as ongoing review and updates.

By implementing these building blocks, businesses can demonstrate to customers, clients and regulators that they are committed to privacy and accountability, which can also enhance their reputation and build trust in those relationships.

The building block framework is inter-operable. That means there will be certainty for business and consistency in the regulators’ expectations of private sector organizations operating across Canadian jurisdictions.

As regulators, we are already using this tool in our enforcement work. In British Columbia, we’ve applied the program elements in our systemic investigations as well as investigations of privacy breaches. In these investigations, we are assessing not only the event or technical breach in question but also the broader privacy management program. This is a sea change in our approach to oversight.

Privacy management is a fundamental corporate responsibility, beyond a matter of compliance or legal risk management. By implementing a comprehensive privacy management program, one that is woven into the organizational fabric, a business can distinguish itself as a company that respects consumer privacy, one that deserves the public trust.

The guidelines are available via the Commissioners’ websites: www.priv.gc.ca; www.oipc.ab.ca; and www.oipc.bc.ca.

Doug Park, Director of Online Safety for Xbox writes on the Get Game Smart blog:

Last week I had the chance to attend the annual Consumer Electronics Show (CES) and the Kids@Play Summit. It was great to see the newest products and ideas in consumer electronics while thinking about the online safety implications that come with each new innovation. A plethora of smart devices – from cameras on televisions to browsers on every device and unlimited content – are bringing connected entertainment to more people than ever before. At the same time, there could be new potential risks being introduced.

It all adds up to some common themes that were represented well at the Kids@Play Summit. Online safety and privacy awareness and education are critical for parents and children alike. Parental controls should be part of the conversation (and we have you covered for Xbox), but parental involvement is key. At the end of the day, we know you can’t be there to protect your children all the time, so we need to partner to give them tools for when they go it alone. It’s like teaching a child to always wear a seatbelt, not just when you are in the car to enforce it.

I was given a chance to present some of these ideas on the Taming the Reputation Monster panel, moderated by Larry Magid, Technology Columnist and Co-Founder of ConnectSafely.org. My fellow panelists included George Garrick, CEO of SocialShield, Clayton Ostler, Senior Director of Technology at ContentWatch (NetNanny), and Noopor Argawal, Senior Director of Public Affairs at MTV. As Larry noted near the end of our discussion, we were all somewhat surprisingly consistent with our outlook that there needs to be a balanced approach for addressing privacy and online safety needs for children and families.

Some of the common themes from our discussion included working to create safer online communities and combating digital abuse, as well as creating awareness of online monitoring tools and online safety education resources. We also agreed that parents are the "first line of defense" as kids and teens are increasingly connected and new gadgets are coming into the home. Parents need to take the lead in a continued discussion on acceptable technology habits with their children. It was a great panel to participate on.

The summit and CES were a good reminder that technology isn’t going to slow down and will continue to introduce new threats and risks. As a parent myself, it also increases the importance I place on having the right conversations regarding privacy and online safety with my own children (ages 5, 7, and 12).  If you need help, check out the PACT on our site. It is an outstanding resource to start the conversation.

Elizabeth Grigg, Program Manager, Windows Live Family Safety on the Windows Live Family Safety blog:

It was rewarding yesterday to see a discussion emerging from news articles on child safety. In Europe, MSN conducted a study of children’s habits online, and certain European companies also pledged to protect children online. The story is also active in the US. If you’re aware of this story in other places please provide that link in the comments here.

Microsoft can be a resource for parents who would like more information on the technical solutions that are available, as well as how to guide effective conversations with children. Over here on the Windows Live Family Safety team, we see the materials posted here as a companion to the technical solution we deliver with Windows Live Essentials. It’s incorrect to just install a Family Safety product and expect that to cover 100% of what your child does online. It’s also incorrect to just have a conversation with your child (even a good one) and expect that to cover 100% of what your child does online. Both approaches are needed.

If you have Windows Live Family Safety installed for your family, please use the comments here to describe what additional conversations you may have had with your children. Is there something more you’d expect to happen on the software side? Are there questions about educating kids that you’d like answered?

Thanks in advance for the discussion.

- Elizabeth Grigg, Program Manager, Windows Live Family Safety