Microsoft Privacy & Safety

Today is Data Privacy Day and to celebrate, Microsoft is launching a series of whitepapers and webcasts titled A Guide to Data Governance for Privacy, Confidentiality and Compliance to help organizations create or expand a data governance initiative. 

Data governance is an approach for enabling organizations to more effectively manage, protect and use the growing volume of personal information, intellectual property and other confidential data. Specifically, it includes steps organizations can adopt to help meet the constantly evolving challenges around data privacy, data security and related regulatory compliance obligations. 

As part of Microsoft’s long-standing commitment to privacy, the series provides guidance that will help organizations develop stronger data protection practices, rationalize compliance and identify opportunities to leverage the economic potential of their data assets. Papers one and two – available today along with the first webcast – focus on helping professionals make the business case for data governance, and provide a description of the process and organization used for data governance. Upcoming papers and webcasts will be made available from March through June and will discuss tools and techniques developed at Microsoft to manage technological risk using the data governance process. A capability and maturity model for data governance will also be presented, along with guidance for extending tools and processes to the cloud, and into mixed environments. 

We invite you to read the white papers and listen to the webcast.  To find subsequent papers and webcasts, visit www.microsoft.com/datagovernance. A podcast introducing Data Privacy Day and the Data Governance series for Privacy, Confidentiality and Compliance is also available here.

Javier Salido, Senior Program Manager, Microsoft Trustworthy Computing 

Tomorrow marks the 4th annual Data Privacy Day (or ‘Data Protection Day’ in Europe) and Microsoft will be joining consumers, governments and organizations at events held in San Francisco, Washington D.C. and Brussels to support the increased awareness of online privacy.

As people share more about their lives online through social networks, micro-blogging, photo sharing and other services, we at Microsoft see the issue of online privacy and control over personal data becoming a more important consideration. People continue to prize safety, but they also want the ability to share information in ways that allow them to maintain control over how it’s used and how it might impact their reputation.

To commemorate Data Privacy Day, Microsoft released a study conducted with 2,500 consumers, HR managers and recruitment professionals in the US, UK, Germany and France, to learn more about attitudes toward online reputation and how this information can have real life consequences. The results illustrate how we, as a society, are still grappling with the intersection of privacy and online life. For example, 63 percent of consumers surveyed are concerned that online reputation might affect their personal and/or professional life, yet, less than half even consider their reputations when they post online content. Finally, Fewer than 15% of consumers in any of the countries surveyed believe that information found online would have an impact on their getting a job

This consumer outlook contrasts sharply with how important online reputation is to HR professionals as part of the hiring practices. Online reputation is becoming inseparable from the other ways in which employers and professional contacts judge us. In a challenging economic environment where job hunting is top of mind and online information is playing a pivotal role in the hiring process.

 Our study found 70% of surveyed HR professionals in U.S. (41% in the UK) have rejected a candidate based on online reputation information. Reputation can also have a positive effect as in the United States, 86% of HR professionals (and at least two thirds of those in the U.K. and Germany) stated that a positive online reputation influences the candidate’s application to some extent; almost half stated that it does so to a great extent.

You can watch a video highlighting the research findings below. 

 What we hope people take away from this research is that an online reputation is not something to be scared of; it’s something to be proactively managed. That means not just removing (or not posting) negatives, but also building the online reputation that you would want an employer (or friend or client) to find.  Microsoft is releasing new guidance to help people take control of their online reputation and build their own online brand. You can find that guidance at: www.microsoft.com/dataprivacyday.

Our work for Data Privacy Day is part of our long-standing commitment to help protect people’s privacy that includes building strong internal practices, participating in ongoing policy discussions and providing clear guidance to consumers. We believe that everyone should know how the information they put online is being used and understand that they have control over that information.

Peter Cullen, Chief Privacy Strategist, Microsoft

This week Kim Howell, Director of Privacy Governance in the Microsoft Trustworthy Computing Group, and Ralph Hood Lead Program Manager for the Security Development Lifecycle (SDL) in Microsoft Trustworthy Computing Group. Participated in a podcast on “Integrating Privacy Practices into the Software Development Life Cycle,” with the Computer Emergency Readiness Team (CERT):

Integrating Privacy Practices into the Software Development Life Cycle

December 22, 2009
Featuring Ralph Hood Kim Howell and Julia Allen

Clearly security and privacy are closely linked when it comes to protecting information, yet when it comes to software development, privacy hasn’t yet pulled the same profile as security. As is the case for security, privacy is most effectively addressed when privacy practices, roles, responsibilities, and review approvals are integrated into your existing software and security development lifecycle. This helps ensure that privacy is at the forefront of developers’ minds as they execute each lifecycle phase.  In this podcast, Ralph Hood and Kim Howell, both with Microsoft’s Trustworthy Computing Initiative, will discuss Microsoft’s top ten privacy practices and how they have been integrated with their security development lifecycle (SDL). Ralph is a lead program manager on the SDL team and Kim is a director in the Privacy group.

Download:
full conversation (17:27)

·        Keeping Privacy at the Forefront; Collect Only Essential Information (6:54)

·        Minimize Collected Data; Prevent Unauthorized Access (5:08)

·        Gain Parental Consent; Ensure Privacy in the SDL (5:29)

Additional Materials
Show Notes
Transcript(pdf)

From the Microsoft on the Issues Blog:

Posted by Ernie Allen
President & CEO, National Center for Missing and Exploited Children

For most of us, the word “childhood” conjures up thoughts of innocence and security. But for thousands of children, it is shrouded by darkness and pain, because of the vilest kind of sexual abuse and exploitation. And when that abuse is recorded and shared online among pedophiles as child pornography, the abuse continues indefinitely; each time images of a child’s abuse are viewed and passed on, that child is victimized again.

We can help these children and prevent others from suffering their fate. Technology is a critical part of the solution, and that is why I’m proud to announce that Microsoft is donating to the National Center for Missing and Exploited Children (NCMEC) an important technology, called PhotoDNA,  to help power the fight against online child pornography. PhotoDNA was created by Microsoft Research and helps to calculate the distinct characteristics of a digital image in order to match it to other copies of that same image.

Child pornography worldwide, and particularly in the United States, has exploded with the advent of the Internet. Here at NCMEC, since 2003, we have reviewed and analyzed almost 30 million photos and videos of child pornography, and we project that nine million child pornography  photos and videos will be reviewed and analyzed in the coming year. As much as the Internet has improved our daily lives, it has also allowed people to access child pornography with limited risk of discovery, and encouraged pedophiles to build networks that validate and facilitate their depraved desires.

At NCMEC, we are devoted to ending all forms of child abuse and exploitation. To that end, our organization works closely with law enforcement and policymakers to strengthen protections for children. Technology, too, has played an integral role in our work, helping us to rescue abused and missing children and fight those using technology for such crimes.

PhotoDNA will revolutionize the work we’re doing in the fight against child pornography, allowing us to index the worst images, which we’ve confirmed to be depictions of actual child rape, by each image’s unique “DNA” or digital signature. Online service providers and others can use that DNA to better prevent these images from circulating. By “worst of the worst” I mean images of the physical sexual penetration of an identified prepubescent victim – truly horrific images of despicable crimes. Many of these images surface repeatedly during child pornography investigations as they are passed from pedophile to pedophile. Stopping their flow has been a challenge. PhotoDNA will enable members of the online service industry to voluntarily and proactively ensure that their services are not unwittingly hosting or distributing these photos of child sexual abuse.

Increasingly, child abusers are targeting younger and younger children, in part because very young children can’t tell anyone what’s happening to them. And because the average person will never see these horrifying photos, the victims have essentially become invisible. That is why we have to speak up for them. Law enforcement works heroically on this problem, but neither they nor technology can do it alone. We need increased awareness and broad-based support for policies that safeguard and protect children. We need to bring this issue into the open by reminding everyone that these children need our help, and that childhood should be a wonderful—not terrifying—experience for everyone.

What can you do to help?

First, help NCMEC and Microsoft raise awareness by participating in A Childhood for Every Child , our campaign to remind everyone what childhood should be about. Today and tomorrow, we are asking people to replace their Facebook, Twitter, Windows Live, MySpace, instant messenger or any other online profile photo and signature with the campaign logo, and share a story that speaks to you about what is best about being a kid. Whether it is a memory from your own childhood or that of your children, or a tale from a book or movie that made you smile, please update your profile or status, tweet, or blog to help us remind policy makers that we care about providing a childhood for every child.

Most importantly, help fight the problem of child sexual abuse and exploitation. If you see it, if you know about it, if you suspect it, report it to us by e-mail or call 1-800-THE-LOST.

I’d like to thank Microsoft Research, Professor Hany Farid at Dartmouth College who further developed PhotoDNA, the Microsoft Digital Crimes Unit and everyone else involved in making PhotoDNA a reality.  I’d also like to thank each and every one of you for getting involved. Together, we can let these children know that they are not alone and that we are here to support them.

Privacy Center is not Microsoft software. It’s a new form of fake antimalware software (also known as rogue security software) that pretends to help protect your computer, but is really a new form of spyware. It can slow down your computer and damage your files.

To remove the Privacy Center, download and use Microsoft Security Essentials, Microsoft Windows Defender, the Windows Live safety scanner, or another up-to-date scanning and removal tool.

For more technical information, see the Microsoft Malware Protection Center: Win32/Privacy Center. 

Here are a couple images of the Privacy Center:

From the Microsoft Windows Blog:

Yesterday was what is known as “Cyber Monday,” which is the first Monday after Black Friday every year and is one of the top online shopping days here in the United States. Cyber Monday is when people move to the Web to make purchases they missed in stores during Black Friday. And many online retailers offer hot deals similar to the in store deals seen on Black Friday. This year’s Cyber Monday was impressive - as of 1pm yesterday, sales for Cyber Monday were up 19.6% over last year according to Coremetrics. A lot of online shopping was done yesterday (I did some too)!

When shopping online, it is important to do so safely and privately. It would not be fun having to deal with stolen credit card details or identity theft instead of celebrating the holidays with your family. Many people don’t even think about their browser while shopping online. But in fact the browser plays a very important role in keeping you safe and secure while making online purchases and browsing the Web.

There are 3 major threats people shopping online should be aware of: Malware, Cross-site Scripting (XSS), and ClickJacking. Internet Explorer 8 protects against each of these threats (via SmartScreen), making it rated #1 for malicious software and phishing protection. To date, Internet Explorer 8 has delivered over 275 Million malware blocks. And as of September, Internet Explorer 8 is blocking 1 in every 200 downloads that appear as malicious. Internet Explorer 8 also helps protect your privacy with InPrivate Browsing.

To help spread awareness about the importance of a browser that puts people in control, especially when it comes to keeping safe while shopping online, we’ve created this fun video:

For a bunch of really great Tips and Tricks for using Internet Explorer 8 – click here.

Safe online shopping!

From the Microsoft On The Issues Blog:

Posted by David Bowermaster
Administrator, Microsoft on the Issues

The Federal Trade Commission’s roundtable series on “Exploring Privacy” begins today in Washington, D.C.   Microsoft Associate General Counsel Mike Hintze is participating in the first panel of the day, entitled “Benefits and Risks of Collecting, Retaining and Using Consumer Data.” 

Links to a Webcast of the event and background materials are available here.  The extensive public comments that Mike Hintze filed on behalf of Microsoft last month are also available online, if you’d like to delve into the specifics of our position and our privacy protections. 

_______________________________________________________________________

Posted by Frank Torres
Director, Consumer Affairs

(originally posted November 9, 2009)

On December 7, the Federal Trade Commission will host the first in a series of day-long roundtable discussions “to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data.” The goal of the sessions, according to the Commission, “is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation.”

As part of the ramp-up to the roundtables, the Commission invited public comments about how best to address consumer privacy in emerging technologies. Our comments focus on Health IT, online advertising, and cloud computing. These three evolving fields have a lot in common: each promises significant potential benefits for both consumers and innovators, but widespread adoption depends on ensuring users’ privacy at every step.

Microsoft has a long-standing commitment to privacy, based on our belief that for consumers to take full advantage of new technologies and contribute to the online ecosystem, consumers must trust that their data will be subject to consistent, predictable and robust privacy protections. Among the protections we focus on in our comments are transparency, consumer control and security. For example, consumers should have a choice about whether information on their online activities is used to create behavioral profiles for targeted advertising. In the context of cloud computing, consumers and enterprises should be given flexibility and choice about whether their data, software, and applications are kept locally or delivered as a service over the Internet. And in healthcare, patients should have control over where their health data is, who is looking at it, and for what purpose.

We support the goal of the FTC roundtables and we appreciate the Commission’s thoughtful approach. It’s the right time for a fresh look at privacy and security, and we look forward to the dialogue on December 7.

From the Microsoft Malware Protection Center Blog:

Almost a year ago, we started a project designed to monitor incoming attacks against a normal user on a day-to-day basis. We presented you with details about the geographical area from where the attacks originated and what services were targeted, and we gave you just a hint about FTP dictionary-based attacks. Now we’re going into a bit more detail about the passwords, having  so far gathered hundreds of user names and tens of thousands of passwords that have been  used in automated attacks in the last couple of months. Most of them were collected by our (fake) FTP server, which is designed to emulate a small part of the FTP protocol and log the information so that it’s easy to process.

As you can see below in the statistics, the length of the passwords is quite interesting, mainly because the average length according to our data is 8 characters and that’s quite close to the length of the passwords that many people use for their Internet accounts.

Statistics about user names and passwords:

• Longest user name: 15 chars
• Longest password: 29 chars
• Average user name length: 6 chars
• Average password length: 8 chars

Here is a top 10 list with the most common user names used in automated attacks:

User names	Count
Administrator	136971
Administrateur	107670
admin	8043
andrew	5570
dave	4569
steve	4569
tsinternetuser	4566
tsinternetusers	4566
paul	4276
adam	3287

And a similar list for passwords:

Passwords	Count
password	1188
123456	1137
#!comment:	248
changeme	172
F**kyou (edited)	170
abc123	155
peter	154
Michael	152
andrew	151
matthew	151

Trivia: One attacker tried more than 400,000 user name and password combinations.

Most of the probing is done from compromised systems that are connected to a password-protected IRC channel and are waiting for commands.

As you can see in the image below, one such command is to scan and identify other vulnerable hosts.

We just want to make users aware of the fact that passwords of around 8-10 characters (the average length of passwords that are normally used for Internet accounts) are used in attacks. Even a long password (10 to 15, or even 20 characters) isn’t good enough if it’s dictionary-based. As seen in the table above, there are passwords in dictionaries that are even using special characters (for example #!comment: ), not only numbers and letters.

You should take good care of what user name and password you're choosing. If your account has no limit on the number of login attempts, then knowing the user name is like having half of the job done. Especially for the user names from the top 10 (and mainly for the Administrator/Administrateur accounts), the passwords shouldn’t be picked lightly.

Usually we choose easy to type and/or easy to remember passwords, but please don’t forget that those passwords (for the moment) are the most commonly used or authentication on the Internet so they need to be strong.

The three basic things to remember when creating a strong password are the following:

1. Use a combination of letters, numbers and special characters. Also, remember that some dictionaries used in attacks have a "l33t" mode, which allows common letter/number-to-special character substitutions (like changing a-@, i-1 ,o-0 and s=$, for example, password = p@$$w0rd). Therefore, mix them in different ways so that they are not predictable.

2. Use a combination of upper and lower case letters.

3. Make it lengthy. A longer password does not necessarily mean it is strong but it can help in some cases.

To check if you have a strong password, you can use Microsoft's password checker (http://www.microsoft.com/protect/fraud/passwords/checker.aspx).

Having a super strong password is not enough. From time to time, you need to change it, especially when you feel that your account has been compromised. We also advise you to have several sets of passwords that differ in every account so in case one has been compromised not all your accounts will be affected.

For additional information regarding passwords you can visit the following links

Creating passwords - http://www.microsoft.com/protect/fraud/passwords/create.aspx

Maintaining passwords - http://www.microsoft.com/protect/fraud/passwords/secret.aspx

And by the way…..Don’t forget your password!!!!

Francis Allan Tan Seng && Andrei Saygo

Kim Cameron, the Chief Architect of Identity in the Identity and Security Division at Microsoft writes on his Identity Blog:

Earlier this week I presented the Identity Keynote at the Microsoft Professional Developers Conference (PDC) in LA.  The slide deck is here, and the video is here.

After announcing the release of the Windows Identity Foundation (WIF) as an Extension to .NET, I brought forward three architect/engineers to discuss how claims had helped them solve their development problems.   I chose these particular guests because I wanted the developer audience to be able to benefit from the insights they had previously shared with me about the advantages - and challenges - of adopting the claims based model.  Each guest talks about the approach he took and the lessons learned.

Andrew Bybee, Principal Program Manager from Microsoft Dynamics CRM, talked about the role of identity in delivering the “the Power of Choice” - the ability for his customers to run his software wherever they want, on premises or in the cloud or in combination, and to offer access to anyone they choose.

Venky Veeraraghavan, the Program Manager in charge of identity for SharePoint, talks about what it was like to completely rethink the way identity works in Sharepoint so it takes advantage of the claims based architecture to solve problems that previously had been impossibly difficult.  He explores the problems of ”Multi-hop” systems and web farms, especially the “Dreaded Second Hop” - which he admits “really, really scares us…”  I find his explanation riveting and think any developer of large scale systems will agree.

Dmitry Sotnikov, who is Manager of New Product Research at Quest Software, presents a remarkable Azure-based version of a product Quest has previously offered only “on premise”.  The service is a backup system for Active Directory, and involved solving a whole set of hard identity problems involving devices and data as well as people.

Later in the presentation, while discussing future directions, I announce the Community Technical Preview of our new work on REST-based authorization (a profile of OAuth), and then show the prototype of the mutli-protocol identity selector Mike Jones unveiled at the recent IIW.   And finally, I talk for the first time about “System.Identity”, work on user-centric next generation directory that I wanted to take to the community for feedback.  I’ll be blogging about this a lot and hopefully others from the blogosphere will find time to discuss it with me.

From Adam Sohn on the Bing Blog:

There’s been some buzz today based on a post by Nicholas D. Kristof at the New York Times suggesting that Bing filters results for searches conducted outside of the People’s Republic of China (PRC) using Simplified Chinese characters for their query.

As Mr. Kristof reported over the summer, we did fix a bug in web search that addressed this issue. There are some queries that provide very balanced web results, for example 六四 天安门 (June 4^th Tiananmen). We recognize that we can continue to improve our relevancy and comprehensiveness in these web results and we will.

In addition, today’s investigations uncovered the fact that our image search is not functioning properly for queries entered using Simplified Chinese characters outside of the PRC. We have identified the bug and are at work on the fix. We expect to have this done before the Thanksgiving holiday.

Bing’s intent for these types of queries is to provide relevant and comprehensive results for our customers.

We appreciate the dialog that Mr. Kristof has kicked off. Community feedback and input is incredibly important to Bing – it helps us do better and sometimes alerts us to things we can take immediate action to fix as we continue to improve.

Adam Sohn – Senior Director, Bing

Social Networking Site Tagged Pays $500,000 to Settle Privacy Violations

New York had accused Tagged.com of sending more than 60 million emails stating that friends had sent some photos, which in fact did not exist, and that recipients were told to sign up for Tagged.com to access them. The company would then use these contacts to send out more misleading emails.

Big Companies Sign Draft Privacy Agreement at Conference in Madrid

At an annual gathering of data protection officials in Madrid, attended by more than 50 countries and 100 representatives and – significantly – some of the biggest corporate data gatherers including Google and Facebook, experts signed off on a draft agreement for basic international data protections.

The Council of the European Union Set to Require Web users to consent to Internet cookies
But once the law goes into effect, users must provide consent to cookies being stored on their computers, meaning that they could be bombarded with annoying pop-ups or pages asking for permission. The new legislation does offer an exception for when a cookie is “strictly necessary.”

Survey: Online users becoming less anxious privacy

Concerns over security in everything from online shopping and banking to safety from computer viruses, as well as national security along with personal and financial security, were significantly down over what was recorded half a year ago for populations in the United States, the United Kingdom, Germany, Belgium, Brazil, Netherlands, Spain, Australia and New Zealand.

UK Information Commissioner's Office Reports 'Unacceptable' level of data loss

The number of incidents of loss or theft of personal data has risen to an "unacceptable" level in the past year, the privacy watchdog has warned.

The Windows Live team blogs writes:

Thanks to coordinated efforts across the tech industry, and partnerships between industry players who are a part of the Anti-Phishing working group, over the years most web services, users and other applications have become smarter at spotting tricks like link manipulation, phone phishing, and forged websites. Cybercriminals have adapted to improved vigilance by focusing on the consumers as easier targets than battling technology.

Unfortunately, even technologically unsophisticated attacks can be successful because people traditionally underestimate the value of their online identities, and the gates that this information can open.

In most cases, this type of phishing attack is carried out by sending a simple e-mail that appears to be from someone you know. It might appear to be from the customer support department of Hotmail or another webmail provider, or it may even appear to come from a friend of yours (most likely, the message went to their entire contact list) and asks you to provide the credentials for your webmail service or it instructs you to click a link. Probably every one of us has seen an attack like this by now!

Some of the most common types of phishing attacks... (There's More)

Peter Cullen here. 

The concept of “accountability” has certainly become a recent catch-cry in the wake of the global economic crisis but it has long been an established principle of privacy and data protection. In fact, the concept was first established in data protection by the Organisation for Economic Co-operation and Development (OECD) back in the early 1980s and the principle of accountability is a core principle of the Canadian Data Protection Act (PIPEDA), the APEC Privacy Framework and is a key guiding tenet of the US Safeguards Rule. So too, the accountability principle is inferred in the privacy laws of the European Union and its member states.

Last week, a significant policy paper was publicly released by the Centre for Information Policy Leadership (CIPL) entitled, “Data Protection Accountability: The Essential Elements,” which seeks to reinvigorate the discussion around accountability and data privacy and represents the collective thinking of more than 40 privacy experts from around the world representing industry, government, academia and civil society.  The paper, which Microsoft contributed to, not only helps further crystallize the key elements of accountability as a mechanism for global governance of data but also frames the discussion around how an accountability-based system might be designed.  Under such a governance model, the Company is responsible for understanding the risks to individuals that comes with the processing of that individual’s data and is also responsible for mitigating those risks.  Furthermore, as proposed in this paper,  the company is responsible for ensuring that those processes do indeed safeguard their customer’s data.  So, in many ways, accountability requires more diligence and vigilance from an organization than basic compliance with the law.

While the concept of accountability for data protection and privacy may not be new, what has changed dramatically over the past few decades is the technology-enabled use and transfer of information since modern-day concepts of privacy or data protection were first advanced. Privacy remains personal and local yet is challenged with today’s collection and global flow of information. Today, the Fair Information Principles, or “FIPs” tend to prioritize the lens for the consumer around individual control and “notice and choice” – a prioritization which is becoming increasingly challenging in the current information environment.

Currently, the “management” of global data flows are governed by law and guidance, which are enacted and enforced by individual governments, through regional or self-regulatory frameworks or by through commonly accepted principles.  Yet, under the present scheme, the burden is currently on the consumer who is expected to carry much of the responsibility for policing the appropriate use of their data. Regulators, where data protection laws exist, are charged with ensuring that companies implement the principles of fair information practices that form the basis of law and guidance.

However, this approach is neither well-suited nor sufficient to serve the new information economy. Collection of information from or about individuals has become more ubiquitous and perhaps less transparent, and information about them may be obtained from sources other than the individual. The concept of “primary and secondary use” that underpins traditional privacy governance quickly breaks down when information is used for dozens of purposes across many organizations. New technologies and business models that offer benefits to individuals rely on the use of information in ways that may not always be anticipated at the time the information is collected. Thus, in addition, the complexity of information collection is difficult to explain to even the most well-informed consumer. 

Neither companies nor their customers are well-served by the proliferation of complex and potentially conflicting laws that attempt to protect individuals from the misuse of their information. In the end, current governance models do not necessarily afford individuals the protections that they deserve and that would foster increased trust in the marketplace. Yet, the consumer is due fair processing and accountable use of information no matter where it is obtained and whether or not he or she is in a position to control its use. 

This is why Microsoft believes that policymakers and other relevant stakeholders need to take a closer look at how accountability might work within existing legal regimes, how organizations can do more to advance accountability and what role third party accountability agents and programs might play in this evolving paradigm.  So too, much consideration must be given to how accountability is measured and ultimately enforced.  We believe that this paper, which represents some of the collective thinking of some of the most prolific privacy thinkers around the globe, puts an important stake in the ground to ignite further discussion around the role of accountability in privacy and data protection schemes going forward.

In the first week of November, hundreds of representatives from government, industry and civil society will be descending upon Madrid for the 31^st International Conference of Data Protection and Privacy Commissioners to discuss a range of issues related to privacy, security, emerging technologies and the changing nature of global data flows.  Microsoft looks forward to engaging in this multi-stakeholder dialogue and will directly be involved in discussions around children’s privacy as well as safeguarding privacy in the cloud computing era.

Another important dialogue will ensue around the “Joint Proposal for a Draft International Standard on the Protection of Privacy with Regard to the Processing of Personal Data,” a laudable effort which has been spearheaded by the conference’s host, Mr. Artemi Rallo Lombarte, Director of the Spanish Data Protection Agency (AEPD) based on a resolution  adopted at the 30^th International Conference of Data Protection and Privacy Commissioners  The proposal was developed in consultation with other data protection authorities,  leaders of business and members of civil society. It  seeks to encourage the development of a universal and binding legal instrument for the guarantee of privacy, or a “global privacy standard.”

As the patchwork of worldwide laws has become increasingly difficult to navigate, Microsoft has repeatedly called for a comprehensive, workable global privacy framework that is consistent, flexible, transparent and principles-based.  Doing so will not be an easy task; some of the regulatory models in place today are outdated, while others take a piecemeal approach, with still new privacy models emerging in the developing world.  That said, there are certainly common, over-lapping principles in all of these approaches can help inform a comprehensive approach that can provide greater legal certainty to information providers while enhancing protections for the rights of individuals and their data. However, a global framework or consistent, principles are just part of the puzzle. Any principles or standards will need to be implemented in a consistent way to avoid creating further regulatory differences.

With the evolution  of cloud computing, in particular, global data flows have changed to become continuous and multi-point rather than linear and point-to-point.  Chances are that data will flow differently in ten years than it does today, and privacy rules will need to anticipate these inevitable changes. At the same time, privacy laws, by their very nature, are local.  This dynamic creates inherent tension.  As such, new privacy paradigms and governance models, such as one governed by accountability need to be considered in the context of global such frameworks.

We thank the Spanish Authority for its vision and leadership around this important debate and look forward to continued collaboration in promoting consistent global data privacy structures.  The theme of this year’s conference is “Privacy: Today is Tomorrow,” which is apt given the imperative for all of us to address the data protection needs of the future, while helping to facilitate the rich benefits of our information age. 

Peter Cullen, Microsoft Chief Privacy Strategist