
Today on the Microsoft on the Issues Blog:

Posted by Scott Charney
Corporate Vice President, Trustworthy Computing

As I blogged last month, the increasing quantity and sophistication of cyber attacks requires a comprehensive and coordinated strategy to secure the nation’s critical infrastructure and sensitive data.

Today I had an opportunity to continue the discussion while testifying before a congressional hearing on “Assessing Cybersecurity Activities at the National Institute of Standards and Technology and the Department of Homeland Security,” convened by the House Subcommittee on Technology and Innovation.

As I explained to the committee, the complexity and breadth of national governments, and the wide array of constituents they serve, require a careful and thoughtful approach to managing government-wide cybersecurity.

Most governments function like a conglomeration of businesses, each with different missions, partners, customers, data, assets and risks.  The number and diversity of component organizations  and systems make centralized management impractical—if not impossible.  Each agency or ministry has a unique security paradigm with its own threats, so each must manage its own risk.

I believe a hybrid model to government cybersecurity can create both a “horizontal,” centrally managed security framework and customized, “vertical” solutions that meet the specialized security needs of individual agencies.  

Such a combination of horizontal and vertical functions would help ensure that minimum security goals and standards are set, while enabling agencies to manage risks appropriately for their unique operating environments. 

To maximize the value of a horizontal cybersecurity function, governments must collect the right data;  analyze that data;  and use the data to drive action. 

To achieve these core objectives, I highlighted several tools I believe are essential: 

  • Security monitoring: In addition to traditional network monitoring from intrusion detection systems, governments could use information provided by IT assets, such as routers, hosts, and proxy servers to evaluate their operational and security status.
  • Audit:  Meaningful audit data improves agencies’ cybersecurity posture because it drives behavior and provides accountability.  In addition to comprehensive quarterly or annual reporting, this  should include continuous audit, with spot checks and periodic evaluations that can help assess the adequacy of controls and compliance. 
  • Advanced analytics:  Monitoring and audit capabilities can create a baseline of data about the real-time health and overall trends in security.  Combining this with threat information and advanced technical analyses can create an operational awareness of the “attack surface” of the government.  
  • Agile and collaborative response:  Over the past 10 years, there have been several attempts to improve operational coordination between and among key government and private sector stakeholders, but they’ve had limited success.  I strongly support creating a more effective model for operational collaboration to move us from the less effective government-led partnerships of the past to a more dynamic and collaborative approach involving cybersecurity leaders from government, industry, and academia.
  • Innovative security controls:  Since computing technologies advance at a rapid pace, organizations creating security policy, standards, and technologies must consider how transformative changes  (e.g., wireless, RFID, peer-to-peer networks) create different risks and require different controls to maintain or improve security.

These capabilities are necessary to build an effective government cybersecurity function, but we must also recognize that cyberspace threats are not going to disappear.  Technology alone will not create the trust necessary to secure cyberspace and realize the full potential of the Internet.  Technological innovation must be aligned with social, political, economic and IT forces to enable change.  Microsoft works with partners in the ecosystem to help drive and shape these forces to create a safer, more trusted Internet through our End-to-End Trust vision.  Governments must similarly drive forward with clear vision and holistic Information Age strategies to combat these threats to national and economic security, and public safety.  As long as threats evolve, so must our efforts to protect against them. 

 

From the Microsoft Forefront blog:

Today Microsoft released findings from a survey of 1200+ IT professionals in the US, UK, Germany and Japan. Some of the top findings about their opinions on IT in a recession, priorities and where they are investing are here. Among the most interesting results are related to security, such as:

  • IT pros cite security as the number one challenge in managing infrastructure (above some other big challenges, such as uptime, resource utilization, systems management, end-user support, sprawling datacenters and interoperability).
  • Protection of customer and company data is the top security priority, above other activities including security systems management (#2), compliance and governance, identity management and adopting hosted security services.
  • A majority of IT pros view security as an enabler of business. More than half think that IT security responsibilities include advancing overall business goals (52%) and increasing end-user productivity (51%).

1. Behavioral Targeting before Congress. On Thursday, the House subcommittee on communication and consumer protection held a hearing on the data collection practices of Internet companies. The Wall Street Journal reports that, “Lawmakers in the House are drafting Internet-privacy legislation designed to provide consumers more information about what is being collected online and to give them greater control about how that data can be used. It could also set rules for how consumers could prevent their personal data from being shared with advertisers.” Microsoft's Privacy Principles for Live Search and Online Ad Targeting are here.

2. Rogue Employees, Hackers Most to Blame for ID Theft. The Washington Post reports on the new figures from the Identity Theft Resource Center. “The ID Theft Center found that of the roughly 250 data breaches publicly reported in the United States between Jan. 1 and Jun. 12, victims blamed the largest share of incidents on theft by employees (18.4 percent) and hacking (18 percent). Taken together, breaches attributed to these two types of malicious attacks have increased about 10 percent over the same period in 2008.”

3. Center for Democracy & Technology calls for Location-Enabled Web Privacy. A new blog post from CDT’s Alissa Cooper states that: “It’s CDT’s belief that location information should only be used on individual Internet users’ own terms. Individuals should get to decide with whom they share their location, what that information is used for, whether or not it gets shared, and how long it’s retained. Location-enabled technologies – including Web browsers – should be designed with privacy in mind from the beginning and with built-in user controls to allow individuals to manage their location data as it’s collected.”

4. Google Reaches Agreement with German Government on Street View Data. Spiegel reports that, “The dispute between Google and the data protection office in Hamburg over the company's Street View service has been settled. Google has agreed to erase identifiable raw data depicting people, property or cars upon request.”

From the Bing Blog:

Bing and Security:

 

We at Bing absolutely believe that security is one of our top priorities. We will keep investing in security, as one of our primary goals is to protect and secure our users and provide them a safe search experience.

 

What have we noticed in Bing?

 

Over the last year, we have seen an increase in social engineering malware. Malware providers mostly target popular search queries on anti-virus products, free software downloads and related technical queries. Their intent is to game the search engine to show their malware sites as top results for the popular queries. This is done by using various search engine spam techniques (page level and link level spam techniques). We have also noticed that the number of searches for the queries the malware providers target (for example, anti-virus products in various forms) is significant, and these queries consistently show up in our list of top queries.

 

What is the good news for Bing users?

 

In response to this growing threat, Bing has invested in ways to identify and filter sites that download malicious software. We call this Malware Filter. This feature complements our pre-existing Drive-By-Download detection by identifying and removing social engineering malware sites from our results. We can block new threats from existing malicious sites, even if those threats are not yet blocked by traditional anti-virus or anti-malware signatures. Here are some examples of what sites we are blocking and how they might infect our users with what they download:

 

Common examples of what users think they are downloading:

 

  • Anti-Virus/Anti-Spyware products
  • Free videos, codecs & images
  • Utilities or other software
  • Online greeting cards
  • Games

Here are the types of files users are actually trying to download:

  • Viruses
  • Spyware
  • Adware
  • Trojans
  • Backdoors
  • Dialers
  • Worms
  • Downloaders
  • Password stealers
  • Monitoring software

From our analysis of sites blocked by our malware filter, a significant portion of the malware sites are fake anti-virus product sites. This effort is going to protect our users in a significant way, as we have already pointed out that the number of searches for anti-virus products in various forms is quite significant.

 

For comprehensive protection from malware, we highly recommend that users also install traditional anti-virus products and keep them up to date.

 

How can you help Bing?

 

Please report sites that you think may be malicious using Bing feedback.

  

We’re committed to protecting our users from the attacks of today and the attacks of the future.  Please stay tuned for more blogs on our security endeavours to protect our users and keep the internet a safe place to search.

~Sasi Parthasarathy, Bing Index Quality Group

From the Bing Blog:

You may have read our post last week where we talked about how Smart Motion Preview and SafeSearch work together.

As we mentioned, Microsoft is never done when it comes to providing tools to help customers, whether they are large enterprises, local school districts or parents make sure they can provide a safe searching experience when using Bing.

We made two changes that we think will help.

First, potentially explicit images and video content will now be coming from a separate single domain, explicit.bing.net.  This is invisible to the end customer, but allows for filtering of that content by domain which makes it much easier for customers at all levels to block this content regardless of what the SafeSearch settings might be.  This makes it much easier for filtering software to block unwanted content if SafeSearch has been turned off.

In addition, we will begin returning source url information in the query string for images and video content so that companies who already use this method of filtering will be able to catch explicit content on Bing along with everything else they are already blocking for their customers.  An example of such a query string is:  

http://ts2.explicit.bing.net/images/thumbnail.aspx?q=974382499649&id=12ae77a7fed979b0502840bedacd2552&url=http%3a%2f%2fwww.explicitsite.com%2fexplicit-picturegoeshere.jpg  

Thank you to everyone who shared feedback with us on this matter, it helped us to quickly develop a solution and get it into production.

Mike Nichols, General Manager, Bing

Business Week has a story out this week about a case involving a New Hampshire law barring data mining on drug prescription data that could have a profound impact on data mining across industries:

IMS Health (RX) has built a lucrative niche collecting data on which drugs physicians prescribe, then selling the information to pharmaceutical companies. But legislators in more than 20 states are considering actions to curb the practices. The Supreme Court could shine a spotlight on this topic in the next few weeks if it decides to hear a closely watched case IMS has been fighting in New Hampshire. The court's ruling would quickly reverberate beyond the pharmaceutical industry, affecting virtually any business that uses information about consumer buying behavior to guide its sales strategies.

The legal drama began in 2006, when New Hampshire passed the Prescription Information Law. It bars the collection of data on what drugs specific doctors prescribe—information drug companies use to fine-tune sales tactics. The law struck right at the heart of IMS's business model, which brought the Norwalk (Conn.) company $311 million in profits on $2.3 billion in sales in 2008. New Hampshire Attorney General Kelly A. Ayotte has argued that collecting prescription data endangers the privacy of physicians and patients, even though patient information is kept anonymous. IMS and another data collection company, Verispan (now SDI Health), sued in federal court to challenge the law, which they believe violates their First Amendment rights to free speech.

The case wound its way up to the U.S. Court of Appeals for the First Circuit, which upheld the New Hampshire law in November 2008. The court ruled that data and speech are not the same thing. Data is just like any product, Circuit Judge Bruce M. Selya said, and states have the authority to legislate how companies sell their goods. "The plaintiffs … ask us in essence to rule that because their product is information instead of, say, beef jerky, any regulation constitutes a restriction of speech," wrote Selya in the November

From Kim Cameron's blog:

Today I am posting a new paper called, Proposal for a Common Identity Framework: A User-Centric Identity Metasystem.

Good news: it doesn’t propose a new protocol!

Instead, it attempts to crisply articulate the requirements in creating a privacy-protecting identity layer for the Internet, and sets out a formal model for such a layer, defined through the set of services the layer must provide.

The paper is the outcome of a year-long collaboration between Dr. Kai Rannenberg, Dr. Reinhard Posch and myself. We were introduced by Dr. Jacques Bus, Head of Unit Trust and Security in ICT Research at the European Commission.

Each of us brought our different cultures, concerns, backgrounds and experiences to the project and we occasionally struggled to understand how our different slices of reality fit together. But it was in those very areas that we ended up with some of the most interesting results.

Kai holds the T-Mobile Chair for Mobile Business and Multilateral Security at Goethe University in Frankfurt. He led the EU research project FIDIS (Future of Identity in the Information Society), a multidisciplinary endeavor of 24 leading institutions from research, government, and industry, and co-ordinates PICOS, the ISO Security Evaluation Criteria working group, and the ISO Identity Management and Privacy Technology working group. He’s also one of the editors of the book in which this paper was published.

Reinhard has taught Information Technology at Graz University since the mid-1970s, and was Scientific Director of the Austrian Secure Information Technology Center starting in 1999. He has been federal CIO for the Austrian government since 2001, and was elected chair of the management board of ENISA (the European Network and Information Security Agency) in 2007.

I invite you to look at our paper.  It aims at combining the ideas set out in the Laws of Identity and related papers, extended discussions and blog posts from the open identity community, the formal principles of Information Protection that have evolved in Europe, research on Privacy Enhancing Technologies (PETS), outputs from key working groups and academic conferences, and deep experience with EU government digital identity initiatives.

Our work is included in The Future of Identity in the Information Society - a report on research carried out in a number of different EU states on topics like the identification of citizens, ID cards, and Virtual Identities, with an accent on privacy, mobility, interoperability, profiling, forensics, and identity related crime.

I’ll be taking up the ideas in our paper in a number of blog posts going forward. My hope is that readers will find the model useful in thinking about how they think about the architecture of their identity systems.  I’ll be extremely interested in feedback.

The Bing team addresses concerns about the Bing SafeSearch settings on their blog:

One important conversation going on right now is about unwanted adult video content within this feature.  To start with, by default in Bing (and in Live Search before it), we do not return explicit adult content in video or image results. In web results, we also do not include any explicit images or video content by default.  This is a bit more of a conservative approach than others in the industry.  If you set SafeSearch to strict, you will not see any explicit text, image or video content. If you turn SafeSearch off – which requires you to change the setting and then click again to acknowledge that you are over 18, then explicit content may appear.

We think our current search safety settings are solid but at Microsoft we are always working on pushing this stuff farther.  We also are listening to customers, and some have told us they want more control and they want it now.  In particular some folks who manage corporate networks have asked for tools now to enforce SafeSearch settings at the network level.  So for right now, we wanted to let people know that you can add “&adlt=strict” to the end of a query and no matter what the settings are for that session, it will return results as if safe search was set to strict.  The query would look like this: http://www.bing.com/videos/search?q=adulttermgoeshere&adlt=strict (yes it is case sensitive).

This short term work-around should work with lots of popular firewall and safety products, as well as for larger, managed network environments.

In the next couple of months we will formalize this work so that a broader range of partners, applications and tools can take advantage of this functionality more easily.  In addition, we are looking for more ways to give consumers more control to ensure that Bing gives them a great search experience.
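The two Bing posts above describe three hooks that a network administrator can use from the filtering side: explicit media is served from the single domain explicit.bing.net, media thumbnail URLs carry the original source URL in a `url=` query parameter, and appending `&adlt=strict` (case-sensitive) to a Bing search URL forces strict SafeSearch for that request. The following Python example, added here and not code from the Bing team or from Microsoft, shows how a filtering proxy could apply all three: block any request to explicit.bing.net, block thumbnails whose decoded source URL falls under an administrator-supplied domain list, and rewrite remaining bing.com search URLs so they carry `adlt=strict`. The `filter_request` function, the `blocked_source_domains` parameter and the sample URLs other than the one quoted in the post are constructed for illustration.

```python
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Domain the post says explicit image/video content is served from.
EXPLICIT_HOST = "explicit.bing.net"
# Hosts whose search URLs we rewrite to force strict SafeSearch (assumed list).
BING_SEARCH_HOSTS = {"bing.com", "www.bing.com"}


def _host_of(url):
    """Lowercase hostname of a URL, or '' if it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower()


def _under_domain(host, domain):
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def is_explicit_bing_host(url):
    """True for any host at or below explicit.bing.net (e.g. ts2.explicit.bing.net)."""
    return _under_domain(_host_of(url), EXPLICIT_HOST)


def source_url_of(url):
    """Decoded origin URL from the url= query parameter of a Bing thumbnail URL, or None."""
    values = parse_qs(urlsplit(url).query).get("url")
    return values[0] if values else None


def enforce_strict(url):
    """Return a bing.com search URL with adlt=strict in its query string.

    Any existing adlt value is replaced; non-Bing URLs are returned unchanged.
    """
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in BING_SEARCH_HOSTS:
        return url
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "adlt"]
    params.append(("adlt", "strict"))  # the post notes the value is case-sensitive
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), parts.fragment))


def filter_request(url, blocked_source_domains=frozenset()):
    """Decide what a filtering proxy should do with one outbound request URL.

    Returns ("block", reason), ("rewrite", new_url) or ("allow", url).
    """
    if is_explicit_bing_host(url):
        return ("block", EXPLICIT_HOST)
    source = source_url_of(url)
    if source is not None:
        source_host = _host_of(source)
        for domain in blocked_source_domains:
            if _under_domain(source_host, domain):
                return ("block", source_host)
    rewritten = enforce_strict(url)
    if rewritten != url:
        return ("rewrite", rewritten)
    return ("allow", url)


# The thumbnail URL quoted in the post, plus constructed sample requests.
QUOTED_EXPLICIT_THUMBNAIL = (
    "http://ts2.explicit.bing.net/images/thumbnail.aspx?q=974382499649"
    "&id=12ae77a7fed979b0502840bedacd2552"
    "&url=http%3a%2f%2fwww.explicitsite.com%2fexplicit-picturegoeshere.jpg"
)
SAMPLE_REQUESTS = [
    QUOTED_EXPLICIT_THUMBNAIL,
    "http://www.bing.com/videos/search?q=adulttermgoeshere&adlt=off",
    "http://www.bing.com/images/search?q=kittens",
    # constructed thumbnail on a non-explicit host whose source domain is on the block list
    "http://ts1.thumbs.example.test/images/thumbnail.aspx?url=http%3a%2f%2fbad.example.net%2fpic.jpg",
    "http://www.example.com/page",
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        action, detail = filter_request(request, blocked_source_domains={"example.net"})
        print(f"{action:8} {detail}")
```

The domain block for explicit.bing.net works regardless of the user's SafeSearch session setting, which is the point the first post makes; the `adlt=strict` rewrite is the short-term workaround from the second post and only helps for requests the proxy can see and modify (plain HTTP here). Both checks use the parsed hostname rather than substring matching, so a lookalike such as `explicit.bing.net.example.test` would not be matched by accident.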

Kim Cameron, Chief Architect of Identity at Microsoft, writes on his Identity Blog:

The recent European Identity Conference, hosted in Munich by the analyst firm Kuppinger Cole, had great content inspiring an ongoing stream of interesting conversations.   Importantly, attendance was up despite the economic climate, an outcome Tim Cole pointed out was predictable since identity technology is so key to efficiency in IT.

One of the people I met in person was James McGovern, well known for his Enterprise Architecture blog.  He is on a roll writing about ideas he discussed with a number of us at the conference, starting with this piece on use of Information Cards in industry verticals.  James knows a lot about both verticals and identity.  He has started a critical conversation, replete with the liminal questions he is known for:

‘Consider a scenario where you are an insurance carrier and you would like to have independent insurance agents leverage CardSpace for SSO. The rationale says that insurance agents have more personally identifiable information on consumers ranging from their financial information such as where they work, how much they earn, where they live, what they own to information about their medical history, etc. When they sell an insurance policy they will even take payment via credit cards. In other words, if there were a scenario where username/passwords should be demolished first, insurance should be at the top of the list.’

A great perception.  Scary, even...

Posted by Scott Charney, Corporate Vice President, Trustworthy Computing, on the Microsoft On the Issues Blog:

Today I had the privilege of attending an event at the White House where President Barack Obama announced the results of the 60-day cybersecurity review and highlighted the steps the United States Government would be taking to help ensure the security of our nation’s computer networks.  This is an important step in ensuring we have a comprehensive and coordinated national strategy for cybersecurity. 

Advances in information technology have revolutionized the way we live and our increased dependence on IT systems makes addressing cybersecurity risks an increasingly important priority for both the government and the private sector. 

Right now, we are locked in an escalating but often hidden conflict in cyberspace, as cyber attacks steadily grow in sophistication and target critical infrastructures and sensitive data. According to Microsoft’s latest Security Intelligence Report, 40 percent of attacks in 2008 were considered “moderately complex”; less than 20 percent earned that descriptor in 2003. 

Addressing these attacks and securing cyberspace is going to require a comprehensive and coordinated national strategy, and the 60-day review provides a baseline to inform its development. Such a strategy requires the White House, the Congress and the private sector to collaborate on common security goals, and we look forward to contributing to this important effort.

Frank Torres, Microsoft Director of Consumer Affairs, blogs at the Microsoft on the Issues Blog:

Posted by Frank Torres
Director, Consumer Affairs

Last month the U.S. Department of Health and Human Services sought public input on guidelines the agency is developing for technologies that companies and organizations should use to safeguard consumers' electronic health records, and on mechanisms for notifying consumers if the privacy and security of their health data is compromised. Microsoft, as well as other stakeholders in the health world, filed comments with HHS yesterday.

In addition to proven security technologies such as encryption, we recommended that HHS support technologies that render data unreadable or unusable to unauthorized individuals. We also commented that when there is a security breach that consumers need to know about, the notice should be sent to the user through whatever contact information the user provides. In some cases an individual may only provide an e-mail address and not a street address or phone number, for example.

Establishing guidelines to keep electronic health records more secure is critical to build consumer trust in health IT and, in turn, to enable the widespread adoption of health IT that will make health care more affordable and effective for everyone.

Yesterday's deadline for responding to the HHS request for information is an early step in the agency's key involvement in setting the rules that will govern federal investments in health IT through the American Recovery and Reinvestment Act.

The decisions made by HHS will carry great weight in determining what technologies your doctors and health care providers are encouraged to use, thanks to federal incentives, to improve the quality and availability of care you receive.

Two major challenges for those drafting the HHS recommendations are to ensure that innovation is allowed to thrive, and that consideration is given to the specific ways technology is used by both consumers and health care providers.  That way, consumers will be better protected, but also enabled to benefit from new and evolving technologies selected by their health providers.

President Obama and Congress are looking to technology to improve the nation's health care system for everyone. This is an exciting time and the decisions HHS is preparing to make are critical to allow promising new solutions to help solve some of the major challenges facing the health care system today. 

 

Kim Cameron, Chief Architect of Identity at Microsoft, reports on a disturbing trend at a seminar on cloud computing from his IdentityBlog:

A few weeks ago I spoke at a conference of CIOs, CSOs and IT Mandarins that - of course - also featured a session on Cloud Computing.  

It was an industry panel where we heard from the people responsible for security and compliance matters at a number of leading cloud providers.  This was followed by Q and A  from the audience.

There was a lot of enthusiasm about the potential of cutting costs.  The discussion wasn’t so much about whether cloud services would be helpful, as about what kinds of things the cloud could be used for.  A government architect sitting beside me thought it was a no-brainer that informational web sites could be outsourced.  His enthusiasm for putting confidential information in the cloud was more restrained.

Quite a bit of discussion centered on how “compliance” could be achieved in the cloud. The panel was all over the place on the answer. At one end of the spectrum was a provider who maintained that nothing changed in terms of compliance - it was just a matter of outsourcing. Rather than creating vast multi-tenant databases, this provider argued that virtualization would allow hosted services to be treated as being logically located “in the enterprise”.

At the other end of the spectrum was a vendor who argued that if the cloud followed “normal” practices of data protection, multi-tenancy (in the sense of many customers sharing the same database or other resource) would not be an issue.  According to him, any compliance problems were due to the way requirements were specified in the first place.  It seemed obvious to him that compliance requirements need to be totally reworked to adjust to the realities of the cloud.

Someone from the audience asked whether cloud vendors really wanted to deal with high value data.  In other words, was there a business case for cloud computing once valuable resources were involved?  And did cloud providers want to address this relatively constrained part of the potential market?

The discussion made it crystal clear that questions of security, privacy and compliance in the cloud are going to require really deep thinking if we want to build trustworthy services.

The session also convinced me that those of us who care about trustworthy infrastructure are in for some rough weather.  One of the vendors shook me to the core when he said, “If you have the right physical access controls and the right background checks on employees, then you don’t need encryption”.

I have to say I almost choked.  When you build gigantic, hypercentralized, data repositories of valuable private data - honeypots on a scale never before known - you had better take advantage of all the relevant technologies allowing you to build concentric perimeters of protection.  Come on, people - it isn’t just a matter of replicating in the cloud the things we do in enterprises that by their very nature benefit from firewalled separation from other enterprises, departmental isolation and separation of duty inside the enterprise, and physical partitioning.  

I hope people look in great detail at what cloud vendors are doing to innovate with respect to the security and privacy measures required to safely offer hypercentralized, co-mingled sensitive and valuable data. 

Microsoft Associate General Counsel Tim Cranton tells us:

There is news from Edinburgh today of guilty verdicts for leaders of the largest child pornography ring ever broken up in Scotland. As the BBC News explains, a single image found on a computer led to literally thousands of others, shared through the Internet by at least 200 pedophiles around the world.

I am grateful for the verdicts and the prospect of more arrests and convictions, but obviously this is not a cause for celebration.  These are horrific cases, due to the nature of the images and the devastation to the victims and their families.  Our thoughts are with them as they grapple with the impact these events have had on their lives and, hopefully, begin to heal.

Thanks are due to the prosecution and to law enforcement in the UK and around the world for the painstaking and determined detective and legal work that led to convictions.  The investigation was truly global – images from Scotland were distributed to pedophiles in at least five other countries, including the U.S.  The case shows why global coordination by law enforcement is so important when dealing with crimes like these. 

Kudos are also deserved for the tough, clear laws on child pornography that carry strong sentences in the U.K.  We affirm the principle prosecutors expressed during the trial, that each image itself represents a severe and violent act of child abuse that deserves swift justice.

Technology is essential in solving these crimes.  In this case, the technical expertise of academics Hany Farid of Dartmouth College, Miroslav Goljan of Binghamton University, and Susan Black of the University of Dundee in Scotland was central to establishing the link between the perpetrators and the images of abuse.

Along with the experts at the U.K.’s Child Exploitation and Online Protection Centre and Serious Organized Crime Agency, the FBI, INTERPOL and some of the world’s leading academics on image forensics, Microsoft also assisted the investigation.  With these and other partners, we share a steadfast commitment to the protection of children.  Whether through our training sessions or the use of our technology tools, we’ve come to know and respect the people on the front lines in the fight for online family safety.  In our view, they rank among the world’s unsung heroes.

Doug Leland, Microsoft General Manager, Identity & Security Division shares his thoughts on cloud computing security and privacy:

Hi all – Doug Leland here, general manager of the Identity and Security Business Group. Today at the Microsoft Management Summit vice president Bob Kelly spoke about cloud computing. He outlined Microsoft’s investments and provided guidance to help customers understand their options as they incorporate the cloud into their future plans, whether it is through “private clouds,” “public clouds,” or a combination. You can read an article about this and view the keynote or a related webcast on-demand.

I wanted to provide some additional information about our efforts to help customers maintain security with cloud infrastructure. 

As part of our Business Ready Security strategy, we are taking a comprehensive approach to security across on-site and cloud infrastructure.   This encompasses protection, access and management, all built around user identity and integrated with a highly secure, interoperable platform for a broad set of partner solutions.

Identity is a core part of our strategy, because it allows for more contextual protection and access to information and resources.   With our Forefront platform, on-premise identities, such as those in Active Directory, work with cloud services.  That enables simplified, secure user access to applications, such as Exchange, regardless of where the application is hosted.  

Forefront's identity provisioning/de-provisioning and access management empower customers to integrate their investments in Active Directory and existing identities with cloud infrastructure.  And, with solutions like Rights Management Services, in the future customers will be able to enforce persistent, identity-based policies around data anywhere it is stored, sent, or accessed - including the cloud.

We are delivering both standalone security services and security technologies within Microsoft’s cloud infrastructure.  Forefront Online Security for Exchange is an example of a standalone service solution, providing email security for both on-premise Exchange Server and Exchange Online (and other on-premise messaging systems).  Another example is System Center Online Desktop Manager, introduced today and available in beta by the end of the year.  It is an integrated security and management tool that will provide desktop management capabilities in the form of an online service.

We are also providing fundamental identity components for Microsoft cloud services, such as the Azure Services Platform.  The Microsoft Services Connector, for example, extends identities from on-premise systems to cloud services.  The .NET Access Control Service issues and manages identity “claims.”  Both are based on “Geneva,” an open platform for simplified user access that works across organization boundaries for on-premise and cloud-based applications.  Beta 2 of “Geneva” will be available soon.

I hope this information is helpful.  Let us know if you have questions or comments.

Doug

Thursday, April 23, 2009
Jeffrey Friedberg
In his recent blog post, Scott Charney described End to End Trust, a vision for a safer, more trusted Internet. Core to the proposal of End to End Trust is the creation of a “trusted stack,” where security is rooted in hardware and where each element in the stack (hardware, software, data and people) can be authenticated in appropriate circumstances. An important portion of the trusted stack is where the user interfaces with the system which requires special consideration. It’s where the user must make key trust decisions like: “Is this really my bank site? Should I install this software? Should I share my sensitive data?”

Currently, the trust user experience (TUX) that is presented can be confusing to some users. For example, they may be perplexed by the guidance provided or unfamiliar with the semantics of the security indicators. Many just click through these critical check points without fully understanding the implications.

TUX vision and scope
Many consumers are uncomfortable having to make the trust decisions that are put in front of them. They would much rather just continue listening to music, buying products on the web, or chatting with friends. The vision for consumers is to increase their safety without distracting them from enjoying their digital lifestyle.

Poor TUX does not just affect consumers. It affects enterprises as well. It can lead an administrator to set up the wrong configuration, so that instead of one record being compromised, millions could be. Another issue businesses face is connecting with their customers. Users are told to be very suspicious of email and not to click on links. This forces some businesses to create “walled gardens” on the web just to have a conversation. The vision for businesses is to help them better connect with their customers and to honor the trust promises they make.

How bad can it get?
Making a mistake here could expose the user to a range of harms. At one extreme, installing rogue software could turn their system into a remotely controlled “bot” which can be used to send spam, enable identity theft or attack other computers. At the other extreme, choosing the wrong sharing model on a social networking site could expose embarrassing photos to the wrong people, resulting in a damaged reputation and even job loss.

More than just UI
TUX is much more than just the user interface (UI) that is presented. It includes the underlying architecture of the system and the mental model the user has in their head. When designing and evaluating a TUX, all three elements need to be considered. Improving the UI will only take you so far. In some cases, changes to the underlying architecture will need to be made. Likewise, it is important to assess whether the user is likely to form the appropriate mental model for the task and take steps to create better alignment.

Whenever possible, it is best to address trust in the architecture to avoid needing to ask the user in the first place. No TUX is good TUX. However, when the user needs to get involved, the goal is “trust at a glance.” It’s unrealistic to think users will manually inspect a certificate or read every line of a privacy statement. We must find ways to increase the user’s confidence they are making a good trust decision while reducing their need to do all the leg work.

Creating great TUX is hard
Users come in with different goals, expectations, and experience. There may also be cultural differences in the way they interpret trust. When it comes to creating great TUX, “one size” unfortunately does not fit all. We need to understand what will really help a user when they are in the hot seat. In some cases, providing clearer guidance may help. In other cases, it’s a design issue and new, less complex controls need to be provided.

Form factor can also be an issue. While desktop systems typically have large displays on which to present a TUX, handheld devices like mobile phones have very little screen real estate available. Simply scaling down the TUX does not work. Different approaches need to be taken.

Another challenge to highlight is habituation. For various reasons, many users have given up trying to fully understand the risks and have formed the habit of just clicking “Next, Next, Next” (when was the last time you read an end user license agreement?). It’s important to find ways to catch the user’s attention and guide their behavior to a safer outcome when it’s really needed.

Some users would rather not deal with the risk analysis and would like to simply “call a friend” or “poll the audience.” As in the real world, consulting outside advice from people, communities, and tools you trust can play a significant role in making better trust decisions (and can reduce anxiety). The ability to conveniently tap this information is often missing in the TUX that is presented. Establishing a common framework for providing reputation feeds could help users connect with advisors they trust.

The path to better TUX
TUX is a nascent discipline that draws from multiple domains (e.g. security, privacy, usability, accessibility, psychology and anthropology to name a few). Across the industry and academia, a number of TUX-related efforts are in play. For example, in 2007 we assembled a TUX Advisory Board of passionate experts from across the company to help product teams with their critical TUX and to hone and validate best practices. Microsoft Research has been a key partner. On the education front, some schools now offer study in this field (e.g. Carnegie Mellon University has a whole laboratory devoted to usable privacy and security).

As we and others investigate and mature this discipline, it’s important to leverage the great work that has already been done and to find ways to collaborate. The End to End Trust discussion is one such forum for engaging in that dialog.

Our ability to make good trust decisions starts with a trustworthy system. As the End to End Trust vision states, we need to build in trust from the bottom up (i.e. a trusted stack), and it will take a global village to harden critical infrastructure components like the Internet. Identifying and deploying common metaphors for establishing trust relationships and making trust decisions will help reduce the learning curve for users and enhance the overall safety of consumers and enterprises. It’s critical we continue to improve TUX, the last two feet of End to End Trust.