Microsoft Privacy & Safety : Peter Cullen

Peter Cullen on Privacy Accountability

Microsoft Privacy Team — Wed, 04 Nov 2009 22:23:00 GMT

Peter Cullen here. The concept of “accountability” has certainly become a recent catch-cry in the wake of the global economic crisis but it has long been an established principle of privacy and data protection. In fact, the concept was first established...(read more)

Statement by Peter Cullen on the Spanish Data Protection International Standards Proposal

Microsoft Privacy Team — Thu, 29 Oct 2009 16:11:00 GMT

In the first week of November, hundreds of representatives from government, industry and civil society will be descending upon Madrid for the 31 st International Conference of Data Protection and Privacy Commissioners to discuss a range of issues related...(read more)

Data Privacy Day – Focus Group Findings

Microsoft Privacy Team — Wed, 28 Jan 2009 18:39:00 GMT

Today the United States, the European Union and Canada are celebrating Data Privacy Day, which is dedicated to educating people about online privacy protections. To commemorate the day, Microsoft commissioned focus group research examining consumer perceptions...(read more)

Peter Cullen talks privacy at the Churchill Club

Microsoft Privacy Team — Wed, 29 Oct 2008 19:52:00 GMT

Peter Cullen, Chief Privacy Strategist at Microsoft, spoke at a forum September 8, 2008 at the Churchill Club in California. During the forum, “Personalization versus Privacy: Balancing Business and Customer Interests,” Peter addressed how Microsoft builds privacy into Microsoft products.

Peter Cullen discusses building privacy into Microsoft products (4:41)

Peter Cullen talks about data retention, on the future of privacy (3:12)

-- David Burt

Moving Information Across Borders: The Need for a Global Accountability Framework

Microsoft Privacy Team — Thu, 16 Oct 2008 19:13:00 GMT

When it comes to data protection and privacy today, there is much discussion about the future of regulation and business practices in a globalized environment where information flows across borders like water. How will yesterday's regulatory and business accountability models evolve to help face tomorrow's data protection challenges? What would this new model look like? How would it work? How can it ensure the consumer is adequately protected?

To face the challenges of today as well as tomorrow - the growing diversification of information collection, and the global flows of this information - an entirely new model is needed, one that will require a fundamentally different type of partnership between policy-makers, regulators, business and civil society.

Why is such broad change needed? Simply put, there are three reasons:

Today's regulatory models were designed for a different era. Data flows much differently today than it did a decade ago, and it will flow much differently a decade from now.
Organizations, both public and private, have not shown enough accountability to meet the data-protection challenges of this new world.
As a result, today there is too much responsibility placed on the consumer.

The future of data protection will require much more than simply talking about the regulatory model. Yes, the regulatory framework needs substantial change. But the business accountability model must also change, along with the way business and regulatory communities engage with each other.

To get to a more acceptable point, business, government and civil society are going to have to work together in fundamentally different ways. Those who set and enforce policies must become adaptable. And at the same time, as the keepers of valuable personal information that often cuts across national boundaries, organizations must become more accountable to common standards of data protection.

The above is a small excerpt of the remarks I shared earlier today at the 30^th International Conference of Data Protection and Privacy Commissioners in Strasbourg. The entire speech is below:

Moving Information Across Borders
The Need for a Global Accountability Framework
By Peter Cullen

The Need for Change

Why is such broad change needed? Simply put, there are three reasons:

Today's regulatory models were designed for a different era. Data flows much differently today than it did a decade ago, and it will flow much differently a decade from now.
Organizations, both public and private, have not shown enough accountability to meet the data-protection challenges of this new world.
As a result, today there is too much responsibility placed on the consumer.

Today, business models that involve vast and diverse data flows - once reserved for large organizations - are being used by small and medium enterprises and even consumers, who choose for themselves where their data goes. These business models are being enhanced to provide greater value, which often means data is dispersed around the world. The flow of data is also being enabled and affected by other factors, such as the increasing number of devices that connect with each other, and the emergence of "cloud computing," which creates mirrored data around the world. Today, information flows are truly global.

The terms "privacy" and "data" are also changing. Formerly, "data protection" was limited to such things as name, address and credit card number. Today there is a range of other information to be considered, such as IP addresses and other unique numbers associated with the Web 2.0 world.

Today, there are more players in the field, and new entrants to the market, such as advertisers, who until recently would not have thought of themselves as part of the data protection schema.

The diversity of these challenges is compounded by the diversity of new threats, often through new vulnerabilities targeted for exploitation by criminals, making the entire picture infinitely more complex than it was just yesterday.

What does all this mean to organizations? What does this mean for consumers, in a world where the ultimate criminal "prize" is personal information? What does the current "notice and consent" model provide for consumers who have to wade through the complexity of broader data use and the real threats of today?

Clearly a new level of transparency and accountability is needed. After all, today's organizations have shown time and again that they cannot effectively protect data as evidenced, for example, by the large number of data breaches globally. As the threat landscape continues to evolve, rapidly and dramatically, there is little doubt this complex arena will continue to evolve, just as dramatically, just as rapidly, over the next decade. In this new world, business accountability needs to evolve and, as well, the current regulatory model needs to change.

Harmonized Principles, Disjointed Approaches

The diversity of regulatory models around the world illustrates the challenge. There are umbrella models in the EU, Canada, Australia and New Zealand. There are patchwork, piecemeal approaches such as in the U.S. In places such as Vietnam, the Philippines, Malaysia and Singapore, and APEC countries overall, new hybrid models are emerging.

Some have said that harmonizing the principles of these different approaches is all that's needed. This is not the issue. There is a surprising overlap in their principles.

The issue is that approaches to regulation in each region are fundamentally different. Even in so-called "harmonized" markets there is a lack of harmonization.

For example, today there are more than 20 different approaches to registering data processing within the EU alone. The U.S. approach features a dizzying combination of sectoral, state and issue-driven regulation, combined with self-regulation. The spectrum of approaches to this issue is almost as diverse as the threat landscape they're trying to address, which only adds complexity to an already confusing equation.

Worse, many of the more advanced economies, including the EU, seem to believe that geographically and culturally created points of view are both sustainable and exportable. Regulatory bodies find it difficult to even recognize each other's efforts - would it be better to have no privacy law in Vietnam than to have a privacy law that does not include an "independent data protection commissionaire"?

In the face of all this change, business, policy-makers and regulators are not communicating enough to even understand today's challenges in a way that positions the industry for tomorrow. How can regulators understand new and complex business models without effective communication? How can that happen in the EU, much less in Singapore or Peru? How can businesses become truly accountable, when today accountability is not even fully described? How can this model support compliance when regulators do not have the resources to investigate and promote a viable framework? What's the incentive for all parties?

To date, attempts at figuring this out have not proven successful. Binding Corporate Rules have not been successful despite the considerable amount of time and money spent on them. The Article 29 Working Party has acknowledged these challenges and announced efforts to help, but there is yet much work to do, and it is not clear if this will be enough.

The overall model today is untenable, let alone workable in the future. In this world of more players and broadening data and its implications to privacy, a different approach is needed.

Adaptable and Accountable

Regulators must be open to thinking about new regulatory models that are not rooted in historical, traditional points of view. Regulators must understand not only today's and tomorrow's data flows, but also what's going to be required to make business more trustworthy. This can only be accomplished by inviting broad participation from all stakeholders, including civil society, to engage in a level of global partnership that has not occurred in the past.

Developed economies must work in cooperation - and compromise - with developing economies, recognizing how cultural, legal, economic and business climates differ - and what each entity is facing regarding information protection and privacy.

Regulators must work closely with businesses to define their role, their responsibilities and what accountability means in the new information age. What are the standards? How can they create an atmosphere of mutual trust? Is it certification? If so, is it self-certification, or perhaps a regulatory body using a Trustmark agency to validate compliance - in effect expanding the regulator's resources?

Underneath those options lies a fundamental need to define what it means to be accountable, and to develop a system that helps ensure compliance - a system built on mutual recognition, and on growing mutual trust. The ultimate goal is to improve transparency between organizations, regulators and policy-makers.

Building for the Future

So is anyone getting this right today? The APEC privacy initiative is as close as anyone has come to this kind of cross-border engagement. In APEC there is an attempt to address the challenges of cross-border data flow with an ethic of mutual recognition, where more developed economies work inclusively with developing ones.

The APEC privacy initiative represents progress in two ways. Number one, the inclusion and mutual recognition of varying economies, capabilities and cultures. Number two, a process that takes the best of existing regulatory models, focuses on the challenge of cross-border data flows and business responsibility, and works to create a privacy framework that works for everyone.

Outside of APEC, a group of like-minded experts under the leadership of the Irish Data Protection Authority, Billy Hawkes, will explore the components of organizational accountability in 2009. As with changes to the regulatory approach, the model for organizational practices needs to change if business is to be seen as trustworthy.

Ultimately, this challenge is beyond regional. This is not about meeting directives doled out from one part of the world to create another, standalone, regional solution. This is global. This challenge belongs to all, and therefore everyone needs to be sitting at the table.

Without the kind of broad partnership and coordination demonstrated by APEC on a global scale - without mutual recognition - more of the same limited, regional regulatory approaches will be developed. The result will be even more complexity in the regulatory ecosystem, and this complexity will remain the industry's greatest vulnerability.

By pursuing "more of the same," protection for the people that matter most will degrade rather than improve, because whether these problems are fixed or not, the flow of information globally will continue, and it will grow. If business and government fail to adapt and evolve, the ability to protect data worldwide will gradually erode. These problems cannot be solved immediately, but something must be done now, with cooperation and collaboration from all stakeholders.

Microsoft Accepts Second Privacy Seal from Prestigious Germany Authority

Microsoft Privacy Team — Tue, 04 Sep 2007 12:15:00 GMT

Peter Cullen, Microsoft's Chief Privacy Strategist, here ...

Microsoft maintains a strong focus on providing our customers with products and services that they can trust – because trust is vital to the success of our business. And we believe that to secure trust, we must safeguard the privacy of our customers’ personal information. So, it is essential that we constantly think about privacy. That is why we have put in place an internal structure that helps us to look at privacy holistically – throughout all of Microsoft. For products that our customers use, we think about privacy from conception, to design, to implementation. The Microsoft Security Development Lifecycle (SDL) helps us to make our products more secure and more private at every step of the process.

But our commitment doesn’t end with us. To ensure that we are living up to our own high standards, we also seek third-party audits for some of our products and services. By submitting to a rigorous inspection of our policies and our processes, our goal is to provide the level of transparency that our customers both desire and deserve. When it’s said and done, the audit process helps us to gain an outside and unbiased perspective on our products’ privacy levels and gives an added level of assurance for our customers.

On Monday, Sept. 3, in Munich, we accepted a privacy seal for the Microsoft Windows Genuine Advantage Program (WGA) for Windows XP from German privacy authority, Unabhängigen Landeszentrum für Datenschutz Schleswig-Holstein (ULD), which is recognized the world over for its exacting high standards for privacy protection. The ULD awarded the seal to Microsoft after we submitted to and underwent a thorough legal review, as well as technical confirmation of how all data is collected and stored. This extremely detailed audit, conducted by independent auditor TÜViT, attested that our policies and practices are in line with those required by ULD standards. In addition, the audit also entailed a review of all WGA services relating to Windows XP and a review of all technical and functional specifications combined with a demonstration of all security measures and data access protocols.

This is not the first privacy award that we have received, in fact, Microsoft Update Service 6.0 and Windows Server Update Service 2.0 also received a privacy seal from the ULD earlier this year. And the Microsoft Phishing Filter has undergone a thorough review by the auditing firm Jefferson Wells – which noted full privacy compliance. But we are excited to receive the ULD seal for WGA, because it serves to underscore our commitment to provide products that reflect our customers’ desire to protect their personal information and to control the flow of that information.

So for us, it is gratifying to have our efforts recognized by such a prestigious body; but it is even more gratifying that our customers can be confident that we are meeting high privacy standards.

The security and privacy landscape is rapidly evolving, with new threats emerging every day. That is why we take the implementation of and adherence to privacy protocols so seriously. That is why we take the extra steps to let our customers know that Microsoft is committed to meeting some of the highest privacy thresholds in the world.