Microsoft Privacy & Safety : Privacy Community

Peter Cullen on Privacy Accountability

Microsoft Privacy Team — Wed, 04 Nov 2009 22:23:00 GMT

Peter Cullen here. The concept of “accountability” has certainly become a recent catch-cry in the wake of the global economic crisis but it has long been an established principle of privacy and data protection. In fact, the concept was first established...(read more)

Data Privacy Day – Focus Group Findings

Microsoft Privacy Team — Wed, 28 Jan 2009 18:39:00 GMT

Today the United States, the European Union and Canada are celebrating Data Privacy Day, which is dedicated to educating people about online privacy protections. To commemorate the day, Microsoft commissioned focus group research examining consumer perceptions...(read more)

Recent Research Commissioned by Microsoft on Data Governance and Role Collaboration

Microsoft Privacy Team — Tue, 27 Nov 2007 01:38:00 GMT

Hi, I am Brendon Lynch, Director of Privacy Strategy in Microsoft’s Trustworthy Computing group. Among other things, my team’s work includes engagement with external privacy stakeholders and advising Microsoft product groups on data governance strategies.

I wanted to highlight some interesting research we recently conducted which explores how different roles within organizations are collaborating to protect personal information.

As you are probably aware, there is a lot of concern about personal information today. Research, including the latest edition of Microsoft’s Security Intelligence Report, shows that criminals are increasingly targeting personal information for financial gain. Other research shows that consumers are expressing concerns about shopping and banking online. We are also observing a seemingly endless string of reports of data breaches.

In response to these concerns, many organizations in both the public and private sectors are investing in people, process and technology to better govern the data they collect and manage. Looking at the people dimension of data governance, three important roles within organizations that standout are information security professionals, the data collectors and users (e.g., marketers) and privacy professionals (the newest role to emerge). We thought it would be interesting to explore how these roles are working with each other (or not!) to address data governance.

Our survey of over 3600 professionals across these three roles, and across three countries (USA, UK and Germany), was conducted by the Ponemon Institute and provided some very interesting results, including:

· Marketers consult security and privacy professionals a lot less often than security and privacy professionals think they do

· Organizations that had better collaboration between the roles reported that they had significantly less data breaches than organizations with poor collaboration

I encourage you to take a deeper look at the research results and view two related keynote presentations from Microsoft executives last month: Scott Charney, presenting to the International Association of Privacy Professionals (IAPP) annual Privacy Academy in San Francisco; and Ben Fathi presenting to the RSA Security Conference in London.

Trevor Hughes, executive director of IAPP and Peter Cullen, chief privacy strategist for Microsoft, also recorded a video discussing the data protection research and other challenges facing privacy professionals today.

A Privacy Call to Action

Microsoft Privacy Team — Mon, 23 Jul 2007 14:07:00 GMT

Peter Cullen, Microsoft's Chief Privacy Strategist, here ...

Today, joined by industry colleague Ask.com, we are encouraging other technology leaders, consumer advocacy organizations and academics to come together in an effort to develop global privacy principles for data collection, use and protection related to search and online advertising.

Additionally, expanding on our ongoing work to protect customer privacy, Microsoft also announced a set of privacy principles to protect the privacy of Microsoft’s Windows Live users, including making search query data anonymous after 18 months by permanently removing cookie IDs, the entire IP address and other identifiers from search terms.

I wanted to take a moment to focus on two important aspects of these announcements: why we believe industry needs to establish a set of global privacy principles, and why we believe it is important to strike the right balance between privacy and security for our users when storing search queries linkable to IP addresses.

Industry dialogue will benefit consumers

The details of data collection and use practices in the search and online advertising space are difficult enough to understand even if you are a technologist or privacy professional. So it’s probably an understatement to say that it is very difficult for most Internet users to know how, or if, their privacy is being protected. Given these services are becoming ubiquitous across the Web, it is hard for a consumer to know which companies may be logging information relating to their interactions with Web sites. Therefore, we believe it’s time for a comprehensive discussion between industry and the privacy community. Some of the topics for discussion might include ways to provide the appropriate amount of user notice so consumers can make informed choices; appropriate approaches to providing user choice relating to the use of their data, appropriate ways to secure data to protect data from unauthorized access; and an agreed upon timeframe for anonymizing search records and the method of that anonymization.

We hope others in the industry will join us in developing and supporting principles that address these important issues. People should be able to search and surf online without having to navigate a complicated patchwork of privacy policies.

Security relies on enough data to detect seasonal changes

In determining the appropriate time period before anonymiszing search queries data, we carefully examined the uses of the data that are necessary to operate our Windows Live Search service, and have concluded that 18 months of data strikes the right balance and allows us to ensure that we are providing users with relevant search results, to protect the financial integrity of our business model including being able to detect and defend against click fraud, and to help protect the security and integrity of the Windows Live Search service. For example, in order to detect and protect against security threats such as botnet attacks, click fraud, worms, and other future threats, it is necessary to create a baseline of normal traffic patterns against which to conduct the analysis. Because search patterns vary seasonally, it is necessary to look back to the same time the prior year, and several months before and after, in order to create that baseline. An even longer period would help to provide a more reliable baseline, but we believe that 18 months strikes an appropriate balance.

We look forward to engaging in a dialogue between industry and the privacy community on these matters with the goal of enabling consumers to continue to realize the benefits of technology at the same time as being confident that their privacy and security are appropriately protected. We plan to provide an update on progress in September.