Microsoft Treads Narrow Line on Privacy
Sep. 10, 2001

Microsoft’s hold on the desktop and on the client interface to the Internet gives the company a huge head start in creating profitable Web services like the HailStorm Foundation Services. But these services are based on the premise that people will store information about themselves online. Public concerns about privacy and the consequences of putting huge amounts of personal data in Microsoft’s hands require the company to lobby carefully to ensure that regulators don’t cripple its efforts; to court people with promises of privacy and advanced security for their data; and, in some cases, to lead the charge to protect personal data.

Threats to Privacy

Concerns about privacy are not new. In the 1970s, the Organization for Economic Cooperation and Development (OECD), an international economic and social policy organization, began work on privacy policies aimed at striking a balance between governments’ need for information about their populace and individuals’ right to privacy. (For a summary based on the OECD guidelines, see "Seven Principles of Privacy".)

In the business arena, the privacy debate has focused on the balance between convenience and risk. While customers like conveniences such as credit cards, which put information about their buying habits in the hands of credit card companies, few want businesses to probe deeper into their personal habits, income, and lifestyle, and even fewer are willing to let businesses sell such information to third parties who assemble mailing lists for sale. The public is especially concerned about "Big Brother" activities: surveillance of individuals by employers or insurers who can look for telling patterns of behavior in data about the individual’s location, education, gender, family, income, and purchases.

The digital age has compounded the tensions. With virtually all personal information available in electronic databases; with government-supplied universal identification numbers (such as a U.S. Social Security number) that provide unique keys for every person; and with broadband networks that can ship data around the world in a blink, smart companies can assemble detailed pictures of how consumers live. Adding up the amount of information that people reveal about themselves, implicitly or explicitly, privacy consultant Alan Westin says, "The average person today is engaged in a level of self-disclosure that is unparalleled in the history of Western civilization."

Furthermore, the Internet has made the consequences of privacy breaches much more serious. Criminals can steal an individual’s identity to conduct transactions, review other personal data, and transfer money out of accounts in seconds. In some cases (e.g., where an abusive spouse or stalker uses online directories and search engines), an individual’s physical safety can be endangered. Less serious, but affecting far more people, is obnoxious, unsolicited e-mail, much of it touting potentially offensive activities such as gambling and pornography.

One measure of the rising public concern about privacy is the sudden interest by politicians. According to the Center for Democracy and Technology (www.cdt.org), some 28 bills related to privacy are currently before the U.S. Congress—nearly double the number of two years ago. The U.S. health care industry is now gearing up for a massive effort to comply with provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which, among other things, requires companies to protect the security and confidentiality of electronic patient records and related health data. The 1999 Financial Services Modernization Act laid down new rules for financial institutions regarding their use of customer data.

Why Privacy Fears Matter to Microsoft

Microsoft has based much of its future on the premise that widespread Internet connectivity will reduce barriers to sharing and exchanging data about individuals. However, increasing fears about Internet privacy may actually raise those barriers higher.

Microsoft's .NET vision promises added convenience if users share their personal information with the company’s services and employ its software. Users can avoid typing in usernames, passwords, credit card numbers, or street addresses on Web sites by submitting data from the Microsoft-run Passport and HailStorm services, which will then share this data with participating sites at the user's discretion. (For a description of the HailStorm initiative, see "HailStorm Fulfills Crucial Roles for .NET" on page 18 of the May 2001 Update.)

Other Microsoft priorities, such as validation of terminal server licenses and invisible, electronic activation of new software, require users to send some sort of information about themselves—even if just a numerical activation key based on their hardware profile—over an active Internet connection.

Unfortunately for its plans, Microsoft now finds itself at the center of a perfect privacy storm. Groups such as the Electronic Privacy Information Center (EPIC) have filed formal complaints with the U.S. Federal Trade Commission, arguing that Microsoft’s Passport, HailStorm, and the product activation feature in Windows XP are significant infringements on personal privacy, and that they allow Microsoft to exert extraordinary control over user behavior and information on the Internet. Microsoft counters that the personal data stored in Passport is minimal, that the company does not use the data in Passport for any purpose other than authenticating users (unless users have given the company permission to do more with their data), and that Passport in fact increases consumer privacy and information security.

Regulation vs. Technology

For users to feel comfortable sharing information about themselves, they need solid assurances that it will not be misused or compromised. Microsoft is trying to steer the debate away from regulatory solutions and toward technological solutions that will impose fewer constraints—and could even generate additional revenue for the company.

Regulatory Solutions

Regulations, such as the Children's Online Privacy Protection Act (COPPA), or the rules outlined in the European Union’s (EU’s) Directive on the Protection of Personal Data, place many restrictions on the collection and distribution of data about individuals. They also attempt to place some boundaries on the Internet: the EU’s privacy directive applies to companies that do any kind of business in Europe, even if only on the Web. In the absence of an international consensus, American companies that want to work with data from European customers must sign a "Safe Harbor" agreement that applies strict safeguards to the collection of data from Europeans.

Regulatory solutions have teeth in the form of civil or criminal penalties, and they offer legislators a highly visible response to the concerns of citizens. In addition, they are theoretically free of commercial or technological biases, in contrast to industry promises that are sometimes tarred as letting the foxes watch the chicken coop.

But legislators may be moving too quickly, and their efforts could stifle the digital future, says Richard Purcell, Microsoft’s chief privacy officer.

"Privacy" is an undefined concept in many of the laws that purport to protect it, he says, and privacy regulations could put up costly legal barriers to new, engaging services.

"Today, you can walk out of a store with a new stereo on credit because it’s easy for the store to verify that you can pay the bill. We have to be concerned about crude approaches" that limit access to information and end up hobbling the very individuals the regulations are designed to protect, Purcell warns.

Nevertheless, the company has made significant concessions to meet regulatory requirements. It was one of the first to sign the Safe Harbor agreement offered by the European Community to U.S. companies willing to comply with European rules for the protection of individual privacy. The Safe Harbor regulations are not suitable for every company, but Microsoft looked at its privacy protection measures, tweaked them to make them compliant with the EU’s rules, and was able to meet the Safe Harbor requirements with little special effort, says Purcell.

P3P Heads Technological Solutions

Microsoft is a member of several industry groups that argue that technology, rather than regulation, should be used wherever possible to reduce privacy risks and give consumers control over who sees their data, when, for how long, and for what purposes. These groups are lobbying governments to keep a loose hand on privacy issues. Exhibit A among these technological solutions is the Platform for Privacy Preferences (P3P), a standard endorsed by the World Wide Web Consortium (W3C) and implemented in Microsoft's Internet Explorer (IE) 6.

Although billed by Microsoft as a way to protect individual privacy, the point of P3P is in fact to make users more comfortable sharing their information with Web sites, by giving them better information about the privacy policies of the sites they visit, and about how any information they share will be used.

P3P defines a machine-readable version of an organization’s privacy policy, including what data it collects, why it collects it, with whom it will share the data, and how long it will retain it. A P3P-enabled browser compares the privacy preferences the user specifies in the browser with the policies of the site and alerts the user to any mismatches. (For more about P3P, see the sidebar "How P3P Works" and the illustration "A P3P Exchange".)

Microsoft already supports P3P on its own Web sites, but the standard's long-term impact on privacy remains to be seen. P3P compliance is purely voluntary, and sites that misuse it or misrepresent their policies could go unpunished.

Also, given the daunting complexity of P3P’s options, the knowledge required to make intelligent choices, and the lack of documentation in IE for fine points such as "compact policies," the vast majority of users are unlikely to change Microsoft’s default settings or notice the tiny icon at the bottom of their browser window that indicates a privacy conflict. Users who do set high privacy preferences might encounter problems, such as being unable to log on to Hotmail because their preferences reject cookies.
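The preference-versus-policy comparison described above, and the "compact policy" mentioned here, can be made concrete with a small evaluator. This is an added example, not code from the article or from Microsoft's IE 6 implementation: it parses the compact form of a P3P policy (the CP="..." tokens a site sends in its P3P HTTP header) and reports where the site's declared practices conflict with a user's stated preferences. The three-letter tokens are a subset of the P3P 1.0 compact-policy vocabulary; the preference names and the sample headers are constructed for this demonstration and do not describe any real site.

```python
"""Compare a site's P3P compact policy with a user's privacy preferences.

Added example (not from the article). Token names are a subset of the
P3P 1.0 compact-policy vocabulary; preference names are invented here.
"""
import re

# Recipient tokens: who receives the collected data.
RECIPIENTS = {"OUR": "ourselves", "DEL": "delivery services", "SAM": "same practices",
              "OTR": "other recipients", "UNR": "unrelated third parties", "PUB": "public"}
# Purpose tokens: why the data is collected.
PURPOSES = {"CUR": "current activity", "ADM": "site administration", "DEV": "development",
            "TAI": "tailoring", "PSA": "pseudonymous analysis", "PSD": "pseudonymous decision",
            "IVA": "individual analysis", "IVD": "individual decision", "CON": "contacting",
            "HIS": "historical", "TEL": "telemarketing", "OTP": "other purposes"}
# Retention tokens: how long the data is kept.
RETENTION = {"NOR": "not retained", "STP": "stated purpose", "LEG": "legal requirement",
             "BUS": "business practices", "IND": "indefinitely"}
# Suffix letters say whether a purpose/recipient is required, opt-in, or opt-out;
# no suffix means "always" (required).
REQUIREMENT = {None: "always", "a": "always", "i": "opt-in", "o": "opt-out"}
# Purposes a cautious user treats as marketing or profiling (assumption for this example).
MARKETING_PURPOSES = {"TEL", "CON", "IVA", "IVD", "TAI", "OTP"}

TOKEN_RE = re.compile(r"^([A-Z]{3})([aio])?$")


def parse_compact_policy(header_value):
    """Return the CP tokens as (token, suffix) pairs; suffix is 'a', 'i', 'o' or None."""
    m = re.search(r'CP="([^"]*)"', header_value)
    if not m:
        raise ValueError("no CP attribute in P3P header")
    tokens = []
    for raw in m.group(1).split():
        tm = TOKEN_RE.match(raw)
        if not tm:
            raise ValueError("malformed compact-policy token: %r" % raw)
        tokens.append((tm.group(1), tm.group(2)))
    return tokens


def evaluate(header_value, prefs):
    """Return a list of mismatches between the site's policy and the user's
    preferences; an empty list means the policy is acceptable to this user."""
    tokens = parse_compact_policy(header_value)
    mismatches = []
    for tok, suffix in tokens:
        if prefs.get("reject_unrelated_recipients") and tok in ("OTR", "UNR", "PUB"):
            mismatches.append("data shared with %s" % RECIPIENTS[tok])
        if (prefs.get("require_opt_in_for_marketing")
                and tok in MARKETING_PURPOSES and suffix != "i"):
            mismatches.append("%s without opt-in (%s)" % (PURPOSES[tok], REQUIREMENT[suffix]))
        if prefs.get("reject_indefinite_retention") and tok == "IND":
            mismatches.append("data retained %s" % RETENTION[tok])
    # DSP declares a dispute-resolution procedure; without it the user has no recourse.
    if prefs.get("require_dispute_resolution") and not any(t == "DSP" for t, _ in tokens):
        mismatches.append("no dispute-resolution procedure declared")
    return mismatches


# A strict preference set, comparable to a user raising the browser's privacy slider.
STRICT_PREFS = {"reject_unrelated_recipients": True, "require_opt_in_for_marketing": True,
                "reject_indefinite_retention": True, "require_dispute_resolution": True}

# Constructed sample headers (not taken from any real site).
ACCEPTABLE_HEADER = 'P3P: CP="NOI DSP COR CURa ADMa DEVa OUR STP"'
RISKY_HEADER = 'P3P: CP="ALL DSP COR CURa TELo CONo OTRa UNRa IND"'

if __name__ == "__main__":
    for header in (ACCEPTABLE_HEADER, RISKY_HEADER):
        print(header)
        for problem in evaluate(header, STRICT_PREFS) or ["no conflicts"]:
            print("  -", problem)
```

Run stand-alone, the script accepts the first header and lists five conflicts for the second (opt-out-only telemarketing and contacting, sharing with other and unrelated recipients, and indefinite retention). Note what the evaluator cannot do: it only reads what the site declares, so a site that misstates its practices, the weakness the article raises, passes just as cleanly as an honest one.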

Walking the Narrow Line

Microsoft could conceivably do more to ensure privacy on the Internet—requiring all of its partners to adhere to strict privacy rules, for example—but Purcell says, "We don’t want to be the policeman or set the rules of behavior on the Internet." The company does require other Web sites that use Passport to have clear privacy policies, and in the future they will have to implement P3P. Microsoft has also responded to concerns about Passport by reducing the amount of data that it collects when users sign up for Passport and giving users more control over how their data will be shared. (See "A Closer Look at Passport".)

As for policing itself, Purcell says the company has "robust" policies in place to ensure that the company’s internal practices do not violate privacy rules. The company does not mine data collected by its services (such as MSN) to target marketing messages to individual users. The company’s Wallet technology, designed to ease purchasing of goods and services on the Internet, could be a gold mine of data about customer purchases, but the architecture of Wallet does not allow it to collect any information about individuals and their purchases, other than recording the sites that access a user’s Wallet. Microsoft keeps no records from Wallet, other than those that might be required for legal or auditing purposes, Purcell says.

For now, Purcell believes, the software industry and government must both tread carefully to protect consumer privacy without crippling the future of electronic commerce. One sign of hope is that both regulators and business are willing to distinguish between "personally identifiable information" that can be traced to an individual (such as a name or e-mail address) and "non-identifiable" information that cannot (such as a state, ZIP code, or age group). Although non-identifiable information is less specific, it is still extremely valuable for companies that want to study consumer behavior in aggregate—for example, to measure the effectiveness of new business initiatives in a particular region.

"We want consumers to be able to trust companies with personal data in ways that make sense in the context in which they deal with those companies," Purcell says.

Resources

The OECD has created a tool for developing Web site privacy policies, at http://cs3-hq.oecd.org/scripts/pwv3/pwhome.htm.

The Center for Democracy and Technology, at www.cdt.org, keeps track of current privacy legislation and other issues. Another important privacy watchdog is the Electronic Privacy Information Center, at http://epic.org.

A good summary of HIPAA issues can be found at www.hipaa-iq.com. This site is operated by a company engaged in developing and providing health care technology.

More information about Safe Harbor initiatives is available from the U.S. Department of Commerce site, at www.export.gov/safeharbor/.