After the recent row kicked up by a Microsoft antipiracy tool, Cullen was selected to help undo the PR damage and mend fences with upset customers.
The controversy stemmed from Microsoft's failure to make the proper privacy disclosures with its antipiracy tool. It didn't disclose that the software connected to a Microsoft server after each start-up, which irked users and had one critic.
Cullen, Microsoft's chief privacy strategist, has been very involved with the issue and readily admits that the software maker. The flap puts him on the front line, rather than his usual role behind the scenes.
For the most part, Cullen, who came from the Royal Bank of Canada in Toronto, is happy with his role at the software giant. He works on things such as guidelines for developers and privacy policies.
Like other Microsoft employees, Cullen, who calls Vancouver home, is proud of having an impact at the Redmond, Wash., software giant. He's working to make long privacy policies a part of history and helping to make Windows Vista the most privacy-sensitive operating system Microsoft has ever built.
CNET News.com sat down with Cullen on Thursday at the Computer History Museum in Mountain View, Calif., after he participated in a panel discussion on privacy and technology.
Q: What would you say the biggest difference is between working at Microsoft and working at a bank?
Cullen: The dilemmas--think of Windows Automatic Updates, as one. You could make an argument that, for the good of the user and even the good of the ecosystem, Automatic Updates should be turned on by default. People should have patched machines. But that would be contrary to our belief about user control; users need to have a choice.
In the three years that you have been at Microsoft now, what do you think is the single most important thing you've been able to achieve?
Cullen: , into the way the company does business. For example, we now have a very prescriptive set of privacy standards that guide the development of all products and services that's integrated into the development process, as opposed to having it as a standalone checkpoint.
Is there one thing that you've done that millions of people worldwide will have seen?
Cullen: The best example is the way we've . We were probably one of the first companies to implement the short form, or layered form, of privacy notice. In the case of MSN, that means that 250 million people have access to a much more streamlined privacy notice. That has since been expanded to all online services, and Microsoft Office 2007 will be one of the first boxed products that comes out with a layered, or short form, privacy notice.
This short form is because longer forms are simply impossible to read?
Cullen: In the spirit of trying to be very upfront and include everything, privacy notices have become incredibly long. The previous MSN notice was 13 pages long--that's a lot to ask anybody, to read it. Users want to know very specific information, so the answer was to put those specific things into an executive summary of a single page.
Q: Microsoft has been under fire recently for
Cullen: Yes. We spent a lot of time focusing on the type of disclosure and type of notice around validation. That is really the part where the user's information, at least the system information, is . We didn't spend the same amount of time on the notification side of it, which really transmits no information about the user back to Microsoft.
It's important to go back to the fundamental goal of Windows Genuine Advantage and the risk of pirated software. A lot of people believe that it might be about the revenue, but in actual fact, it is about the security and privacy of the users. Some research that we've done finds that malware (malicious software) is a lot higher on pirated software, so we really are trying to make sure that users really have the opportunity to protect themselves.
WGA Notifications was found to ping Microsoft every day. Do you feel that should be disclosed to users?
Cullen: We have a basic promise that we will be as transparent as possible. In this case, we've spent a lot of time on the Windows Genuine Advantage Validation part that really transmits information and neglected the area of Notifications.
Microsoft has a big push for online services. Everything is going "Live." Is there a difference between online and offline when it comes to privacy?
Cullen: We're to the same set of standards around privacy as more traditional products. Also, think about that even though software sits on your computer, it's still connecting to the Internet.
Windows Error Reporting, for example, has privacy built into it. When there is a problem with the system we want to know about that, because it is perhaps the only way that we can fix it. But we also understand that you need to have the choice about whether the information is sent. So, before it gets sent, you have to affirmatively say "please send."
So there is no need for special guidelines for online services?
Cullen: When we built the privacy standards, we thought about it in terms of products, and we also thought about it in terms of services, so it applies to every single one of our Web pages.
Is there much debate, or do you have to fight for certain things when you're working with product teams? Are there certain things that you really have put your foot down over?
Cullen: One of the most gratifying things about Microsoft is privacy is a core tenet of the company. It's part of the Trustworthy Computing Initiative, which was . I find privacy is actually a forethought as opposed to an afterthought. There are situations where we do provide counsel, but usually it is because the business unit really wants to do the right thing.
Cullen: That gets back to the standards that we've built right into the product. Vista went through the entire , which means that privacy is built right into it.
You don't often have to slap people for doing something bad, related to privacy?
Cullen: It hasn't been my experience, no.
Maybe the WGA Notifications flap is the only example?
Cullen: We've spent a lot of time on parts of that, and we'll . My experience is that people absolutely want to do the right thing all the time. In our company, there are over 350 people that have responsibility for privacy as part of their job, so it's a marvelously rich infrastructure that's inculcated right into the business unit.