Microsoft's balancing act

The company is spending February auditing its software for security flaws and putting more than 8,500 developers through training in secure programming. At the same time, it is focusing just as seriously on the closely related issue of data privacy, an area in which analysts and watchdog groups give it mixed grades.

The software maker is aiming to ensure that its existing privacy policy is airtight and that any changes in software or Web site security don't infringe on the privacy of customers' data, said Richard Purcell, Microsoft's director of corporate privacy. The company's privacy policy extends to customers registering Microsoft software, or to those signing up for the MSN Internet service or the Passport authentication service, Purcell said.

Security and privacy are tightly linked. The better the security of Microsoft's products and Web sites, the less chance customers' private data will be exposed. The company's security audit is supposed to help it find weak links, but problems could still exist.

Just last week, for example, Microsoft scrambled to plug a security hole in its MSN Messenger software that introduced a potential privacy problem. The hole allowed any Web site to grab a visitor's instant-messaging nickname and buddy list, meaning a malicious intruder could in theory assume someone's identity or intercept private communications.

Sometimes Microsoft's best intentions to safeguard privacy are compromised by security holes. Last month, a noted security expert found that new privacy-enhancing controls in Microsoft's Internet Explorer 6.0 software were rendered useless by a security flaw in the company's Media Player software.

The privacy push is as much about policy as it is about technology. Like many large companies, the Redmond, Wash.-based software maker has a chief privacy officer--Purcell--responsible for setting and enacting policies for handling outside data. Microsoft long ago put into place extensive privacy policies that dictate how the company collects personal information, what information is appropriate to collect, and what control consumers or businesses have over the collected data.

Still, for all of its efforts to establish sound privacy policy and build privacy protection into its software services, Microsoft is constantly questioned about its intentions.

"Microsoft can't win for losing," said Fran Maier, executive director of Truste, a San Jose, Calif., nonprofit organization that certifies companies' privacy policies. "They try to do all the right things, but people always wonder about their motivation. Even if they were perfect, there would be criticism."

The software giant faces two hurdles when it comes to privacy. One is a widespread suspicion that it abuses personal information. The other stems from efforts to increase the data security of its software.

If urban myths are to be believed, Microsoft collects all kinds of personal data through its Windows XP Product Activation feature, and the U.S. government settled its antitrust case in exchange for access to Windows' back doors for use in fighting terrorism.

There's no evidence that Microsoft is involved in anything so nefarious, and the company has consistently denied any malicious intent. Still, the rumors persist, and that's a big problem for Microsoft, analysts say.

"The problem is one of perception," said Technology Business Research analyst Bob Sutherland. "There's no question about this Big Brother myth surrounding Microsoft and the sense they can't be trusted to protect users' privacy."

The .Net threat
The notion that Microsoft has secret access to all kinds of personal information--or that it uses personal information in ways not expected by consumers--could be the undoing of the company's .Net software-as-a-service strategy, Sutherland said. Unless Microsoft can dispel the sense of an Orwellian menace, people aren't going to trust that their information will be protected using services like Passport, which is key to .Net.

A recent string of security breaches in Microsoft's products--including the Windows XP operating system, the Mac Office suite, the Excel and PowerPoint applications, and the Internet Explorer browser--doesn't help the company's case. These problems could give consumers and businesses good reason to worry that their personal information might inadvertently be made public.

In this area, analysts warn, Microsoft has much work to do, particularly if .Net Web services are to be successful.

"Their heart seems to be in the right place," said Kate Rears, a policy analyst with the Washington-based Electronic Privacy Information Center (EPIC). "They have extensive privacy policies for the products that they put out. But the unfortunate circumstance seems to be they've had some security breaches with their large, (widely used) products."

Purcell is adamant that Microsoft is serious about protecting the personal information that's collected daily. That seriousness, he says, starts with a sound policy on privacy, in five main areas: notice, choice, access, security and enforcement.

In the matter of notice, Microsoft is supposed to disclose to consumers or businesses the kind of information it collects and to explain how the data will be used.

"Choice means that when data is being used for other purposes than the purpose you gave to me, you get a choice to say, 'Yes, please,' or, 'No, thank you,'" Purcell said. "You get a choice of opt out or opt in."

Access means that consumers and businesses can modify or change the data collected about them, while security pertains to protecting data or transactions from unauthorized access, corruption or loss.

"Enforcement indicates we watch over ourselves internally and make sure we are complying with these rules," Purcell said. "We also have third-party monitoring. We're a licensee of Truste, and they watch over and provide alternative dispute resolution in case a problem can't be resolved."

Like other large companies conducting business on the Internet, such as AOL Time Warner and CNET Networks, the publisher of News.com and ZDNet News, Microsoft posts a privacy policy on its Web site. The software giant has also incorporated into Internet Explorer 6 the Platform for Privacy Preferences (P3P), a feature that helps track Web sites' privacy policies and gives consumers greater control over what information they reveal.

The need to educate
But in the case of Microsoft, simply posting a privacy policy may not be enough to dispel the sense of Big Brother or to convince consumers that their personal information will be safeguarded.

"Microsoft's battle is educating the user population about what information they are collecting and why," Sutherland said. "They have to be much more proactive," if for no other reason than the dot-com meltdown a year ago, when some bankrupt start-ups sought to sell personal data they had collected, he said.

"There were a lot of questionable ethics" at that time, Sutherland said. "There were companies that promised information wouldn't be shared, and then it was. Microsoft is being painted with the same brush. People figure Microsoft will do whatever they can do to influence their users...If they didn't plan to use it, why collect that information?"

The inconsistency in privacy policies among companies and the risk of unwanted disclosure are part of the reason EPIC wants lawmakers to step in. "That's why we and other security advocates would argue for legislation, particularly over e-commerce, that would create a standard," Rears said.

Microsoft in some ways has been its own worst enemy. Early customers installing Windows XP were confronted with a new anti-piracy mechanism that contacted the company via the Internet to "lock" the software to the hardware. But optional product registration that followed immediately after activation bred worries that Microsoft was building a database of user information.

"Product Activation does not collect any personally identifiable information," Purcell said. "It's only voluntary. It collects the country and the 'hash code,' or value that is unique to your system."

Still, other Microsoft product features create opportunities for revealing personal data that could give consumers cause for concern. Windows XP uses a bug report feature that optionally sends a report to Microsoft via the Internet after a program crash. That report forwards data dumped from memory, some of which could contain personal information.

Microsoft also has backpedaled on some aspects of privacy. Concerns about the wording of its Passport privacy policy forced the company to revise the policy last year. The original policy granted Microsoft enormous control over customer communications.

Ironically, privacy organizations say that Microsoft does stand above its peers when it comes to trying to safeguard personal information, despite the public's suspicions.

"They are very committed in a very clear way to privacy," Truste's Maier said. "They are always pushing for higher standards, and I would say their policy is better than the average right now."

Going the extra mile
Even EPIC, which has harshly criticized Microsoft regarding Passport, says the company has good privacy policy. But good is not good enough, at least for Microsoft, Rears said.

EPIC has filed two complaints with the Federal Trade Commission about Passport privacy and security, last month also sending a letter to state attorneys general warning of potential problems with the authentication service.

"Microsoft is so ever-present, and just about everybody uses something from Microsoft," Rears said. "If they're going to be out there on that large scale, they need to make sure their privacy policy just isn't OK. It has to be superb; it has to be the best. If Passport is going to have 200 million users, they've got to take the extra measure to protect people."

For this reason, the ongoing security problems are a serious privacy concern, Rears warned. She praised a recent companywide e-mail sent by Microsoft Chairman Bill Gates urging that security be a top priority. "It's a good start," Rears said.

Microsoft's challenge is the same as that facing other companies trying to offer services that are easy to use but also secure, Sutherland said. "I think a lot of consumers have given up on this one," he said.

Purcell conceded that this is an area of great concern and one that Microsoft will be looking at as it refines its Web services strategy.

"You've got to make it as easy as you can to implement it, but if you make it too easy, it's easy to overcome," Purcell said. "If you make it too hard to overcome, then it's too hard for the (customer) to use. Ease use in some ways works against security. You can make it really, really secure, but people aren't going to be able to get to it."

The results of Microsoft's newfound emphasis on security and privacy won't be apparent for some time. Analysts and other observers expect more fine-tuning, however.

"We'll know in a month," after the internal security review, Sutherland said.