Putting privacy first at Microsoft
Chief privacy strategist Peter Cullen discusses Windows Vista, Microsoft's online endeavors and the WGA Notifications flap.
After the recent row kicked up by a Microsoft antipiracy tool, Cullen was selected to help undo the PR damage and mend fences with upset customers.
The controversy stemmed from Microsoft's failure to make the proper privacy disclosures with its Windows Genuine Advantage Notifications tool. It didn't disclose that the software connected to a Microsoft server after each start-up, which irked users and had one critic liken the tool to spyware.
Cullen, Microsoft's chief privacy strategist, has been very involved with the issue and readily admits that the software maker dropped the ball on WGA Notifications. The flap puts him on the front line, rather than his usual role behind the scenes.
For the most part, Cullen, who joined Microsoft three years ago from the Royal Bank of Canada in Toronto, is happy with his role at the software giant. He works on things such as guidelines for developers and privacy policies.
Like other Microsoft employees, Cullen, who calls Vancouver home, is proud of having an impact at the Redmond, Wash., software giant. He's working to make long privacy policies a part of history and helping to make Windows Vista the most privacy-sensitive operating system Microsoft has ever built.
CNET News.com sat down with Cullen on Thursday at the Computer History Museum in Mountain View, Calif., after he participated in a panel discussion on privacy and technology.
Q: What would you say the biggest difference is between working at Microsoft and working at a bank?
Cullen: The dilemmas--think of Windows Automatic Updates, as one. You could make an argument that, for the good of the user and even the good of the ecosystem, Automatic Updates should be turned on by default. People should have patched machines. But that would be contrary to our belief about user control; users need to have a choice.
In the three years that you have been at Microsoft now, what do you think is the single most important thing you've been able to achieve?
Cullen: Integrating privacy into the process, into the way the company does business. For example, we now have a very prescriptive set of privacy standards that guide the development of all products and services that's integrated into the development process, as opposed to having it as a standalone checkpoint.
Is there one thing that you've done that millions of people worldwide will have seen?
Cullen: The best example is the way we've radically changed privacy notices. We were probably one of the first companies to implement the short form, or layered form, of privacy notice. In the case of MSN, that means that 250 million people have access to a much more streamlined privacy notice. That has since been expanded to all online services, and Microsoft Office 2007 will be one of the first boxed products that comes out with a layered, or short form, privacy notice.
This short form is because longer forms are simply impossible to read?
Cullen: In the spirit of trying to be very upfront and include everything, privacy notices have become incredibly long. The previous MSN notice was 13 pages long--that's a lot to ask anybody, to read it. Users want to know very specific information, so the answer was to put those specific things into an executive summary of a single page.
Q: Microsoft has been under fire recently for a program called WGA Notifications that connected to a Microsoft server every time a PC starts up, which was not disclosed. Are you aware of this?
Cullen: Yes. We spent a lot of time focusing on the type of disclosure and type of notice around validation. That is really the part where the user's information, at least the system information, is being transferred back to Microsoft. We didn't spend the same amount of time on the notification side of it, which really transmits no information about the user back to Microsoft.
It's important to go back to the fundamental goal of Windows Genuine Advantage and the risk of pirated software. A lot of people believe that it might be about the revenue, but in actual fact, it is about the security and privacy of the users. Some research that we've done finds that the incidence of malware (malicious software) is a lot higher on pirated software, so we really are trying to make sure that users really have the opportunity to protect themselves.
WGA Notifications was found to ping Microsoft every day. Do you feel that should be disclosed to users?Cullen: We have a basic promise that we will be as transparent as possible. In this case, we've spent a lot of time on the Windows Genuine Advantage Validation part that really transmits information and neglected the area of Notifications.
Microsoft has a big push for online services. Everything is going "Live." Is there a difference between online and offline when it comes to privacy?
Cullen: We're building online services to the same set of standards around privacy as more traditional products. Also, think about that even though software sits on your computer, it's still connecting to the Internet.
Windows Error Reporting, for example, has privacy built into it. When there is a problem with the system we want to know about that, because it is perhaps the only way that we can fix it. But we also understand that you need to have the choice about whether the information is sent. So, before it gets sent, you have to affirmatively say "please send."
So there is no need for special guidelines for online services?
Cullen: When we the built the privacy standards, we thought about it in terms of products, and we also thought about it in terms of services, so it applies to every single one of our Web pages.
Is there much debate, or do you have to fight for certain things when you're working with product teams? Are there certain things that you really have put your foot down over?
Cullen: One of the most gratifying things about Microsoft is privacy is a core tenet of the company. It's part of the Trustworthy Computing Initiative, which was proclaimed by Bill Gates four-and-a-half years ago. I find privacy is actually a forethought as opposed to an afterthought. There are situations where we do provide counsel, but usually it is because the business unit really wants to do the right thing.
Windows Vista is coming down the pike, and Microsoft is touting it as its most secure operating system. Is it also one of the most privacy-centered operating systems?
Cullen: That gets back to the standards that we've right built into the product. Vista went through the entire Security Development Lifecycle, which means that privacy is built right into it.
You don't often have to slap people for doing something bad, related to privacy?
Cullen: It hasn't been my experience, no.
Maybe the WGA Notifications flap is the only example?
Cullen: We've spent a lot of time on parts of that, and we'll do a better job of the rest of it. My experience is that people absolutely want to do the right thing all the time. In our company, there are over 350 people that have responsibility for privacy as part of their job, so it's a marvelously rich infrastructure that's inculcated right into the business unit.