As Microsoft's chief privacy strategist, Cullen is a proponent ofplaying a big role in helping customers realize the potential of technology.
For a high-profile company like Microsoft, that means ensuring confidential user information is well-protected, and giving customers the ability to.
In an interview with CNETAsia, Cullen discussed how the software giant is helping to block more than 3 billion spam messages a day and explains why the company chopped its 13-pagenotice to a single page.
Q: When Singapore first established a credit bureau, it sparked a heated debate about the loss of privacy. Before your current role as Microsoft's privacy officer, you held a similar role at the Royal Bank of Canada. Based on your experience, how do you balance a company's need for information and a
Cullen: In many different scenarios, customers are looking to capitalize on the benefits that information flow creates for them, while at the same time to minimize their risk (exposure). So in a credit exchange, they want to know their information is being protected and used appropriately, and they have control over it.
When our customers interact with our products, it's exactly the same. They want to know their information is protected, that the product does a great job of protecting the information, that they have control over how their information is used (in terms of what information is given to Microsoft) and they have some choices over what information gets collected.
We do that through a number of different ways. One is (to provide) very clear and prominent notices that explain to our customers exactly what happens to their information, how it's collected and what it's used for.
But do people really read privacy notices?
Cullen: What's happened with a number of companies over the past several years is that in a desire to become transparent and accountable, privacy notes have become very long. So we recently made some changes in MSN, where the privacy note was once 13 pages long. That's great for users because there's a lot of information, but it's very difficult to read.
So we created "short notices," which present privacy notices in layers. All the key information that customers want is on a one-page screen, and they always have the option to look at the longer form. By the end of this month, all MSN sites worldwide will have short notices.
Is this the best way to increase awareness about the need to read privacy notes?
Cullen: We think about it on two different levels. Anytime you want to see the privacy statement, you can click on it at the bottom of the page.
We also make it very obvious through that, which we call first-run experience. The best example is the Windows Media Player where even before you install it, the very first screen you get is a privacy note. It talks about what the product does, how it connects to the Internet, what information it exchanges with the Internet, and what choices the user has. In that case, some of the options are pretagged and the users can untag them. And in other cases, users have to physically opt into the services they want.
We think it's important to be very upfront and also to put it into context for the user, which is why the first-run experience is so important.
When we launched Windows Service Pack 2 last September, we became the first operating system to have a privacy statement in there. To date, over a million people have clicked on that privacy statements. So I think there's a growing awareness that users are interested in their privacy.
Data privacy, however, hasn't really been a priority for many governments in Asia. Do you think this could get in the way of e-commerce adoption, for example?
Cullen: Asia is a diverse region. The penetration of broadband and Internet use is high in countries like Singapore and Korea, whereas in other emerging economies in Asia, PC use and Internet use are not as predominant. That's perhaps one reason why privacy legislation has been slow to pick up in this region.
What I think you'll see, as evident in the establishment of the Asia-Pacific Privacy Framework that all countries in this region have now signed up for, is the recognition that the free flow of information provides tremendous value to users and businesses, and therefore the economy.
What I think they're also starting to understand is this benefit-and-risk tradeoff. If you want to realize the benefits of free information flow, you need to manage the risks that this information flow sometimes creates.
So I think what you'll see, like in many other parts of the world, legislation starts to grow principally because it's about making sure the economic benefits of technology, information flow and the Internet in general are fully realized.
Do you think legislation will help combat spam?
Cullen: In the United States, there were some 3,000 privacy bills that were introduced last year at the state and federal levels. And many of them were technology-based bills, as opposed to behavior-based bills. Where that can lead to problems is, we sometimes run the risk of creating legislation that inhibits the growth or value of technology.
We advise that authorities be very careful with legislation, which can have an extremely important role to play but needs to be done carefully. We need to be careful that we create laws that are reasonable and fair, but most of all, we have the ability to enforce them.
Microsoft Chairman Bill Gates predicted that spam will be history by 2006. Do you think we'll ever see that day?
Cullen: I think we're making some great progress. For example, today the SmartScreen technology that's resident in MSN and Outlook is blocking over 3 billion pieces of mail per day. So this is spam that's not even reaching users' mailboxes. Some of our users of those products have experienced as much as a 90 percent reduction in spam. So we're getting better at it.
Gates proposed the concept of charging for e-mail. Is that going to be a viable solution against spam?
Cullen: It was probably not clearly understood (back then) what we meant by charging. We were describing the concept of changing the economics for the spammers.
Currently, a spammer needs to only get a response of about 0.001 percent of the mail they send out to make money. But if you increase the cost of sending the mail, it adds to the problem (for them). Let's take the example of Dictionary attacks where they randomly pick names or register en masse for Hotmail services. If we put a kind of barrier in front of that which requires some form of human interaction, say, to answer a test question, then a computer can't sign up for 10,000 e-mail accounts at one time.
That's an example of a computational cost that can help prevent spam.
So it may not necessarily be a monetary cost?
Cullen: Absolutely. If it now costs the spammer three servers, instead of one, to handle all the work, you're increasing the cost and, therefore, changing the economic proposition for the spammer. This makes it more difficult for them to do their business. So that's what we really meant in terms of (charging for) the cost of mail.
There's this urban legend that Microsoft, through its automatic software update tool, looks through a personal computer to check for illegal software downloads. Can you clear this up once and for all?
Cullen: We understand that that's a concern, but our interests are about ensuring that people have the most protection for their computers. It's not really important to us what they have on their computers at all. Not only does that not happen, we've established links directly to the privacy notice within the automatic update, so the user always has the ability to look at exactly what the system is doing.
Eileen Yu of ZDNet Asia reported from Singapore.