As the chief privacy strategist for Microsoft, Peter Cullen has an onerous responsibility. Microsoft software routinely collects information from millions of computers around the world, quietly and often without the owner's explicit knowledge.
Harvesting this kind of private information may seem intrusive, but Microsoft claims it is done for a good reason — the more information the company has on users, the better it can protect them.
Cullen moved to Microsoft three years ago from financial services where he helped develop the industry's best practices around the collection and use of information.
ZDNet UK talked to him about ID theft, the increasing threat of phishing attacks and combating the ever-present menace of spam.
How do you differentiate your role from that of chief security officer or equivalent?
At the core definition level security is about how to keep information confidential and privacy is about the use of information. But the two are very related. Look at a phishing event. What started off as a security event — something that caused the customer’s information to be collected inappropriately — ended up with customers' information being used, perhaps for identity theft, which is a privacy issue. Around the world all privacy information has a security component to it.
On an issue like identity theft, what can Microsoft do to help people guard against that?
We approach it from a number of angles. Look at the fight against spam as an example. There were really four buckets of things we had to look at. One was technology solutions. The second is education and there are two strands. One is consumer education, so we help them by showing how to interact with online vendors and when not to. The other area that we focus on is partnerships with industry, so if we think about spam, it is about working with other industry players on ways to combat spam.
And then there is government, and in particular working with government on the law enforcement side of things, and we have launched about 120 actions against spammers, phishers and spyware purveyors around the world.
So if you think about spam, two years ago it was about marketing and offering us body-parts we didn’t need and today it is about a delivery mechanism for spyware and phishing. So we are really focusing on spyware as part of spam. Now we are focusing on phishing but it is still part of the spam problem. As we block spam reaching the user's mailbox, it becomes one less way of launching a phishing attack, which can also lead to identity theft.
What new solutions and methods do you have in the pipeline for protecting privacy?
In the next version of Internet Explorer there will be more advanced ways in which users are warned when something looks like a suspicious site.
Our philosophy around both security and privacy is to put users in control of their information. We find ways to educate users, to warn users. We put them in control by making very definite choices around things. At the end of the day, the user still retains control.
A common way in which spyware is put onto people's PCs is through something called drive-by downloads. It comes bundled with something that the user may have decided to download. What the download blocker [in XP Service Pack 2] does, is alert the user that there is something that someone is attempting to download, gives them very clear information about who it is that is attempting to do this and allows the user to make the choice. That is the way we will approach phishing as well.
There is a possible inconsistency here; if we accept that it is a bad thing to allow people to access their system routinely why does Microsoft software do this all the time?
You can argue that today, with the need to have secure computers, the need to provide patches and the need to provide updates means that any system in today’s ecosystem should be patched automatically.
The other argument is that users should always retain control over what is coming onto their PC. The way we dealt with that is with automatic updates which became a much easier feature in Service Pack 2. The user, right at the time of installation, is asked to make choices, such as do they want automatic updates turned on, do they want it automatically installed, do they want to be informed. They were informed and the result of that is that close to 98 per cent of them chose to turn automatic updates on.
But isn't it the case that you are asking people to make informed choices when they don't necessarily understand what the choices are?
We approach this in a number of ways. What has happened is the desire to provide clear, all-encompassing information. Privacy notices are becoming too long. A year ago we launched an initiative to make them much more readable and appealing to customers. The result was a short, or layered, privacy notice that means all the key information is on one page.
That is one approach, the other one is something we call "just in time". If we look at Windows Error Reporting today, and the multitude of different applications that people run on their PCs, there are conflicts. It is really important that we have that information so that we can work with the other providers to solve those compatibility problems, but we are also very sensitive that users don’t always want someone automatically sending information back to their PCs, so Windows Error Reporting asks for permission to send information back to Microsoft. I call that 'just-in-time consent'. We provide users with information and control.
What is the single biggest issue facing privacy? Is it phishing?
It is really tough to identify one big issue. Spam used to be about marketing, now it is about delivering spyware and phishing. A year ago the term phishing didn't exist. Spyware, a year ago, was about tracking where users went for the purpose of feeding them ads. Now it is about keystroke loggers being put on people's PCs.
Take spam. We block 3.2 billion pieces of spam per day across MSN and Outlook but still 65 per cent of the world's email is spam. That’s why we felt that the whole Sender ID framework was good and now, 25 per cent of the mail that MSN receives has the Sender ID framework. So that means we can now focus on the 75 per cent, as opposed to the whole 100 per cent. Collectively, all of these things allow us to really narrow the funnel down so that we can really focus on the bad people.
Do you think that the chip-and-pin initiative in the UK and elsewhere is the way to go forward with privacy?
Chip-and-pin is great, but there are some operational issues with it. What happens if I lose it, for example? Does that mean that I am left stranded? I think that there are multiple different types of solution. In other parts of the world, they are looking at two-factor authentication. In places like the US and Canada, Internet banking tends to be rolled out without the use of smartcards. They just use password and user ID.
It's not just about the financial institution knowing who they are dealing with. Are we as users telling them we are dealing with a financial institution? In our view, authentication needs to be very two-way.
From the authentication point of view, is there any particular method you favour?
We’ve done an awful lot of thinking about this and the system itself needs to be able to exist with multiple different kinds of technology solutions. It has to be very interoperable as opposed to one single solution. We think that is the answer. So we have designed a set of principles, collaboratively. Even people from the open source community helped to create this and as a result of that, all of our technology solutions will actually meet those standards. They are called the seven laws of identity and were created over the past year and in our view, these are the laws a successful identity management framework needs to exist by.
Because we helped create them, these will be the standards that we meet in terms of identity solutions that we roll out for our customers…