A Discussion with Microsoft's David Purcell
New technologies like Web services are expected to change the way we develop Internet applications. But they also raise concerns about privacy, from consumers and businesses alike. Perhaps no company has been more scrutinized than Microsoft, whose .Net platform is expected to be one of the key technologies in the Web services market. Web Techniques caught up with Richard Purcell, Microsoft's director of corporate privacy, to see how the gang from Redmond feels about this subjectnd what the rest of us should expect.
Web Techniques: There seems to be a public perception that individual privacy is at greater risk when dealing with online businesses. What do you think causes this perception?
Richard Purcell: Because we live in an age where information is the newest and most valued commodity, individuals feel as though they have less control over who has their information.
WT: So what can businesses do to combat this perception?
RP: Customers have told us they want to use technology, not be used by technology. So we've been committed to enabling consumers to better manage their information. This means providing software tools, and it also means giving our consumers the needed consent, notice, and access to their information whenever they do business with us.
WT: What's your reaction to government's handling of privacy issues?
RP: We believe that the sector approach that we've seen the government take to regulating private information and sensitive data is very appropriate, such as for medical data, financial information, and children's information.
WT: Do you foresee a move toward greater regulation in the future?
RP: We've been working very closely with legislators at the state and national level. Solutions have to be built through broad understanding of issues across all sectors of the government, businesses, and consumers. Technologies are the best way to provide individuals real empowerment through control of personal information. Policies can instill real confidence between businesses and consumers. And laws can provide baseline protections. But they all have to work together.
WT: One product that has received some negative attention has been Microsoft's HailStorm Web services suite, part of the .Net platform. Are the privacy concerns raised about HailStorm justified?
RP: Building customer trust is essential to the success of our products, so privacy and security are fundamental design points in our .Net architecture. Passport and other .Net services are designed to let end users control how and with whom their personal information is shared. They're built firmly upon the fair information principles and will employ a strict opt-in model for consumer data.
WT: Beyond HailStorm, the .Net model seems to encourage the practice of storing more data on the server side, rather than on the user's PC. Doesn't this introduce greater privacy risks than the client-side model we're accustomed to? Is it really a superior model?
RP: Wherever information is storedclient or server sidethere needs to be proper security around that information. Data being stored in any data centers will actually be a fairly limited set, and there will be significant encryption, both in storage and transfer of data.
ET: Does Microsoft have any other specific plans in the works that should help address privacy concerns?
RP: With .Net, we're increasing the security around the Passport authentication tool, as well as within any data centers. We're considering how they're set up, who has access, how many levels of security they need. Microsoft will go through a very thorough process for security and who handles the data.
RP: We'll be incorporating the Platform for Privacy Preferences Project (P3P) specification into Internet Explorer 6, which will be part of Windows XP. This will be the first broad-adoption implementation privacy tool incorporating P3P to be released to market.
We're also committed to the consumer education piece of security protection, and working on ensuring that consumers know what they can do to protect themselves, such as developing strong passwords.
WT: What do you see as the greatest challenges for developers of Web services in the area of privacy? What advice would you give to these developers?
RP: First, it's essential that any developer of Web services be aware of the privacy principle upon which to base their work. At Microsoft, that principle is individual control over personal information.
Next, all developers should become familiar with the Fair Information Practices and work on two fundamentals: design bad privacy out of products, respecting those principles; and design good privacy into those products, providing individuals with as much control as possible. At Microsoft, we're designing privacy protections and controls into our products and services from the beginning, as building blocks of our products. We've put privacy as a top priority for the company and have instructed all employees to be mindful of our principles and policies in all of their work.