Microsoft Corp. (MSFT
) believes it has a better solution. Over the next few years, it wants to sell sophisticated scheduling services to people who use products such as the Windows operating system and the MSN network. The company hopes to keep its customers' personal calendar in a centralized database, making it possible to match your schedule against Tom's, Lucy's, and the baseball team's (which might be located elsewhere on the Web). A few mouse clicks, and the same get-together could be squared away in seconds."SOLE POSSESSION." This type of next-generation Internet service promises to make everyone's lives vastly easier. But it also points to one of a series of troubling privacy issues starting to dog Microsoft. In order to reconcile people's schedules, the company is going to have to have the ability to figure out where its customers are. "They want to create a place where all manner of information about your life and your interests is stored. And they want to be in the sole possession of this," says Irwin R. Gross, an attorney at Wilson, Sonsini, Goodrich & Rosati, a firm representing many of the software giant's most vehement Silicon Valley critics.
And calendar information isn't the half of it. As part of its grand Net strategy, Microsoft is trying to reinvent itself as a seller of business and consumer services. So engineers are dreaming up a wide array of new subscription services that will help people shop, manage their finances, communicate with one another, and organize their lives (table). To pull off its plans, though, the software giant is going to have to store vast amounts of private data on its own servers, potentially including people's travel plans, doctor's appointments, credit-card numbers, hobbies, and online purchases. Why? Because nearly all of these services are based on gathering, analyzing, and disseminating consumer information in creative new ways.
Few of these products are even on the market, yet law enforcers are already looking into the potential privacy issues. At an April conference of state attorneys general in Boston, several of them gathered informally to discuss the privacy threat posed by Microsoft's new business initiatives. No legal actions are currently planned, but the states are monitoring the issue closely. "There was a lot of talk of [Microsoft being] Big Brother," says Tom Miller, Iowa's AG and a longtime critic of the company.
Meanwhile, Microsoft is doing all it can to persuade the world there's no danger. It has endorsed a strong set of privacy principles, known as "Safe Harbor," that requires personal authorization for data to be sold or used for reasons unrelated to its original purpose. The company stresses its business model calls for making money from consumers by having them pay for these services. Breaking their trust by misusing personal data hardly makes good business sense, says marketing director Ruthann Lorentzen. "The model completely falls apart if we violate this principle," she says.THE COOKIE JAR. But privacy advocates are still worried. No company in history has amassed as much data about its customers as Microsoft hopes to possess. Privacy advocates fear that such a rich database would be a single point of failure that could entice hackers and criminals. What's more, they question whether a company with Microsoft's aggressive personality will be able to keep its hands off such a valuable trove of private data. If over time the company determines there's a fortune to be made using data for commercial purposes, it will change its policies, suspects David M. Winer, CEO of UserLand Software Inc. "The business model will follow the money," says Winer.
The company's grand plan to sell consumer services--known as its "HailStorm" initiative--illustrates some of the pressure Microsoft's managers could face. One possible service consumers might be willing to buy, for instance, would be an e-mail notification that favorite musicians are coming to town. But to winnow out who might want such a service, Microsoft might be tempted to turn to the bank of customer data sitting on company servers.
Where would such information come from? Much of it could be supplied by Passport, another service the company is aggressively rolling out. Passport functions like a digital wallet and includes a consumer's address and credit-card data, as well as authentication of his or her identity. Over the long term, the company wants it to become the standard payment system on the Internet. This would put Microsoft at the center of millions of e-commerce transactions--and give it the ability to make detailed portraits of consumers' shopping habits.
The company is adamant that it has no plans to exploit the Passport data in this way. But there's no law that prevents it from changing its mind. About the only assurance consumers have that their privacy would be respected is Microsoft's word. And for many, that may not be enough. By Dan Carney in Washington, D.C.