Microsoft's Chance to Promote Privacy


By Jane Black

Privacy proponents were elated recently when Microsoft shelved its plans to launch an information-management offering, My Services, on .NET, its platform for Web businesses. Originally dubbed Hailstorm, My Services would have created a single, central database for consumers, including personal calendars, home addresses, even your credit-card number, and then made it all accessible to friends or businesses.

This alarmed privacy advocates, who predicted that a single storage place -- especially one housed inside Microsoft -- would become a honeypot for hackers. With Microsoft abandoning the effort, Chris Hoofnagle, chief lobbyist for the Electronic Privacy Information Center, now sees a slowdown in the development of such centralized data centers, and "that's very good for privacy."

Case closed? Not so fast. Gates & Co. didn't drop the project because of privacy concerns. Rather, My Services' suspect business model forced the shift in strategy. Now, instead of creating and hosting data on its own, Microsoft plans to package My Services technology with server software, allowing any business to host its own data store. The new "federated" approach offers a clearer revenue model for partners, such as Internet service providers (ISPs) and cable and phone companies, which object to letting Microsoft -- or anyone else for that matter -- stand between them and their customers.

INHERENTLY SAFER? This opens a whole new database of worms, as far as privacy advocates are concerned. "There are trade-offs between [the] centralized and new model," says Larry Ponemon, president of the Dallas-based Privacy Council. "The new strategy could create new difficulties and risks that have to be assumed by the consumer."

Most online privacy advocates argue that when data is dispersed, it's inherently safer. If information isn't all in one place, the theory goes, it's more difficult for anyone -- marketers, hackers, government snoops -- to get a complete picture of who you are. All true. But that also makes it harder for the average consumer to figure out who has what, how they're using it, and, most important, with whom they're sharing the information. And while most Americans are concerned about privacy, they don't seem to invest significant time and effort in managing their personal data.

Look at Yahoo!'s announcement at the end of March that it has changed its privacy policy so that the company can soon send direct mail and make sales calls to the tens of millions of registered Yahoo users. The idea was to boost flagging revenues and generate profits. According to the new policy, Yahoo will send e-mail messages promoting more than a dozen of its services -- even if customers previously asked that they not receive such marketing messages. Users have 60 days to go to a page on the site and request again not to receive the solicitations.

QUIET CHANGES. Yahoo's policy change generated front-page headlines and raised a new row in the privacy field, where advocates called the plan "unconscionable." Now, think what happens when it's not Yahoo but a small online shop that's collecting your data. Such policy changes won't make headlines. And that means without consistent legwork, you won't know who's using your personal information and for what purpose.

Microsoft says it plans to establish standards for how its powerful software can be used. Adam Sohn, product manager for Microsoft's .NET platform strategy, says he expects the company to require some level of privacy protection as part of the My Services license for consumer-focused businesses like ISPs and cable operators. Though nothing is yet set in stone, Sohn says Microsoft will work with large operators to "set the rules that everyone plays by and guarantee a consistency of experience."

These rules might include assuring users that their data is used only in ways explicitly stated in the site's privacy policy (no more changes on the run, such as Yahoo's). The guidelines could also include setting default levels of privacy to a medium or high level and requiring that privacy policies are written in easy-to-understand language.

ENSHRINING STANDARDS. Sohn suggests that operators might create pop-up windows to inform users how any data provided in an online transaction will be used. Another popular idea is to require a "Cliff Notes" version of the privacy policy so consumers don't have to wade through dozens of pages of legalese.

By sheer force of its weight in the high-tech world, Microsoft could help enshrine these important standards. For proof, just look at its success in driving forward P3P, a privacy standard that, among other things, is designed to block data-tracking cookies from third parties. Microsoft built P3P into its Internet Explorer 6.0 browser, which was launched in December, 2001. The new version already has garnered 33% of the browser market (see BW Online, 12/14/01, "Microsoft's Cookie Monster").

Many analysts, though, have their doubts about Gates & Co.'s willingness to follow through -- and about the rules' effectiveness even if it does. Microsoft's business, after all, is selling software -- not regulating privacy on the Internet. "Microsoft is certainly going to try to safeguard privacy. It's part of a top-down trustworthy computing initiative," says Matt Rosoff, an analyst with consultancy Directions. "But I don't see that they have the same leverage in this area. And they won't do anything to hurt sales."

Hence, even if Microsoft does eventually impose these rules, it would be difficult for the software giant to ensure that clients who use its technology are adhering to them.

STRONG MESSAGE. As if affirming analysts' skepticism, Microsoft's Sohn says Redmond is "not trying to stand up and set policy." The company won't make any demands on corporate customers that use the technology for internal purposes. He believes that they should be allowed to do what they like with employee data. However, for the many companies using the technology for their dealings with external consumers, Microsoft should require that these guidelines be followed.

That would generate some good will toward the embattled software giant. Standards would also send a strong message to Congress, which, once again, is considering privacy legislation. Senate Commerce Committee Chairman Ernest "Fritz" Hollings (D-S.C.) is expected to introduce a bill on Apr. 18 that would require companies to offer opt-in policies and enforce new restrictions on e-mail spam. Taking the lead on protecting consumer data could be a real privacy win for both Microsoft and consumers.

Black covers privacy issues for BusinessWeek Online. Follow her twice-monthly Privacy Matters column, only on BusinessWeek Online.

