Protecting Customers' Privacy Through Consistent Development Practices
As consumers increasingly rely on the Internet for shopping, banking, e-government and other activities, privacy has become both a major public concern and a barrier to the growth of Internet services and online commerce. Widely publicized data breaches, alarming statistics about privacy incidents and fear of identity theft all threaten to erode trust in the Internet. In fact, RSA Security's 2006 Internet Confidence Index found that nearly half of U.S. consumers have "little or no confidence" that organizations are taking sufficient steps to protect their personal data. At the same time, consumers are more frustrated with software and Web sites that do not clearly communicate the potential impact to their privacy, or do not consistently offer them controls over how their personal information is used.
The software industry can help address these issues by establishing a high bar for respecting customer privacy. However, there are currently no industry-wide practices to help standardize the user experience for privacy-oriented software features, or to address privacy issues and concerns in the software development process. To help establish a starting point for these efforts and open an industry dialogue about privacy guidelines for development, Microsoft has released an extensive set of public privacy guidelines for developing software products, Web sites and services. These guidelines draw from the company's experience incorporating privacy into its development processes and address customers' expectations about privacy as well as privacy legislation in effect worldwide. For example, they reflect the core concepts of the Fair Information Practices of the Organization for Economic Cooperation and Development (OECD) and privacy laws such as the European Union Data Protection Directive, the Children's Online Privacy Protection Act of 1998 (COPPA), and the Computer Fraud and Abuse Act.
The Privacy Guidelines for Developing Software Products and Services can be found in the "Related Links" section of www.microsoft.com/privacy.
Privacy concerns are easy to understand in principle, but challenging to address in practice, particularly in the development of software. Similar guidelines have helped Microsoft's developers to better understand and address privacy issues. Our hope is that releasing a public version of the guidelines can promote an ongoing industry dialogue on protecting privacy through consistent development practices.
The public Privacy Guidelines for Developing Software Products and Services are based on the internal privacy practices incorporated in the Microsoft Security Development Lifecycle (SDL), a process that helps ensure that the company's products and services are built from the ground up with security and privacy in mind. The SDL implements a rigorous process of secure design, coding, testing, review and response for all Microsoft products that are deployed in an enterprise, that are routinely used to handle sensitive or personal information, or that regularly communicate via the Internet.
The guidelines cover a wide range of topics, including:
- Definitions of different types of customer data, including personally identifiable information (PII) such as the user's name and email address, sensitive PII such as credit card or Social Security numbers, and anonymous or pseudonymous data.
- Guidelines and sample mechanisms for notifying users that their personal data may be collected, and offering them ways to consent (or not) to the collection of this data.
- Guidelines for making disclosures to the users about how their personal information may be used.
- Reasonable steps to protect PII from loss, misuse or unauthorized access, including access controls, encryption, physical security, disaster recovery and auditing.
- Control mechanisms for users to express their privacy preferences, taking into account the needs of system administrators, as well as special guidelines for shared computers.
- Strategies to prevent data leakage by minimizing the amount of personal information that needs to be collected.
To set the proper foundation, the first half of the guidelines is devoted to general concepts and definitions. The second half lays out specific rules for common scenarios that can affect a customer's privacy, such as transferring PII to and from the customer's system, installing and updating software on the customer's system, storing and processing customer data over the Internet, and transferring customer data to third parties. The guidelines also provide additional requirements for deploying Web sites, for software targeted or attractive to children, and for server products within an enterprise (including measures to help system administrators protect the privacy of their end users).
One example scenario covers the development and policy guidelines for deploying a public Web site. According to the guidelines, the site must provide a link to a company-approved privacy statement on every page, regardless of whether PII is collected on that page. The link should not be smaller than other links on the page, such as legal notices, and it should be in a consistent location, such as the page footer. This rule also applies to pop-up windows that collect PII. For lengthy or complex privacy statements, the site should adopt a "layered notice" format, which includes a single-page summary of the statement that provides links to more detail. Additionally, the privacy statement should be compliant with the Platform for Privacy Preferences (P3P) standards for machine-readable statements, and, if appropriate, certified by an independent organization such as TRUSTe.
The site also should avoid the unnecessary use of persistent cookies when a session cookie, which is retained only for the duration of the browser session, would be adequate. When using persistent cookies that store PII, the site should get explicit opt-in consent from the user and store the PII in an encrypted form.
If a site collects any form of PII from the user, it must adhere to specific guidelines for notice and consent, security and data integrity, and customer access and control. If it stores persistent data on the customer's system, in cookies or any other form, it must adhere to a number of additional guidelines, including appropriate user notice and consent for storing PII, using encryption where relevant and other methods that help secure data in storage such as file permissions, as well as a consistent means to give users the opportunity to view and delete their PII, or prevent it from being stored at all.
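The cookie rules above (prefer a session cookie, and place PII in a persistent cookie only with explicit opt-in consent and in encrypted form) can be enforced at the one place where a site emits Set-Cookie headers. The following is an added example written for this article, not code from the guidelines or from Microsoft; the helper name `build_cookie`, the `PrivacyPolicyError` class and the sample values are all assumptions. Encrypting the value is left to the caller (the `encrypted` flag is the caller's attestation that it already did so); the helper's job is to refuse a persistent PII cookie that lacks either consent or encryption, and to leave off `Max-Age` unless persistence was explicitly requested.

```python
from http.cookies import SimpleCookie


class PrivacyPolicyError(ValueError):
    """Raised when a requested cookie would violate the site's privacy rules."""


def build_cookie(name, value, *, is_pii=False, persistent_days=None,
                 opt_in=False, encrypted=False):
    """Return a Set-Cookie header value that follows the article's cookie rules.

    - No persistent_days -> session cookie (no Max-Age), retained only for
      the browser session.
    - Persistent cookie holding PII -> requires explicit opt-in consent and
      a value the caller has already encrypted.
    - Every cookie is marked Secure and HttpOnly so it is sent only over
      HTTPS and is not readable from page scripts.
    """
    persistent = persistent_days is not None
    if is_pii and persistent:
        if not opt_in:
            raise PrivacyPolicyError(
                f"cookie {name!r}: persistent PII needs explicit opt-in consent")
        if not encrypted:
            raise PrivacyPolicyError(
                f"cookie {name!r}: persistent PII must be stored encrypted")

    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["httponly"] = True
    if persistent:
        # Only persistent cookies carry an expiry; omitting Max-Age is what
        # makes the cookie a session cookie.
        morsel["max-age"] = int(persistent_days) * 86400
    return morsel.OutputString()


def is_session_cookie(header_value):
    """True when the Set-Cookie value carries no expiry attribute."""
    lowered = header_value.lower()
    return "max-age=" not in lowered and "expires=" not in lowered


if __name__ == "__main__":
    # Constructed sample values; "sess-123" stands in for an opaque session id.
    print(build_cookie("sid", "sess-123", is_pii=False))
    print(build_cookie("lang", "en-US", persistent_days=365))
    # A persistent PII cookie passes only with consent and an encrypted value
    # (the ciphertext below is a constructed placeholder, not real output).
    print(build_cookie("acct", "ENCRYPTED-PLACEHOLDER", is_pii=True,
                       persistent_days=30, opt_in=True, encrypted=True))
```

Two points are deliberate: the default is a session cookie so that persistence has to be asked for, and PII in a session cookie is not blocked, because the article's opt-in and encryption requirement is tied to persistence, not to every cookie.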
Finally, if the site is directed at children, it should adhere to even stricter guidelines across the board, to empower parents to supervise and control their children's browsing experience as well as comply with legislation such as COPPA.
For several years, a number of product groups at Microsoft have been following similar privacy guidelines as part of the SDL. For example, development of the recently released Microsoft Phishing Filter included a number of key design decisions to help reduce the impact on our customers' privacy, including not storing IP addresses with the other data collected by the Phishing Filter (Web site addresses to be checked) to avoid potential correlation. Other decisions included having the Phishing Filter only send the domain and path of the Web sites to Microsoft (removing search terms) and sending the Web site addresses to Microsoft via SSL. We invited Jefferson Wells, an independent third-party auditor, to run two separate audits on the technology, which validated and confirmed our claims regarding how we handle customer data with the service.
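The Phishing Filter design decisions described above (send only the domain and path, drop search terms, keep the client IP address out of the stored record, and submit over an encrypted channel) amount to a data-minimization step that any URL-reputation client can apply before it reports anything. The following is an added example written for this article, not Microsoft's Phishing Filter code; the function names `minimize_url`, `build_check_record` and `require_tls_endpoint`, the sample URLs and the record layout are all assumptions. It goes slightly beyond the text by also stripping the fragment and any embedded user:password, which, like the query string, can carry data the reputation check does not need.

```python
from urllib.parse import urlsplit, urlunsplit


def minimize_url(url):
    """Reduce a URL to scheme, host (plus explicit port) and path.

    Dropped on purpose: the query string (search terms and form data), the
    fragment, and any user:password in the authority. The hostname is
    lower-cased by urlsplit, so two spellings of one site collapse together.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    path = parts.path or "/"
    return urlunsplit((parts.scheme, host, path, "", ""))


def build_check_record(client_ip, url):
    """Build the record that would be sent to, and stored by, the check service.

    The client IP is accepted as a parameter to make the point explicit: it
    is NOT placed in the record, so the stored URL cannot later be correlated
    with the person who visited it.
    """
    del client_ip  # deliberately unused: never persisted alongside the URL
    return {"url": minimize_url(url)}


def require_tls_endpoint(endpoint):
    """Refuse to report to a service endpoint that is not HTTPS."""
    parts = urlsplit(endpoint)
    if parts.scheme != "https":
        raise ValueError(f"check endpoint must use HTTPS, got {endpoint!r}")
    return endpoint


if __name__ == "__main__":
    # Constructed sample input: a visited URL with a search term, credentials
    # and a fragment, plus a made-up client address.
    visited = "HTTPS://user:pw@Example.com:8443/search?q=my+medical+condition#top"
    record = build_check_record("203.0.113.7", visited)
    print(record)  # only the minimized URL survives
    print(require_tls_endpoint("https://check.example.invalid/lookup"))
```

The record deliberately has a single field so that adding anything else (an IP address, a user id, a timestamp precise enough to re-identify) is a visible design change rather than something that slips in with the URL. An independent audit of the kind the article mentions can then check exactly one function.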
Similarly, when customers run the current version of Windows Media Player for the first time, their privacy experience directly reflects our internal privacy guidelines. The user is presented with a link to the privacy statement as well as a number of privacy-related options that govern how their data is collected and used, including whether data about their music library is sent to Microsoft in order to display additional information (such as album art), whether licenses for protected content are acquired automatically, or whether the player remembers the user's viewing and listening history. The user also is asked whether he or she wishes to send data about player usage and errors to Microsoft as part of the company's Customer Experience Improvement Program.
With the release of the public Privacy Guidelines for Developing Software Products and Services, Microsoft hopes to promote a broader industry discussion about development guidelines to help protect individual privacy and ensure appropriate data governance. The benefits of such guidelines are clear: not only do consistent user experiences and development practices help protect against misuse of data and other privacy violations, they also promote trust among customers and organizations. Additionally, a reputation for responsible privacy protection has become a market differentiator for companies, attracting and retaining customers based on clear standards and reliable experiences.
No single company has all the answers when it comes to privacy. Addressing these issues requires broad collaboration among software developers, governments and industry organizations. In releasing these guidelines, our hope is that we can further the discussion on how consistent software development practices can make a difference in protecting privacy and preserving public trust in computing.
As Microsoft's Chief Privacy Strategist, Peter Cullen, CIPP, is directly responsible for managing the development and implementation of programs that enhance the privacy of Microsoft products, services, processes and systems, both internally and worldwide. With more than a decade of privacy and data protection policy expertise, he serves as a leading advocate for strong and innovative personal information privacy and data safeguards, meeting regularly with global industry and public policy leaders and frequently speaking at international conferences. Cullen is a member of the IAPP Board of Directors.