Privacy Advisor

The Privacy Advisor Interviews Scott Charney of Microsoft

December 1, 2007

The Privacy Advisor recently interviewed Scott Charney, Corporate Vice President of Microsoft Corp.'s Trustworthy Computing (TwC) Group, about the company's efforts to protect its critical infrastructure, improve its engineering practices, secure its networks, and reach out to the rest of the technology industry on today's most important privacy and security issues.

Q: What does privacy mean for Microsoft?

A: As an industry, we all need to set a high bar for respecting customer privacy and helping to build greater trust in the Internet and e-commerce. To realize the full benefits of the information age, people should be able to trust their computers and feel certain that their personal data is being used appropriately.

We are committed to making sure customers feel confident about their safety when using our products and services, and we believe the best way to do that is to empower our customers and place them in control of their personal information. Consumers can feel certain that their data is being used in appropriate ways that they consent to. Our Trustworthy Computing group works to accomplish this through a combination of effective business practices, privacy-enabling technologies, and broad collaboration — with industry partners, government regulators and customers — toward improving privacy and protection.

But it doesn't begin and end with Microsoft. The entire industry needs to work together to address the continued challenges and evolving threats to people's privacy. We hope that security and privacy professionals can come together and participate in an open dialogue about how to develop common industry best practices. We have already started and will continue to work with our industry partners to develop a common framework for protecting user privacy.

Q: What has Microsoft done to ensure the privacy of its users?

A: We have developed companywide privacy principles that help put our customers in control of their personal information while using our products. Our principles focus on providing appropriate notice when collecting personal information, obtaining consent when using that information, transferring information to third parties only when appropriate, and giving users access to their personal information to ensure accuracy.

Microsoft also has established and implemented internal guidelines that ensure customer privacy is taken into consideration in the development of our products and services. We have developed and implemented new technologies, educated consumers about ways to protect themselves while online, and put into place best practices to ensure privacy and security.

This multi-faceted approach continues to be one of our highest priorities. We are committed to helping protect our customers' personal information and maintaining its integrity, and this is only going to get more important as more information is shared and used online.

Our privacy efforts are not just internal to Microsoft. To help create a more Trustworthy ecosystem we believe in sharing our practices so that others may benefit from what we have learned. Microsoft recently published a public set of Privacy Guidelines for Developing Software Products and Services. These guidelines draw from Microsoft's experience incorporating privacy into the development process and reflect customer expectations as well as global privacy laws.

Q: What are some current threats to online privacy?

A: Cybercriminals are now launching more targeted attacks that look to gather personal information from users and businesses. According to the 2007 eCrime Watch Survey and the Microsoft Security Intelligence Report, social engineering schemes such as phishing have become the greatest threat to enterprise data. So protection of that data continues to be a top concern for organizations as the threat of security breaches continues to evolve. In essence, data has become the new "currency" of crime, and is increasingly valuable to online criminals.

Along with security threats, the lack of strong organizational policies can increase the risk of compromising personal data. Companies need to enact strong and clear data handling policies, and educate their employees on how to properly handle personal information. Now more than ever, companies need to implement comprehensive privacy practices.

Q: How has the relationship between privacy and security evolved?

A: As more business is conducted online, companies increasingly rely on both the greater use of sensitive or personal data, and the ability to share information across borders and devices. We are seeing an increasing number of scenarios where security threats are also threats to people's privacy, and this has significant implications for how organizations approach the protection of personal information.

Q: Given that, what would you say to organizations as they plan for the future?

A: Organizations will need to have a dialogue on how to effectively deal with the converging security and privacy challenges that they will encounter. The ability to protect data will become more and more challenging as the interdependence between security and privacy becomes even more important, and organizations will need to find ways for their privacy and security professionals to work together and develop policies and practices that address both privacy and security concerns in tandem.