Slashdot Mirror


Microsoft's Guidelines for Customer Privacy

jcatcw writes "Microsoft has released its 'Privacy Guidelines for Developing Software Products and Services.' According to Peter Cullen, chief privacy strategist, Microsoft has learned about protecting user's data from such endeavors as Hailstorm and WGA. 'Certainly that and other things have contributed to us thinking deeply with how we provide security and privacy, as well as respect and control with how their information is used,' he said. 'We think others should join in this discussion.'"


  1. Microsoft values privacy? by davidwr · · Score: 5, Funny

    First schools banning tag, and now the Evil Empire values privacy?

    What is this, April Fools come early?

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Microsoft values privacy? by Ided · · Score: 2, Funny

      Next thing you know they're going to reduce the price of Vista!

    2. Re:Microsoft values privacy? by LifesABeach · · Score: 4, Funny

      A half a dozen years ago, I started answering questions with the following:

      Name: Moore Garbage
      Company: From Pathetic Minds
      Address: [my address/]
      Occupation: P0rn Critic

      When my wife found out about this, she did not like it. But after looking at the junk mail, even she is laughing at the stuff we get.

    3. Re:Microsoft values privacy? by Merle Darling · · Score: 2, Funny

      If they don't want you looking at their code you should respect their right to privacy.

      --
      "Bother," said Pooh, as lightning knocked out hi%#&(F*@NO CARRIER
  2. privacy guidelines ... by thrillseeker · · Score: 4, Insightful

    ... don't collect (and keep and share and sell) crap just because you can - show some backbone and leadership and collect as little as is necessary to serve your customer.

    1. Re:privacy guidelines ... by bashamer · · Score: 2, Interesting

      This limits your future scalability.

      You want to capture more rather than less so you can use this data as training for future functionality.

  3. Oh really? by From A Far Away Land · · Score: 3, Insightful

    "WGA. "Certainly that and other things have contributed to us thinking deeply with how we provide security and privacy"

    Is that why you have to sell your first born to Microsoft if you install Windows Media Player 11, and break the EULA? I bet you didn't know that was in there! It pays to read EULAs, unless you want rid of that kid.

    And if they've learned from the WGA fiasco, why are they still requiring XP users to install it to get all updates?

  4. Hailstorm? by Slovenian6474 · · Score: 4, Funny

    Was it a good idea to name a program that stores people's names and credit card information after an Egyptian plague?

  5. That's a punch-line to a joke... by lbmouse · · Score: 2, Funny

    What's the smallest page on the web?

  6. WGA by MyNameIsEarl · · Score: 2, Insightful

    I thought WGA didn't keep any data on the user only the machine. I guess that "anonymous" data collection isn't so anonymous after all.

  7. Summary is Totally Misleading by mpapet · · Score: 5, Informative

    FTFA: "The document outlines recommendations for software developers that will help them protect customer privacy"

    Bolded emphasis mine. MS and their legions of developers won't do anything differently.

    "Discussion." Indeed. This is MS working their coordinated PR effort to make them seem serious about "security." Talk all you want, no one is listening.

    Keep in mind, I have to babysit these things for a living. So I am quite happy they don't actually address the issue directly because there will be no shortage of work.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
    1. Re:Summary is Totally Misleading by MECC · · Score: 2, Insightful

      Microsoft's negligent software practices don't create work - they just create bad software. See the broken windows fallacy.

      --
      "We are all geniuses when we dream"
      - E.M. Cioran
  8. The best way to protect customer information by Anonymous Coward · · Score: 4, Insightful

    ... is not to collect it in the first place.

  9. Uh-oh! by Rob T Firefly · · Score: 3, Funny

    "According to Peter Cullen, chief privacy strategist, Microsoft has learned about protecting user's data from such endeavors as Hailstorm and WGA."

    Cripes, they've got Optimus Prime on their side! Nothing in the galaxy will stop them now!
    1. Re:Uh-oh! by $RANDOMLUSER · · Score: 2, Funny

      He was also the voice of KARR from Knight Rider; KARR was KITT's "evil prototype", which I always thought was a screamingly funny concept.

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    2. Re:Uh-oh! by Rob T Firefly · · Score: 2, Funny

      "He was also the voice of KARR from Knight Rider; KARR was KITT's "evil prototype", which I always thought was a screamingly funny concept."

      What, you mean you don't build an evil, megalomaniacal prototype of everything you invent? You know, just to work out the bugs and all?
  10. In Other News... by Admiral Justin · · Score: 4, Funny

    Symantec is offering guidelines to developers of antivirus solutions to use minimal resources.

    Richard Stallman is offering guidelines for developers wanting to release proprietary code.

    The Pope is offering guidelines on peaceful and friendly methods of talking about other religions.

    Isn't this a good example of the blind leading the blind and dumb?

    --
    You will be baked, and there will be cake.
  11. I thought this was obvious... by __aaclcg7560 · · Score: 3, Funny

    Spill and/or sell first, pretend it didn't happen, and apologize only when the media calls.

  12. And, in breaking news, the Big Bad Wolf... by dpbsmith · · Score: 3, Funny

    ...has released a 49-page document entitled "The Big Bad Wolf's Guidelines for Protecting Little Red Riding Hood." In a prepared statement, the wolf said:

    "We'd like others to join the conversation. A long, long time ago, several weeks ago in fact, we were a little insensitive about the way we implemented our last henhouse raid. Critics complained that wearing grandmother's clothing was deceptive, and that what we were doing posed a risk to Little Red Riding Hood. While we want to emphasize that Little Red Riding Hood was not harmed, that and other things have contributed to us thinking deeply with how we provide security and privacy, as well as respect for those we eat, for the use of humane slaughtering practices. We also wish to assure the consumed that we target only henhouses, and that any collateral loss of innocent human life is accidental and deeply regretted."

    "Our new guidelines protect the consumed by prohibiting the use of cloaks intended to resemble human beings. From now on, we will cloak ourselves only in the garb of sheep. We've devised technology in the form of a new chalk filter that guarantees that any traces of our individual voice identity will be erased, and that there is no possibility of causing psychological harm to our victims by the use of harsh vocalizations."

    "We have asked our colleagues the Fox and the Coyote to join with us and to follow only best predatory practices."

    "Because of this increased protection, we no longer recommend that home users build firewalls of brick. Instead, they should enjoy the economy, light, and airy comfort of porous straw walls, perforated by dozens of Windows."

  13. Bad provisions in Microsoft's concept of privacy by Animats · · Score: 2, Interesting
    There are several bad provisions in that proposal.
    • The proposal does not require that, when collecting data, the collecting organization specifically identify itself. EU data privacy laws generally require that. California law requires that web sites give "the actual name and address of the business" before accepting credit cards, and that's a good standard. If you can't identify who collected the data, you can't effectively exert your rights against them. "xyz.com" isn't enough; you need "XYZ, Inc. 1234 Wilshire Blvd, Los Angeles, CA".
    • "Web sites: Visiting pages on a Web site implicitly means the customer consents to the site's privacy statement and terms of use." - that's very weak, and not supported by law.
    • For some things, even explicit consent is not enough. See the standards at StopBadware.org, which prohibit automatic updating which modifies other programs or changes the functionality of the one being updated without user consent. (Think TiVo, where automatic updates took away commercial-skipping. That's badware.)
    • Personal data transfer to third parties and retention policies need not be specified. Not good. In particular, the owner of the data (the user) needs the right to know which third parties have the data. And the collector of the data must remain responsible for what "affiliates" do with it. This has been a serious problem, where the "good company" disclaims responsibility for what their "affiliate" did. Remember the "outsourced medical transcription" scandal.
    • The "privacy" document doesn't address the privacy issues associated with digital rights management (DRM). "Who knows what's on your ebook?"

    For a more user-side view of privacy from a technical standpoint, the National Association of Theater Owners Digital Cinema Requirements document is valuable. Digital cinema at the movie theater level has DRM, and the theater owners have organized to tell (not ask) the studios exactly how intrusive the DRM can be. Stuff like

    • "The System shall not compromise the security of the theatre's in-house network, including the security of digital cinema systems, point-of-sale systems, and other data systems owned and/or operated by the exhibitor." (i.e. no Sony-type rootkits)
    • "The system shall be designed to push data to outside business entities per the needs of the exhibitor, and shall not allow outside business entities to pull data from the exhibitor's equipment or from the premises without the express written permission of the exhibitor on a case-by-case basis. All such communications shall be recorded and shall be auditable by the Exhibitor." (i.e. no spyware; the user has to explicitly send the log data, and can look at it first)
    • "System components (servers, projectors) shall be capable of being moved from auditorium to auditorium within the same facility in any combination without limitation and without requiring receipt of new decryption keys." (you can swap components around without DRM problems)
    • "Systems shall allow the movement and playback of shows among all auditorium systems within a complex." (you can move the movie from one room to another without DRM problems)
    • "New Security Keys shall be delivered within 15 minutes of the time of request." (no long downtime because the DRM people screwed up)
    • "Systems shall employ the standard interchange method for security log reports .... Systems shall employ tools that allow the exhibitor to filter security log reports logs prior to sharing." (it's all in XML, and you can see what the DRM owner sees.)
    Compare that with Windows Vista.
  14. Protect privacy from what? by boyfaceddog · · Score: 2, Insightful

    Any time a company or country defines security or privacy, it isn't to ensure their customers/citizens have more but to put limits on how much they need to provide.

    --
    Here will be an old abusing of God's patience and the king's English.
  15. In some ways, I want them to know about me. by Deathlizard · · Score: 2, Interesting

    I thought I would never say this, but in a sense, I want Microsoft to know who I am when it comes to WGA. That way, when WGA screws up, I can prove that I'm the owner.

    Something like when I activate Windows, I have the option to log in to my Passport to associate my Windows ID with that Windows serial key. That way, if my key is stolen by some hacker and WGA decides to lock my computer down, I can contact MS and prove that I'm the original owner of that key and get it either unlocked or a new key resubmitted.

    If I have to deal with WGA on Windows, at least allow me to protect myself from being screwed out of my purchase by the next key-stealing Trojan or eventual random keygen.