Peter Cullen, Microsoft’s Chief Privacy Strategist, comes across as a really warm guy; in all of the years I have been in the business I can’t think of a warmer and more open greeting. I felt immediately at ease when I met him on Tuesday. Of course being so welcoming when he meets you puts Peter in an excellent position to hammer you later if he disagrees with you. And he soon did.
I didn’t learn much that was new about Microsoft’s privacy strategy, but then I wasn’t expecting to.
But I wanted to take the current temperature, and see what comes next. On the vendor side Microsoft’s investments in, and strategic focus on, privacy are matched only by Sun and IBM. The big question is – when does this investment become a competitive differentiator, and against whom? Microsoft is now quite a mature company when it comes to privacy. It has invested significantly in training its software developers under its Trustworthy Computing initiative to build privacy and security into the application as part of a lifecycle approach. Paraphrasing Robert Pirsig:
“Privacy isn’t something you lay on top of objects like tinsel on a Christmas tree”
Is Microsoft perfect when it comes to privacy? Of course not. But it is committed, and has clear policies in the area. It also has some technical solutions to privacy issues, such as Kim Cameron’s Cardspace identity management architecture (the specification of which is freely available for other implementations including Open Source). Cullen has to take significant credit for the current situation. Cameron, for example, hired under Cullen’s watch, is a true visionary, an old school privacy campaigner, one of the good guys, with his seven laws of identity.
One critical Microsoft competitor that could lose a privacy standoff is Google. I got the feeling Peter was biding his time on that one, though he explicitly said:
“We don’t see competing with Google on privacy. If the search engine doesn’t provide better results, privacy is not a differentiator.”
As Google moves beyond search, though, opportunities will arise. We’re seeing a generational shift here, as Microsoft becomes IBM-like, and Google plays the role Microsoft played in the late 90s (with a growing band of black helicopters carefully scrutinising its every move). Don’t even get me started on Facebook’s approach to privacy and behaviour tracking…
Hailstones, Firestorms and Declarative Living
Those of us old enough to remember Y2K probably also remember a Microsoft initiative at the time called Passport (infamously code-named Hailstorm). The idea was a single sign-on and authentication mechanism for the web, with Microsoft as the gatekeeper. Never mind a hailstorm: the initiative created a firestorm. At the time Joel Spolsky said:
Am I the only one who is terrified about Microsoft Passport? It seems to me like a fairly blatant attempt to build the world’s largest, richest consumer database, and then make fabulous profits mining it. It’s a terrifying threat to everyone’s personal privacy and it will make today’s “cookies” seem positively tame by comparison. The scariest thing is that Microsoft is advertising Passport as if it were a benefit to consumers, and people seem to be falling for it!
Frankly, a lot of us felt like that. Meanwhile businesses circled the wagons in fear of Microsoft dominance and created a potential Passport alternative, originally led by Sun Microsystems, in the shape of the Liberty Alliance. But really, how quaint Joel’s fears appear today. Declarative Living won. Google, Facebook, Twitter, MySpace, Dopplr, and so on: everything is revealed. I once hammered Scott McNealy for saying Privacy is Dead. He had a point.
As Peter put it:
“All Personalisation is good, all Surveillance is bad.”
As a heavy Twitter user, though, I am a bit more relaxed about the idea of people watching me – you could call Twitter permission-based surveillance. And theoretically too much personalisation can lead to echo chamber effects.
Of course it wasn’t just the net changing everything… it was events in the real world, namely 9/11. The phrase “why do you want privacy if you have nothing to hide” was repeated endlessly by homeland security. Notions of privacy have been under attack from the top down, and are changing remorselessly from the bottom up. That is why we need companies to take the issue seriously. Companies like Microsoft, which, some 8 years later, is now evidently one of the good guys.
Why Rob Banks? That’s Where the Data Is
One area where my take on privacy significantly diverges from Cullen’s is in the responsibility of banks and public sector organisations for breaches. Cullen’s background is in financial services, and his roots show from time to time.
Cullen argues that the real change is in criminal behaviour, which increases data risk. Where people used to steal laptops, now they steal data. My take is that banks and so on have not taken the issue seriously enough, but have paid lip service to security and to caring about customer data. Where Cullen and I agree is that the situation is changing fast. Whether by fear of criminals, or fear of legal remedies (Marks and Spencer ordered to encrypt all laptops), The Corporation is finally waking up. About time too. Data recklessness should be a criminal offence.
It is in this arena, from an enterprise perspective, that major opportunities arise for software and services vendors. IBM’s current mainframe resurgence is at least partly down to the fact the platform is perceived to be more secure than others (of course, if you mail unencrypted backup tapes around the place, mainframe security gets you precisely nowhere).
But I also think Microsoft’s approach to user-controlled data could pay major dividends against old-school, raise-the-firewall IT. The core idea behind Passport, as originally conceived, was to put the user in control of their own data, in a manner somewhat similar to Facebook’s “permissions” today. Today Cardspace revisits the concept, but with even stronger controls. Why should all our data be in banks? Why should all our data be in telcos? Why should all our data be in retailers? Why should all our data be in Information Banks? When we’re asked for personal information, why can’t we say no, you can’t have that? Here is my identity. Do you want my business or not?
The Promise of User Managed Identity Data
That’s the promise of a user-controlled identity metasystem, and that’s what Microsoft has been trying to establish. Socialising businesses and consumers to this change, however, is going to take massive resources and commitment (and probably some luck too). Of course Microsoft specialises in massive resources and commitment.
Next time a service provider asks for your social security number, just ask yourself: wouldn’t you rather say no? Microsoft is working on solutions to allow you to do just that. Finally, I want to stress that of course other important technologies and approaches are out there, whether OpenID, OAuth, Higgins, Liberty and so on. But it’s definitely good that Microsoft is working the problem.
Hailstone picture courtesy of Cindy Funk, Flickr, Creative Commons Attribution 2.0 license.
Peter Cullen photo liberally “stolen” from his Facebook profile.