James Governor's Monkchips

Meeting Peter Cullen: On Microsoft Privacy Strategy

Share via Twitter Share via Facebook Share via Linkedin Share via Reddit

Peter Cullen, Microsoft’s Chief Privacy Strategist, comes across as a really warm guy; in all of the years I have been in the business I can’t think of a warmer and more open greeting. I felt immediately at ease when I met him on Tuesday. Of course being so welcoming when he meets you puts Peter in an excellent position to hammer you later if he disagrees with you. And he soon did. πŸ˜‰

I didn’t learn much that was new about Microsoft’s privacy strategy, but then I wasn’t expecting to.
But I wanted to take the current temperature, and see what comes next. On the vendor side Microsoft’s investments in, and strategic focus on, privacy are matched only by Sun and IBM. The big question is – when does this investment become a competitive differentiator, and against who? Microsoft is now quite a mature company when it comes to privacy. It has invested significantly in training its software developers under its Trustworthy Computing initiative to build privacy and security into the application as part of a lifecycle approach. Paraphrasing Robert Persig:

Privacy isn’t something you lay on top of objects like tinsel on a Christmas tree

Is Microsoft perfect when it comes to privacy? Of course not. But it is committed, and has clear policies in the area. It also has some technical solutions to privacy issues, such as Kim Cameron’s Cardspace identity management architecture (the specification of which is freely available for other implementations including Open Source). Cullen has to take significant credit for the current situation. Cameron, for example, hired under Cullen’s watch, is a true visionary, an old school privacy campaigner, one of the good guys, with his seven laws of identity.

One critical Microsoft competitor that could lose a privacy standoff is Google. I got the feeling Peter was biding his time on that one, though he explicitly said:

“We don’t see competing with Google on privacy. If the search engine doesn’t provide better results, privacy is not a differentiator.”

As Google moves beyond search though opportunities will arise. We’re seeing a generational shift here, as Microsoft becomes IBM-like, and Google plays the role Microsoft played in in the late 90s (with a growing band of black helicopters carefully scrutinising its every move). Don’t even get me started on Facebook’s approach to privacy and behaviour tracking… 

Hailstones, Firestorms and Declarative Living

Those of us old enough to remember y2k probably also remember a Microsoft initiative at the time called Passport (infamously code-named Hailstorm). The idea was a single sign on and authentication mechanism for the web, with Microsoft as the gatekeeper. Never mind a hailstorm-the initiative created a firestorm. At the time Joel Spolsky said:

Am I the only one who is terrified about Microsoft Passport? It seems to me like a fairly blatant attempt to build the world’s largest, richest consumer database, and then make fabulous profits mining it. It’s a terrifying threat to everyone’s personal privacy and it will make today’s “cookies” seem positively tame by comparison. The scariest thing is that Microsoft is advertising Passport as if it were a benefit to consumers, and people seem to be falling for it!

Frankly a lot of us felt like that. Meanwhile businesses circled the wagons in fear of Microsoft dominance and created a potential Passport alternative, originally led by Sun Microsystems, in the shape of the Liberty Alliance. But really how quaint Joel’s fears appear today. Declarative Living won. Google, Facebook, Twitter, MySpace dopplr, and so on: everything is revealed. I once hammered Scott McNealy for saying Privacy is Dead. He had a point.

As Peter put it:

“All Personalisation is good, all Surveillance is bad.”

As a heavy twitter user though I am a bit more relaxed about the idea of people watching me – you could call twitter permission-based surveillance. And theoretically too much personalisation can lead to echo chamber effects.

Of course it wasn’t just the net changing everything… it was events in the real world- namely 9/11. The phrase “why do you want privacy if you have nothing to hide” was repeatedly endlessly by homeland security. Notions of privacy have been under attack from the top down, and are changing remorselessly from the bottom up.  That is why we need companies to take the issue seriously. Companies like Microsoft, which is, some 8 years later, is now evidently one of the good guys.

Why Rob Banks? That’s Where the Data Is

One area where my take on privacy significantly diverges from Cullen is in the responsibility of banks and public sector organisations for breaches. Cullen’s background is in financial services, and his roots show from time to time.

Cullen argues that the real change is in criminal behaviour, which increases data risk. Where people used to steal laptops, now they steal data. My take is that bank’s and so on have not taken the issue seriously enough, but paid lip service to security caring about customer data. Where Cullen and I agree is that the situation is changing fast. Whether by fear of criminals, or fear of legal remedies (Marks and Spencer ordered to encrypt all laptops), The Corporation is finally waking up.  About time too. Data recklessness should be a criminal offence.

It is in this arena, from an enterprise perspective, that major opportunities arise for software and services vendors. IBM’s current mainframe resurgence is at least partly down to the fact the platform is perceived to be more secure than others (of course if you mail unencrypted backups tapes around the place mainframe security gets you precisely nowhere).

But I also think Microsoft’s approach to user-controlled data could pay major dividends against old school raise the firewall IT. The core idea behind Passport, as originally conceived, was to put the user in control of their own data, in a manner somewhat similar to Facebook’s “permissions” today. Today Cardspace revisits the concept, but with even stronger controls. Why should all our data be in banks? Why should all our data be in telcos? Why should all our data be in retailers? Why should all our data be in Information Banks? When we’re asked for personal information why can’t we say no- you can’t have that. Here is my identity. Do you want my business or not?

The Promise of User Managed Identity Data

That’s the promise of a user controlled identity metasystem, and that’s what Microsoft has been trying to establish. Socialising businesses and consumers to this change however is going to take massive resources and commitment (and probably some luck too). Of course Microsoft specialises in massive resources and commitment.

Next time a service provider asks for your social security number just ask yourself- wouldn’t you rather say no? Microsoft is working on solutions to allow you to do just that. I finally want to stress that of course other important technologies and approaches are out there – whether Open-ID, OAuth, Higgins, Liberty and so on. But its definitely good that Microsoft is working the problem.



Technorati Tags:

hailstone picture courtesy of Cindy Funk, Flickr, creative commons Attribution 2.0 license.

Peter Cullen photo liberally “stolen” from his Facebook profile.


  1. Nice overview, and I am happy to see multiple efforts towards user-centered identity management coming along. Two things:

    1) Hailstorm (never deployed) was more sweeping than Passport (still in use). Much of the original Hailstorm material has vanished from the web, but http://www.microsoft.com/presspass/features/2001/mar01/03-19hailstorm.mspx offers hints.

    2) One facet that distinguishes “permission-based surveillance” a la Twitter, Facebook, MySpace et al is that when we’re doing our own surveilling we get to choose not only how much to share – but whether what we share is even truthful. Thus you see a range in these arenas from completely synthetic personalities (Santa Claus, Jesus Christ) to those who shade the truth about their day by only Twittering selected areas (“look, boss, I’m always working!”) to those who really do let it all hang out.

  2. here a nice visual of privacy and security


    The last line of defence is not the SoX’s line , its the user themselves. In todays era Privacy a lot has to do with user education. for example, SMugMug has been caught with their pants down. albeit- Don & teamwas very professional about the whole thing.


  3. As much as I love OpenID, it is going to take a big vendor to push ( bully? ) people into using distributed authentication systems, maybe some developers really like writing authentication systems, I know I don’t.

    However, Joe Average consumer trusts MS so, I think they are probably well positioned to push it but, I don’t see them pushing. Are they engaging with startups to adopt their solution? Sun is sending people hardware just for laughs, if MS really wants to get this done and it’s not just a “keeping up with the Joneses,” where is there push?

    I would never use CardSpace, there is a Ruby library for it but, I never hear of anyone using it and the page looks mostly dead. Why use that when I can grab OpenID and not have to deal with MS or a dead OSS project.

  4. Also, you stole a picture but didn’t put it up…

  5. Mike – awesome context thanks guy. If you think microsoft.com is “clean” you should check out wikipedia. history didn’t happen there. Great point about spying on santa!

    Pd- word. i love that cartoon. i totally agree with you – and tried to capture that with the phrase “generational shift”

    Dan- ah yes the famous Facebook data portability… πŸ˜‰

  6. James,
    great to see you picking up on the privacy stuff again.
    Did Peter have much to say on EU v US differences?

  7. […] Meeting Peter Cullen: On Microsoft Privacy Strategy Great post from James at Redmonk on data security through a Microsoft lens. Gets to the nub of the issue. Its your data, your identity and should be down to you to own and control your own privacy. (tags: security privacy microsoft data) […]

  8. hey Thomas how are you mate? its been too long its true – but the privacy space has been so depressing of late in the UK what with all the UK government failures coming to light and so on what could i say?

    You can expect some more from me on the subject. And by the way, I recommended that Peter get in touch when you start at Gartner. i think that’s the first time I have ever recommended an executive talk to the Borg. πŸ˜‰

    Re EU vs US we talked a little about regulatory frameworks vs criminal threats as drivers for better data governance. As you know I am am of the opinion that in the UK at least regulatory powers are insufficient to change corporate behaviors.

  9. When Kim Cameron talks about Cardspace, one of the most interesting aspects is what he calls the ‘reification’ of credentials. (Or he calls it “thingifying” if he thinks the audience is a bit thick… ;^)

    To my mind, the way in which Cardspace presents a visual metaphor to the user is arguably the most visionary part of it. It’s a concept which I hope continues to extend and find adoption – whether or not that’s in the specific form of Cardspace implementations.

    There’s an opportunity for Web 2.n to do a much better job of reifying, to the user, what is happening with their personal data, their personas and their online privacy. Cardspace certainly doesn’t do all that yet, but it starts to show ways in which the problem can be approached.

Leave a Reply

Your email address will not be published. Required fields are marked *