
Microsoft has suffered significant PR consequences for its consumer-unfriendly privacy practices. The company received major criticism when a federal criminal complaint revealed that Microsoft inspected a user’s personal Hotmail account without permission.

A couple of years ago, experts worried that the Xbox 360 Kinect camera, which always listens for voice commands even when the console is turned off, could be used for NSA spying. Also, a 2013 report claimed that Microsoft allowed the NSA to use Skype as part of its PRISM data mining program.

It’s fair to say that Redmond has a spotty past when it comes to privacy protection, but the company seems committed to turning things around. Azure recently became the first cloud provider to adopt the ISO 27018 privacy standard, and EU regulators affirmed that Microsoft Azure complies with strict EU privacy laws. In addition to boosting confidence in Azure security protections, these moves confirm Microsoft’s commitment to consumer and enterprise privacy. Where Google and Facebook are seeking to circumvent privacy regulators, Microsoft is cooperating.

Overstepping Its Boundaries

In 2013, the Electronic Frontier Foundation (EFF) added Microsoft to a list of companies in its annual “Who Has Your Back” report. The report praised businesses that required warrants before turning over user-generated content.

A year later, in 2014, former Microsoft employee Alex Kibkalo was arrested for violating trade secrets by passing code from Microsoft’s Activation Server SDK to a French blogger. The alleged trade secrets theft had happened several years earlier, and Microsoft got wind of it when the blogger tipped off the company’s internal security team.

The Kibkalo complaint revealed that Microsoft had searched the French blogger’s Hotmail account without consent — an account belonging to a person accused of no crime — for evidence of trade secrets theft. Microsoft argued that it wasn’t searching a customer’s content; it was merely searching “itself.” Since courts don’t issue warrants for businesses to search their own property, Microsoft argued that it didn’t need to ask for a warrant to read a customer’s Hotmail messages.

After an outcry from customers, Microsoft amended its policy to say that it would ask a separate legal team to confirm whether its own internal investigators had grounds to search user content before allowing a search. If the separate legal team found grounds for the search, then Microsoft would submit the evidence to “an outside attorney who is a former federal judge.”

In other words, Microsoft set up its own shadow court instead of agreeing just to ask for a search warrant. The amended policy didn’t last long. After a week of bad PR, the company agreed to never inspect user data and instead turn the matter over to law enforcement.

Lessons Learned

With Azure, Microsoft has re-positioned itself as a consumer privacy champion. Azure’s ISO 27018 compliance focuses on four major components:

  1. Where data lives. Microsoft has committed to letting Azure customers know where their data lives and disclose information about when and how subcontractors utilize personal information.
  2. What customers want. Customers control how cloud service providers (CSPs) running on Azure use their information. For example, customers can use Azure without automatically consenting to data collection for marketing and advertising, and customers must give explicit consent before CSPs can use their data for that purpose.
  3. Who watches the CSP. ISO 27018 requires annual third-party audits to ensure ongoing conformity with privacy standards.
  4. When breaches happen. Customers receive timely notification of data breaches, and CSPs keep accurate and complete records about both the incident and remediation efforts.

In other words, Azure customers won’t automatically have their data mined for marketing purposes, which is a common practice with Google services. They can also expect responsible action regarding data breaches and third-party confirmation that their data is safe.

EU Vote of Confidence

Some major U.S. tech firms have rebuffed Europe’s “right to be forgotten” rules. Google, for example, has only complied with 42 percent of removal requests. Facebook has argued that only Ireland can govern its privacy policy since its European headquarters are in Dublin. In response, the EU has proposed harsher fines for companies that ignore requests for data removal. Penalties range from 0.5 to 2 percent of a company’s annual revenue.

So far, Microsoft is the only tech company to receive approval for its data protection standards. It’s a refreshing about-face, and other tech companies should follow Microsoft’s lead.