Microsoft Crows About Its Privacy Program - But Australia Has Deep Concerns

A Microsoft-sponsored survey released Wednesday found that almost half of Web users felt like they had already lost control of their own data while online - just days after the Australian government complianed that Microsoft's suggested data policies might lead to just that result.

Some 45% of the 1,000 users polled by Ipsos Public Affairs found that users feel that they "have little or no control over the personal information companies gather about them while they are browsing the Web or using online services, such as photo-sharing, travel or gaming," Microsoft said in a statement.

“As online activities have become a valuable part of daily life, privacy is incredibly important. At Microsoft, we strive to help our customers manage their personal information online by providing easy-to-understand privacy policies, settings and guidance,” said Brendon Lynch, chief privacy officer, Microsoft. “We take seriously our responsibility to customers by investing in a comprehensive and dynamic privacy program that implements our policies and delivers privacy innovations to our customers.”

Microsoft also noted that while it published the report, it didn't author it; a pair of professors from Indiana University and Oxford did so. The report shouldn't be taken as Microsoft's official stance on online privacy, a company spokeswoman said.

Australia Isn't Convinced

But in an open letter to Microsoft sent January 15, the Office of the Australian Information Commissioner questioned whether Microsoft was really committed to privacy, based on a series of privacy summits the company organized last November. Specifically, the OAIC expressed "reservations" about one of the "discussion topics" Microsoft encouraged attendees to discuss.

The privacy discussions (PDF) that Microsoft organized concerned updates to the Organisation for Economic Co-operation and Development (OECD) Privacy Guidelines, developed in the 1970s - before the World Wide Web, social networks, email and other forms of electronic data transmission. The discussions were held in Brussels, Singapore, São Paulo, Sydney and Washington, D.C. - as well as in Microsoft's headquarters in Redmond, Wash. - to discuss modernizing the OECD guidelines for the information age.

Should Data Be Free To Collect?

The meetings proposed rewriting the so-called "Collection Limitation Principle," which states: "There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject."

The report published by Microsoft states this "discussion version" was used: 

"Data should be obtained by lawful and fair means and in a transparent manner. Data should not be collected in a manner likely to cause unjustified harm to the individual unless required by law. 'Harm' may include more than physical injury." 

The OAIC worried that the revised discussion version placed no limitations on the collection of personal data. And the report said as much:

"[T]he requirement in the original OECD principle that data be collected, 'when appropriate,' with the 'knowledge or consent of the data subject,' seems to ignore the reality of the extraordinary volume of data that is generated today through routine activities and transactions and near-ubiquitous sensors (such as surveillance cameras, location monitoring by smart phones, and embedded computers in cars and other devices). Often, knowledge or consent of data collection in these situations is either nonexistent or likely to be so vague as to be meaningless. No one suggested that knowledge is not important, or that consent may not be appropriate in some settings, but there seems a real risk that the 'where appropriate' exception could swallow the entire principle, given today’s technology landscape."

The OAIC expressed concern that such an approach to privacy would be illegal in Australia. "In our view, this would allow a considerably broader re-use of data than that allowed by the original OECD version and indeed by Australia’s Privacy Act 1988."

In an email, Peter Cullen, Microsoft Chief Privacy Strategist, told ReadWrite, “Microsoft sponsored global conversations among privacy stakeholders to discuss how core privacy principles can evolve in a world of rapidly changing technology, data and innovation.  We published a whitepaper to summarize those conversations and to invite further input.  The Australian Privacy Commissioner’s thoughtful feedback on the report is an important part of the ongoing dialogue.”

Incidentally, at the Redmond meeting, members of other governments attended (Mexico's Secretary of the Economy, a member of Chile's House of Representatives, plus officials from Brazil and Costa Rica) but, according to Microsoft's report, no one representing the U.S. government did so.

Microsoft's Privacy Dashboard

According to the Microsoft/Ipsos survey, four in ten people online know how to protect and manage their online privacy. To make it even easier, Microsoft released a series of documents and videos that describe how to manage privacy settings on Microsoft products like Bing, Internet Explorer and the Xbox, as well as a general privacy dashboard.

While many users probably understand how to manage their browser privacy settings (turning off cookies, for example, or clearing Web pages cached within the browser) the Personal Data Dashboard beta will probably come as a pleasant surprise. The Dashboard allows users to block Microsoft from collecting personal information, preventing personalized ads (but not ads in general) It also allows users to select which topics they enjoy. Google does some of this as well.

Microsoft vs. Australia: Who's Right?

Unquestionably, Microsoft leads on one privacy aspect: Tracking Protection, a feature in Internet Explorer that actually blocks information that could be used by third parties, rather than a more gentlemanly "Do Not Track" request. From that standpoint, at least, Microsoft's commitment to privacy must be taken seriously.

So does Australia have a privacy gripe? Probably.

If nothing else, encouraging top-ranking officials from all over the world to assume that websites may capture whatever data they choose seems a bit Machiavellian. On the other hand, realpolitik suggests that all the free Web services we know and love must be paid for in some way, and that the currency of today's Web is often data, not dollars.

Still, government leadership in today's Web should follow the lead of states like California, whose mandatory privacy policies for mobile apps need to be enforced. Governments may benefit from encouraging digital partnerships, but they must always realize whose interests they represent.

(Editor's Note: The report that the OAIC referenced was published by Microsoft, based on meetings it organized. As the story now notes, the report was authored by two attendees.)

Image source: Microsoft.