Microsoft Releases Guidelines for Customer Privacy

Criticized in the past for an initiative that would require the company to collect and catalog personal information about its customers, Microsoft on Tuesday released an internal document about how it protects customers’ privacy in the hopes that other companies will adopt similar practices.

The company publicly published a 49-page document, called Microsoft’s Privacy Guidelines for Developing Software Products and Services, at the International Association of Privacy Professionals Privacy Academy 2006 in Toronto. The document can be found here.

The document outlines recommendations for software developers that will help them protect customer privacy when building applications that deal with sensitive information, such as websites or Web-based features that send personal information over the Internet, said Peter Cullen, Microsoft’s chief privacy strategist. He will speak on a panel at the show on Friday, sharing and discussing the document with attendees there.

For example, Cullen said Microsoft implemented a way to erase personal information in the new phishing filter it has built for its Internet Explorer browser. The filter, designed to protect users when they surf to online sites that could use phishing to steal personal information, compares sites that users visit to known phishing sites. However, before going to any site to do this verification, the filter erases any personal information that would identify which user visited, he said.

Microsoft has not always been seen as sensitive to customer privacy. Five years ago, the company tried to implement a project code-named Hailstorm, which theoretically would store personal and credit-card information and passwords so users could easily sign on to various sites. Customers balked at the idea of Microsoft controlling their personal information, and the project never lived up to its hype.

Cullen said Microsoft has learned a lot from such experiences and wants other companies to implement the practices it has developed to protect customer privacy.

“Certainly that and other things have contributed to us thinking deeply with how we provide security and privacy, as well as respect and control with how their information is used,” he said. “We think others should join in this discussion.”

Microsoft also got into some hot water earlier this year when it was disclosed that a new antipiracy feature in its Windows client OS, Windows Genuine Advantage (WGA), was sending information from PCs to an internal Microsoft server without users’ knowledge through an automatic notification feature. The feature was checking to see if the user’s copy of Microsoft was legitimate, if that copy had not yet been verified as authentic. After some accused the software of acting like spyware, Microsoft removed the offending feature.

Cullen said the uproar over WGA’s notification features and Microsoft’s subsequent removal of it gives the company “the benefit of hindsight.”

“We didn’t spend enough time to make sure [the feature] met our standards,” he said.

Microsoft continues to do everything it can to avoid violating customer privacy in its products and will continue to review each product carefully to make sure it meets the internal standards made public on Tuesday, he added.

By Elizabeth Montalbano, IDG News Service (New York Bureau)

Keep checking in at our Security Feed for updated news coverage.