Schneier on Security

A blog covering security and security technology.

« Heathrow Tests Biometric ID | Main | Create Your Own Northwest Boarding Pass »

October 26, 2006

Microsoft's Privacy Guidelines for Developing Software and Services

The document is actually pretty good.

Posted on October 26, 2006 at 1:38 PM • 7 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

Greg • October 26, 2006 1:58 PM

Good Guildelines are a start, but are they following them? Is there some way to show that they are following them? Or do we just hope.

After all any document that is made public was at least rehased by the PR department.

Shadowtramp • October 26, 2006 2:58 PM

May I ask You: had You actualy read through the said document?
If so, what so pretty good You've found inside?
Most I had saw is either reciting of "old good truthes" or addressing to some new buzzwords, like P3P. This document is a switch for attention from necessity for design time hard desisions to inlaiability.
Consider this: good half of a document devoted to big forms which ask for those desisions from end users. How many user will read and understand what is there to read?

Anonymous • October 26, 2006 3:47 PM

Definitely this document contains some good stuff. E.g. clear statement that internet searches are personal information. However, there are also some interesting things, which suggest Bruce is being a bit overenthusiastic.

"When a customer types a URL [...] has implicitly consented to sending that information [...] over the Internet."

Clearly an immoral justification of the Microsoft habit of capturing domain typos to their search engine. If I try to type an intranet site name (secretstuff.bigco.com), I do not expect a typo (secretstiff.bigco.com) to be sent to Microsoft.

"Visiting pages on a Web site implicitly means the customer consents to the site’s privacy statement and terms of use."

Not unless they read those and then afterwards proceed to do something which is beyond the protections of fair use or local legal equivalent. In fact this is a very extreme legal land grab.

"The goal is to provide the appropriate level of notice so that the user remains engaged and is able to make informed decisions. "

Excellent; indisputable.

The section on children's data requires giving full access to parents, but does not require warning children of this. That could be dangerous if children (misguidedly) attempt to use an MS services for help, e.g. when being abused by a parent.

"Disaster Recovery..... RAID Level 5...."
ha ha ha ha ha. Do they actually read what they are writing?

Another problem is that everything is justifiable for "business needs"; that's a pretty open term and could be used to justify anything which might just possibly make money. "Approved business needs" might be beter?

havvok • October 27, 2006 9:50 AM

@Anonymous

"The section on children's data requires giving full access to parents, but does not require warning children of this. That could be dangerous if children (misguidedly) attempt to use an MS services for help, e.g. when being abused by a parent. "

This is a legitimate concern, but I think that the bigger threat is that of someone using the internet for child luring or some other predatory activity. I know from my siblings who have children that this is a source of critical concern for them and I have had to balance between respecting my niece and nephews privacy and helping my siblings to ensure the online safety of their children.

The bottom line is that if a child is being abused, withholding information from parents will not stop the abuse, but if a child is being targeted, providing information can prevent the child from becoming a victim.

Mark • October 27, 2006 12:34 PM

I found it slightly ironic that when I attempted to download the privacy guidelines doc, Microsoft's webserver apparently queried my browser, decided that the (FreeBSD) system I was using is incapable of opening Word docs, and refused to provide it ;^)

derf • October 27, 2006 1:22 PM

@Shadowtramp

Did you actually use "user" and "understand" in the same sentence? Is that legal?

RvnPhnx • October 27, 2006 2:34 PM

@havvok, "Anonymous", and others
Protecting a child is indeed seen as the responsibility of the parent, but if the child cannot trust the parent--or has no expectation of the parent trusting back--then all bets are off.
The fact of the matter that many parents are repeatedly warned about by their own peers (and my own mother keeps reminding me should the day come that I have to make the same kind of hard decisions) is that trust is of overriding importance in all things and at all times in parenting. If a child trusts a stranger too much that is a problem; and if the same child were to have no expectation of privacy due to the fact that the parent has clearly demonstrated a lack of trust in the child--that could complicate issues of said child actually seeking help to deal with anyone whom "steps over the line" (horrible cliche phrase).
The best solution does not involve technology--it is entirely in the "meatspace" (and thus thorny issues about the expectation of privacy of minors can be left for another day).

Post a comment

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

Subscribe via Kindle

Blog Menu

Search

Powered by DuckDuckGo

Blog Home Page
100 Latest Comments

Archives by Date

2013 J F M A M J
2012 J F M A M J J A S O N D
2011 J F M A M J J A S O N D
2010 J F M A M J J A S O N D
2009 J F M A M J J A S O N D
2008 J F M A M J J A S O N D
2007 J F M A M J J A S O N D
2006 J F M A M J J A S O N D
2005 J F M A M J J A S O N D
2004 J F M A M J J A S O N D