Schneier on Security
A blog covering security and security technology.
« Instantaneous Data Grabbing |
| The FBI is Spying on Us »
November 7, 2005
Microsoft Calls for National Privacy Law
Here's some good news from Microsoft:
In an eight-page document released on Capitol Hill today, Microsoft outlined a series of steps it would like to see Congress take to preempt a growing number of state laws that impose varying requirements on the collection, use, storage and disclosure of personal information.
According to the press release:
[Microsoft's senior vice president and general counsel Brad] Smith described four core principles that Microsoft believes should be the foundation of any federal legislation on data privacy:
- Create a baseline standard across all organizations and industries for offline and online data collection and storage. This federal standard should pre-empt state laws and, as much as possible, be consistent with privacy laws around the world.
- Increase transparency regarding the collection, use and disclosure of personal information. This would include a range of notification and access functions, such as simplified, consumer-friendly privacy notices and features that permit individuals to access and manage their personal information collected online.
Provide meaningful levels of control over the use and disclosure of personal information. This approach should balance a requirement for organizations to obtain individuals' consent before using and disclosing information with the need to make the requirements flexible for businesses, while avoiding bombarding consumers with excessive and unnecessary levels of choice.
- Ensure a minimum level of security for personal information in storage and transit. A federal standard should require organizations to take reasonable steps to secure and protect critical data against unauthorized access, use, disclosure modification and loss of personal information.
Here's Microsoft's document, with a bunch more details.
With this kind of thing, the devil is in the details. But it's definitely a good start. Certainly Microsoft has become more pro-privacy in recent years.
Posted on November 7, 2005 at 12:06 PM
• 27 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
If you look at their last 10-K they are worried about being the target of law suits which they are pretty protected for in the US by their EULA but that has never been testen in court. The wind may be changing and they probably identified that as a big risk with this being CYA due diligence.
This is hardly Microsoft being pro-privacy. As the Post's blogger states, they are being hit with a patchwork of state laws in this area and are trying to preempt the issue at the federal level so that they can deal with a single (and potentially weaker) set of requirements.
Microsoft may be realizing that many of the current fads in business are going to hurt them in the long run. Business patents seem to be something that they're re-evaluating, and even as they bring in more mechanisms for enforcing external control, someone in Redmond is realizing just what that means for their own privacy.
Not to be excluded from these internal revelations is the simple cost of doing business. Right now, they have to satisfy laws in 50 state jurisdictions, plus worry about county- and city-level contracts, and how these mesh with laws in Europe and Asia, the former with much, much tougher privacy laws than are present in the US. Bringing things in line on a more universal level will simplify their business model, presenting fewer obstacles to building it in one state or country and moving it to another.
If the federal standards for "information privacy" matches the E.U., I imagine it would surpass most states' levels.
I agree that this isn't Microsoft being pro-privacy, necessarily -> they're being driven by a desire to set a standard that will apply in all of their markets. However, given that the E.U. market has more stringent privacy laws than the U.S. (as a whole) the net result will probably be positive.
I thought EPIC had a very good response:
"While not everything that a privacy advocate would hope for, the Microsoft position is still very good. The many devils are in the details...."
The comments include a brief history of Microsoft's (Brad Smith) position on privacy.
The NYT article on Nov 1st (http://www.nytimes.com/2005/11/01/business/01theft.html) keeps getting referenced (the FBI brought it up during a presentation last week) and seems to have distilled the core policy struggle in the US:
"The data brokering industry wants to ensure that any new federal law pre-empts state laws and limits the ability of states and individuals to sue in the event of a breach. Consumer and data privacy groups, figuring that any law passed by Congress is likely to be less restrictive, want to preserve the ability of state and local governments to make and maintain tough laws."
Oh, and speaking of federal laws, I am not a lawyer but it appears to me that more than a dozen statutes directly related to privacy have been passed by the US Congress since 1990, not to mention that they strengthened the FCRA twice in that time (http://www.epic.org/privacy/fcra/).
Indeed the devil is in the details, some of which are already exposed here:-
"Provide meaningful levels of control over the use and disclosure of personal information. This approach should balance a requirement for organizations to obtain individuals' consent before using and disclosing information with the need to make the requirements flexible for businesses, while avoiding bombarding consumers with excessive and unnecessary levels of choice."
That's far from the european model where you require my explicit consent to hold and process data and you must tell me what you're going to do with it. No 'balance' of obtaining consent but an absolute requirement. Many companies abuse this as it, by hiding the details or forcing you to go through loops to activate any opt outs (strictly illegal but I know of no prosecutions).
I'm inclined to agree with Morse that this is about pre-emption, and that that's the worst part of the deal. Federal privacy laws will be less responsive to local concerns and more easily gamed by industry. Better to establish a baseline and let individual states impose more stringent standards, same as minimum wages or environmental laws.
Don't support a convicted monopoly
The sooner I can go on-line, read a tech magazine, and frequent a computer store without having to read or hear the word "Microsoft" better.
Fool me once........
This is a transparent attempt to avoid nettlesome state regulation. While I disagree with unwise and ineffective state regulation, I disagree slightly more with using uniform federal law to fix that problem.
The “preempt state law in national markets��? argument is one that pro-business folks have been sympathetic to for a long time, but it proves too much. Soon, all markets will arguably be national. Does that mean we should have uniform federal regulation of the entire economy?
MSFT takes it a step further and calls for international harmonization, meaning we should have data protection nonsense like Europe does. Bureaucratic regulation like the European model looks good because it costs a lot in time and effort, but if you look at actual results - *actual results* - it's no better - and arguably worse - than forcing companies to compete against one another in service to consumers along all vectors, including privacy.
"A federal standard should require organizations to take reasonable steps to secure and protect critical data against unauthorized access, use, disclosure modification and loss of personal information."
That, and a federal law should allow for prosecution of companies with heavy indemnities if the data is accessed by unauthorized personnel or the data is leaked. As always, if you make the company severely liable, they will be forced to clean up their act.
Great to hear.
Here in Germany politicians are just reconsidering how much privacy you still need, given the fact there's so much crime and terrorists out there.
I see Google's outreach also as a major factor in Microsoft's thrust. And for once I am on the side of Microsoft here.
Google for all its lofty claims is on dangerous ground. As an avid consumer of Google news, I notice that my news article ordering is highly influenced by my prior reading habits in spite of me not having a google account and clearing cookies. They seem to be tracking access by IP address and I have no way to delete my profile.
Is that a feature of 'longhorn'?
"Don't support a convicted monopoly"
It's not the company that we're supporting. It's the idea. I'm not especially inclined to support a great many groups and companies, but if an idea is good, I'm not going to say it's bad just because I don't like who is supporting it. I may ignore that someone I don't like is backing it, but I won't dismiss it purely because of that.
"It's not the company that we're supporting. It's the idea. I'm not especially inclined to support a great many groups and companies, but if an idea is good, I'm not going to say it's bad just because I don't like who is supporting it. I may ignore that someone I don't like is backing it, but I won't dismiss it purely because of that."
Even if that person is Barbra Streisand? She recently blew my momentum on a different cause I have been supporting for a few years, just by joining my side.
There are some evils that simply cannot be ignored.
I'm skeptical about this. Given that their primary concern is standardisation, I think they're more concerned about making compliance easier for their service developers, than they are about improving our privacy.
I'm not convinced that international standards are necessarily the best thing. Citizens of different countries may have differing views on the utility of privacy, and law makers should be able to reflect those. On the other hand, the US is so far behind the UK, that I'd appreciate them catching up a bit. I've had two marketing calls from the US recently, and none from the UK in over a year.
"Blockquote" tag fixed; sorry all.
anybody who believes that microsoft supports individual privacy, i would ask them how much lsd they had ingested.
this is all about federal pre-emption. they want to get it into congress where they can get an industry-friendly bill passed which would nullify stronger state measures. of course they're gonna tell you they support privacy, don't you know by now that corporate spokesliars lie?
"Create a baseline standard across all organizations and industries... This federal standard should pre-empt state laws..."
While I agree with the spirit of most of the idea, this bit, especially that wording, troubles me.
On the heels of the MA OpenDoc contention, this sounds to me as though MS is pushing for a federal "standard" to preempt "rash" state decisions, such as using FOSS solutions. "Standards" (e.g. "shall use X format") are good; "standard" (i.e. "MS-Word is the standard editor for use in all government applications") is potentially ushering in an age of government-mandated software "choice."
The beast of redmond wants to remind us all that they're still important, despite having a piece of shit OS and a growing bad reputation.
Sanity and innovationw will return to the world when we turn our backs and ears AWAY from the beast and its noise.
One poster said, "It's not the company that we're supporting. It's the idea."
Support is support
Fuck blue screens and remote exploit "bugs" in their OS, they've polluted the world with inferior and closed technology for too long.
Privacy??? Hey, don't get me started! First of all, the consumer buys their own "personal" computer...and PAYS for internet access....so, one would think that they're all set, right? But, no. That just opens the door. Once you go on line.....you're bombarded! And I mean just ambushed!!! THAT in itself should be breaking the law...invasion of privacy, what-eva. THEN, the average consumer, that thought he/she was safe using their "personal computer," ... I mean, after all...she's home alone...nobody there but her...she's all hooked up and paid for...THEN, all of a sudden her D drive opens.....all by itself! And then, a screen opens and tells her that she may be being spied on and she can download some protection for this.....at a cost of course... Well, she tries desperately to close the window...but it won't close! We're talking Twilight Zone, at this point. So...whas a girl to do??? What else...go out and buy yet MORE software to protect herself, right? Ah, but, alas......even THAT doesn't work out right. Why? Hell, b-cause the internet security software is SO secure...that she can't even get on-line?!?!? So then...she has to call in a geek squad......and they have to "adjust her firewalls" so that she can use the internet security software. But then, her computer keeps "locking up" because of some software compatibility issues... so then, she has to call in the geek squad again.....and all they can tell her is that they'll have to wipe out her hard disk ...... and start ova.....because, even THEY don't know how to fix the problems!!!\
Hey, y'all, I have a Masters in electrical engineering ....and I DON'T KNOW HOW TO KEEP MY COMPUTER PRIVATE AND WORKING!!! So, whas that say about the average consumer???
And it's all because of privacy issues. Why not instigate the "do not call list" for computers too? It's MY computer...it's MY internet access....leave me and my system ALONE!!! Why can't that be enforced?
I think I know the answer......
Just how much $$$ do people have to pay to be "secure" in their own homes??
Therein lies the answer.
"Even if that person is Barbra Streisand? She recently blew my momentum on a different cause I have been supporting for a few years, just by joining my side.
There are some evils that simply cannot be ignored."
So Barbra Streisand joining the cause made it a bad thing? If you agree with the principal, you should back it. If Barbra Streisand came forward calling for an overhaul in national privacy laws to limit what companies could do with information about you, would you oppose it just because she supports it?
"Google for all its lofty claims is on dangerous ground. As an avid consumer of Google news, I notice that my news article ordering is highly influenced by my prior reading habits in spite of me not having a google account and clearing cookies. They seem to be tracking access by IP address and I have no way to delete my profile."
There is a very THICK line between "news you can use" delivered via AI versus MS snatching all data, personal and private, any time they want to (including your IP and MAC address), (ad nauseum), while milking the security and spyware industry only necessary because of their inherently monolithic swiss cheese operation system in their effort to continue gross overindulgence for a far "in-superior" product across the board.
Steve Ballmer needs to take a back seat before MS loses their edge in the Phamacudical industry, too.
And, the only person that should be visiting Congress on behalf of ANYTHING MS wishes to "initiate" "innovate" or "bend to their favor" should be done by myself. However,at this point, Google, Boston, HSA, FBI and the CIA can afford me MUCH more than Steve Ballmer and their attorney, Mr. Gates Sr.
In other words - Steve/Bill/et.all - if you honestly think that you can hit good old golf balls with President George Bush, C. Rice, and all the others, (like you did with President Clinton the day before the Justice Department failed to come down on you hard enough for trying to buy Quicken in 1994), AND stiff the rest of us "yet another time", I'm pleased to announce that you are SORELY mistaken.
I'll poke the bear in both eyes myself. They don't even come close to feeding me. It's also REAL nice to have LOTS of friends in 2% of the most intelligent folks in existence on the planet (plus every single individual in every single low income to every rich income individual in every community damn near across the globe).
Open post to Ballmer, and Mr. Gates Senior, (and everyone else you either provide kickbacks for or bully onto your side):
Go back to congress and withdrawl your attempt to save yourself from the backlash of delicious lawsuits that await us consumers, small business owners, corporations, military generals, HSA, CIA, FBI, and all of my friends abroad who have been suffering for years from your abuse of your "power".
This time you will not win. I guarantee it.
I'm trying to figure out the jist of all the posts here...since I'm new. And the one thing I notice first.....is that noone responds to what you've just said. They just go onto their own agenda.
"I'm trying to figure out the jist of all the posts here...since I'm new. And the one thing I notice first.....is that noone responds to what you've just said. They just go onto their own agenda.
Are you by chance specifically referring to my previous post in this thread? If so, and only because I can only speak for myself (since it was my post) -- I apologize for my seemingly "wide reach" among various "archived" and current topics posted here on Bruce's blog. If you have any specific questions regarding what I have posted, (since you're new) -- when you get a chance, go ahead and do a search on Bruce's log for the areas of interest (you can search by poster's name, too). If you have any further frustrations, please do let me know. email@example.com.
As far as your earlier post on "how much money is it going to take to keep your personal system safe?"
The answer is simple. Wait until next year, update your OS to Tiger (BSD), use your electrical engineering brainpower to lock that b*tch down by removing root access to any and all executables not required by the applications that YOU use at home, install your own Firewall (or port blocker), monitor all incoming and outgoing network traffic (and watch it in real time as you work), and unplug it when you don't need 'net access.
If you constantly need net access, simply do your work on a machine with absolutely no network connection, and transfer your files through a USB key (or whatever works for you) to the machine connected to the Internet.
All that will cost (as of today) is roughly $150 for a 5 machine license of Tiger), and any old paper-weight PC I'm sure you have lying around to connect to the internet.
As far as personal agenda of my own, well, since no one "owns me", "feeds me", or can "bully me", I am absolutely, beyond a shadow of a doubt, fully capeable and willing to tell the Truth, and Nothing But the Truth, when I post. So help me God. The only Agenda I have is making this Country (et al) worth living, working, and rearing children in.
"Certainly Microsoft has become more pro-privacy in recent years."
Or perhaps that's their new marketing campaign.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.