
Microsoft’s first major privacy misjudgement of 2012


By Simon Davies

Last month I wrote a fairly damning blog arguing that Europe’s regulators need to take a hard line against Google over its new amalgamated privacy policy. This policy re-write tears up previous safeguards by creating a company-wide free-for-all for the use of personal data. The French privacy authority CNIL is currently investigating the new policy.

Now I don’t know how this slipped under my radar (perhaps because I’m an Apple user?), but Microsoft has taken a worrying step in the same direction. Earlier this month the company announced an update to its services agreement to include changes to terms of usage for its online services. This includes a condition that could allow amalgamated data sharing across its cloud and desktop services. In short, that means for example that behavioural data you generate on your desktop could be merged with data within cloud services.


There’s a clear movement across the information economy toward this type of data amalgamation but I had hoped Microsoft would buck the trend. The new amendments come as an unpleasant surprise, particularly considering that Microsoft generally sees privacy safeguards as a market differentiator and the company had thus started to create clear blue water with Google. The pro-privacy policy makes sense, particularly considering that privacy is one of the four pillars of Microsoft’s decade-old Trustworthy Computing (TwC) initiative. It also makes sense in view of the increasing regulatory activity in Europe and elsewhere.

True, there are important differences between the changes made by the two companies and I’ll come to those in a minute. However the question that sprang immediately to my mind is why on earth would Microsoft compromise a decade of trust-building on the privacy issue merely to create a contingency arrangement in a domain that isn’t even its core business model? Google’s prime directive is the monetising of personal data, so it follows that it would want to unconditionally exploit that resource. Why would Microsoft move in that direction?

If you accept Microsoft’s line, then it’s all about improving products and services. In reality that means optimising search results on Bing. More specifically, Microsoft might have taken the view that the only way it can compete in the near-monopoly search market in Europe is to start using data in the way Google does.

Even so, the new service agreement changes still don’t add up. If Microsoft had waited a year and held its ground on privacy it could have leveraged a persuasive and innovative antitrust case in Europe against Google. There are some interesting intersections between antitrust and privacy, and a claim by one company that it cannot compete against another because of differing privacy standards is ripe for the picking. That opportunity is now largely lost.


Whichever way you look at it, Microsoft doesn’t commercially “need” this sort of policy change as much as Google needs it. Nor does it “need” to monetize data in the same aggressive way that Google does. In those circumstances you’d imagine that Microsoft would have taken the opportunity to make changes that were specific and ring-fenced. It failed to do so. Many of the Microsoft amendments are vague and uncertain. And in failing to offer specific guarantees the new conditions destabilise the user trust that the company has fought for so long to enshrine.

Surely it would be simple enough to create an agreement that sets the conditions in concrete rather than resorting to vague statements of claim, but the straightforward route wasn’t taken. For example, the following clauses leave open a vast and uncertain opportunity for exploitation of data:

“When you upload your content to the services, you agree that it may be used, modified, adapted, saved, reproduced, distributed, and displayed to the extent necessary to protect you and to provide, protect and improve Microsoft products and services.”

This is hardly the sort of language that’s guaranteed to build trust. Calling a spade a spade and being up-front would be a better approach.

It certainly seems the case that Microsoft has no immediate plans to exploit personal content for targeted advertising in the way Google does. That’s one of the key differences between the two companies. However consider the following new condition in the Microsoft terms:

“Microsoft may access, disclose, or preserve information associated with your use of the services, including (without limitation) your personal information and content, or information that Microsoft acquires about you through your use of the services…”


What on earth does that mean, and how does it help me as a user feel assured that Microsoft will continue to respect my data in the way it claims to? I have set out some thoughts in the post script below for clarity.

It’s certainly true that all major corporations have pro-privacy and anti-privacy components. However in my experience, Microsoft at a policy level has a more benign attitude to privacy than does Google, but in failing to strictly define and ring-fence its use of data Microsoft finds itself hostage to fortune. Yes, the new vague terms provide flexibility, but they also provoke the impression that a foundation has been laid for a future user agreement similar in nature to Google’s. In fact you can bet that Google is arguing to regulators that the two companies have established exactly the same foundation for information access and sharing.

To be blunt I don’t believe this would be the outcome, at least in the foreseeable future. Even if Microsoft abandoned its commitment to TwC and privacy the Google business model would always make that company more naturally intrusive.

It’s not too late for Microsoft to lay its cards on the table and provide the sort of guarantees that it lambasts Google for avoiding. This would be a real opportunity to ensure that the clear blue water on privacy does not shrink to a muddy creek.

POST SCRIPT AND CORRECTION

I’ve amalgamated a couple of previous post scripts for this blog so they are in logical sequence. I also need to correct an error (which I’ve now done in the blog and explained below). My apologies for the length.

As I originally noted, I’ve had quite a few messages since this blog came out, a couple of which argued that I was being “a little harsh” on the company.

Talking broadly, I don’t believe I’m being harsh. I’m happy with the progress Microsoft has made in privacy. I just don’t want to see those reforms compromised because of a poorly conceived service contract. However, looking through my piece again I think it’s only right to devote a little more time to discussing the context elements. They are important, and will help unravel some of the issues I raised.

However, let’s deal first with the error. This is significant, and worth noting.

I provided the following excerpt from the amended user agreement:

“Microsoft may access, disclose, or preserve information associated with your use of the services, including (without limitation) your personal information and content, or information that Microsoft acquires about you through your use of the services.”

which was extracted from this:

“5.2. Does Microsoft disclose my personal information outside of Microsoft? You consent and agree that Microsoft may access, disclose, or preserve information associated with your use of the services, including (without limitation) your personal information and content, or information that Microsoft acquires about you through your use of the services (such as IP address or other third-party information) when Microsoft forms a good faith belief that doing so is necessary (a) to comply with applicable law or to respond to legal process from competent authorities; (b) to enforce this agreement or protect the rights or property of Microsoft or our customers; or (c) to help prevent a loss of life or serious physical injury to anyone.”

I then made the observation: “What on earth does that mean, and how does it help me as a user feel assured that Microsoft will continue to respect my data in the way it claims to?”.

The error – which you might now have spotted – is that in my original blog there was a full stop where there shouldn’t be, giving the impression that this was a standalone sentence. This error is entirely innocent (the dangers of working from a text file of extracts and not reconciling with the original documents) but it did create a different context to the one that was provided by the full clause.

The full clause does provide two important limitations:

1. it is directed at external disclosure and sharing, and

2. there are limitations to such disclosure.

The second limitation applies, for example, where there is a legal obligation to comply with legal process or where Microsoft believes disclosure might save a customer from death or serious injury (which may also in many jurisdictions be a legal requirement).

I’m not sure how much this changes the big picture. My blog is about being far more specific about contract conditions. For example the exception “to respond to legal process from competent authorities” essentially means “lawful access”, or to put it more bluntly: police, court, judicial and national intelligence access. Every company discloses information in such conditions. The challenge is knowing to what extent they disclose and how readily they disclose. Call a spade a spade and tell people it’s access by police, but it would also be extremely valuable from a trust perspective to provide greater context and detail.

Having said that, there are important conditions that the company has specifically committed to, not the least of which is the public commitment not to use the contents of email or SkyDrive documents for advertising purposes.

It’s also significant that the agreement does affirm “we do not claim ownership of the content you provide on the services.” While this won’t prevent disclosure, it does draw a line in the sand on other aspects. Microsoft sees this condition in part as a privacy protection. Let’s see more detail about that.

Somebody has to open up these new challenges. Why not Microsoft? While it’s a vast and complex corporation, it does have a track record of thinking about these aspects.

In some respects it’s BECAUSE Microsoft does relatively well at privacy that it rarely comes under fire, which is why this blog might seem pointed. Most other companies cop far worse criticism far more frequently, and for good reason.

Read the blog again. What it says is that there’s an opportunity here to break new ground by entrenching specific conditions. In my view, given the company’s evolution, that would be the next natural step. It could be a leader in that regard. And my key argument at the pragmatic level is that the risk to trust from a false negative perception will unravel the hard work that’s gone into TwC. That is in no-one’s interest.

One thought I had after posting the blog is that it’s not helpful to the cause of privacy to characterise the main information players as being on opposing “sides”. It’s an easy linguistic device, but in reality of course there are many shades of grey and many complexities. Each information environment needs to be considered on its own merits (though firm principles of protection must be universal).

If you look back at the history of the automotive industry or utilities sectors you see an interesting pattern in which there was a complex interaction between innovation and consumer interests. Some of the best performing companies in innovation took a long time to accept standards. Taking Google and Microsoft aside for the moment, the entire information sector is currently in such a situation. The development of user terms and policies is going to be in flux for some time to come.

There’s a lesson here for all companies in the information space: don’t leave all your options open just because you can. I know lawyers love doing that, but sometimes consumers need to feel that their protections are locked down almost mathematically.