Q&A: Microsoft chief privacy strategist Peter Cullen

On Sony, RFID, consumer trust and the EU...

By Dan Ilett

Published: 15 November 2005 16:25 GMT

This week silicon.com caught up with Microsoft's chief privacy strategist, Peter Cullen.

Cullen, who works under Scott Charney, chief trustworthy computing strategist, joined Microsoft in 2003 from the financial services sector, notably Royal Bank of Canada.

silicon.com: Sony BMG has recently been accused of planting rootkits into people's computers to stop them copying CDs. Is that something that Microsoft intends to do?
Peter Cullen: No. To be honest, philosophically and practically our policies and practices are built around giving users control over their personal information and certainly what is put on their PC. One of our standards would be every time something is installed on a PC it requires very explicit notice and would definitely include the ability to uninstall. All of our products and services are built with that kind of standard in mind.

There is a lot of information sent out of a computer without the user's knowledge, especially if they are not au fait with IT. Do you think there should be a tool that tells people what goes out?
Our belief and practice on that are that it starts off with very clear notice and consent when a customer enters into any relationship with Microsoft. But we also employ something called 'just in time' consent for specific activities. If you think about Windows error reporting, it's very important that we get information back if something went wrong on somebody's PC.

But we recognise that for some people that's a very sensitive thing. So we provide a very specific option. It has to be an opt-in consent for that to be sent back to Microsoft. And the customer has the ability to see what's being sent. So we take it a step beyond the notice that says that absolutely no personal information is transmitted.

Are most companies doing that or is the industry failing in that?
It's difficult to say. The industry is extremely broad. Our particular practices are around our products and we also work with a number of industry partners to put forward those types of practices.

There's a big push across industries to try and personalise marketing in order to get people's trust. Is it Microsoft's aim to gain consumers' trust and if so how are you trying to do that?
The core principle of the trustworthy computing initiative was for people to be able to realise the value of technology, they need to have a high level of trust. We worked very hard over the last three years since that initiative to build trust.

We've come to understand we are just a player in this field and the real trust comes when everyone puts in place trustworthy computing.

What is the main barrier to privacy at the moment?
I think the challenge for consumers is trying to feel control over how their information is collected and used but also having to deal with a number of harms - spam, phishing and spyware are potential harms for users.

For the business community they're faced with an increasingly large number of regulations over how they collect and manage their customers' information. For global companies that's becoming very complicated because of the growing numbers of regulations. Those are challenges we are working on.

Is Microsoft looking to deploy RFID tagging?
We're not really a consumer company in terms of RFID tags. It's not a huge part of our business at all. Having said that, we play a role in terms of helping organisations bridge data-handling within their supply chain.

We've watched the RFID debate and the observation we've taken is that there's a way for the benefits to be realised at the same time users' privacy is well protected. We wrote a paper a year ago which detailed the scenarios RFID plays and what the risks are. We married it with some practices we felt should be employed any time RFID is used.

What are they?
They start off with the notice of consent. We believe transparency is critical for users to have trust in technology. So even if it's RFID or products we produce that don't involve the collection of personal data all practices suggest that users should be provided with very clear consent.

What's the biggest difference between privacy in the US and in Europe?
I'm not sure there are a lot of differences now. I think Europe set the benchmark in 1995 with the data directive. What has happened over the last couple of years, consumers' concern over how their information is collected and used has grown around the world. Whether it's Europe, the US, Japan, consumers want to understand how their information is used.

Are there any plans to change licensing agreements to improve consumer privacy?
I think licensing agreements are not the way we think about privacy. We think that there needs to be an explicit notice up front.
