Thursday, October 26, 2006

Privacy Guidelines from Microsoft

I confess that I'm generally pretty skeptical of Microsoft's dedication to the rights and interests of consumers. However, I've just read their Privacy Guidelines for Developing Software Products and Services, Version 2.1, dated October 10, 2006, and I have to say that they've done a pretty good job. If all software products and services followed these guidelines, cyberprivacy would be in much better shape than it is now.

This is a very pragmatic document that starts from user concerns and the business case for addressing them, moves on to general principles and specific definitions, and finally gives fairly detailed guidelines for nine representative scenarios. I find it credible and sensitive to most of my concerns about electronic privacy.

Protecting customer privacy is critically important. In many areas of the world, privacy is considered a fundamental human right. Additionally, protecting customer privacy can increase loyalty and be a market differentiator.

Customers are getting increasingly frustrated with software and Web sites that do not clearly communicate the behaviors that impact customer privacy and the controls available to them. Currently, there are no industry-wide practices to help standardize the user experience and the software development process. For some, ignoring this growing frustration has led to an erosion of trust, negative press, and even litigation.

The software industry as a whole would benefit from establishing a higher bar for respecting customer privacy. Giving customers more information about how their privacy may be impacted (i.e., transparency) coupled with improved controls can empower customers and raise their level of trust. At the same time, it is important not to annoy customers with a barrage of notices that ultimately may be ignored.

The purpose of this document is to propose a baseline for establishing this higher bar. It offers guidance for creating notice and consent experiences, providing sufficient data security, maintaining data integrity, offering customer access, and supplying controls when developing software products and Web sites. These guidelines are based on the core concepts of the Organization for Economic Co-operation and Development (OECD) Fair Information Practices and privacy laws such as the EU Data Protection Directive, the U.S. Children's Online Privacy Protection Act of 1998 (COPPA), and the U.S. Computer Fraud and Abuse Act (as amended 1994 and 1996). In the interest of developing a common set of industry best practices for privacy, we invite the community and other interested parties to participate in an open dialogue...

The core principle driving these guidelines is:

Customers will be empowered to control the collection, use, and distribution of their personal information.

For customers to have control over their personal information, they need to know what personal information will be collected, with whom it will be shared, and how it will be used. In addition:

  • Customers must provide consent before any personal information is transferred from their computer.
  • If a customer's personal information is transferred over the Internet and stored remotely, they must be offered a mechanism for accessing and updating the information.

Before collecting and transferring personal information, you, as the entity requesting the information, must have a compelling business and customer value proposition. A value proposition that benefits customers may create a natural incentive for them to entrust you with their personal information. Only collect personal information if you can clearly explain the net benefit to the customer. If you are hesitant to tell customers "up front" what you plan to do with their information, then do not collect their data. This applies to data collected and stored locally on the customer's machine or transferred over the Internet...

One of the best ways to protect a customer's privacy is to not collect his or her User Data in the first place. The questions that should constantly be asked by architects, developers, and administrators of data collection systems include:

  • "Do I need to collect this data?"
  • "Do I have a valid business purpose?"
  • "Will customers support my business purpose?"

The answers must explicitly address both the primary use of the customer's data (such as providing the feature or service the customer is requesting) and any planned secondary use (such as marketing analysis). Only collect data for which there is an immediate planned use. In addition, only transfer data that is absolutely necessary to achieve the business purpose, reduce the sensitivity of the data retained (e.g., aggregate data where possible), and delete data that is no longer needed for the business purpose.

Another important area to consider is how customers will react to the collection of their data. For example, while one customer may appreciate product recommendations derived from his or her purchase history, another may see such personalization as an invasion of his or her privacy...

The longer data is retained, the higher the likelihood of accidental disclosure, data theft, and/or data growing stale. User Data should be retained for the minimum amount of time necessary to support the business purpose or to meet legal requirements. Any User Data stored by a company should have a retention policy that states how long the data should be kept and the manner in which it should be removed from all data stores...

All products and services that collect User Data and transfer it must provide an explanation ("give notice") to the customer. The customer must be presented with a choice of whether to provide the information, and consent must be obtained from the customer before PII can be transferred from the customer's system. The type of notice and consent required depends on the type of User Data being collected and how it will be used...

Security is an essential element of privacy. Reasonable steps should be taken to protect PII from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Preventive measures include access controls, encryption in transfer and storage, physical security, disaster recovery, and auditing. Security requirements vary depending on the type of User Data collected and whether it will be stored locally, transferred, and/or stored remotely. When storing Sensitive PII on a customer's system, it must be stored using appropriate security mechanisms to prevent unauthorized access (e.g., file permissions and encryption). Sensitive PII transferred to or from a customer's system over the Internet must be transferred using a secure method that prevents unauthorized access...

[My thanks to Cameron Wilson of USACM for a pointer to this document.]
