Past problems help Microsoft stay focused on data protection

Earlier run-ins on the issue have helped the company by serving as a warning against complacency, says its head of privacy in Europe, Marie-Charlotte Roques-Bonnet


Just how secure is your data? For most people, that question will be met by a blank stare or a shrug as they continue to use their free social-networking accounts, fill out their user profiles for web email accounts or simply allow their gadgets to “talk” to each other and share data.

Until not so long ago, consideration was rarely given to where this data went or who had access to it. Now privacy has become a hot topic. It has been dragged into the spotlight on numerous occasions, with Edward Snowden’s revelations about the National Security Agency’s Prism project among the more shocking. Then came the European Court of Justice’s ruling on the right to be forgotten, which effectively turned Google into a gatekeeper. Facebook campaigner Max Schrems is making noise in Europe over Facebook and its practices, with the Office of the Data Protection Commissioner caught up in the maelstrom.

Microsoft has had its well-documented run-ins with European authorities. These have been mainly limited to antitrust proceedings, which stretch back to the late 1990s and have since been resolved. But Microsoft hasn’t been spared the fallout. The company found itself being backed by Europe when it took a stand against the US courts over a request to hand over data located on servers in Ireland. It was also one of the firms that initially took part in the National Security Agency’s Prism project.

Requests

Microsoft, like many other large multinationals engaged in this area, has also found itself the subject of requests by law enforcement agencies. More than 30,000 requests for data from Microsoft, covering almost 53,000 accounts, were made between January and June last year. A request, however, doesn’t necessarily mean that law enforcement bodies get what they’re looking for.


The company’s head of privacy in Europe, Marie-Charlotte Roques-Bonnet, was in Dublin recently to speak at the Irish Centre for European Law’s annual conference on IT law. She thinks that Microsoft is doing pretty well on the privacy front, although the company insists that it won’t sit back and become complacent. The multinational, like others of its kind, is treading a line between data privacy rules in the US and in Europe.

Despite the view from some quarters that European data protection and privacy rules are more stringent than those in the US, Roques-Bonnet says that is not strictly true.

“The radical and the main difference, I think, is that we have a somehow more bureaucratic approach in the EU, with notifications – that is kind of the basis for everything – and we have notice and consent,” she says. “In the US, it would be absolutely the same, but implemented in a way that would be consumer-oriented and not obviously in a way that is [data protection authority]-oriented.”

The EU approach is based on principles and theory, she says, while the US takes a more user-friendly approach. “It is really striking that EU policymakers perceive themselves as [having] high standards. On the principles, they’re right, but on the implementation, it’s radically kind of the opposite.”

Part of the problem is that, at present, companies in Europe often work with different interpretations of the same directive, because all 28 member states have enacted their own laws based on the 1995 EU Data Protection Directive.

This has led to a situation where there are different levels of data protection across the member states, with limited enforcement options and regulations that predate much of the technology in common use today.

One-stop shop

There are moves to update data privacy rules in Europe, probably by adopting a one-stop-shop model that would allow citizens to file complaints in their country of residence instead of where companies are headquartered.

Decisions can be appealed to a pan-European body, the European Data Protection Supervisor.

It’s not just for big companies. Things need to be made easier for consumers too. Faced with large volumes of text masquerading as user agreements, most people won’t bother reading them before installing apps on their phones. Roques-Bonnet admits that occasionally she doesn’t read the fine print either.

“I’m deeply committed to data protection, but sometimes I skip the terms of service and click yes, because I’m in a rush and I don’t want to bother,” she says.

Windows 10 and privacy

Privacy was a consideration when Microsoft was developing its new product Windows 10, the operating system set to debut at the end of July. But developing the software has thrown up a few data protection issues.

Roques-Bonnet points to the use of alternative security measures. Using Windows Hello, with its biometric data, would be more secure than a password, for example, but if it was the only way to log into Windows 10, some people would be understandably reluctant to use it.

“Microsoft is different. We’re a software company. It’s not like social networking, it’s not like free services,” she says. “We have paid services that should be highly secure. We could, for good reasons and in good faith, decide to have some products mandatory. We decided not to do so even if it really brings something to the service we provide – the quality, the reputation of the company – because of being fully aware that privacy is absolutely key and that trust is based on an opt-in approach.”

In fact, the biggest conflict is found not in the boardroom, with executives from both sides of the Atlantic, but with designers who often don’t consider the privacy implications of their work.

“They innovate all the time,” says Roques-Bonnet. “And they don’t really understand that sometimes we say ‘you should disclose this information’ or ‘oh no, it is too risky on the security side’.”

She cites the Internet of Things and connected wearable devices as one area where conflicts can arise.

“On such a tiny device you cannot secure it properly, so we see privacy risks that data would be accessed so easily,” she says. “Sometimes there is this clash between them innovating so much – we are really proud of them – and then there’s us saying ‘yes, but it’s not secure enough’.”

All this indicates how complex the issues have become in recent years. Technology, while it has made our lives easier in some ways, has made them harder in many more. Things that were once concrete, clearly defined, have taken on a more fluid character.

Take data, for example. Microsoft has been publicly fighting requests from the US government to hand over data held on servers outside the US, but unlike the days of old, when information was stored on physical media in fixed locations, the advent of the cloud has made everything more complicated.

“Let’s not hide ourselves from reality and say it’s just about having some tools [to adapt to] the world we are living in. Ten years ago we had tools that were fitting; now they don’t any more,” says Roques-Bonnet.

Clear-cut guidance

One thing she would like to see is less complex regulation and more clear-cut guidance for companies, rather than them having to interpret directives. A quicker enforcement procedure would also be welcome.

Regardless of the outcome of current talks on data protection, Microsoft intends to stay ahead of the pack.

“Some of our key competitors were kind of turning their back to EU regulators for a while, and now they’re back on track and trying to find the solutions, and understand that a long-term relationship with consumers is built on trust,” says Roques-Bonnet.

It’s what users expect, she explains.

“It’s not only for regulators, it’s for achieving something that is in line with what users would expect. I would say that we are not in a time when you can decide to hold back on data protection.

“All of our competitors have admitted that now.”