Microsoft WPC13 – Security & Privacy Update

Posted on July 10, 2013

Well, as expected, Security and Privacy were high on the list of boxes to tick for all the execs at this year’s Microsoft World Wide Partner Conference. I would like to theme it as the conference that made the commitment to ‘Trust and Security with Microsoft in Digital Life’.

For attendees who were not able to get into my Breakout Session ‘BL11 – Myth-busting data security and cloud’ because the room was packed (a fantastic turnout, thank you everyone), you can get the recording of the session and the presentation by logging into the Digital WPC website. For the rest of you, the deck is also in my own download area; if I can get clearance from Microsoft to post the audio as well I will, so please check back.

Today’s chest-thumping Keynote parade of achievements and challenges to Partners from Kevin Turner (Microsoft Chief Operating Officer) made Security and Privacy a standalone, up-front and central commitment of Microsoft to PRESERVE AND PROTECT individuals’ data. This is a bold statement that draws a line in the sand and places Microsoft clearly head and shoulders above the trustworthiness of ANY of the other commercial online entities (Google, Facebook, Twitter etc.) and Apple.

This is no mean achievement or commitment from a company endeavouring online, a company with a top-ranking online search and advertising initiative and device and application marketplaces that simply hoover up user data. The temptation to harvest and work that data would, for many, be beyond resistance; look no further than Google for that!

I see a few challenges though:

  1. My blog on this back in May, when Xbox One was announced, bubbles up some of the real challenges with their new entertainment platform ecosystem: ‘Privacy Champion at Risk – Microsoft’
  2. BING – The first keynote this week at WPC13 saw the announcement, against one of Microsoft’s main pillars ‘Big Data’, of the pending availability of BING data sets to be shared?
  3. Windows 8.1 – Doing a bit of ‘Scroogling’, it is not a privacy-friendly upgrade but looks to be a major privacy downgrade: ‘Windows 8.1 looks to follow Android’s playbook for tracking users’

Microsoft is off to a great start with the support from Twitter in the Do Not Track enablement debate that has been rumbling across the Internet; see ‘Twitter May Have Handed Microsoft A Huge Victory In Its War Against Google’.

For so long Microsoft was the lonesome white knight, the people’s privacy champion in the Browser Cookies tracking wars. Now with Twitter coming onside with Microsoft it looks like Firefox and the others will hitch their waggon to what has to be the only credible and honourable option. This leaves Google on their own and in the absence of a crowd to hide their immortals in (Facebook is probably their only companion now) their character is laid bare as parasitic data and privacy invaders.

Mr. Turner, I hold you to your word. I expect this to be driven hard, and those who default held to task in a way that will continue to send a resounding message of Trust and Security with Microsoft in Digital Life. I see three areas (there are many more) that I would suggest urgently need to be realigned with the core truth of the ‘Trust and Security with Microsoft in Digital Life’ commitment:

  1. Marketplace Apps – Robust controls constraining the harvesting of data of various classes off the device. Developers must be made to qualify with sound and credible reasons WHY they require ANY data insights from consumer devices, and to provide a dashboard where customers can review which apps are harvesting what data, in a simple tabulated view where they can retract said rights. Furthermore, where they do harvest data, they must demonstrate that that data is held in a responsible and secure way. ANONYMITY IS NOT a good enough protection. In fact I would go one step further and state that developers DO NOT get access to that data directly but have to consume it from a Microsoft-managed repository where that data can be more credibly managed and its use audited.
  2. Mobile Communication Privacy – VPN (Virtual Private Network) and Email encryption certificates supported on Windows Mobile devices.
  3. BING – Reverse the Windows 8.1 BING data harvesting updates referred to above. Diligently review the impact of the announcement to make BING data available to developers. The challenge here is the power of modern data mining algorithms, which can break down most current statistical disclosure controls. This means that data that was assumed to be anonymous can be reattached to individuals with a worryingly high success rate. In principle I could start offering a service where I legitimately take anonymous data from BING and run it against some of my large enterprise clients’ databases, which legitimately contain personally identifiable information, and because of the size of these databases there is a very high probability that the anonymous data could be reattached to identifiable records. The impact of this is exponential: as the behavioural profiles of identifiable users become richer, the statistical attachment to the anonymous data becomes easier and more accurate. You know where this is going and the end game is not pretty.
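The re-identification risk described in the BING item can be measured before a data set is released. The following is an added example, not part of the original post and not Microsoft code: a pre-release audit that computes k-anonymity and the share of singled-out records as attributes are added, over a small constructed data set whose column names and values are assumptions.

```python
from collections import Counter

# Constructed sample of a "de-identified" release: no names, only attributes.
COLUMNS = ("zip", "birth_year", "sex", "device")
RELEASE = [dict(zip(COLUMNS, row)) for row in [
    ("98052", 1975, "F", "phone"),
    ("98052", 1975, "F", "tablet"),
    ("98052", 1975, "M", "phone"),
    ("98052", 1980, "M", "phone"),
    ("98052", 1980, "M", "console"),
    ("98004", 1975, "F", "phone"),
    ("98004", 1975, "F", "phone"),
    ("98004", 1975, "M", "tablet"),
]]

def equivalence_classes(rows, quasi_ids):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in rows)

def k_anonymity(rows, quasi_ids):
    """Smallest class size: each record is indistinguishable from k-1 others."""
    return min(equivalence_classes(rows, quasi_ids).values())

def unique_fraction(rows, quasi_ids):
    """Share of records whose combination occurs once, i.e. can be singled out."""
    classes = equivalence_classes(rows, quasi_ids)
    return sum(1 for n in classes.values() if n == 1) / len(rows)

def audit(rows, columns, k_min=3):
    """Re-measure risk as each extra attribute is added to the release."""
    report = []
    for i in range(1, len(columns) + 1):
        qi = list(columns[:i])
        k = k_anonymity(rows, qi)
        report.append({"columns": qi, "k": k,
                       "unique": unique_fraction(rows, qi),
                       "release_ok": k >= k_min})
    return report

if __name__ == "__main__":
    for line in audit(RELEASE, COLUMNS):
        print(line)
```

With only the postcode the sample passes a k of 3, but each added attribute shrinks the groups until most records stand alone, which is the effect of richer profiles that the item describes.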

So Mr. Turner, look no further than your very own Microsoft Research: Cynthia Dwork and the work on Differential Privacy.