Privacy has been top of mind for many people lately, and for all kinds of reasons. Much of the public discussion has focused on government access to data, which I addressed in my recent keynote comments at the RSA Conference and in a related blog post.
But the future of commercial data privacy models is also getting attention. As an example, our General Counsel, Brad Smith, recently announced an important change at Microsoft to better protect customer privacy.
I discussed Microsoft's perspective in a speech to the International Association of Privacy Professionals' Global Privacy Summit in early March, and I want to share more of our thinking here.
The availability of data is rapidly changing how businesses operate. Generating and processing large and diverse pools of information -- also known as "big data" -- allows companies to offer rich value-added services to customers.
Today, your mobile phone reads you turn-by-turn directions to the nearest gas station. Soon, your refrigerator might order milk by itself, or your medicine cabinet might send an email to remind you to take medication. The analysis of large data sets may also have important societal benefits, such as helping health organizations to spot outbreaks of contagions. We are only beginning to understand the future of interactions between people and various devices, a concept known as the "Internet of Things."
The changes ahead will create a whole range of new privacy challenges. However, the rules regarding privacy issues have not kept pace. Many of the seminal documents regarding privacy practices were written decades ago, including the U.S. Privacy Act of 1974 and the OECD Guidelines of 1980.
At Microsoft, we believe it is time to update global privacy models to enhance data protection for consumers. In support of this effort, we have been convening global conversations as Trustworthy Computing Chief Privacy Strategist Peter Cullen outlined in a recent blog post. Most recently, Peter and other privacy experts participated in a panel on the topic, and you can watch a video replay to hear more of the current thinking on the issue.
The privacy issues we're discussing are not really new -- we've known for some time that data collection concerns were building. In fact, I noted the challenges two years ago in a paper called TWC.Next:
... In this new world, it seems increasingly clear the privacy challenges posed by a data-centric society cannot be addressed adequately by traditional privacy principles which focus heavily on the collection of data and the notices provided at the time collection occurs.
While notice and consent are important tools to preserve, the current model relies too heavily on the concept. Under this model, notice involves people reading numerous lengthy, complex privacy statements about what data will be collected by online service providers and how it's going to be used. Consent involves the individual clicking a box agreeing to those terms.
The current approach overly burdens the user. Researchers have shown that that reading all of the privacy policies an average Internet user encounters in one year would take 76 work days. Most people just skim the privacy statement, click "accept" and move on.
In addition, information about you might not be collected directly from you. For example, a bank will use your credit score to decide whether to lend you money. But it might also look at your friends on Facebook to see if they have reliably paid back their loans. In that example, what did the bank collect from you and what notice did you get?
Another challenge in the current data protection model relates to the specification of data use when it's collected. We can inform individuals what will happen to their data today, but what happens when organizations develop new services or data use models? It's important to allow for future innovation - which might offer great personal and societal benefits -- without undermining reasonable expectations of privacy.
So, what is the path forward?
First, we need to evolve toward a model that retains the value of notice and consent, but shifts the focus of data protection to the use of information by accountable organizations.
Increased organizational accountability will enable organizations to keep leveraging data to drive valuable service innovations while adhering to privacy models that protect reasonable expectations of privacy.
This will require new enforcement models, with resources to tackle the oversight challenges that are emerging in a data rich world, with increasingly ubiquitous computing.
I'm optimistic that we'll find the right way forward, balancing the important benefits that data collection enables with the equally important need to preserve and enhance consumer privacy protections.
For more information, I'd invite you to read two recently published white papers that outline important new thinking on this topic: Data Protection Principles for the 21st Century and Data Use and Global Impact.