
Microsoft Calls for National Privacy Law

Microsoft Corp. today called on Congress to enact a new federal privacy law, a move that is sure to prompt lawmakers to consider whether consumer privacy both online and offline should go further than merely requiring companies to notify people when their personal and financial data is lost, stolen, or inadvertently disclosed.

In an eight-page document released on Capitol Hill today, Microsoft outlined a series of steps it would like to see Congress take to preempt a growing number of state laws that impose varying requirements on the collection, use, storage and disclosure of personal information.

Microsoft said any federal privacy law should require data keepers to notify people of any material changes in company privacy policies or if a data breach, theft or loss jeopardizes the security of their personal information. Microsoft also said consumers should have a right -- within reason -- to view any information a company holds about them.

Perhaps most significantly, Microsoft said consumers should have at least some control over how their personal information is used and disclosed. Specifically, Microsoft said the federal government should require data keepers to obtain people's consent before disclosing or sharing their information for "secondary purposes" -- apparently meaning purposes unrelated to why they provided the information in the first place.

Last, but not least, Microsoft said organizations that maintain private consumer information should have to meet some kind of national standard to prove they have at least taken reasonable steps to protect that data from hackers, viruses, or other kinds of loss, theft or disclosure.

This strikes me as a good beginning, and Microsoft's vision of a federal privacy law should help jump-start a larger debate that launched way back in the late 90s but has since stalled.

A lot of people may be uncomfortable with Microsoft prodding lawmakers on privacy issues, but I think their approach is a sane one: If Congress passes a general privacy law that fairly and sensibly addresses the issues of consent, security, notification and control, then to a large degree that would eliminate the need to spend vast amounts of time on other, more problematic types of legislation relating to spyware or phishing, for example.

To the extent that Congress has been addressing consumer privacy issues at all, it has focused mainly on heading off the states from passing a patchwork of different data-breach-notification laws, which 21 of them have now done. In fact, two separate congressional committees are voting on notification legislation today.

I find it interesting that Microsoft has come so far in its stance on privacy issues over the years. Just five or six years ago, it was a strong and vocal advocate of industry self-regulation on privacy. Now, it has effectively embraced the very principles espoused by groups as diverse as the Center for Democracy and Technology (CDT), American Civil Liberties Union (ACLU) and Electronic Privacy Information Center (EPIC).

CDT President Jerry Berman praised Microsoft's move as "a landmark moment in the cause of establishing and protecting individual privacy rights online. ... While we have not reached consensus on all of the provisions of a privacy bill, we applaud Microsoft's willingness to work actively with other high tech companies, consumer organizations and policymakers."

Chris Hoofnagle, EPIC's senior counsel, agreed that Microsoft's position has softened significantly over the years. He noted that it was opposition from Microsoft and Hewlett-Packard that derailed an industry-friendly privacy bill from Rep. Cliff Stearns (R-Fla.) that was quickly gathering support a few years ago.

"Microsoft is being more assertive now and it shows that the company is maturing," he said.

Still, the devil will be in the details, Hoofnagle cautioned, noting that Microsoft's statement of principles says the company supports "consumer opt-in" -- the consumer's advance permission would be required -- for sharing of sensitive (e.g., financial or medical) data but supports "opt-out" -- data can be shared unless the consumer explicitly says "no" -- for every other kind of information.

"Most companies don't hold sensitive data, and letting most companies get away with opt-out is a problem because most consumers believe that just because a company has a privacy policy ... it doesn't share data with others," Hoofnagle said. "And that would need to be made clearer."

ACLU legislative counsel Timothy Sparapani also praised Microsoft's move, but cautioned that any federal privacy law would need to include safeguards for data gathered by commercial data brokers. That includes companies like ChoicePoint and LexisNexis, both of which had fairly large security breaches that exposed sensitive data on thousands of consumers, most of whom had no idea these companies held such information about them (much less routinely sold it to the government and other companies).

Almost any time Congress passes a law that tells companies how they should act, lawmakers exempt themselves and the government at large from the same requirements. But that cannot happen with respect to privacy legislation, Sparapani said.

"This issue needs to be seen in the broader, post-9/11 context that information is power and access in our society, access not only to secure places but to people's personal and financial well-being," Sparapani said. "We welcome the people with the butterfly logo to the debate, but we need to be sure [of] a broad push that really will provide citizens with the ability to enforce the commodification of their own personally identifiable information."

By Brian Krebs  |  November 3, 2005; 1:05 PM ET


There's a major loophole here, one that I've seen in the financial realm...

" should require data keepers to notify people of any material changes in company privacy policies or if a data breach, theft or loss jeopardizes the security of their personal information."

If you're incapable of detecting a harm, no foul.

I used to work at a financial services company, and while a significant amount of data was maintained on individuals (this company provided identity theft protection products, and had tie-ins to the big three credit reporting agencies, major banks and credit cards, etc.), it was amazing to me that there was literally nothing in the way of monitoring, even from simply a network infrastructure perspective.

Yes, there were customers in CA. Yes, sweeps would find copious amounts of spyware on systems. However, due to lack of staffing, security funding, etc., the only time we knew we had an incident was if it was *really* obvious.

So, a federal (rather than just state) law requires a company to notify people if there's a breach. One would think that the cost of notification, added to both the hard and soft costs of publicizing a breach, would be reason enough to (carefully, thoughtfully) invest in security. NOT!

Posted by: H. Carvey | November 3, 2005 1:44 PM | Report abuse

The devil will be in the details. Note, the law proposes over-ruling state law, therefore good law must be in place. A great start that MS is doing this, and ultimately banks, online retailers, etc. should also line up in self interest, even though it may cost them some revenue for 'secondary' purposes. I think the aggregators are the big question, how do they get regulated: they ARE secondary purposes...

Posted by: Dave H | November 3, 2005 3:51 PM | Report abuse

I'll back the vole, Microsoft, when they stop introducing "holes" into the software that allow packets to escape into the clutches of the web backbone "supercomputing center sniffers."

Posted by: Habanero | November 3, 2005 8:04 PM | Report abuse

Maybe Microsoft wants to require Google to verify all the information they have before making it available for web searches.

Posted by: Eric | November 3, 2005 9:27 PM | Report abuse

Maybe Microsoft wants to require Google to get permission from everyone involved before making it available for web searches.

Posted by: Eric | November 3, 2005 9:33 PM | Report abuse

Try this on for size. MS lobbies to get a federal privacy law passed and wins all kind of praise for their altruistic efforts.

Law gets passed albeit with a loophole or two. MS is once again praised as a driving force behind the legislation.

Brief interlude.

MS and other prospective info peddlers, under cover of consortium, lobby congress to "reform" the existing legislation in order to make it more business friendly.

Surprise! The revised version provides all the privacy protection of a holey blanket. The states can do nothing because their laws are superseded. The backlash is largely dissipated because of the number of reform supporters. MS takes a lump or two but pockets millions while avoiding the costly prospect of having to adjust its strategies to deal with maverick states that might actually give a bleep about their citizens' privacy. Who ya gonna call?

Sounds like a win, win, win for Billy Gates to me.

Posted by: LaserSight | November 4, 2005 10:03 AM | Report abuse

The Direct Marketers did the same thing. Opposed anti-spam legislation for as long as they possibly could, then when states (California) passed opt-in laws with teeth, they did a 180, called for "anti-spam" legislation, and managed to pass pro-spam legislation that pre-empted state law.

Posted by: A. Kelly | November 4, 2005 10:37 AM | Report abuse

This is coming from an entity which has a time honored history of violating consumers' privacy, including spyware in instant messaging software, hidden browser caches in Internet Explorer, and fingerprints in MS Office documents. But Bill Gates suddenly found moral outrage regarding privacy issues?

More likely, given the player involved, is the probability that a single law makes it easier to get around. Better a patchwork of state laws which, given the global nature of the internet, requires constant vigilance and compliance with the most restrictive of those laws, lest a transaction run afoul of the most restrictive of those laws.

This way, even consumers in a state which has not passed effective privacy legislation can still benefit from the restrictions imposed by other states. While it is true that in this case consumers would be affected by law over which they had no voice, the same can effectively be said of a federal law with the difference being that at least with a patchwork of state laws there is a greater chance that the laws will benefit consumers rather than a handful of campaign funds.

Posted by: Phil | November 4, 2005 2:40 PM | Report abuse

Microsoft is on the right track, realizing that it will take federal legislation to solve the identity crisis. For over ten years I have been advocating the passage of such federal legislation to give consumers control over their names and personal data, and be paid for its use. It would significantly curb identity theft and the individual's portion of the proceeds from the sale of their name and personal information could be used to supplement their Social Security.

In 2005, I turned activist, from my former job in junk mail of selling your name and personal data, and launched my blog, The Dunning Letter. You can read all about it in my some forty articles at:

Jack E. Dunning
Cave Creek, AZ

Posted by: Jack E. Dunning | November 5, 2005 4:42 PM | Report abuse

© 2010 The Washington Post Company