Microsoft is "betting the company" on its ability to convince computer users that Redmond respects their privacy. So says Richard Purcell, the company's director of corporate privacy, who assumed the new position a year and a half ago and reports directly to Bill Gates and Steve Ballmer. Microsoft's latest browser comes with special privacy "controls" and, on an even grander scale, Microsoft's new .NET strategy is built upon a system where computer users store all their personal data with Microsoft. These initiatives have been greeted with skepticism from privacy advocates (see accompanying story), but Microsoft contends that they mark a major advance.
With his long rattail and somewhat groovy manner, Purcell makes a bit of a contrast with the Oxford-cloth-and-khaki uniformity of most Microsoft execs; at a recent media forum, he called on wearying participants to take "a stretch break, a bio-break." We spoke with him about the hot-button issues he's confronting.
What are the principles behind Microsoft's privacy effort?
It's not Microsoft's job to tell you what level of privacy you should get or you should demand. That's up to you. It's our job to give you the tools so you can figure your preferences for sharing personal information. It's really important to talk about IE 6 and the P3P controls in it [see accompanying story] as a privacy enabler, not a privacy enhancer.
We don't believe it's proper for [Web site operators] to take information from you without giving you something of value. We can't specify what the value proposition ought to be. We say, at the very least, you [the Web site operator] have to provide notice and consent, and it's up to you to figure out how you're going to provide value. Why should I give away my personal information without getting something for it?
Do you think people are overly paranoid about privacy on the Net?
I don't think people are overly paranoid. They are certainly paranoid. People feel somewhat victimized by technology, based largely on their powerlessness to actually influence what technology does. None of these concerns that we see today are necessarily unique to the technology space. They come from a set of data management practices that, particularly in the U.S., have been utilized for, literally, the last 40 years. Commercial companies and the U.S. government itself have essentially taken control of your personal information, removed you from that control, and used that data in exploitative ways for their own benefit. The direct marketing industry has been very, very willing to gather information, sell it to other companies, share it back and forth, combine that information in large databases from a variety of sources. Banks have been perfectly willing to sell your name and address and their relationship with you. Now, the Internet didn't create that. [But] it has accelerated the ability of businesses to very quickly spread that data, distribute it, replicate it, combine it with other data sets.
Is Microsoft gathering information on people only with their permission, as far as you know?
Oh yeah. We have a fundamental set of principles that governs all data collection. They include: notice—tell people what you are doing; choice—give them an opportunity to decide what personal information is given; access—I want to know what you know about me; security; and enforcement—how you're making sure these promises are upheld.
What about the cases in which people have uncovered privacy problems in Microsoft software?
In the Windows 98 case, an identifying number was being collected from people without providing notice, and we fixed it right away. At the same time, it was discovered that Word 97 also had a unique identifier that was contained in documents. We immediately stopped that activity and made sure it wasn't happening. That's years ago now. Microsoft, in January 2000, made a formal commitment to my authority over all the data collection practices at the company. Are we always going to be perfect? No. Have we always been perfect? No. Have we always corrected any mistakes we've made? Absolutely, we've gotten right on top of it.