By Jane Black
Privacy proponents were elated recently when Microsoft shelved its plans to launch an information-management offering, My Services, on .NET, its platform for Web businesses. Originally dubbed Hailstorm, My Services would have created a single, central database for consumers, including personal calendars, home addresses, even your credit-card number, and then made it all accessible to friends or businesses.
This alarmed privacy advocates, who predicted that a single storage place -- especially one housed inside Microsoft -- would become a honeypot for hackers. With Microsoft abandoning the effort, Chris Hoofnagle, chief lobbyist for the Electronic Privacy Information Center, now sees a slowdown in the development of such centralized data centers, and "that's very good for privacy."
Case closed? Not so fast. Gates & Co. didn't drop the project because of privacy concerns. Rather, My Services' suspect business model forced the shift in strategy. Now, instead of creating and hosting data on its own, Microsoft plans to package My Services technology with server software, allowing any business to host its own data store. The new "federated" approach offers a clearer revenue model for partners, such as Internet service providers (ISPs) and cable and phone companies, which object to letting Microsoft -- or anyone else for that matter -- stand between them and their customers.
INHERENTLY SAFER? This opens a whole new database of worms, as far as privacy advocates are concerned. "There are trade-offs between [the] centralized and new model," says Larry Ponemon, president of the Dallas-based Privacy Council. "The new strategy could create new difficulties and risks that have to be assumed by the consumer."
Most online privacy advocates argue that when data is dispersed, it's inherently safer. If information isn't all in one place, the theory goes, it's more difficult for anyone -- marketers, hackers, government snoops -- to get a complete picture of who you are. All true. But that also makes it harder for the average consumer to figure out who has what, how they're using it, and, most important, with whom they're sharing the information. And while most Americans are concerned about privacy, they don't seem to invest significant time and effort in managing their personal data.
QUIET CHANGES. Yahoo's policy change generated front-page headlines and raised a new row in the privacy field, where advocates called the plan "unconscionable." Now, think what happens when it's not Yahoo but a small online shop that's collecting your data. Such policy changes won't make headlines. And that means without consistent legwork, you won't know who's using your personal information and for what purpose.
Microsoft says it plans to establish standards for how its powerful software can be used. Adam Sohn, product manager for Microsoft's .NET platform strategy, says he expects the company to require some level of privacy protection as part of the My Services license for consumer-focused businesses like ISPs and cable operators. Though nothing is yet set in stone, Sohn says Microsoft will work with large operators to "set the rules that everyone plays by and guarantee a consistency of experience."
By sheer force of its weight in the high-tech world, Microsoft could help enshrine these important standards. For proof, just look at its success in driving forward P3P, a privacy standard that, among other things, is designed to block data-tracking cookies from third parties. Microsoft built P3P into its Internet Explorer 6.0 browser, which was launched in December, 2001. The new version has already garnered 33% of the browser market (see BW Online, 12/14/01, "Microsoft's Cookie Monster").
Many analysts, though, have their doubts about Gates & Co.'s willingness to follow through -- and about the rules' effectiveness even if it does. Microsoft's business, after all, is selling software -- not regulating privacy on the Internet. "Microsoft is certainly going to try to safeguard privacy. It's part of a top-down trustworthy computing initiative," says Matt Rosoff, an analyst with consultancy Directions. "But I don't see that they have the same leverage in this area. And they won't do anything to hurt sales."
Hence, even if Microsoft does eventually impose these rules, it would be difficult for the software giant to ensure that clients who use its technology are adhering to them.
STRONG MESSAGE. As if affirming analysts' skepticism, Microsoft's Sohn says Redmond is "not trying to stand up and set policy." The company won't make any demands on corporate customers that use the technology for internal purposes. He believes that they should be allowed to do what they like with employee data. However, for the many companies using the technology for their dealings with external consumers, Microsoft should require that these guidelines be followed.
That would generate some good will toward the embattled software giant. Standards would also send a strong message to Congress, which, once again, is considering privacy legislation. Senate Commerce Committee Chairman Ernest "Fritz" Hollings (D-S.C.) is expected to introduce a bill on Apr. 18 that would require companies to offer opt-in policies and enforce new restrictions on e-mail spam. Taking the lead on protecting consumer data could be a real privacy win for both Microsoft and consumers.
Black covers privacy issues for BusinessWeek Online. Follow her twice-monthly Privacy Matters column, only on BusinessWeek Online.