Microsoft Cloud Gets Data Privacy Promise

John Lister's picture

Microsoft has signed up to an international standard for protecting customer privacy with online data. Among other measures, Microsoft promises to tell customers when the government demands access to their data.

The company has followed ISO standard number 27018, which are guidelines set forth by the International Organization for Standardization. It's an attempt to set internationally recognized rules and regulations for the way "personally identifiable information" is handled in cloud services, and where data is stored or processed online rather than on the user's own computer.

Four Microsoft products and services have been independently verified as meeting the standard and include: Office 365; Microsoft Azure, an online processing and storage service; Dynamics CRM Online, a service for running customer databases; and Intune, a service for remotely managing mobile devices.

Key Data Principle: Customer in Control

Meeting the ISO standards includes following five key principles. The first is that customers retain control over their personal data, and that Microsoft only ever process it in line with customer instructions.

Secondly, Microsoft has committed to transparency. It says it will tell customers how and where their data is used and stored, inform them of any third-party involvement or access, and tell customers about any access breaches.

Thirdly, Microsoft must follow several technical rules about the way it handles and transmits data to ensure security. Thus, all staff with access to personal data must be under an enforceable confidentiality agreement.

The fourth principle is that Microsoft will not use any personal data for advertising purposes. That appears to cover Microsoft ads as well as third-party advertising.

Government Snooping to be Revealed, When Allowed

Finally, Microsoft says it will inform customers if law enforcement and other government agencies request access to their personal data. The big catch here is that this promise doesn't apply if the agency making the request has or gets the legal authority to demand Microsoft keep the request secret.

While the move is certainly a positive for privacy-conscious users, it also appears Microsoft has strong commercial reasons for agreeing to the standard. It could be a selling point to businesses that want to use cloud-based services but need to show shareholders and regulators that they are demanding serious privacy measures.

In particular, one source quoted by GigaOm noted arch-rival Google will never sign up to the standard because it could never agree to the rules about advertising. Microsoft has repeatedly highlighted Google's use of customer data as a way to personally target ads.

What's Your Opinion?

Do you welcome Microsoft agreeing to the standard? Does it mark a serious commitment to privacy, or do you see it as more of a public relations exercise? Would meeting a standard like this make you more likely to use Microsoft's cloud-based services?

Rate this article: 
Average: 5 (3 votes)


Dennis Faas's picture

With the exception of Office 365, I'm not sure how Microsoft will enforce these data collection rules if the businesses that use their cloud services have free reign over their own programming (as most would). For example, a business could deploy a website using Azure, then collect user data from online web forms, then turn around and sell that data to third parties or even remotely store the data the moment it is collected. I don't see how Microsoft can monitor and actively prevent things like that from happening.

rich4150's picture

Microsoft's promise is to its customers, not to the clients of those customers. Microsoft's promise is about its own activities, not its customers' activities. If you run a business website that's using Azure, Microsoft's promise applies to your business. If your clients provide data to your website, their data relationship is with your business, not with Microsoft.

stooobeee's picture

A secret only remains a secret when you do not tell anyone. After that, there is no assurance of privacy!

JimBo's picture

John wrote "catch here is that this promise doesn't apply if the agency making the request has or gets the legal authority to demand Microsoft keep the request secret".

That's the deal breaker. For those who don't know, National Security Letters are issued by the hundreds to entities of interest by our government. These letters are legalized by a "secret" federal court. The recipient of such a letter cannot divulge, under penalties, that the letter was even received. Directives outlined in the letter must be performed under the rule of law without exception and cannot be generally announced to the public or appealed.

Don't believe me? Do some fact checking.

So, the simple question that Microsoft cannot answer is - how many of these letters have they received and, of those, how many resulted in software changes to the installed base of Windows users or servers? I don't think you would like the answer if it could be given.

Of course, the intent of our government is to protect us by watching over what we do but if you carry that out you can see some not so good endings. For major technology contributors like Microsoft who have changed our everyday lives, it must be very perplexing for them to be forced into what must seem to be an exceedingly dishonest position to hold. That's not America!

For example, consider that if Microsoft were forced to install a secret backdoor into everyone's Windows system, wouldn't it make for a clever, ready made, access point for hackers once they determined its presence. The spy -vs- spy game is all about one upping and is usually time critical but then, who gets left in the dust?

One last thing - A quick simple question for Dennis - Have you or your company received a National Security Letter?

If he doesn't answer this question (and I'm sure he reads all these posts), you'll know what that means. I do believe he is honorable and would not lie to protect his business by giving a "No" answer if received or, would it simply be OK to say no if that's the government's expectation for him? Avoidance of the question is effectively a yes answer. Please - we need more thoughts and opinions on the subject of how to deal with this problem and how it is undermining our trust in information products we use daily.