Microsoft & Computer Security, Privacy, & Online Safety
July 2007
At Microsoft, our customers’ computer security, privacy, and online safety are top priorities. For that reason our Chairman Bill Gates launched Trustworthy Computing (TwC) in 2002, and we are today reaching out to leaders in government, law enforcement, non-profits, and the private sector in a broad-based effort to advance four core principles:
• Security: online systems should be safe from attack and unwanted intrusions by viruses, worms, or other malicious software.
• Privacy: Internet users should be free from fear that their personal and financial data will be stolen and used by others without their consent.
• Safety: all Internet users should be free of harassment or exploitation. It is especially vital that our children be free to explore the wonders of the Internet without being harmed by inappropriate content or threatened by predators.
• Critical Infrastructure Protection (CIP): society’s critical services – from banking to communications, transportation, energy, healthcare, and government – must be made safe, reliable, and secure.
Microsoft is making progress in all four areas, innovating new software technology that builds security into software from the beginning; empowering Internet users through education, privacy protection, and improved regulatory and legal standards; and creating a culture of safety in collaboration with others in industry, business, law enforcement, and government.
The Promise and the Problem
The promise of the Internet has only begun to be realized as a catalyst of innovation, education, and expanding global economic growth. Left free to realize that promise, there are few areas of our lives that cannot benefit dramatically from this “new interconnected world.”
Yet this miracle of positive change is threatened by a new kind of vandalism, harassment, and outright criminality. Concerns about the collection and use of personal data have the potential to erode public confidence in digital commerce. Spam, once just an annoyance, has become a very real threat to computer security and even endangers the viability of e-mail communications. Criminals impersonate legitimate companies to perpetrate identity theft. Child predators prey upon unsuspecting minors. And computer viruses, worms, and other malicious software have become increasingly sophisticated in penetrating the ever new defenses arrayed against them.
MICROSOFT’S STRATEGY FOR CYBER SAFETY
These complex and unpredictable challenges require flexible and comprehensive responses. Microsoft is pursuing a multi-pronged strategy that: 1) builds security into our software from the beginning; 2) empowers Internet users; and 3) creates a culture of safety in collaboration with other companies in the industry, businesses, law enforcement, and government.
Building Security into Software from the Beginning
Microsoft is committed to strengthening our software’s defenses against attack: our goal is to create products that are secure by design, secure in their default mode of operation, and secure when deployed.
• Trustworthy Computing: In January of 2002, Microsoft fundamentally changed the way we design and develop software when we launched Trustworthy Computing. The ramp-up of TwC brought the work of 8,500 software developers (the company’s headcount at the time) to a temporary halt and delayed the release of Windows Server 2003, costing the company over US$200 million. But it produced a generational leap in the defense against cyber attack.
• Windows Vista: Microsoft’s Windows Vista – the most secure operating system in company history – was designed from the beginning with security in mind. Vista designers employed the Security Development Lifecycle, or SDL, an innovative software development method, which now applies to all of our products that connect to the Internet (some 90 percent of our product offering). While the Internet changes too rapidly for any software to be 100 percent secure and still provide an effective user experience, the SDL enables significant reductions in the kinds of vulnerabilities that hackers and cyber-attackers exploit.
• Security Updates: Because a rapidly changing Internet means a continually evolving threat, Microsoft issues monthly security updates that are available to all through Microsoft Update. Scheduled updates bring consistency and predictability for customers both large and small, from those managing complex enterprise systems to small business owners and consumers.
• Critical Infrastructure Protection Team: In December 2006, Microsoft formed a dedicated Critical Infrastructure Protection Team in order to continue to drive strategic change both at Microsoft and with partners. Our goal is to enhance the security of critical infrastructure – banking, communications, transportation, energy, healthcare, and government services – by increasing the trustworthiness of software and IT services, and by collaborating with governments and critical infrastructure providers to reduce and manage risks.
• Our Quick Response Team: Because cyber attacks are inevitable no matter how good the software, we have created the state-of-the-art Microsoft Security Response Center (MSRC) to immediately investigate any reported vulnerability and to swiftly build and disseminate security fixes.
• Spam Blockers: Microsoft deploys robust filtering and blocking technology to fight the epidemic of spam, which by some estimates makes up two-thirds of all e-mail traffic worldwide and threatens the very viability of the Web.
Empowering Internet Users
Educating consumers about the actions they can take to improve their computer security, enhancing their privacy protections, and giving them better tools to safeguard their personal information and their children’s well-being – these are all part of our campaign to empower the consumer.
• Educating the Consumer: To help customers better manage external threats to their computers, Microsoft launched the “Protect Your PC” campaign, which now incorporates the Security At Home site on Microsoft.com. These resources – available in 41 markets and translated into 29 languages – offer advice on how to protect children online, combat and reduce spam and so-called “phishing” attacks, and preserve online privacy.
• Giving Parents Better Tools to Help Protect Their Children: We’ve built advanced Parental Controls into Windows Vista to help guide and protect children’s Internet usage, including settings that allow parents to set up separate accounts for each family member, customize content, and access detailed activity reports about Web sites visited, total time spent online, and information about interactions in chat rooms and at social networking Web sites. In addition, Windows Live OneCare Family Safety is a free Web-based service to aid parents in blocking inappropriate content and creating a safer online experience for their children.
• Helping the Consumer Take Control: Microsoft empowers users to take privacy protection and safety into their own hands with a broad range of technologies built into the Microsoft Windows operating systems and other products, as well as our Windows Live offerings.
  o For example, Xbox and Xbox 360 are designed to provide a safer, age-appropriate experience for all users, with parental controls and Xbox 360’s Family Safety Settings that give parents the ability to customize their children’s playing environments. Xbox 360 recognizes game-rating systems from countries around the world, allowing parents to decide the maturity level of games they want their children to play.
• Building Privacy Protections in From the Start: The Microsoft Privacy Standard for Development (MPSD) ensures that customer privacy and data protections are systematically incorporated into the design, development, and deployment of our products and services. Among other things, the MPSD includes detailed guidance for creating notice-and-consent experiences, providing sufficient data-security features, and maintaining data integrity.
• Clear Communications: In an effort to clearly communicate to customers the extent of the company’s use of their data, Microsoft has instituted a “layered” privacy notice that provides summaries of our practices with links to full statements and relevant
Building a Culture of Safety
Microsoft engages at multiple levels with industry, business, law enforcement, and government to create an expanding culture of safety in which all work together to find solutions, mitigate risks, and promote best practices. These efforts include formal legal actions; support for global law enforcement against spammers, perpetrators of Internet fraud, and child predators; advocacy for comprehensive privacy legislation; and leadership on a variety of industry-driven computer security and online safety initiatives.
Additionally, Microsoft provides technical assistance to local, state, and national legislatures drafting bills on content regulation, child safety, social networking, spam, online fraud, and malicious and deceptive software. Indeed, we support efforts to strengthen and harmonize worldwide privacy laws, increase punishment for perpetrators of crimes against children, and establish formal, mandatory Internet safety education programs in schools.
At the same time, we must be careful that the desire to protect does not choke off the wellspring of innovation the Internet offers. As a general rule, we believe that governments should allow self-regulation to demonstrate its efficacy, and that while ratings, labels, and other such mechanisms are useful in many contexts, they should not be mandated by law. In some cases, however, regulation will be urgent and necessary, such as in the prevention of criminal activity and child exploitation. In such cases, Microsoft is a leader in the effort to help governments and law enforcement fashion laws that are effective because they are clear, precise, and narrowly tailored to the specific issue at hand.
• Strengthening the Rule of Law: Microsoft has been a leader in a number of initiatives to increase the legal protections of Internet users.