Computer Security, Privacy, and Online Safety - TwC at Five Years

By Marjorie Wagner,2014-11-25 10:04

    Microsoft & Computer Security, Privacy, & Online Safety

    July 2007



    At Microsoft, our customers' computer security, privacy, and online safety are top priorities. For that reason our Chairman Bill Gates launched Trustworthy Computing (TwC) in 2002 and we are today reaching out to leaders in government, law enforcement, non-profits, and the private sector in a broad-based effort to advance four core principles:

    • Security: online systems should be safe from attack and unwanted intrusions by viruses, worms, or other malicious software.

    • Privacy: Internet users should be free from fear that their personal and financial data will be stolen and used by others without their consent.

    • Safety: all Internet users should be free of harassment or exploitation. It is especially vital that our children be free to explore the wonders of the Internet without being harmed by inappropriate content or threatened by predators.

    • Critical Infrastructure Protection (CIP): society’s critical services – from banking to communications, transportation, energy, healthcare, and government – must be made safe, reliable, and secure.

    Microsoft is making progress in all four areas, innovating new software technology that builds security into software from the beginning; empowering Internet users through education, privacy protection, and improved regulatory and legal standards; and creating a culture of safety in collaboration with others in industry, business, law enforcement, and government.



    The Promise and the Problem

    The promise of the Internet has only begun to be realized as a catalyst of innovation, education, and expanding global economic growth. Left free to realize that promise, there are few areas of our lives that cannot be dramatically benefited from this “new interconnected world.”

    Yet, this miracle of positive change is threatened by a new kind of vandalism, harassment, and outright criminality. Concerns about the collection and use of personal data have the potential to erode public confidence in digital commerce. Spam, once just an annoyance, has become a very real threat to computer security and even endangers the viability of e-mail communications. Criminals impersonate legitimate companies to perpetrate identity theft. Child predators prey upon unsuspecting minors. And, computer viruses, worms, and other malicious software have become increasingly sophisticated in penetrating the ever new defenses arrayed against them.


    These complex and unpredictable challenges require flexible and comprehensive responses. Microsoft is pursuing a multi-pronged strategy that: 1) builds security into our software from the beginning; 2) empowers Internet users, and 3) creates a culture of safety in collaboration with other companies in the industry, businesses, law enforcement, and government.

Building Security into Software from the Beginning

    Microsoft is committed to strengthening our software’s defenses against attack: our goal is to create products that are secure by design, secure in their default mode of operation, and secure when deployed.

    • Trustworthy Computing: In January of 2002, Microsoft fundamentally changed the way we design and develop software when we launched Trustworthy Computing. The ramp up of TwC brought the work, at the time, of 8,500 software developers to a temporary halt and delayed the release of Windows Server 2003, costing the company over US$200 million. But, it produced a generational leap in the defense against cyber attack.

    • Windows Vista: Microsoft’s Windows Vista – the most secure operating system in company history – was designed from the beginning with security in mind. Vista designers employed the Security Development Lifecycle, or SDL, an innovative software development method, which now applies to all of our products that connect to the Internet (some 90 percent of our product offering). While the Internet changes too rapidly for any software to be 100 percent secure and still provide an effective user experience, the SDL enables significant reductions in the kinds of vulnerabilities that hackers and cyber-attackers exploit.

    • Security Updates: Because a rapidly changing Internet means a continually evolving threat, Microsoft issues monthly security updates that are available to all through Microsoft Update. Scheduled updates bring consistency and predictability for customers both large and small, from those managing complex enterprise systems to small business owners and consumers.

    • Critical Infrastructure Protection Team: In December 2006, Microsoft formed a dedicated Critical Infrastructure Protection Team in order to continue to drive strategic change both at Microsoft and with partners. Our goal is to enhance the security of critical infrastructure -- banking, communications, transportation, energy, healthcare, and government services -- by increasing the trustworthiness of software and IT services, and by collaborating with governments and critical infrastructure providers to reduce and manage risks.

    • Our Quick Response Team: Because cyber attacks are inevitable no matter how good the software, we have created the state-of-the-art Microsoft Security Response Center (MSRC) to immediately investigate any reported vulnerability and to swiftly build and disseminate security fixes.

    • Spam Blockers: Microsoft deploys robust filtering and blocking technology to fight the epidemic of spam, which by some estimates makes up two-thirds of all e-mail traffic worldwide and threatens the very viability of the Web.

Empowering Internet Users

    Educating consumers about the actions they can take to improve their computer security, enhancing their privacy protections, and giving them better tools to safeguard their personal information and their children’s well-being – these are all part of our campaign to empower the consumer.

    • Educating the consumer. To help customers better manage external threats to their computers, Microsoft launched the “Protect Your PC” campaign, which now incorporates the Security At Home site on These resources – available in 41 markets and translated into 29 languages – offer advice on how to protect children online, combat and reduce spam and so-called “phishing” attacks, and preserve online privacy.

    • Giving Parents Better Tools to Help Protect Their Children: We’ve built advanced Parental Controls into Windows Vista to help guide and protect children’s Internet usage, including settings that allow parents to set up separate accounts for each family member, customize content, and access detailed activity reports about Web sites visited, total time spent online, and information about interactions in chat rooms and at social networking Web sites. In addition, Windows Live OneCare Family Safety is a free Web-based service to aid parents in blocking inappropriate content and creating a safer online experience for their children.

    • Helping the Consumer Take Control: Microsoft empowers users to take privacy protection and safety into their own hands with a broad range of technologies built into the Microsoft Windows operating systems and other products, as well as our Windows Live offerings.

        o For example, Xbox and Xbox 360 are designed to provide a safer, age-appropriate experience for all users, with parental controls and Xbox 360’s Family Safety Settings that give parents the ability to customize their children’s playing environments. Xbox 360 recognizes game-rating systems from countries around the world, allowing parents to decide the maturity level of games they want their children to play.

    • Building Privacy Protections in From the Start: The Microsoft Privacy Standard for Development (MPSD) ensures that customer privacy and data protections are systematically incorporated into the design, development, and deployment of our products and services. Among other things, the MPSD includes detailed guidance for creating notice-and-consent experiences, providing sufficient data-security features, and maintaining data integrity.

    • Clear Communications: In an effort to clearly communicate to customers the extent of the company’s use of their data, Microsoft has instituted a “layered” privacy notice that provides summaries of our practices with links to full statements and relevant


Building a Culture of Safety

    Microsoft engages at multiple levels with industry, business, law enforcement, and government to create an expanding culture of safety in which all work together to find solutions, mitigate risks, and promote best practices. These efforts include formal legal actions; support for global law enforcement against spammers, perpetrators of Internet fraud, and child predators; advocacy for comprehensive privacy legislation, and leadership on a variety of industry-driven computer security and online safety initiatives.

    Additionally, Microsoft provides technical assistance to local, state, and national legislatures drafting bills on content regulation, child safety, social networking, spam, online fraud, and malicious and deceptive software. Indeed, we support efforts to strengthen and harmonize worldwide privacy laws, increase punishment for perpetrators of crimes against children, and establish formal, mandatory Internet safety education programs in schools.

    At the same time, we must be careful that the desire to protect does not choke off the well-spring of innovation the Internet offers. As a general rule, we believe that governments should allow self-regulation to demonstrate its efficacy, and that while ratings, labels, and other such mechanisms are useful in many contexts, they should not be mandated by law. In some cases, however, regulation will be urgent and necessary, such as in the prevention of criminal activity and child exploitation. In such cases, Microsoft is a leader in the effort to help governments and law enforcement fashion laws that are effective because they are clear, precise, and narrowly tailored to address the specific need of the issue at hand.

    • Strengthening the Rule of Law: Microsoft has been a leader in a number of initiatives to increase the legal protections of Internet users.

        o Microsoft aggressively targets spammers and scammers with litigation. Since 2003, the company has taken more than 500 legal actions against spammers and “phishers” worldwide.

        o Microsoft advocated for the U.S. CAN-SPAM Act that took effect in January 2004, expanding civil and criminal penalties for fraudulent and deceptive spam.

        o Microsoft was one of the first organizations to embrace the Safe Harbor privacy principles developed by the U.S. Department of Commerce and the European

        o Microsoft serves as an advisor on privacy-focused legislative and framework proposals now under consideration at the Asia-Pacific Economic Cooperation (APEC) forum, and in China, Singapore, India, Mexico, and in other nations and with organizations around the world.

        o In the U.S., Microsoft has teamed with eBay, HP, and the Center for Democracy and Technology to launch the Consumer Privacy Legislative (CPL) Forum. The CPL Forum advocates for comprehensive federal privacy legislation that would apply to all organizations and industries; cover online and offline transactions; be consistent with global standards; increase clarity and transparency in the collection, use, and disclosure of personal data; and provide individuals with increased control over the use and disclosure of their information.

    • Critical Infrastructure Protection (CIP): Working with our government partners and industry peers, Microsoft is committed to protecting the cyber-security of our critical infrastructure by investigating, preempting, detecting, and deterring cyber-criminals. Our multi-pronged effort includes:

        o Promoting more secure software development processes like Microsoft’s Security Development Lifecycle;

        o Building information-sharing relationships and incident-response capabilities to respond to and prevent globally significant threats;

        o Implementing next-generation-network technology security to increase communications capability and resiliency;

        o Advocating for information security research to prepare for future challenges, solve existing difficult problems, and create the academic knowledge base that will enable us to keep infrastructures secure; and

        o Promoting and evangelizing best practices and security awareness.

    • Protecting Our Children: Microsoft is committed to making the Internet a safer, more secure experience for the world’s children. A Microsoft survey revealed that online conversations with strangers are the top concern of parents with children ages 10-12 (70%) and 13-17 (65%). Their concerns are not misplaced. Studies indicate that a significant portion of children online inadvertently come into contact with sexually explicit material or have been solicited or harassed. A further complication: children are well-versed in the technologies of the online world, yet they don’t understand the very real risks they may face. Meanwhile, most parents do not understand the technology nor are they knowledgeable about or fully appreciative of the potential dangers.

    We are working in three areas to respond to these issues: 1) we collaborate closely with law enforcement agencies around the globe, 2) we develop technology to help limit children’s exposure to inappropriate content and potential threats to their safety, and 3) we provide practical advice to children and parents on how to recognize and respond to “stranger danger,” thereby creating a safer and more rewarding Internet experience.

        o Microsoft works closely with both the National and International Centers for Missing and Exploited Children (ICMEC, NCMEC), as well as Interpol. In December 2003, Microsoft, ICMEC, and Interpol teamed to co-sponsor intensive training sessions for law enforcement personnel on computer-facilitated crimes against children. As of May 2007, more than 2,200 international law enforcement officers from 105 countries have been trained in 25 sessions held in various worldwide locations.

        o In June, 2006, Microsoft, AOL, EarthLink, United Online, and Yahoo! announced a partnership with NCMEC to create a new Technology Coalition at NCMEC to develop and deploy advanced technology solutions that disrupt predators’ abilities to use the Internet to exploit children or traffic in child pornography.

        o In conjunction with ICMEC and NCMEC, Microsoft is a founding member of the Financial Coalition Against Child Pornography (FCACP), an organization committed to eradicating the commercial viability of child pornography on the Internet. In addition, Microsoft and ICMEC collaborate to encourage worldwide governments to strengthen anti-child pornography laws.

        o A best practice associated with Microsoft’s collaborative efforts in child safety is its work with Canadian law enforcement authorities to develop the Child Exploitation Tracking System (CETS) -- an innovative software tool that allows law enforcement to gather and share evidence of online child exploitation. CETS has been adopted in Brazil, Canada, Chile, Indonesia, Italy, and the United Kingdom, with the prospect of additional deployments in the works.

        o In the U.S., Microsoft worked with the American Academy of Pediatrics (AAP) to develop a three-tiered “Ages and Stages of Online Use” guide to assist parents in determining the appropriate level of supervision needed for children when surfing the Web. This and other information and resources on family-safe computing are available at

    • Building Privacy Protection into Our Own Corporate Culture: Microsoft understands that safety begins in the home – in this case, among our own employees and in our day-to-day business practices.

        o Microsoft’s privacy policy – TRUSTe-certified – is never to sell, rent, or lease customer lists to other companies. Period.

        o Microsoft’s Corporate Privacy Group sets the company’s overall privacy strategy. In addition, dedicated full-time privacy staffs exist in many of our major business units, and responsibility for privacy is incorporated into the roles of several hundred staff members. Every senior manager and executive is measured on privacy management in their annual employee performance review. In many groups like Windows Live, where close contact with customer information is more common, every employee takes part in mandatory privacy and security


    In Summary…

    Microsoft is committed to engaging at every level – from technology innovation to education to working with national and international law enforcement and government – to create a safer, more secure Internet that enables the fulfillment of the full promise of our new interconnected world.

