Microsoft & Computer Security, Privacy, & Online Safety
July 2007
At Microsoft, our customers’ computer security, privacy, and online safety are top priorities. For that reason our Chairman Bill Gates launched Trustworthy Computing (TwC) in 2002, and we are today reaching out to leaders in government, law enforcement, non-profits, and the private sector in a broad-based effort to advance four core principles:
• Security: online systems should be safe from attack and unwanted intrusions by viruses, worms, or other malicious software.
• Privacy: Internet users should be free from fear that their personal and financial data will be stolen and used by others without their consent.
• Safety: all Internet users should be free of harassment or exploitation. It is especially vital that our children be free to explore the wonders of the Internet without being harmed by inappropriate content or threatened by predators.
• Critical Infrastructure Protection (CIP): society’s critical services – from banking to communications, transportation, energy, healthcare, and government – must be made safe, reliable, and secure.
Microsoft is making progress in all four areas, innovating new software technology that builds security into software from the beginning; empowering Internet users through education, privacy protection, and improved regulatory and legal standards; and creating a culture of safety in collaboration with others in industry, business, law enforcement, and government.
The Promise and the Problem
The promise of the Internet has only begun to be realized as a catalyst of innovation, education, and expanding global economic growth. Left free to realize that promise, there are few areas of our lives that cannot benefit dramatically from this “new interconnected world.”
Yet this miracle of positive change is threatened by a new kind of vandalism, harassment, and outright criminality. Concerns about the collection and use of personal data have the potential to erode public confidence in digital commerce. Spam, once just an annoyance, has become a very real threat to computer security and even endangers the viability of e-mail communications. Criminals impersonate legitimate companies to perpetrate identity theft. Child predators prey upon unsuspecting minors. And computer viruses, worms, and other malicious software have become increasingly sophisticated in penetrating the ever new defenses arrayed against them.
MICROSOFT’S STRATEGY FOR CYBER SAFETY
These complex and unpredictable challenges require flexible and comprehensive responses. Microsoft is pursuing a multi-pronged strategy that: 1) builds security into our software from the beginning; 2) empowers Internet users; and 3) creates a culture of safety in collaboration with other companies in the industry, businesses, law enforcement, and government.
Building Security into Software from the Beginning
Microsoft is committed to strengthening our software’s defenses against attack: our goal is to create products that are secure by design, secure in their default mode of operation, and secure when deployed.
• Trustworthy Computing: In January of 2002, Microsoft fundamentally changed the way we design and develop software when we launched Trustworthy Computing. The ramp-up of TwC brought the work, at the time, of 8,500 software developers to a temporary halt and delayed the release of Windows Server 2003, costing the company over US$200 million. But it produced a generational leap in the defense against cyber attack.
• Windows Vista: Microsoft’s Windows Vista – the most secure operating system in company history – was designed from the beginning with security in mind. Vista designers employed the Security Development Lifecycle, or SDL, an innovative software development method, which now applies to all of our products that connect to the Internet (some 90 percent of our product offering). While the Internet changes too rapidly for any software to be 100 percent secure and still provide an effective user experience, the SDL enables significant reductions in the kinds of vulnerabilities that hackers and cyber-attackers exploit.
• Security Updates: Because a rapidly changing Internet means a continually evolving threat, Microsoft issues monthly security updates that are available to all through Microsoft Update. Scheduled updates bring consistency and predictability for customers both large and small, from those managing complex enterprise systems to small business owners and consumers.
• Critical Infrastructure Protection Team: In December 2006, Microsoft formed a dedicated Critical Infrastructure Protection Team in order to continue to drive strategic change both at Microsoft and with partners. Our goal is to enhance the security of critical infrastructure -- banking, communications, transportation, energy, healthcare, and government services -- by increasing the trustworthiness of software and IT services, and by collaborating with governments and critical infrastructure providers to reduce and manage risks.
• Our Quick Response Team: Because cyber attacks are inevitable no matter how good the software, we have created the state-of-the-art Microsoft Security Response Center (MSRC) to immediately investigate any reported vulnerability and to swiftly build and disseminate security fixes.
• Spam Blockers: Microsoft deploys robust filtering and blocking technology to fight the epidemic of spam, which by some estimates makes up two-thirds of all e-mail traffic worldwide and threatens the very viability of the Web.
Empowering Internet Users
Educating consumers about the actions they can take to improve their computer security, enhancing their privacy protections, and giving them better tools to safeguard their personal information and their children’s well-being – these are all part of our campaign to empower the consumer.
• Educating the Consumer: To help customers better manage external threats to their computers, Microsoft launched the “Protect Your PC” campaign, which now incorporates the Security At Home site on Microsoft.com. These resources – available in 41 markets and translated into 29 languages – offer advice on how to protect children online, combat and reduce spam and so-called “phishing” attacks, and preserve online privacy.
• Giving Parents Better Tools to Help Protect Their Children: We’ve built advanced Parental Controls into Windows Vista to help guide and protect children’s Internet usage, including settings that allow parents to set up separate accounts for each family member, customize content, and access detailed activity reports about Web sites visited, total time spent online, and information about interactions in chat rooms and at social networking Web sites. In addition, Windows Live OneCare Family Safety is a free Web-based service to aid parents in blocking inappropriate content and creating a safer online experience for their children.
• Helping the Consumer Take Control: Microsoft empowers users to take privacy protection and safety into their own hands with a broad range of technologies built into the Microsoft Windows operating systems and other products, as well as our Windows Live offerings.
  o For example, Xbox and Xbox 360 are designed to provide a safer, age-appropriate experience for all users, with parental controls and Xbox 360’s Family Safety Settings that give parents the ability to customize their children’s playing environments. Xbox 360 recognizes game-rating systems from countries around the world, allowing parents to decide the maturity level of games they want their children to play.
• Building Privacy Protections in From the Start: The Microsoft Privacy Standard for Development (MPSD) ensures that customer privacy and data protections are systematically incorporated into the design, development, and deployment of our products and services. Among other things, the MPSD includes detailed guidance for creating notice-and-consent experiences, providing sufficient data-security features, and maintaining data integrity.
• Clear Communications: In an effort to clearly communicate to customers the extent of the company’s use of their data, Microsoft has instituted a “layered” privacy notice that provides summaries of our practices with links to full statements and relevant
Building a Culture of Safety
Microsoft engages at multiple levels with industry, business, law enforcement, and government to create an expanding culture of safety in which all work together to find solutions, mitigate risks, and promote best practices. These efforts include formal legal actions; support for global law enforcement against spammers, perpetrators of Internet fraud, and child predators; advocacy for comprehensive privacy legislation, and leadership on a variety of industry-driven computer security and online safety initiatives.
Additionally, Microsoft provides technical assistance to local, state, and national legislatures drafting bills on content regulation, child safety, social networking, spam, online fraud, and malicious and deceptive software. Indeed, we support efforts to strengthen and harmonize worldwide privacy laws, increase punishment for perpetrators of crimes against children, and establish formal, mandatory Internet safety education programs in schools.
At the same time, we must be careful that the desire to protect does not choke off the well-spring of innovation the Internet offers. As a general rule, we believe that governments should allow self-regulation to demonstrate its efficacy, and that while ratings, labels, and other such mechanisms are useful in many contexts, they should not be mandated by law. In some cases, however, regulation will be urgent and necessary, such as in the prevention of criminal activity and child exploitation. In such cases, Microsoft is a leader in the effort to help governments and law enforcement fashion laws that are effective because they are clear, precise, and narrowly tailored to address the specific need of the issue at hand.
• Strengthening the Rule of Law: Microsoft has been a leader in a number of initiatives to increase the legal protections of Internet users.
  o Microsoft aggressively targets spammers and scammers with litigation. Since 2003, the company has taken more than 500 legal actions against spammers and
  o Microsoft advocated for the U.S. CAN-SPAM Act that took effect in January 2004, expanding civil and criminal penalties for fraudulent and deceptive spam.
  o Microsoft was one of the first organizations to embrace the Safe Harbor privacy principles developed by the U.S. Department of Commerce and the European
  o Microsoft serves as an advisor on privacy-focused legislative and framework proposals now under consideration at the Asia-Pacific Economic Cooperation (APEC) forum, and in China, Singapore, India, Mexico, and in other nations and with organizations around the world.
  o In the U.S., Microsoft has teamed with eBay, HP, and the Center for Democracy and Technology to launch the Consumer Privacy Legislative (CPL) Forum. The CPL Forum advocates for comprehensive federal privacy legislation that would apply to all organizations and industries; cover online and offline transactions; be consistent with global standards; increase clarity and transparency in the collection, use, and disclosure of personal data; and provide individuals with increased control over the use and disclosure of their information.
• Critical Infrastructure Protection (CIP): Working with our government partners and industry peers, Microsoft is committed to protecting the cyber-security of our critical infrastructure by investigating, preempting, detecting, and deterring cyber-criminals. Our multi-pronged effort includes:
  o Promoting more secure software development processes like Microsoft’s Security
  o Building information-sharing relationships and incident-response capabilities to respond to and prevent globally significant threats;
  o Implementing next-generation-network technology security to increase communications capability and resiliency;
  o Advocating for information security research to prepare for future challenges, solve existing difficult problems, and create the academic knowledge base that will enable us to keep infrastructures secure; and
  o Promoting and evangelizing best practices and security awareness.
• Protecting Our Children: Microsoft is committed to making the Internet a safer, more secure experience for the world’s children. A Microsoft survey revealed that online conversations with strangers are the top concern of parents with children ages 10-12 (70%) and 13-17 (65%). Their concerns are not misplaced. Studies indicate that a significant portion of children online inadvertently come into contact with sexually explicit material or have been solicited or harassed. A further complication: children are well-versed in the technologies of the online world, yet they don’t understand the very real risks they may face. Meanwhile, most parents do not understand the technology, nor are they knowledgeable about or fully appreciative of the potential dangers.
We are working in three areas to respond to these issues: 1) we collaborate closely with law enforcement agencies around the globe; 2) we develop technology to help limit children’s exposure to inappropriate content and potential threats to their safety; and 3) we provide practical advice to children and parents on how to recognize and respond to “stranger danger,” thereby creating a safer and more rewarding Internet experience.
  o Microsoft works closely with both the National and International Centers for Missing and Exploited Children (NCMEC, ICMEC), as well as Interpol. In December 2003, Microsoft, ICMEC, and Interpol teamed to co-sponsor intensive training sessions for law enforcement personnel on computer-facilitated crimes against children. As of May 2007, more than 2,200 international law enforcement officers from 105 countries have been trained in 25 sessions held in various worldwide locations.
  o In June 2006, Microsoft, AOL, EarthLink, United Online, and Yahoo! announced a partnership with NCMEC to create a new Technology Coalition at NCMEC to develop and deploy advanced technology solutions that disrupt predators’ abilities to use the Internet to exploit children or traffic in child pornography.
  o In conjunction with ICMEC and NCMEC, Microsoft is a founding member of the Financial Coalition Against Child Pornography (FCACP), an organization committed to eradicating the commercial viability of child pornography on the Internet. In addition, Microsoft and ICMEC collaborate to encourage worldwide governments to strengthen anti-child pornography laws.
  o A best practice associated with Microsoft’s collaborative efforts in child safety is its work with Canadian law enforcement authorities to develop the Child Exploitation Tracking System (CETS) -- an innovative software tool that allows law enforcement to gather and share evidence of online child exploitation. CETS has been adopted in Brazil, Canada, Chile, Indonesia, Italy, and the United Kingdom, with the prospect of additional deployments in the works.
  o In the U.S., Microsoft worked with the American Academy of Pediatrics (AAP) to develop a three-tiered “Ages and Stages of Online Use” guide to assist parents in determining the appropriate level of supervision needed for children when surfing the Web. This and other information and resources on family-safe computing are available at www.microsoft.com/protect.
• Building Privacy Protection into Our Own Corporate Culture: Microsoft understands that safety begins in the home – in this case, among our own employees and in our day-to-day business practices.
  customer lists to other companies. Period.
  o Microsoft’s Corporate Privacy Group sets the company’s overall privacy strategy. In addition, dedicated full-time privacy staffs exist in many of our major business units, and responsibility for privacy is incorporated into the roles of several hundred staff members. Every senior manager and executive is measured on privacy management in their annual employee performance review. In many groups like Windows Live, where close contact with customer information is more common, every employee takes part in mandatory privacy and security
Microsoft is committed to engaging at every level – from technology innovation to education; working with national and international law enforcement and government – to creating a safer, more secure Internet that enables the fulfillment of the full promise of our new interconnected world.