Interview with John Weigelt
May 2006
Interviewee: John Weigelt, National Technology
Officer, Microsoft Canada
Interviewer: Terry McQuay, President of Nymity
Subject: Microsoft's Incorporation of Privacy Into
The Product Development Process
Nymity: John, please introduce yourself and your role at
Microsoft Canada.
Weigelt: I am National Technology Officer
at Microsoft Canada. In this role I am responsible for driving
Microsoft Canada’s strategic technology efforts and
am the lead public advocate within the company on key issues
such as the development of national technology policy and
the use of technology by government, education and academia.
I am also responsible for the development and implementation
of strategies which strengthen the company’s relationships
with the Canadian technology industry at large.
Nymity: John, how has Microsoft incorporated Privacy into
the Product Development Process?
Weigelt: Microsoft’s product development
process follows our Security Development Lifecycle which,
in addition to addressing security concerns, provides a set
of rules and guidelines for developing products to empower
our customers to control the collection, use, and distribution
of their personal information.
Nymity: How does this relate to Microsoft's Trustworthy Computing?
Weigelt: Privacy is a critical element
in Microsoft's Trustworthy Computing Initiative, along with
security, reliability and responsible business practices.
We have developed policies and processes to ensure that we:
- Engineer privacy into our products during the product
lifecycle;
- Ensure that our global privacy policies are properly
executed throughout the company;
- Provide leadership for the industry.
Nymity: What are the privacy-focused steps in the Security
Development Lifecycle?
Weigelt: Privacy has been incorporated
into the Security Development Lifecycle (SDL) at Microsoft
so that we systematically address both security and privacy
issues during development of our products and services. The
SDL has been implemented to address all stages of the software
development lifecycle at Microsoft from definition of requirements
during the early design through implementation, verification,
release, support and servicing.
The SDL starts with security and privacy training, covering
topics ranging from appropriately providing notice and obtaining user
consent, to data minimization, to exception management to
ensure the application responds robustly to error conditions.
The reasons for this integration of security and privacy are
that there is significant overlap at the design and implementation
stage because security is one of the key supporting elements
for privacy. Because of this tight relationship, it is far
more effective to incorporate privacy throughout the development
process.
The use of threat models and security development tools helps
minimize the possibility of vulnerabilities in the code, which
also helps safeguard against the potential for data spillages.
In addition to the security tools, privacy standards, checklists
and best practices help ensure that developers build privacy
into products from the outset. For example, a privacy review
is held prior to any public release - even for a beta test
release. In addition, at the verification stage, where we
test and verify that the product or service we’ve developed
is consistent with our designs, there is a final team-wide
review of the security and privacy functionality with a focus
on threat model updates, code review, testing, and documentation
scrub. One of the goals of a privacy review would be to ensure
adequate disclosure which might include, for example, a privacy
statement.
Successful completion of the necessary reviews leads to formal
signoff prior to the release of the product. If the documentation
or testing is incomplete, the product organization and the
Trustworthy Computing team have authority to postpone the
launch until issues are addressed.
Finally, privacy is a key element in the support and servicing
stage, where we ensure that we have identified appropriate
resources to respond to any issues that may arise where Microsoft
products manage data from customers. For example, where appropriate
we ensure that our Privacy Response Center is prepared to
address customer concerns.
Nymity: How does Microsoft’s Security Development Lifecycle
compare to a Privacy Impact Assessment (PIA)?
Weigelt: The SDL addresses all the elements
of a traditional PIA in a very concrete fashion. A privacy
assessment is the first step in the SDL where in the design
phase we assess the privacy impact of the features under consideration
and make recommendations that can either reduce the privacy
impact or ensure that we take appropriate steps to protect
customer privacy throughout the development of the product
or service. The privacy assessment helps define the requirements
for the development teams so that product features such as
notice, consent and control can be built in from the beginning
and carried throughout the products. Detailed security reviews
are also performed where safeguards, such as data encryption,
are implemented within our products.
Nymity: How should a corporate privacy officer work with
an IT development team?
Weigelt: A privacy officer should work
as an expert advisor to the developer team throughout the
development lifecycle to provide guidance on privacy features
and functionality. The privacy officer should also work to
improve the privacy-awareness of the development team via
a network of privacy champs who are part of that organization
and who spend some portion of their time identifying and addressing
privacy issues at the grass-roots level in addition to handling
their normal development responsibilities. The privacy officer
may also have a strong role in the final approval process
prior to the product or service being made available.
Nymity: What are some of the questions a privacy officer
should ask the IT group related to application development?
Weigelt: The first question should always
be whether the product or service will handle personally identifying
information (PII). Because there may not be a common understanding
of what constitutes PII, the privacy officer should always
work with the IT group to help qualify if the information
used by the application requires privacy protections. Once
it has been determined that the application design proposes
collection and processing of PII, the privacy officer should
help the group assess the rationale for handling PII to look
for ways to minimize data collection and reduce data sensitivity,
and work with the IT group to map out the information lifecycle
for the application. The information lifecycle is the concise
definition of how notice and consent are handled and how the
information is collected, managed, safeguarded and disposed
of by the application. The privacy officer can then apply
the organization’s privacy principles, such as the CSA
model code, at each of these stages to ensure that the appropriate
policy, process or product controls are implemented.
Nymity: What are some of the privacy controls a privacy
officer should look for in applications?
Weigelt: Aside from the commonly cited
confidentiality controls, a privacy officer should look for
consent management controls and determine whether they provide
clear and concise information about how PII will be handled.
In general, it is of significant importance that transparency
is provided to customers regarding the rationale for collection
and use of their PII, that we explain why and how the data
is collected, how it is used for their benefit and yours,
how the data is protected, how they can review and update
the data for accuracy and how they can decline to participate
in further collection of that data. The privacy officer should
also evaluate the information management aspects of the applications
with a focus upon the controls, audit and reporting capabilities.
One area often overlooked is exception handling, or how an
application responds if something goes wrong. The privacy
officer should investigate how the application maintains the
privacy of the data it safeguards when confronted by unexpected
events.
Nymity: What are some of the unique privacy considerations
for Internet-based applications?
Weigelt: Internet-based applications should
be developed with a customer's perspective of the information
flows in mind to ensure that the application provides appropriate
notice, choice and consent. For customers to have control
over their personal data, they need to know what personal
data will be collected, with whom it will be shared, and how
it will be used. Consent should be obtained before any personal
information is transferred from their computer. When personally
identifying information is transferred over the Internet and
stored remotely, users must also be offered a mechanism for
accessing and updating the data.
Before collecting and transferring personal information, it
is critical there be a compelling business and customer value
proposition. A value proposition that benefits customers will
create a natural incentive for them to provide their personal
information. Only collect personal information if you can
clearly explain the net benefit to the user. If you are hesitant
to tell users “up front” what you plan to do,
then do not collect their data.
In addition, when collecting personal information, you should
transfer it to or from a user’s system using a secure
method that prevents unauthorized access, avoid methods of
form submission that potentially leak data, and transfer the
minimum amount of data necessary to achieve the business purpose.
Internet-based applications are exposed to a very large number
of individuals that could seek to exploit any particular weakness
in the application or the business process that it supports.
It is essential that the application be considered in the
overall business context, since a malicious user may seek
an opportunity to exploit a separate service delivery channel
(e.g. the phone) with the sole goal of exploiting the Internet-based
application with the knowledge that they have gleaned.
Other considerations specific to privacy include providing
clear notices, obtaining consent appropriately, minimizing
the data collected for the service, providing an ability for
customers to review and correct the personal information they
have shared and finally providing an avenue to challenge compliance.
Nymity: What measures should be considered for data minimization?
Weigelt: Data minimization can be a challenge
for developers and business leaders alike since it is often
difficult to tease out the information that is core to the
business from that which is superfluous. In some cases it
is helpful to view the information flow from a data rejection
perspective (see Kim Cameron's Identityblog.com for his posting
of a discussion with Toby Stevens, http://www.identityblog.com/?p=73),
where the business has the understanding that much of the
personal data held by the organisation is simply unnecessary,
and could in fact be more of a liability than an asset. The
question that should constantly be asked by architects, developers
and administrators of data collection systems is, “Do
I need to collect this data?” The answer must explicitly
address both the primary use of the user’s data (such
as providing the feature or service the user is requesting)
and any planned secondary use (such as marketing analysis).
Do not collect data for which you do not have an immediate
planned use. In addition, only share data that is absolutely
necessary (and where you have provided the appropriate notice
and consent experience), do not retain data that no longer
has an explicit planned use, and reduce the sensitivity of
the data you retain (e.g., aggregate data where possible).
Nymity: How can a privacy officer be trained to best understand
the privacy considerations related to application development?
Weigelt: I have found that privacy officers
come from a variety of backgrounds and there are some that
don't have a great comfort level with technology. Fortunately,
application development is very similar to many other service
delivery activities that follow a structured evolution of
requirements, design, implementation, delivery and support.
Armed with their deep subject area expertise and their customer
(Data subject) focused perspective, the privacy officer has
a great foundation for engaging with the developer team right
from the outset of any project. Privacy technology is a
rapidly evolving field, and privacy officers may wish to keep
abreast of the best practices, techniques and tools available
to support privacy friendly application development. There
are some great training resources available for the privacy
practitioner including your offerings as well as the IAPP's
privacy education and Certification Program (CIPP).
Nymity: What do you consider the key privacy factors in
any application development?
Weigelt: Key privacy factors in any application
development include a lifecycle approach to addressing privacy
requirements in product development. Privacy is not an add-on
and needs to be a consideration, just as security is, as all
functionality is developed, implemented and tested. Once privacy
is part of the lifecycle, key areas to focus in upon include
initial privacy assessment, consent management, implementing
safeguards to protect PII and emphasizing opportunities for
data minimization.
Nymity: In closing, Microsoft has been very active advancing
privacy around the world and Canada. What are some of the
key initiatives for Microsoft Canada?
Weigelt: Aside from Microsoft Corporation’s
focus on developing and marketing well designed software,
MS Canada continues to focus on key aspects that ensure
ongoing local compliance with our Global Privacy Policy. Given
the complexity of managing multiple policies, Microsoft Corporation
has designed a single policy that meets the Privacy standards
set by all countries in which we operate. This enables MS
to design and promote initiatives consistently around the
world and simplify the management of our Privacy Programs.
A single high standard of privacy is more than an efficient
business model; we feel it is important to treat all of our
customers around the world with the same level of privacy
protection. In the case of Canada, Microsoft’s policies
are consistent with Canada’s legal requirements and
include both consumer and business-related personal information
within our policy.
Internal awareness and monitoring of our Privacy compliance
highlight the other key areas of focus. With constantly changing
people and business strategies, awareness of our policies
and the appropriate application of those policies is a perpetual
activity. These activities are critical to ensure Privacy
Compliance and facilitate our effective stewardship over our
customers' personal information.