GameFest: Microsoft Privacy Czar Gives Ten Privacy Commandments

Author: by Christian Nutt, Michael Zenke

At Microsoft's Gamefest in Seattle earlier this week, attendees had the chance to listen to user privacy suggestions from Nick Berry, dubbed Microsoft's 'privacy tsar' by colleagues at the event. Berry's role at the event was to offer suggestions on respecting user privacy while also meeting the needs of developers and publishers. He did so by outlining the different types of personal data companies need to be concerned with, and concluded with a simple count of 'privacy commandments'. Despite the obvious legal issues involved, the speaker was upfront about his position. "I am not a lawyer, and I do not intend to give you any legal advice," he said. The reality of U.S. law is that privacy is implied, not mandated. Said Berry, "Europeans have a right of privacy but here in the U.S. we don't really have a rule of privacy... there's no official privacy law." Despite this somewhat nebulous distinction, Berry contents that respecting the privacy of your users is an important choice that all developers and publishers should keep in mind. "It keeps you out of legal hot water, which should be a good enough answer as it stands, but it also increases customer loyalty. It also unblocks product deployments by governments," he said. Windows XP, when it was first released, sent obfuscated packets over the network as a component of Microsoft's new security stratagem. No one told users this, however, and there was a great deal of mistrust between the company and consumers as a result. The mistrust is understandable; data and privacy loss are inherently damaging to a company's image. "33% of those who suffer a security breach sever all ties with the responsible company." The Data LifeCycle Berry went on to describe the lifecycle and classes of data that businesses collect from their customers. He offered: "You collect data from a customer, you use it, you store it, you may share it or eventually destroy it. There are a whole smattering of laws, it's super-complicated... there's a law specifically dealing with movie rentals." To avoid running afoul of these laws, the Tsar suggests going above and beyond: "Make sure you have a privacy policy that's higher than all of the legal requirements and you'll be ok," he warned. There are five classes of data that companies might collect on an individual, according to the speaker. The first is anonymous data, simple stats tracking that might be collected to give a company hints about its user base. Within the PC gaming world, the automated Steam statistics are a fine example of this. The second data type is pseudonymous data. Stated Berry, "This is a word to describe information we know about a person but we don't know who that person is. The catch with pseudonymous data is that once I find out your name it becomes personally identifiable." Personally identifiable data is the most common data used in privacy breaches, and is unfortunately also one of the most common. Personally identifiable data can be traced back to an individual, hooking an address up with a name or social security number. The next class of data Berry mentions is data about children, which is classified differently than personally identifiable data because of various child protection laws in place in the US. The final type of data Berry outlines is "sensitive personal information", data that might be compromising to the individual it was linked to. This could be anything from a criminal conviction to a medical record. Data can have secondary uses, in all of these cases. The primary use is obvious: if you're ordering a product, for example, the data's primary use is to get that product delivered to your home. Secondary use of that data might be like a sweepstakes entry on the ordering website. Users might agree to allow their data to be passed on to corporate affiliates in exchange for the chance to win a prize. Clarifying the Data Types Berry then swung back around to reinforce what the types of data really meant. PII, or personally identifiable information, is "any piece of information that can potentially be used to uniquely identify, contact or locate a single person." It could also be data "from which a person's ID or contact info can be derived." PII is essentially the most dangerous data a company can keep on file, in the speaker's eyes. Said Berry, "I like to think about treating it like toxic waste - if you treat it like toxic waste you'll never go too far wrong." Data about children, meanwhile, needs to be handled properly because of COPPA - the children's online privacy protection act. "It's related to their content - it's not necessarily about filtering, it's about protecting their email address," he said. It's not about restricting access. If sites are attractive to children - games - you need to check up front" to ensure the ages involved. If the kids are under 13, developers need to ask for some sort of parental consent for participation. Sensitive PII is, of course, the most dangerous of all the data types. Berry reiterates a few more types of sensitive information, including: race, financial information, medical information, sexual preference, political preference, and a unique government-issue ID. Here in the states the Social Security Number is the 'biggie', and keeping those as safe as possible is a challenge. Before wrapping up, Berry offered a final piece of advice about the dangers of metadata. Customers can be sometimes terrifyingly intelligent when it comes to their own privacy, or piercing the privacy of others. Said the Tsar, "There's hidden data or metadata when you submit things upstream. Do your customers know what you collect about them? You need to be careful about inadvertent collection of PII. If you put a text box on your site, people might type PII into it." The Ten Privacy Commandments 1. Accountability - "Do no evil" is Google's model, and should be yours too. Do what you say you'll do, and follow your publicly displayed statements. 2. Notice - "Say what you do, and do what you say." Let people know in advance when you need their PII, and what specifically you'll need from them. 3. Collection - Be sure that your service's privacy policy is easily accessible when collecting information. Users have the right to know what they're getting into. 4. Choice/consent - Make sure that you offer the user the option not to participate. Always make it clear that submitting their PII is a choice, not a requirement. 5. Use and retention - Have clear policies on how data is to be used, and how long it will be kept. Make those transparent to the user. 6. Disclosure - If something goes wrong, ensure that information is disseminated to affected users. 7. Quality - Make an effort to ensure your data is high quality; out-of-date PII is low quality PII, and can adversely affect your users. 8. Access - Ensure that only individuals with a legitimate need to access PII can do so. 9. Security - Ensure that there are measures in place to restrict access to individuals with legitimate needs. 10. Monitoring/enforcement - Via security, ensure that only the right individuals are accessing the PII. If there's an infraction, ensure that your policies are carried out. Concluded Berry, "Of these, the two most important things are notice and choice. Give users a notice about the things you are collecting, and give them a choice. If you work out those two things you can never go too far wrong."