MSFT and the Ontario IPC Office

The Office of the Ontario Privacy Commissioner has long been a world leader in privacy advocacy, displaying a remarkable ability to anticipate the privacy impact of cutting-edge technologies.  Given its track record, the attention being lavished on the release of a new document on identity management is much deserved as it merits wide reading.  The Seven Laws of Identity builds on work being done by Microsoft designed to allow Internet users to better manage their online "identities" by limiting the disclosure of personal information ("data minimization"), using better authentication practices, and building in user consent and controls.  In recent news reports, the Office has touted the virtues of its Seven Laws of Identity approach, with claims that it will help solve Internet ills such as phishing, pharming, and spam.

As I read the coverage and white paper, I am left somewhat uncomfortable.  Part of the discomfort may stem from placing too much reliance on new technologies as a saviour – the Office has previously pointed to P3P, better privacy practices, and email encryption as providing similar benefits only to be left disappointed.  The discomfort may also arise from the overbroad claims about the ability for identity management to address spam and spyware.  As far as I can tell, it only holds the potential to render spyware less effective once it has reached users' inboxes, but does little to address the broader spam problem.  Moreover, we have heard in the past about technological solutions (email authentication, anyone?) that hold the key to the spyware problem only to have those solutions become mired in proprietary battles.

More troubling is the close connection with Microsoft as the release and accompanying press coverage at times feels like an infomercial for the software giant.  The Ontario Privacy Commissioner's Office has worked with Microsoft in the past; however, this initiative goes to great lengths to extol not only the Seven Laws, but also the company itself.  The White Paper devotes nearly three pages to Microsoft's much-criticized Passport program and its CardSpace identity management feature that will be included in Vista, its forthcoming operating system upgrade.

The Office's seemingly unqualified embrace of Microsoft strikes me as a mistake for several reasons.  First, there are other companies developing similar solutions and they should be granted equal airtime.  Second, the CardSpace feature includes a significant DRM component.  When combined with the Vista licensing terms that prohibit circumvention, users are entrusting both their privacy and total computer experience to Microsoft (see Wendy Seltzer's review of the implications of the Vista terms and how that trust is being repaid).  Third, while it is good to see privacy commissioner offices in Canada working with the business community, they must take care to maintain sufficient distance to be advocates for privacy, not for particular companies and their products.  There is a fine line between co-operating and becoming co-opted and there is reason to believe that this initiative falls on the wrong side of the line.


  1. Alexandre Racine says:

    Gardien Virtuel
    Wait… Microsoft trying to do something good for the world? There must be a catch. Oh yeah, we have to buy Vista. Vista more secure? Well, the fact that there is already a vulnerability in Internet Explorer 7 with the motto “you wanted it easier and more secure” less than 24h after it was out and that the impact is “Exposure of sensitive information” leaves me in the cold that everything that Microsoft is promoting is “more secure”. See reference here : [ link ]

    The thing is, when writing some security standard or security white paper, the document should never have Company names or technology in it. This actually limits the reader. Of course, that is what Microsoft is all about, use their products, or buy them. But the truth is, there is other useful software out there like Mac OS or Ubuntu (Linux) just to name a few.

  2. IAPP
    I attended the IAPP Privacy Conference last week in Toronto and I heard (for the first time) the Federal Privacy Commissioner open the conference followed by the Ontario Privacy Commissioner. I felt extremely uncomfortable and embarrassed with the Ontario Privacy Commissioner’s speech of which you have highlighted the key concerns. The speech and presentation were like a Microsoft commercial. As a security professional we are all working in developing or implementing a variety of technical solutions from numerous vendors to mitigate a variety of current and future security and privacy risks but for a public official to vigorously single out one organization that has put together another blog white paper that someday may be turned into yet another fragmented standard is irresponsible. I also have concerns when public officials publish with taxpayer dollars literature of this nature. This document contains numerous product endorsement claims that are unsubstantiated and misleading.

  3. While it’s important for the Privacy Commissioner to address the issue of privacy on the internet, it’s also important to create vendor neutral recommendations. There is a significant advantage to partnering with Microsoft, since they command the lion’s share of desktop operating systems and a major share of business computing infrastructure, and since MS has vast resources in R&D funds for security research, the fact remains that the world runs in many technology platforms. A significant part of the internet infrastructure does not run on a Microsoft platform.

    In order to achieve the wide penetration needed to succeed, the proposed standards must be open standards which can be shaped by all of the publics affected. Microsoft has a checkered history with open standards, tending to inject proprietary functions in order to monetize their proprietary products. However, they have made contributions in internet technologies like SOAP.

    I suspect that Dr. Cavoukian has sufficient logic to assemble an effective logical solution, and if Microsoft research happens to offer a compelling body of work to provide the basis for a good model, that’s a good starting point. In order to achieve the penetration across Platforms.

    Vista may be the first client that implements an improved identity system and the Information Privacy Commissioner can make reference to that technology as an example to illustrate how a technology can improve security for the general public.

    Finally, the reality is that improved security is a technology solution that must be implemented on all clients and infrastructure systems that serve the internet. This is an all or nothing exercise that is more political than technical. The Privacy Commission can start with a sound model, but then must work the politics of technology to achieve open standards and gain support from all of the technology vendors.

  4. IAPP
    Thanks Mike for that additional insight. I wanted to add that during the conference I picked up all the material from the Ontario Privacy Commissioner booth and I have to say that it is extensive and excellent.
    She is probably one of the most active privacy commissioners that I have seen and her annual report is impressive both in terms of her accomplishments and her openness. However I will close off with another example of inappropriate advertising; Page 21 of a 40 page paper entitled Identity Theft Revisited, section on Database Encryption “encrypt critical data wherever they are stored across an enterprise -in applications, databases or backup tapes -exist today and widely available, such as I.B.M’s new x9 mainframe and…” The whole paper was great then out of the blue you see a sentence like that, there was no need for this, it does not add anything to the discussion and is again misleading like no other vendor has this functionality.
    Reading makes you wonder when she will join Microsoft or IBM as their chief privacy officer!