Microsoft to FTC: Don’t tell us how long to retain users’ private data

FTC comments show support for privacy but regulatory light touch

Microsoft believes it’s willingness to delete IP addresses tracked by Bing after six months (and cookies after a year and half) makes it an example of how to do privacy right. It is urging the Federal Trade Commission to consider the desires of Internet marketers before settling on new guidelines that cover data retention and other online privacy restrictions.

This is one of the findings collected by the nice folks at the Information Law Group, who read through all 442 comments filed with the FTC over its proposed Privacy Framework regulations so you don’t have to. The organization’s analysis posted Wednesday distills all the comments into five areas: The notion of a “Do Not Track” feature online; the responses of specific companies including Microsoft; reaction from interest groups such as the Electronic Frontier Foundation or the Consumer Federation of America; the impact of state privacy regulation on the federal rules; and defining “precise geolocation data,” which the FTC will put off for another day.

Microsoft, which just introduced a Do Not Track feature in the newly released Internet Explorer 9 Web browser, generally endorsed the framework, but, as you might imagine urged a regulatory light touch. It didn’t go so far as to advocate industry self-regulation, but came awful close. While I think it’s smart of companies like Microsoft to get out in front of this issue -- Mozilla also touted the Do Not Track feature of its new Firefox 4 browser -- user information is highly coveted by tech companies, their marketers and advertisers so I don’t think industry self-regulation -- as some have advocated -- will be sufficient.

Indeed, Do Not Track is one of a number of commendable steps by taken by Microsoft in an attempt to show that the industry is capable of self-regulation. Microsoft participated in Data Privacy Day in January, offering advice on using location-based services. But Microsoft’s stance on privacy is part earnestness and part marketing. It knows Google has a bad reputation when it comes to privacy, and so it has crowned itself master of the area. Problem is, Microsoft has hardly been flawless itself. Over the years, Microsoft has assisted law enforcement and intelligence agencies to obtain private user data, it has deflected questions on its storage, encryption, deletion policies of data kept on Windows Live and it could, but doesn’t, encrypt the cloud stored data of its Live@edu customers. It has also been accused of using ads as a cover for data mining -- which included sniffing browser histories.

The FTC released its set of proposed rules, "Protecting Consumer Privacy in an Era of Rapid Change" in December to address the privacy issues that have arisen in the Internet Age. Initially the concerns revolved around what information a company can obtain and use based on a computer user’s browsing activity. As computing has become increasingly mobile, privacy concerns have been raised about software applications downloaded to smartphones and tablet computers, including ones that know the location of the user. I covered an interesting panel discussion on online and mobile privacy in San Francisco in January that included privacy advocates, providers of online services and an attorney for the FTC.

EXPERTS WEIGH IN: Security bigwigs want more government involvement in cyber security

When Microsoft pats itself on the back in its comments, this should be read with a grain of salt. Microsoft declares it has long-embraced the FTC’s “privacy by design” approach to build in privacy protection into new Microsoft products and services. And it also points out that its Bing search policy is to delete IP addresses from which users make a search after six months and delete all other cross-session identifiers, such as cookies, after 18 months. Not surprisingly, then, Microsoft “urges the Commission to avoid imposing prescriptive requirements with respect to data retention periods or in further defining 'specific business purpose' or 'need.'” On that, Microsoft argues that the FTC needs to balance privacy with “accommodating and encouraging evolving or innovative technologies and business models over time.”

In other words, Microsoft still wants to make some money off of this gold mine of data.

In my next post, I’ll compare the comments of privacy advocates and online marketers. It’s some interesting reading.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2011 IDG Communications, Inc.