Microsoft's chief privacy officer opens up

Interview Brendon Lynch on the journey from Passport to U-Prove
Wed Sep 08 2010, 14:00

A DEFINING MOMENT at Microsoft came in 1995 when Bill Gates wrote a memo admitting his failure to grasp the importance of the Internet and definitively reversing tack. But there was, says Brendon Lynch, Microsoft's chief privacy officer, another such memo in 2002 that created the company's trustworthy computing initiative. That memo was the culmination of a growing recognition that privacy was the key to trust online and therefore the business going forward.

"It was a mixture of evolution and a defining moment," says Lynch.

At the time, Microsoft's online identity technology was the widely distrusted, centralised single sign-on Passport system.

"There is a fundamental problem with that philosophy in that it's an unnatural party to the transaction. It didn't make sense to add this middle-man," Lynch says, citing the laws of identity developed in 2005 by Kim Cameron, then Microsoft's identity and access architect.

"So I think part of the solution is that we need to bridge offline and online identities in some way," says Lynch. "Trust is needed online. There is a degree of trust offline among the parties. So you want to be able to reuse that trust online but not in a way that breaks privacy."

The first step was CardSpace. Introduced in 2006 and built into Vista and Windows 7, it's an attempt to create a usable platform on which to build digital identities. The question now is how to build them in while guarding privacy.

Microsoft began to answer this in 2008, when it bought the Canadian company Credentica, brainchild of Stefan Brands.

"Credentica really brought [bridging offline and online identities] to life," Lynch says, "ensuring privacy without sacrificing security. I am so excited to be working with [Brands] and to have acquired his technology."

Credentica's technology, now called "U-Prove", uses tokens to create decentralised, role-based authentication while retaining user control. A specific token cannot be linked to the issuer or cross-linked to other tokens from the same issuer unless the user specifically allows it. By analogy: a bar needs to check your age but not your name and address; a theatre needs to know only that you have a valid ticket. This minimalist thinking is the opposite of the more common federated single sign-on that centralises all authentication and creates a complete, linked trail of all transactions. And this, for Lynch, is important.

"There's a need for rethinking and thinking deeply around how identity is dealt with online," he says. "In certain situations you want high assurance and strong authentication - for example, healthcare, when it moves online."

Lynch, a New Zealander, began his career by doing a business degree in information systems in the early 1990s, when total quality management and ISO 9000 standards were on everyone's minds. Once he arrived in the UK, he moved into consulting in the service sector. At PriceWaterhouseCoopers in London, he became part of the broader risk management consulting practice. In 2000, when privacy began to emerge as a new professional discipline, he moved to New York and helped build PWC's privacy consulting practice.

At that time, concerns about online advertising - cookies, online profiling, tracking - had begun to surface; DoubleClick (now part of Google) was a client. His interest in online technology led him to WatchFire (now part of IBM), which crawled Web sites looking for privacy and security weaknesses - "a privacy-enhancing technology in the enterprise sense". He led their privacy business and then, in 2004, moved to Microsoft as part of the company's privacy team. He is also active in promoting the privacy profession as a whole; he was one of the founders of the certification programme for the International Association of Privacy Professionals.

Privacy, as past failed start-ups have learned, is a tough sell to consumers, mostly because the technology to implement it is often complicated and unintuitive to understand. It's this that Lynch hopes Brands' U-Prove technology, launched freely earlier this year for developers to experiment with, will change: the goal is to make authentication easy. But another aspect of the hard sell is that it's hard for consumers to understand what the risks are in posting pictures and personal information to, for example, Facebook.

"We do a lot of research with all audiences," says Lynch, "and one of the things that we find is that people are more concerned about things where there are tangible consequences to them as individuals." People worry about perceptible harms. One interesting finding, he says, is that people are often more concerned about their family and friends knowing things about them than they are, say, search engines. They worry most about the obvious areas that might cause them the most harm: money, spouses and children, employment, discrimination, theft.

The hope now is that U-Prove will be taken up by developers and built widely into identity technologies. In Germany, for example, Fraunhofer Fokus is working with the government on a pilot e-ID project. More broadly, Lynch hopes U-Prove will help to create a safer Internet.

"We want to show industry and governments how this can be enabled so you get the efficiencies of e-government, and get extra leverage out of the identity systems we already have in place," says Lynch. µ

Comments
Trust M$?

Uh - No.. It's not the process, it's the company. Microsoft has a history of starting something only to lock in customers and then changing everything so they can bleed them for every penny they have. Or, if they cannot, then just dumping the technology and leaving all their customers high and dry.. Again..(Playforsure anyone?)

posted by: Juan, 10 September 2010
Doubtworthy

But who will trust MS and their complex EULA that could in fact mean the opposite of what you expect.
And their ongoing statements like 'we do not collect private or identifiable info' and then they proceed to tell you they collect MAC and HD serial numbers and such, which is not only strongly linked to a person's computer but half the time in electronic sales records with CC number and name and address of the purchaser.
So in that light their view of privacy might not be ours.

posted by: W.-, 08 September 2010