Microsoft's weak cloud privacy position

Microsoft released on Thursday a new position paper, "Privacy in the Cloud Computing Era: A Microsoft Perspective," that includes information about the remote storage and processing of personal information.

Privacy and security concerns continue to be a primary argument that cloud naysayers use against storing data and applications on the Internet. Big IT vendors and service providers like Microsoft and Hewlett-Packard will sooner or later be forced to take the cloud seriously or risk missing out on the whole next wave of IT consumption. And their large enterprise customers will expect them to offer cloud services with the appropriate levels of privacy and security measures in line with their business needs.

The interesting thing about this paper is that Microsoft takes surprisingly minimal responsibility for the data it will manage:

Unlike our consumer business, in which Microsoft has a direct relationship with consumers and directly controls the policies that govern their data, our cloud services for business customers defer to the policies of those customers. In this case, Microsoft has no direct relationship with the business's employees or the customers to whom the hosted data may pertain. Policies relating to the business's handling of this data in the cloud environment are controlled and set by that business rather than by Microsoft. Our role is to handle and process the data on behalf of the business, much like third-party telephone call centers process customer inquiries, orders, and data for their business customers.

The division of responsibility between an enterprise or government and its cloud services provider is similar to that of a company that rents physical warehouse space from a landlord for storing boxes of customer or company files. Even though someone else might own the building, access to those files and the use of information within them is still governed by the policies of the company that rents the space. These same principles should apply in the cloud environment.

The warehouse metaphor is a good one, but I find it hard to apply to Microsoft's cloud efforts as the company is not offering services like Amazon.com's S3 or EC2 but rather doing the actual data management of e-mail and documents through online services. And while a position paper is a flexible document, this type of thinking and positioning is not what customers want to hear.

Customers will need guidance and assistance to make the right choice not just about whether or not they should use cloud services, but also regarding recommendations and defined processes once they are ready to make the jump.

Microsoft's privacy principles are well documented, but as I read through this position paper, I found myself expecting more substantial assurances, especially considering Microsoft wants to be a cloud services provider for not just consumers but for enterprises and governments as well.

[Random_Walk]

Weird... but it seems like they're trying to straddle two contexts.

On the one hand, its understandable that they want to take a hands-off approach to the cloud bits they sell for enterprises to host in-house. If this were the whole context, okay, normal and natural, and I can understand that they'd want no part of taking responsibility for anything other than making sure you (the customer) get the media in working order and install it with a minimum of headache.

OTOH, if the context is that Microsoft is doing the hosting, then yeah, your point is extremely valid, and someone in Redmond needs to wake the hell up.

After the Sidekick fiasco, I'm surprised that they didn't pay closer attention to this detail. One would think Microsoft would have done more to ameliorate the bad taste it left in the mouths of the enterprise community.

While the Sidekick data loss deal (pretty much) involved only generic consumers' data, there has to be more than one CIO with that incident in the back of his mind thinking '...okay, so what promises will Microsoft make to insure that such a thing doesn't happen to my company's data?'

I've found (to my admitted semi-delight) that you can make a Microsoft sales rep VERY uncomfortable if you say "...but what about the Sidekick incident?" every time he says "cloud" (evil grin).

Also, I'm curious - is this Microsoft's way of trying to avoid holding themselves to the DR aspects of any SLA now, or what?

[Random_Walk]

bah - yes, I wandered off the rez a bit, going off on a storage tangent. The same holds true for privacy though, but w/o an example of loss/theft/whatever. Sorry about that :)

[kojacked]

"I've found (to my admitted semi-delight) that you can make a Microsoft sales rep VERY uncomfortable if you say "...but what about the Sidekick incident?" every time he says "cloud" (evil grin). "

I'm sure you get calls every day from Microsoft trying to sell you cloud services. Being that the Danger disaster was pretty recent and the fact that Azure is just getting off the ground I'm sure you've had many of these oppurtunies to flaunt this fact as you describe...in your dreams.

[bj1126]

I disagree I think it's a realistic approach. In Microsoft's position they can't promise the farm and they know it. I don't think large customers concerned with privacy will ever use public cloud services like Azure. Groups with those resources will see similar efficiency in hosting their own cloud environment and circumventing the privacy concerns.

I think public clouds like Azure will be far more beneficial to SMBs. The scalability and stability the cloud offers them lets them compete with larger competitors on even footing.

[Random_Walk]

"I don't think large customers concerned with privacy will ever use public cloud services like Azure"

I semi-agree, even down to the mid-sized level.

OTOH, if any large customers of that type have had any reservations before, they certainly won't touch it now. And SMBs, if they're concerned with privacy at all, would likely move to someone who does care

Not sure offhand what Amazon's S3 policies are, but if they're more helpful than Microsoft's, guess who's going to get the customers? It also doesn't help that Microsoft hands their competitors a big fat PTB-level talking point, on a silver platter no less (e.g. "...unlike Azure, we actually work to insure that your privacy policies and concerns are not only met, but exceeded...")

[kojacked]

"Not sure offhand what Amazon's S3 policies are, but if they're more helpful than Microsoft's, guess who's going to get the customers?"

Just like Fox News... Take an assumption and spin it into fact. If you're not sure why not look Amazon's S3 policies up and post it. Of course that could potentially wreck your FUD fun but you'd be a little more credible. Oh wait...

It all comes down to money. If a cloud provider has backup services and other hand holding they provide thier customers they'll work the costs into the price or go out of business. Or they could choose to low-ball the price and leave the rest up the customer. It's pretty simple.

Of course you'll always assume Microsoft is out to jack its customers; high price, low services but that shouldn't surprise anyone here Peng. Even if Microsoft gave eveything away and went out of business you still wouldn't be happy with them. All hail open source (or anything that isn't Microsoft)!

[baconstang]

So this article is suggesting that MS take up a leadership position in the emerging cloud market? That would require, I don't know, innovating perhaps? And for MS that would require a sea change in their business model.

[daverosenberg]

I don't see how MS has any other choice but to adapt.

[Pride73170]

The cloud conflicts with the business model that made MS and it's hardware partners filthy rich. They want businesses to continue to invest in high dollar storage and network solutions and continue to pay for large service contracts. If you look at Office Live, you'll see that MS is dragging it's feet in terms of collaborative, cloud business services. Businesses are looking more and more at Google Docs as a way to store and share data in a collaborative way, that makes doing business more efficient not only internally, but with their partners as well. MS prefers that we continue to buy mass licences for their Office software and for companies to continue to share data the old fashioned way (over Exchange servers silly.) So their head's in the sand...hoping the cloud will go away. In the meantime they fall further behind the competition and as is standard operating procedure at MS these days, they won't take it seriously until everyone else has found ways to dip into the revenue stream.

[Random_Walk]

The problem is, if they drag their feet too much, they'll get left out, left behind, and become the next Unisys, Wang, Tandem, (insert 'defunct has-been-and-functionally-irrelevant' corp here).

It's like their sudden lurch towards building and pushing Internet Explorer at all costs. The Internet's rise in popularity took Microsoft by surprise, and Gates responded with alacrity, shoving IE into every crack and crevice that Windows had to offer.

I think they're just trying to avoid the same situation (by pre-positioning Azure), and I agree - they are dragging their feet - a lot. It's like they want to play both sides of it. If the whole cloud thing takes off, they have a product they can shove into place and push/improve/whatever as needed. OTOH, you're right, in that it seems they'd rather not have to go that route unless they have no choice.

[seankirk]

I think the point is being missed here. While I uderstand the authors need for more substance and assurances about data, I think he is missing the point of this particular position paper, its data privacy stupid! MS is essentially saying, we will have your data in our controlled centers, but we have no interest in whats in your data. This is a PRIVACY ploicy, not a service policy paper. This is giving assurances to copmanies that MS will not be snooping around in your data, and indexing it it Bing.

[JasonM80]

This article certainly raises interesting questions and valid concerns, but the cited publication has been taken out of context and applied incorrectly. When it talks about the cloud, in this context, it is talking about the Windows Azure Platform - not Hotmail, Office Live, or any of the other web-based applications that some believe is the full extent of Microsoft's cloud computing offerings.

The Windows Azure Platform is a cloud-based hosting service for third parties to develop and deploy their own applications. If I use such a vendor's application and the vendor decides to use my data irresponsibly, that has nothing to do with Microsoft. Microsoft not only shouldn't, but CAN'T prevent that from happening. This paper merely spells that out to people who might look for bystanders to blame.

I think the key problem is in the following quote from this article: "... I find it hard to apply to Microsoft's cloud efforts as the company is not offering services like Amazon.com's S3 or EC2 but rather doing the actual data management of e-mail and documents through online services." The important bit of missing information is that Microsoft actually IS offering services like offering services like Amazon.com's S3 and EC2.
More information about Microsoft's Windows Azure Platform can be found here: http://bit.ly/WindowsAzurePlatform.

(Jason - collaborating with M80, representing Microsoft and Windows Azure)