Privacy and .NET My Services: Can You Trust Microsoft?
David Chappell - January 05 , 2002

Microsoft's forthcoming .NET My Services (formerly code-named HailStorm) provides a set of Web services that applications can use to access information about users. That information might include things such as address books, calendars, information about when and where we're accessible via the Internet, and even credit card numbers. If we choose to store this information in the .NET My Services database, then allow applications to access it, those applications can provide us with a range of useful new services.

Most people I talk with have no trouble believing in this technology's fundamental premise: applications that have access to this kind of information really would be able to provide services that make our lives simpler. .NET My Services is a platform for new kinds of applications, and those applications will be attractive to many people. The key stumbling block to the success of .NET My Services isn't the utility of what it can provide, nor is it Microsoft's ability to make this technology work. Instead, the biggest thing standing in the way of a profitable new business in this area is the willingness of potential customers to trust Microsoft to store their personal information.

Microsoft solemnly promises to keep all of the data we store in .NET My Services completely private. But why should we trust Microsoft to keep this promise? The temptation to make large sums of money from the data it holds might prove irresistible, since if .NET My Services succeeds, it will hold a great deal of valuable information. Trusting Microsoft or any private organization to maintain the privacy of our personal information requires a leap of faith.

Yet there's a strong argument for believing this concern is overstated. Think about it: If Microsoft breaks its promise, most .NET My Services customers will stop using the service, and .NET My Services will fail. In fact, business customers are likely to force Microsoft to sign contracts guaranteeing the privacy of their data, so selling this information would also expose Microsoft to large financial liabilities. Microsoft is spending something like $100 million on this new offering, and the company clearly hopes to profit from this investment. Following through on its privacy promise is Microsoft's only chance to make .NET My Services succeed as a business.

In other words, it's in Microsoft's interest to keep its word. If the company changes its mind, or if the people at Microsoft promoting .NET My Services have lied to us, .NET My Services will replace Microsoft Bob as the company's most visible failure. I always trust Microsoft to do whatever will maximize its profit, and in this case, that means keeping its promise about the privacy of our data.

Even if Microsoft does keep its promise, however, there's another concern: What about organizations that we let access our data? If I grant access to my .NET My Services information to, say, an application running on some company's web site, how can I be sure that company won't use my data in some way I don't approve of? It might sell my address, or send me unwanted email solicitations, or barrage me with telemarketing calls at dinnertime. Although Microsoft has talked about requiring applications using .NET My Services to conform to some sort of privacy regulations, this will be challenging to enforce. More likely, it will be up to me to decide whether I trust an organization with the information I'm allowing it to access.

But just how personal is this information, anyway? To rent a video at Blockbuster last week, I had to fill out a form containing my name, address, credit card number, date of birth, and lots more personal information. I then had to sign this form, the fine print of which granted Blockbuster the right to sell or otherwise use this data in any way it sees fit. Even my bank sells my address to annoying mailing lists. Yet I still use Blockbuster, my bank, and many other businesses that make no effort at all to respect my privacy. Given both an explicit promise and obvious business benefits in complying with that promise, I feel safer trusting Microsoft with this information than I do many other organizations.

Ultimately, it is customers who will decide. If they believe that the benefits of .NET My Services–based applications outweigh whatever loss to privacy those benefits bring with them,.NET My Services will succeed. If they don't, .NET My Services will end up as just another evolutionary dead end in the technology ecosystem.

And of course, there's another issue, too: Even if you trust Microsoft to keep its privacy promise, can they actually do it? Servers on the Internet full of personal data are bound to be a tempting target for hackers, so Microsoft must also provide the necessary security for that data. I'll look at this issue, one that's perhaps even more important than privacy, in my next column.