Google, Facebook and Microsoft on Data Privacy


Few topics are as relevant to information security as data privacy. At last week's RSA Security conference, top privacy executives from Google, Facebook and Microsoft explained what their companies are doing to help enhance user privacy.

The privacy panel, an annual tradition at RSA, has featured some of the most intense debates at past conferences. In 2013, for example, Google and Microsoft went at each other over the Microsoft "Scroogled" campaign that alleged Google's privacy was weak. The general theme at last year's panel was that privacy and security are not always the same.

This year panelists addressed the need for deep integration of privacy throughout the product development process.

Privacy Principles

"My job is to be looking around the corner, to be listening and talking to people and policy makers to understand the latest concerns about privacy, and to make sure we bring privacy into the products we build," said Erin Egan, Facebook's chief privacy officer.

Keith Enright, director, Privacy Legal Team, Google, said that Google is still learning about privacy, and its current programs reflect the lessons it has learned over the years. Google in the past has launched products that were imperfect from a privacy perspective, he admitted.

"We now have legal compliance professionals working with engineering and product people to identify privacy concerns and opportunities early in the development cycle," Enright said. "So now when we're called on to explain how we deliver on privacy, we can do it consistently."

Brendon Lynch, Microsoft's chief privacy officer, echoed the same basic principles as his colleagues at Facebook and Google. Microsoft has embedded people familiar with privacy issues within the company's engineering teams so they can ask the right questions at the right time, he said, noting that Microsoft also performs routine privacy reviews.

Facebook also conducts privacy reviews, using a cross-functional privacy review process for all of its products. Egan explained that these reviews occur before any product launch and are performed by a team that looks at privacy policy, legal, site integrity, communication and security.

Facebook is continuing to provide self-service features for users to better control visibility and privacy in their Facebook settings, Egan said.

Data and the Government

Google's Enright raised the topic of government intervention, emphasizing that Google wants to promote transparency about sharing information with law enforcement agencies. Google is pushing the use of visible, legitimate and accountable processes to obtain information.

"We will not collaborate with any government for information through the back door," Enright said.

"We want to ensure that any data collection from any government is through valid legal process," agreed Microsoft's Lynch. "Where encryption fits in is to make sure data is gathered legally and not through technical brute force."

Sean Michael Kerner is a senior editor at eSecurityPlanet. Follow him on Twitter @TechJournalist.