The following post is from Matt Thomlinson, Vice President of Microsoft Security. It was originally published on Microsoft on the Issues.
On Friday, I participated in a panel entitled “Rebooting Trust? Freedom vs. Security in Cyberspace” at the 50th Munich Security Conference. During my presentation, I discussed Microsoft’s initiatives to protect customer data from government snooping, which Microsoft General Counsel & Executive Vice President Brad Smith recently announced. Brad outlined three areas where Microsoft would be taking action: expanding encryption across our services; reinforcing legal protections for our customers’ data; and enhancing the transparency of our software code. On Friday, we announced another step we are taking in implementing those commitments.
We will open an international Transparency Center in Brussels, which will offer government customers an increased ability to review our source code. The Brussels center will build upon our long-standing program that provides government customers with the ability to review our source code, reassure themselves of its integrity and confirm there are no back doors. It is my hope to open the Brussels Transparency Center by the end of this year.
My team also leads a comprehensive engineering effort to encrypt customer data moving between our customers and Microsoft; customer data that we store; and customer data as it moves between our data centers.
While there is much that industry can do to help protect the privacy of our customers, the way forward will require not only technical solutions but also effective policies to accompany them. The private sector has highlighted the need for basic global principles for reforming international government surveillance. Government and the private sector must work together to move us from this current crisis of trust to a new era of confidence in cyberspace.
A key step in the process of rebuilding trust is continuing international cybersecurity engagement. To make effective progress, we need a much more robust dialogue about global cybersecurity, and we need a place to have that discussion. One idea I proposed would be the convening of a “G20 + 20” group – 20 governments and 20 global information and communications technology firms – to draft a set of principles for acceptable behavior in cyberspace. Whatever forum we use, we need to further this important conversation.
Despite our various views, we need both technical improvements and agreement on the fundamental policies of cyberspace to meet our common needs for security and privacy. Privacy can’t exist without security, and security depends on privacy. We can have both.