Wyatt and Wingfield report: "Microsoft instituted a policy Friday that gives the company broad leeway over how it gathers and uses personal information."



'Microsoft's policy, which it calls its Services Agreement, allows it to analyze customer content from one its free products and use it to improve another service.' (photo: unknown)

As Microsoft Shifts Its Privacy Rules, An Uproar Is Absent

By Edward Wyatt, Nick Wingfield, The New York Times

icrosoft instituted a policy on Friday that gives the company broad leeway over how it gathers and uses personal information from consumers of its free, Web-based products like e-mail, search and instant messaging.

Almost no one noticed, however, even though Microsoft's policy changes are much the same as those that Google made to its privacy rules this year.

Google's expanded powers drew scathing criticism from privacy advocates, probing inquiries from regulators and broadside attacks from rivals. Those included Microsoft, which bought full-page newspaper ads telling Google users that Google did not care about their privacy, an accusation it quickly denied.

The difference in the two events illustrates the confusion surrounding Internet consumer privacy. No single authority oversees the collection of personal information from Web users by Internet companies. Though most companies have written privacy policies, they are often stated in such broad, ambiguous language that they seem to allow virtually any use of customers' personal information.

Web companies like Microsoft and Google have been moving aggressively to expand their abilities to gather and sort information about individuals' habits and interests - even as Congress, federal regulators and the Obama administration have been seeking ways to protect Internet users against unwanted privacy incursions.

Microsoft's policy, which it calls its Services Agreement, allows it to analyze customer content from one its free products and use it to improve another service - for example, taking information from messages a consumer sends on Windows Live Messenger and using it to improve messaging services on Xbox. Previously, that kind of sharing of information between products would not have been allowed under Microsoft policies, which limited the use of data collected under one of its products to that product alone.

Microsoft has promised, however, that it will not use the personal information and content it collects to sell targeted advertising. It will not, for example, scan a consumer's e-mails to generate ads that might interest the user. Google does that, and expanding its ability to draw on that content was part of the reason Google changed its privacy policy this year.

But the new Microsoft policy does allow for such targeted advertising. Microsoft promised not to do so in blog posts and e-mails informing its customers about the change, but not in the formal policy. That has some privacy advocates nervous.

"What Microsoft is doing is no different from what Google did," said John M. Simpson, who monitors privacy policy for Consumer Watchdog, a California nonprofit group. "It allows the combination of data across services in ways a user wouldn't reasonably expect. Microsoft wants to be able to compile massive digital dossiers about users of its services and monetize them."

Jack Evans, a Microsoft spokesman, says the company's plans are benign. He differentiates between the Services Agreement, also known as the terms of use, that was changed on Friday and the company's Privacy Policy, which was last updated in April.

"Over the years, we have consistently informed users that we may use their content to improve the services they receive," Mr. Evans said in a written statement. "For instance, we analyze content to improve our spam and malware filters in order to keep customers safe. We also do it to develop new product features such as e-mail categorization to organize similar items like shipping receipts in a common folder, or to automatically add calendar invitations.

"However," he added, "one thing we don't do is use the content of our customers' private communications and documents to create targeted advertising. If that ever changes, we'll be the first to let our customers know."

Microsoft's new services agreement affects only its free, Web-based products, not the software programs that individuals and companies buy off the shelf for home or business use. It covers Hotmail, and its related e-mail service, Outlook.com, but not the Outlook e-mail and calendar program that is individually loaded onto computer hard drives and widely used by corporations. Bing, its search engine, is covered, but Internet Explorer, its browser, is not.

Microsoft's pledge not to use the data from its Web services to target advertising has some credibility, given the company's broader privacy initiatives. The company has said it will include a "do not track" feature in its new Internet Explorer 10 Web browser that prevents online advertising companies from monitoring the browsing habits of users so they can target promotions. Microsoft has made "do not track" the default setting on the new version of Explorer, a move that has caused a firestorm among online advertising companies.

Microsoft's push to provide better privacy protections for consumers comes at a time when its efforts in Internet advertising have sputtered. Online advertising remains a small fraction of Microsoft's overall business, accounting for $2.6 billion, or about 3.5 percent, of the company's revenue during its last fiscal year, which ended June 30, according to Microsoft's filings with securities regulators.

But it is easy to see how Microsoft customers might be confused, because the different divisions of Microsoft that draft and oversee its user agreements and privacy policies did not anticipate that the changes in the services agreement would raise privacy questions.

The drafters of the service agreement, a more technical bunch, thought the changes were so small that they were mentioned in August in a specialty "Volume Licensing" blog dedicated to commercial customers, but seemingly nowhere else on Microsoft's vast array of corporate Web sites.

Microsoft also sent an e-mail about the change in late August to all of its 325 million Hotmail users. But those notices became the subject of nervous online chatter when some users learned that a similar message, using the same template, was being used by hackers to distribute harmful malware. Online message boards warned against even opening the messages.

Inside Microsoft, officials were focused not on whether the policy changes affected privacy but rather on a different change, one that limits the ability of Microsoft customers to sue the company, including in a class action, over its products. The new agreement requires the use of binding arbitration.

Mr. Evans said the change put in place on Friday in the Services Agreement "did not alter our existing privacy policies." Those policies include a 4,000-word main policy and at least 16 related product-specific privacy policies.

That itself is an example of how users cannot possibly know what Internet companies are doing with their personal information, said Jeff Chester, executive director of the Center for Digital Democracy, a consumer protection group based in Washington.