Interview: Brendon Lynch

Being the chief privacy officer for the world’s largest software company is no small task, especially in light of lingering PRISM accusations and the growing importance of data in an increasingly connected world. Eleanor Dallaway meets Microsoft's Brendon Lynch…

I sit down with Microsoft's chief privacy officer, Brendon Lynch, at a time when privacy and data exposure couldn’t be more topical.

With the revelations of NSA whistleblower Edward Snowden still rocking the industry, and bang in the middle of the RSA backdoor controversy, I could forgive Lynch for being a little cagey. After all, the media has been pretty unforgiving in accusing Microsoft of collaborating with law enforcement over access to customer data.

I needn’t have worried, as Lynch is nothing but friendly and entirely candid. Without motive or agenda, Lynch gives me the floor to ask whatever I want.

In his hybrid global accent – the result of a New Zealand heritage, six years in London, and the last 14 in the US - Lynch tells me that Microsoft’s trustworthy computing vision is what attracted him to join the company’s privacy team a decade ago. 

“I was a business consultant and looked on with envy when I saw that Microsoft had published this thought-piece about where technology was going, how it hadn’t yet reached the same degree of trust that other technologies before it had, and the broad vision for how to bring that about.”Brendon Lynch, Microsoft, Chief Privacy Officer

Knowing that there was strong executive support for the topic “grounded in customer trust,” encouraged Lynch, and he maintains that this support has been a constant throughout the decade. “Other companies are only just getting to this notion now,” he adds.

Privacy and trust have always been strategic to Microsoft, and Lynch’s priority has always been to gain and maintain the trust of customers. “What has changed over the decade, though, is the increasing importance of it.”

From the time when it was primarily a software company 10 years ago, to today’s radically different cloud service and hardware offerings, Microsoft’s data footprint has changed dramatically. “Now, it’s a vibrant app eco system, with data in the cloud,” says Lynch.

The sheer quantity of customer information the Redmond giant must look after, and the degree of connectivity between devices and Microsoft services, confers “much bigger obligations for privacy,” according to Lynch, who considers it imperative to Microsoft’s success.

“If we can’t maintain the trust of our customers, it will have a tangible business impact,” he tells me. 

The Difference a Decade Makes

I ask Lynch how attitudes to privacy have evolved during the decade he has spent in the privacy team at Microsoft.

“At a fundamental level, people cared about their privacy then, as they do now,” he argues. “But the nature of technology and the data collection and use that’s occurring now is much greater, and therefore perhaps concerns and fears are now manifesting themselves in the realities of what’s happening today.”

That reality, according to Lynch, is the “potential for a digital record of all human activity.” As technology intersects with people’s lives and activities, and devices become ever-more mobile, “sensors all around us” will create those digital records, he warns.

Perhaps as a result of this so-called “trendline,” people are now starting to question how their information is being used, who they should trust, what control they have, and in some cases, what actions they can take to better protect their privacy. All of this whilst still taking advantage of an explosion in new productivity and connectivity capabilities.

The Generation Game

Lynch dismisses any assertion that young people don’t care about privacy.

“You only have to look at the way that young people are using technology today. Yes, they’re sharing a lot on social networks, but they’re sharing in a controlled and creative way, using different social networks for different personas,” he argues. This is not the behaviour of a generation which doesn’t care about who’s seeing its information, Lynch considers.

“You can’t assume that sharing means no privacy, because for many, privacy is paramount.”

The younger generation want to control who they share their personal information with, Lynch continues. “It’s that ability to control where information goes, who it’s shared with, and how it’s used. They are conscious about what they share, because their online reputation is something that’s very important to them, in a socially-connected world.”

This is an argument well made. Whilst privacy remains important to technology users, the evolution of said technology forces society to “establish new norms” when it comes to privacy.

“Remember the stories of outrage when the Kodak camera first came about?” Lynch says, recalling the birth of the instant mobile camera set to “destroy society.”

“But now we all carry a camera on our smartphones and the ability [to take] a photograph is ubiquitous, so we’ve established a new set of social norms.

And yes, there is probably more sharing than some people would like, but generally I think we learn to adapt [to new technologies].” 

Protected by Default

With rapid advances in both technology and data use, Lynch suggests that it may be putting too much burden on individuals to expect them to adapt their practices in line with every evolution. “Whilst the responsibility [for privacy] is probably always going to be joint, I think that there needs to be more focus on the organizations providing these products and services to be more accountable and responsible for data use, so that people are protected by default,” he argues.

Lynch believes the core of privacy never changes, “but it’s just how they apply it, and how they adapt and manage it in the new world.”?

Of course, the notion of privacy is particularly relevant to social networks. With users willing to share their photographs, relationship status and who-knows-what-else, should they be responsible for their own privacy, or should the social networks be held accountable?

This is something that Microsoft is stimulating dialogue around in the public policy stakes, Lynch tells me. 

“Does the application have fair information practices that make sense for the world that we’re in…[and] the world that we’re heading to? There’s quite a reliance on notice and consent, for example, but many would argue – myself included – that this puts a lot of burden on the individual.”Brendon Lynch, Microsoft, Chief Privacy Officer

A Microsoft customer survey recently revealed that whilst users desire more information on how their data is used, the majority do not read the privacy statements provided.?

“There’s probably always going to be cases where noticing the consent makes sense, particularly with more sensitive data,” says Lynch, pointing to DNA information as a prime example.

“But for a lot of other data types and uses, it might be that I’m just going to need to rely on organizations to be responsible custodians and stewards of that data, and for perhaps others to look and make sure that they’re applying good practice.”

Lynch and I agree that a user with 10 wearable devices in an environment with multiple sensors, could never be expected to be aware of, understand and consent to each of the collection points, for example.

“Instead, the user will have to be able to trust that the right things are happening.”

This, he says, will require organizations to be more responsible for putting good practices in place – “providing a safe environment for the users of their products and services.”

A New Conversation

It’s at this point in the interview that I introduce the elephant in the room: Edward Snowden. To be fair, it’s 30 minutes in and I’ve held out thus far. Rather than rolling his eyes, Lynch breaks out into a huge smile; a look of ‘what took you so long?’ across his face. 

“Snowden has added an interesting element to the progression of growing interest in privacy amongst our customer base. It has also accelerated understanding in our organization of just how strategically important privacy and trust is.”

Has it impacted Lynch’s role directly?

“Of course,” he tells me. “There are more demands and expectations on myself and my team to provide advice in the company and continue to deliver upon our privacy promises.” 

Lynch recalls how Snowden changed the focus of the conversation from the relationship between the individual and Microsoft, to the citizen-to-government relationship, which includes information from private sector providers like Microsoft.

“Thinking about how to protect privacy in that realm added another dimension to our work. It deepened the relationship with information security, because the government surveillance topic is as much a security issue as a privacy issue.” Technologies like encryption, he offers, are fundamental to enabling privacy. “They’re necessary, but not sufficient, because privacy is not just about protection of the data – it’s also about the appropriate use.”

PRISM: Not Guilty

Lynch explains that Microsoft has invested resources into advancing encryption and information insurance across its services, as well as into “being clearer on how we deal with the legal process, and ensuring that any requests for data come through a legal process which we can be transparent about.”

Customer desire for this transparency became abundantly clear when the PRISM program became public knowledge and many software, telecommunications and technology companies were challenged over their sharing of customer data.

“It was challenging for us, and others, not to be allowed to be as transparent as we wanted to be,” he says. “We’ve published transparency reports before, outlining the details about information that was used by governments around the world for law enforcement purposes, but there were some restrictions on the national security uses.”

It was frustrating, Lynch explains, “because the media was painting a picture very exaggerated relative to the reality, and in some places actually wrong.” Allegations included that Microsoft was providing government departments with direct, unfettered access to customer data, and that it had backdoors in its products. “Until PRISM was released, we’d never heard of it,” he claims.

Lynch adds that only a fraction of Microsoft’s customer base has ever been involved in law enforcement requests relating to national security, and that the firm has never received a request for bulk collection of data. 

“[Requests] are always around specific accounts of identifiers.” Lynch would, he insists, fight any request for bulk collection of data.

“We didn’t feel concerned about anything we’d done, because we’ve got a very principled approach,” he says. “The concern is more about how things might be misunderstood. We wanted to be able to say more, and we were delighted that we were finally able to say more to set the record straight.”

This happened during Scott Charney’s RSA 2014 keynote, when Microsoft's corporate VP of trustworthy computing used his time on stage to declare that Microsoft does not, and has never, put backdoors in its products.

“We set our bar above all the legal requirements. That shields us from a lot of piecemeal law-making, because we can always come back to our principles. We can evaluate a new law or proposal, and come back and ask whether our policies and standards put us in a position to comply with this new requirement, and invariably it’s ‘yes’.”

A Burgeoning Profession

Lynch took over the role of chief privacy officer in 2010. The CPO role – or, at least, someone who is accountable and responsible for the appropriate management of customer information – is increasingly popular among organizations. However, it may often be listed under a different title, such as data protection officer, Lynch says.

He tells me that the International Association of Privacy Professionals (IAPP) – Lynch sits on the board of directors, and was chairman of the board in 2013 – has recently announced 15,000 members worldwide. When Lynch first got involved in the group 12 years ago there were approximately 40 members, so clearly there’s a growing appetite for privacy professionals.

In Microsoft alone, Lynch says there are hundreds with formal responsibilities for privacy, and more than 100 certified information privacy professionals.

Managing talent, he tells me, is a key part of his role. 

“We know that the best decisions around data collection and use have been when we’ve got privacy expertise involved in that discussion. There’s a real career growing around this domain now, and the IAPP has played an important role, because it’s now a certification program, and a place for continuing education.”Brendon Lynch, Microsoft, Chief Privacy Officer

Microsoft, as a co-founder (alongside HP) has invested in that, “to create a pipeline of talent and nurture the talent we already have.”

Before I conclude the interview, I have to ask Lynch about the most clichéd but frequently discussed ‘privacy versus security’ conundrum.

“They should definitely exist in harmony,” he says without hesitation. “National security is a classic example of where one may be in tension with the other. A degree of surveillance is going to be needed to help ensure public safety, and a degree of surveillance is going to have an impact on privacy, so then the question is, ‘how can you enable both in some way?’.” 

More often than not, he insists, security and privacy complement each other.

“When I think about how to protect the privacy of our customers’ data, for example, the fundamental starting point is security. Security is playing this crucial supporting role for privacy… if you don’t have security, then you don’t have the ability to really protect privacy either.” 

Brendon Lynch, it has been a pleasure. 

What’s Hot on Infosecurity Magazine?