MS-commissioned secret audit clears MS over Hotmail holes

Huge victory for self-regulation, says Man in Suit

Microsoft has been entirely exonerated over the ghastly cock-up that opened up the email of 50 million Hotmail users to all and sundry. The exoneration comes in a secret report of an audit that was carried out by a "big five accounting" firm which Microsoft won't name.

One might of course speculate that this is the sort of thing that will torpedo industry attempts to self-regulate over privacy. In the wake of the discovery of the Hotmail security hole, Microsoft and Web privacy overseer TRUSTe announced that Hotmail would undergo a voluntary review by a major accounting firm, and that the firm would not be named.

Microsoft is one of TRUSTe's major funding sources, but then as Microsoft is a big software company, it would be, wouldn't it? TRUSTe also gets a lot from IBM and Novell. Nevertheless, by reacting to one of the biggest privacy screw-ups ever to hit the Net with a voluntary, secret audit, TRUSTe was effectively, in the words of Junkbusters president Jason Catlett, saying "Trust me."

Microsoft professes itself unable to name the auditors or release the final report because this would be prohibited under the guidelines set by the American Institute of Certified Public Accountants (AICPA). We can think of some companies whose auditors might like to take the fifth in this way as a matter of course, but under the circumstances it's remarkably convenient, as it lets Microsoft say "trust me" too.

Microsoft released what we have to take on trust as being the report's findings in a press release yesterday. "TRUSTe and Microsoft have confirmed that Microsoft effectively resolved the Hotmail security issue and that Microsoft is in compliance with the TRUSTe licensing agreement. Microsoft also has implemented several quality-control procedures to help prevent future incidents of this kind." What these are, and whether they apply to, say, IE5 (aka Security Hole Central), we know not.

Microsoft then goes on to say that the report "details activities conducted by the accounting firm in each of the following areas," without elaborating on the activities themselves. Briefly, they looked at documentation on the nature, extent and cause of the problem. Then they looked at documentation describing the solutions implemented, then they talked to the people involved. Then (grief…) they checked the code to see the fix had been implemented, and then (double grief…) they checked to see the problem was no longer there.

Is it any wonder the full report isn't being released? Maybe that is the full report, and it just says that Microsoft fixed it, and promises not to do it again.

Bob Lewin, executive director of TRUSTe, gave himself a hearty slap on the back: "The significance of this report is clear: Our oversight and automated dispute resolution mechanism is effective, and moreover, the self-governance process works… I am confident that this serves as a model for effective oversight with the TRUSTe program. Finally, this action underscores the proven credibility and robustness of TRUSTe's privacy seal program on the Internet."

Great stuff, eh? Junkbusters, which has been harrying MS and TRUSTe over this and other issues, takes a different view. "Suppose a space shuttle exploded and NASA commissioned an independent engineering firm to investigate, then claimed the problem was fixed but refused to even name the engineering firm. They would be ridiculed, and so should TRUSTe and Microsoft." ®
