MS-commissioned secret audit clears MS over Hotmail holes

Huge victory for self-regulation, says Man in Suit

Microsoft has been entirely exonerated over the ghastly cock-up that opened up the email of 50 million Hotmail users to all and sundry. The exoneration comes in a secret report of an audit that was carried out by a "big five accounting" firm which Microsoft won't name. One might of course speculate that this is the sort of thing that will torpedo industry attempts to self-regulate over privacy. In the wake of the discovery of the Hotmail security hole Microsoft and Web privacy overseer TRUSTe announced that Hotmail would undergo a voluntary review by a major accounting firm, and that the firm would not be named. Microsoft is one of TRUSTe's major funding sources, but then as Microsoft is a big software company, it would be, wouldn't it? TRUSTe also gets a lot from IBM and Novell. Nevertheless, by reacting to one of the biggest privacy screw-ups ever to hit the Net with a voluntary, secret audit TRUSTe was effectively, in the words of Junkbusters president Jason Catlett, saying "Trust me." Microsoft professes itself unable to name the auditors or release the final report because this would be prohibited under the guidelines set by the American Institute of Certified Public Accountants (AICPA). We can think of some companies whose auditors might like to take the fifth in this way as a matter of course, but under the circumstances it's remarkably convenient, as it lets Microsoft say "trust me" too. Microsoft released what we have to take on trust as being the report's findings in a press release yesterday. "TRUSTe and Microsoft have confirmed that Microsoft effectively resolved the Hotmail security issue and that Microsoft is in compliance with the TRUSTe licensing agreement. Microsoft also has implemented several quality-control procedures to help prevent future incidents of this kind." What these are, and whether they apply to, say, IE5 (aka Security Hole Central), we know not. Microsoft then goes on to tell the areas the report "details activities conducted by the accounting firm in each of the following areas," without elaborating on the activities themselves. Briefly, they looked at documentation on the nature, extent and cause of the problem. Then they looked at documentation describing the solutions implemented, then they talked to the people involved. Then (grief…) they checked the code to see the fix had been implemented, and then (double grief…) they checked to see the problem was no longer there. Is it any wonder the full report isn't being released? Maybe that is the full report, and it just says that Microsoft fixed it, and promises not to do it again. Bob Lewin, executive director of TRUSTe, gave himself a hearty slap on the back: "The significance of this report is clear: Our oversight and automated dispute resolution mechanism is effective, and moreover, the self-governance process works… I am confident that this serves as a model for effective oversight with the TRUSTe program. Finally, this action underscores the proven credibility and robustness of TRUSTe's privacy seal program on the Internet." Great stuff, eh? Junkbusters, which has been harrying MS and TRUSTe over this and other issues, takes a different view. "Suppose a space shuttle exploded and NASA commissioned an independent engineering firm to investigate, then claimed the problem was fixed but refused to even name the engineering firm. They would be ridiculed, and so should TRUSTe and Microsoft." ®

Sponsored: Driving business with continuous operational intelligence