Financial Times: How much resource does Microsoft put into security?
Bill Gates: Security is our top priority. I can’t see that changing any time soon.
FT: More important than hitting the Vista deadline? [Windows Vista, the next version of Windows, is due to be launched late this year.]
BG:Oh, absolutely. Believe me, Vista would have been out nine months ago if we hadn’t had to do all the security design reviews and put the security features in. XP SP2 [the security update to the previous version of Windows] was a huge effort, when we took the people off Vista.
There is no doubt we have put our money where our statements are on this. We would have had a release of Windows out way earlier if it wasn’t for this focus on security. Even today, the date is not the sacrosanct thing. It is the feedback from the users, and the experience we have with this thing.
FT: After the big push on security around XP SP2, has it now become business as usual at Microsoft?
BG: In the sense that we know how to factor that into our schedules, yes. But it’s still the biggest thing in any development schedule. The amount of security work as you move up the stack gets to be less and less. But Windows is down here low in the stack, and so that’s where the most work is. That’s where smart cards have to connect up to, code reputation has to connect up to, the whole security centre that makes it easy to say what your security update is, that’s down here. For any Windows schedule in the future there will always be that security work. So no, it’s not business as usual. But hey, this is software, and security is the most important feature of software. After all, digital usage of critical information goes up every year. What was adequate a few years ago is no longer adequate. People are relying on these systems more and more.
FT: How much development effort is consumed by security?
BG: It’s not really in a precise way. It’s pretty easy to say the number is on the order of 30-35 per cent of what we’ve done in the Vista engineering cycle. If you define it broadly you could get over 40 per cent, or if you really define it narrowly you could get lower. But it’s on the order of a third of what we’ve done.
FT: Was the security work in Windows XP much lower?
BG: A dramatic difference. [It was] less than 10 per cent.
FT: It’s four years since you announced the “Trustworthy computing” initiative that made computer security a central priority. How far have you got?
BG: If you just look at the last year and you say, what was the biggest security thing this last year, no one can name one, because there wasn’t a big one this last year. That’s not to say everything’s perfect. People still get a little bit of spam, phishing – the sophistication of the phishing attacks has gone up. Three years ago, that really wasn’t there at all because the amount of online commerce, the opportunity just wasn’t there. Now, we have these incredible tools against phishing. Spam really shot up about two years ago, now we have some incredible tools against that.
FT: Where do you draw the line between security you build into the operating system and security you sell as a product or service? Microsoft has just announced the launch of OneCare, a consumer anti-virus service.
BG: It’s not a huge revenue opportunity. It’s more an opportunity to make sure the Windows platform is preferred because it has got the security built in. Take anti-spyware: people were starting to come into the market and charge for that. We very quickly said no, this will be built in. We’re not building in the anti-virus thing. There [are] a lot of people out there who have sold that separately and would have made things very tough for us if we’d built that in.
But every new thing we build in. The tradition on AV is not to bundle that in. We have stuck with that. Somebody can say that was wise or not, but every other new area we’ve built in. We’ll have people who say we shouldn’t have built so much in because we didn’t let people buy 20 extra packages, and we’ll have people who’ll even say we should have taken that one thing we didn’t build in and built that in. It won’t be a huge business for us. On the corporate side, some of these management tools – yes, we’ll have some business there. Not gigantic as a percentage. But its only on the corporate side where you can see separate revenue streams.
FT: Did anti-trust considerations figure in your decision not to bundle anti-virus software with Windows?
BG: Yes. The decision to leave AV outside – there’s so many factors that weigh into it. But certainly, we looked at that as one factor, how people will respond. Remember, the whole notion of improving software and making it better for users has been attacked because it makes it tough for competitors.
That’s the basic framework we have, where we’re kind of saying if we put new things in and don’t raise the price, it’s there, that’s competition, that’s beneficial to users, and other people are saying no, let’s protect us competitors. That’s a tricky framework. Clearly if that was all we thought about we wouldn’t have put all this new stuff in, but we have.
FT: Yahoo and AOL are planning to offer a service under which they charge companies a small fee for delivering their bulk email in a way that avoids it being blocked by spam filters. Will Microsoft so something similar?
BG: We don’t charge for Hotmail. I don’t see anything we’re likely to do where we charge per email. We charge to license Exchange, we charge to license Outlook, those are super-good businesses, we have a super-good share of those things. But charging per email, I don’t see us doing that.
FT: You have talked about building a “trust ecosystem” on the internet in which users’ identity information can be shared between websites. Would this be a closed system, or an open one?
BG: It’s totally standards-based and totally open. It runs on all platforms. It’s a series of standards that we’ve worked on – in fact, IBM has been one of the key participants in these standards. It’s got to work across all systems or it’s not worthwhile. It’s a great industry standard, just liked we’ve helped to extend HMTL for everybody to use, and TCP-IP for everybody to use. We have an implementation of it that will compete on the implementation. But the whole notion of the protocols, how it’s done, that’s all in these WSTrust standards. Believe me, we know a lot about this. When we did Hailstorm, four or five years ago – it wasn’t a plot to be the central root of trust or anything like that, but it was perceived as such. Our guys who work in this area have made it so clear that this is open, that everybody connects up to this. We are so clear on this.
FT: Is this the Hailstorm vision under a different name?
BG: No, no, it’s not even worth going back to that. We partly didn’t know what it was, and certainly what the press said it was wasn’t what we thought it was, but even what we thought it was we didn’t end up doing all of that. That’s old history. This is very simple. There are statements like, “I, the employer of this person, have given them a secret” – either a password or even better a big number, a key. So I, Intel, say if they present this secret back to me, I, Intel vouch that they are an employee. Then we at Microsoft collaborate with Intel, and we decide do we accept statements of that type to decide who can get into various collaborative websites for joint projects. That’s called federation, where we take their trust statement and we accept it, within a certain scope. So they don’t have to get another user account password. There’s no central node in this thing at all, there never can be. Banks are a key part of it, governments can be part of it. The US, probably not as much. In a lot of countries, statements like “this person is over 18”, “this person is a citizen”, the governments will sign those statements. When you go into a chat room, for example, in Belgium, they’ll insist that you present not necessarily the thing that says who you are, but the thing that says the government says I’m over 18. This trust ecosystem has so much good designed for privacy. This thing is amazing, where you can prove who you are to a third party and then, in the actual usage, they don’t know who you are. A lot of the previous designs had the idea that if you authenticated, then you gave up privacy. There are lots of cases where you want to be authentic but not give up your privacy – or not give up your privacy except in extreme cases. So all these things that exist in the real world about trust have to mirrored in these digital systems - and the real world is very complex in these respects. When you hear somebody on the phone, that’s enough evidence that you’re willing to tell them some things. The basic architectural framework lets us mirror a lot of these real world things. But these real world things, they take no set-up time. Your brain is just so good at recognizing somebody’s voice, or somebody’s face, or somebody’s handwriting. It’s all just so implicit. When you leave your office, it would be strange for somebody nobody knows to come into your office and sit there at your computer – you didn’t write a memo to every body nearby, it’s so implicit: give me a break, you guys just let that guy walk in there and walk away with my computer! In the digital world, there’s far less that’s implicit like this. Describing these things is hard. Now in some ways, the digital world is superior. The ability to have anonymity is actually better when you want it. There’s no such thing as going to a soapbox and saying the government’s corrupt and not having the intelligence service see your face. In the digital world, that can be done.
FT: Unless you’re in China.
BG: No, in fact, it can even be done in China. Now China may not like that. There are many cases where – say you do a website’s that libelous of someone and a judge rules that website as libelous. It might not be libelous in every country in the world – there are different standards there. How do you make that website unavailable – should there be any such tools, or is libel not a concept that should exist any more? Say it’s stolen copyright materials, say it’s child pornography, say it’s a site that gets old ladies to pay $20,000 for a roofing job where the guy never shows up. There are websites that any government wants to block. The truth about the internet is that it’s extremely hard to block anything – extremely hard. You’ll never get perfect blocking. It is an interesting thing that the tools of technology are creating a level of openness that is good in some ways. But there are these things where – like child pornography – it’s harder to block or track than it would have been in the physical world.
FT: Microsoft announced a policy last week to only remove blogs from its services in China if it receives a proper legal order. By in the absence of the rule of law, surely you’re not going to get a proper court order?
BG: We’re going to get a government order before we do anything. It’s actually very clear who gives these orders. They haven’t authorised us to be a news service, so the information departments say that is a news/information thing that is not within the writ of your activities. We’re not the first media-related entity to have some activity in China.
FT: Do you keep information on servers inside China?
BG: Our servers are all outside China. This whole thing of inside versus outside China, I never understand that, it somehow comes up in the Google discussion. I don’t get that at all. This is not about where the servers are. We don’t have servers inside China, we just don’t. It may be that for responsiveness at some point we’ll do that, but that’s not the way we work today.
FT: Should the US government establish guidelines to regulate how internet companies deal with censorship in countries like China?
BG: I think something like the Foreign Corrupt Practices Act has been a resounding success in terms of very clearly outlining what companies can’t do and other rich countries largely went along with that. That’s a great thing. I think – [it] may be that idea [will] come along. I hope the people who make those things are sophisticated and not over-simplistic. You could make a rule – let’s say, should I be allowed to do business in Germany? Germany bans Nazi hate speech – the US clearly constitutionally protects that. Should I do business in Germany? Or child pornography, the US view is very different than others. I don’t think that a [rule] that said you shouldn’t do business in some place whose standards aren’t identical to the US would work. Clearly people like ourselves are glad to go along with whatever reasonable things gets laid down. That’s why its part of the dialogue. The internet overwhelmingly makes information available. It is not possible to block information, it is just not. You can make it so that the average person who just clicks on popular websites, with no extra effort, certain things don’t show up there. But in terms of actually blocking information… it’s bad news if you like to block libelous websites, or child pornography, or various things, copyright stealing. It’s very hard to do blocking. You can only take the very direct paths. And particularly if you put something up that says, we took this thing down, think of the time period between when you put it up and when it comes down and how people can cache that. It’s hard to block information. It’s so night and day versus when newspaper publishers and TV owners were small chokepoints that controlled the distribution of information. So, I think people have to [understand] what a open tool the internet is, despite any firewall stuff or any takedown orders that get given. People need to really understand what a tool for openness it is.
FT: Do you have qualms about self-censorship, for instance when you take down blog sites in China?
BG: We’re not involved in self-censorship. That’s not self-censorship. We are following those orders, that’s come up one or twice, I think.
