Brad Smith makes one hell of a convincing argument.
How else can you explain the following from Bill Gates’ foreword to his book, “Tools & Weapons: The Promise and the Peril of the Digital Age,” referring to Microsoft’s antitrust case in the late 1990s?
“After the case was settled Brad persuaded me and a lot of other people at Microsoft that we needed to take a different approach … [as] he argues in this book, there are also times when it is in everybody’s interest for the government to step in with more regulation.”
Let that sink in for a few minutes.
Nearly 20 years after the antitrust trial which almost broke up Microsoft, Bill Gates now says there are times when it makes sense for there to be more government regulation of technology.
That alone is a landmark. And as Gates himself says, it’s due in no small part to Smith’s arguments.
It’s enough to make you want to be a fly on the wall to hear some of the arguments Smith made.
“Tools and Weapons” is as close as we’ll get to be that fly on the wall. While it’s not as good as being in the room, it shows Smith making reasoned and reasonable arguments that are convincing enough, practical enough, and realistic enough that you can see how he won Gates and others over.
The title alone shows how Smith understands the dual nature of technology: any technology can be used for good, as a tool, or for bad, as a weapon. The title tells us that this book is meant as a tonic for the sometimes dangerously optimistic enthusiasm of technologists who see only the tool side of things.
In his book, Smith covers a broad array of topics, from privacy, security, AI, the talent gap, to the impact of social media on democracy.
In each section, he takes a current topic and focuses on one or two of the problematic issues surrounding it. He looks back to historical parallels or legal precedents that can inform the discussion. And finally, he talks about how he and Microsoft have steered through it, how he thinks the industry and government can and should navigate it, or both.
I spent ten years (2000-to-2010) working in security and privacy at Microsoft as part of the Microsoft Security Response Center (MSRC), so I found Smith’s sections on privacy, cybersecurity, protecting democracy and consumer privacy most interesting and want to focus on those for this review.
Lately, Microsoft has been notable for publicly taking stands in court against what it believes to be government overreach in accessing customers information that it holds. This book is especially useful in giving more context and background on that story.
In this book, Smith makes clear that he “gets” privacy, perhaps more than any other corporate leader in technology today. His section title on “Privacy: A Fundamental Human Right” echoes the language and spirit of the Charter of Fundamental Rights of the European Union and the EU’s General Data Protection Regulation (GDPR).
In his chapters relating to privacy, Smith shows he, and consequently Microsoft, take seriously the idea of “data custodianship,” an essential concept in the privacy world that views the holders of personal information to be like banks that have obligations to safeguard their customers’ assets from theft and illegal seizure by governments.
He also makes a business argument for the need for comprehensive privacy regulation at the national level in the United States; a patchwork of multiple, different, and competing privacy regulations at the state level will be onerous on businesses, Smith argues. He even talks about how complying with GDPR was good for Microsoft in surprising ways.
Unlike some privacy zealots, though, Smith shows that he recognizes the government and law enforcement side of the picture. One particularly interesting behind-the-scenes look he gives us is the process that Microsoft has put in place to expedite warrants requesting information and how that enabled Microsoft to deliver information authorities requested regarding suspects in the November 2015 terrorist attacks in Paris in less than 15 minutes. That alone is impressive and qualifies as a best practice for the industry to follow.
Smith’s book provides one of the strongest, most balanced, and realistic assessments of the importance of privacy and the way a technology company can try to balance the competing priorities it faces. It also gives a pragmatic point of view in terms of the need for reasonable privacy legislation.
In terms of security, though, the book is weaker.
In a way, this is understandable: in my experience, people on the legal side of the house are more comfortable in the privacy world than the security world. To his credit, Smith talks about the importance of security in general. He talks openly, sometimes surprisingly so, about nation-state actors, particularly Russia and North Korea. This latter point is refreshing as there’s a lot of self-censorship that companies engage in around naming names for fear of losing business, making themselves a target or both.
But Smith is detached from the nuts and bolts of security. He talks about successes Microsoft has had in thwarting attacks, but even those focus on legal actions the company has made to take over malicious domains and “sinkhole” them.
And, sadly, Smith is guilty of one of the chief complaints people in the security community have about Microsoft: a penchant for going at it alone and highlighting only their own work. I know from personal experience that Microsoft does excellent work on security. But I also know that a lot of that great work is done in conjunction with other organizations, researchers, and partners. If you only read this book, you wouldn’t know that.
Smith also focuses his discussion on security around attacks: the work that is done to thwart and prevent them. There’s a whole other part of the picture, a bigger and more important one, around building software and services to be more secure to prevent attacks. That was one of the pillars of Gates’ Trustworthy Computing Memo. Sadly, it’s absent here.
That said, these weaknesses security can be excused, in my opinion. Ultimately this book is focused on law, policy, philosophy and even history.
In this industry, we hear a lot about “thought leadership.” Often this is a jargon term for articles and whitepapers touting a new technology. Smith’s book is one that genuinely earns that moniker because of the way it puts hard policy and philosophical questions out there and wrestles with them. In many ways, this book is unprecedented: the closest analogy I can think of is the Trustworthy Computing Memo, in terms of aspiration and vision. Unlike that memo, though, this has a solid grounding in pragmatics.
I’ve dealt with the policy side of things and worked on Capitol Hill as an intern while in college: one thing I can say unhesitatingly is that this book literally should be required reading for all legislators and those involved in technology policy and regulation. Not so much for the policy positions he takes (though I tend to agree with them) but for the fact that no other book has outlined the junction between technology and policy so simply, clearly and compellingly.
This is also a book that other leaders in the technology space should read. Again, they may not agree with his opinions, but he puts the questions everyone should be thinking about and answering for themselves and their companies and organizations out there.
In this way, Smith’s book is a gift for the industry and government. And as discussion is increasing around the need for more regulation in this industry on several fronts, it’s very timely.