Inattention deficit disorder

In his series of blog posts about why context matters, Jamie Smith writes:

I believe that personalisation goes wrong when no one’s asking about the customer’s context, or no one’s listening. It’s being sent a ‘targeted’ advert for a car, not knowing you just joined a car club. It’s being recommended a book on Amazon based on your shopping history, not knowing you actually hate the author (your previous purchase was for a friend). It’s being sent coupons for pregnancy products based on your shopping history, when you haven’t yet told your family you are expecting a baby.

The best reason I can think of as to why context matters is that the highest aspiration of technology is to recede into the fabric of life.  Companies competing for our attention will soon find that we value much more those who compete for our inattention.  Philips made a really cool smart LED light bulb but it cannot be operated from the switch in the wall.  You must use an app to make it work.  The bulb is great but the implementation is exceedingly dumb.  At the very least, a new smart LED bulb should work exactly the same as a regular bulb because that’s how people know and expect to operate lighting.  What’re we supposed to do?  Duct-tape all our old iPhones to the wall next to a switch that has itself been duct-taped over?

[Read more…]

The ‘R’ in VRM

I’ve never really liked the laser-like focus on “intent to buy” as the primary VRM signal.  It seeks to intervene just prior to the exchange of value and makes too many limiting assumptions about what value actually is.  My usual example is that I’d like to communicate intent through policy settings such as “don’t show me DRM-enabled content when I search” or “show me DRM-enabled content only if nothing else is available.”  If people set these policies in sufficient numbers, it could send a clear signal to vendors.  When it comes to “smart” appliances and Internet of Things, vendors have been putting out crap and assume the lack of signal means we aren’t interested.  The MASSIVE success of crowdfunding IoT devices demonstrates that absence of interest signal is not signal of interest absence.

[Read more…]

Webinar: Security Defenses that Withstand the Test of Time


Please join AJ Aronoff and me for a Prolifics webinar: IIB: Security Defenses that Withstand the Test of Time

For the last 7 years my security focus has mainly been intrusion prevention.  That’s all the controls you use to keep unauthorized people out of the messaging network.  I’m happy to report that things have improved on that front.  IBM has greatly improved the software and customers are enabling the security controls in record numbers.  (Not that the secured systems are yet in the majority, but it’s MUCH better than before.)

Unfortunately, intrusion prevention is only one part of the story.  A comprehensive security design also includes intrusion detection, forensic capability and incident recovery.  One reason these are needed is that the state of the art is a moving target.  Attack technology always gets better; defensive technology moves to keep up or stay ahead.  Over time the configuration you implement today gets weaker as the state of the art continues to advance.

This webinar will focus less on the specific controls and more on how to maintain security effectiveness over time.  We will be addressing IBM Integration Bus (the software formerly known as WebSphere Message Broker), but since it is built on top of WebSphere MQ the content will also be useful for WMQ admins who do not have IIB.  I hope to “see” you there!

Many thanks to my friends at Prolifics for sponsoring the webinar.

Do We Need an Alternative to HTTPS and TLS?

“Do We Need an Alternative to HTTPS and TLS?”  This question came up on the Personal Clouds list recently.  Thanks to the well-publicized problems with Certificate Authorities, variations on this question are a common theme among many of the communities in which I participate.  The CA has become the whipping boy for all the ills of authentication and network security.  Let’s just get rid of it, right?  It’s not that simple.

[Read more…]

Banks manage information, not money

In a recent thread on the Personal Clouds list discussing Barclays Bank’s new secure document storage service, a correspondent wrote “I believe many banks will offer similar services as they move from managing money to ‘managing information.’”  That many people still believe that the business of banks is primarily money and not information speaks to the effectiveness of the industry’s PR.  Banks have primarily managed information for decades.  They just didn’t want to tell retail customers until doing so was likely to yield a competitive advantage or a profit.  That time has come.

[Read more…]

Industry still puzzling over consumer reaction to tracking

Industry is still wondering what went wrong with tracking.

Frank Hayes over at Storefront Backtalk asks “When Is Data Collection Creepy?”  That’s a really good question now that ordinary people are waking up to the possibility that anyone and everyone can track them online and in real life.  The post touches on, but doesn’t quite illuminate, the biggest difference: atoms versus bits.  When surveillance was physical, Newtonian physics limited what could be done.  We didn’t need laws or policies stating that you couldn’t surveil all of the people all of the time because doing so wasn’t physically possible.  Because we have never had that capability before, we have no experience with it from a policy-making standpoint.

[Read more…]

Names matter more than you might think

Patrick McKenzie’s blog post Falsehoods Programmers Believe About Names raises some interesting questions about online identity.  He writes: “So, as a public service, I’m going to list assumptions your systems probably make about names.  All of these assumptions are wrong.  Try to make less of them next time you write a system which touches names.”

He then provides a 40-point list of ways in which computer systems break human names, acknowledges that the list is incomplete, and asks readers to provide additional examples.  The most egregious item on his list, [Read more…]
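To make the point concrete, here is an added example of my own (not code from McKenzie’s post or from any system discussed on this page).  It puts a validator built on the usual assumptions (exactly two space-separated parts, ASCII letters only, a 20-character limit) up against a handful of constructed but realistic names, shows the difference between a name’s length in code points and in UTF-8 bytes, and compares names on a normalized form without collapsing distinct identities.  The sample names and the limits are my own choices.

```python
import unicodedata

# Constructed sample names, not taken from McKenzie's post; each one after the
# first breaks at least one common assumption (two parts, ASCII letters, one
# byte per character, one canonical encoding).
SAMPLE_NAMES = [
    "John Smith",               # the only one the naive validator accepts
    "Björk",                    # a single name, with a non-ASCII letter
    "José María Aznar López",   # two given names plus two family names
    "王小明",                    # no spaces at all; family name first
    "O'Brien",                  # punctuation inside a name
    "Nguyễn Thị Minh Khai",     # four tokens, letters with diacritics
    "Mary-Kate Olsen",          # hyphenated given name
]


def naive_is_valid(name):
    """The validator the falsehoods produce: exactly two space-separated parts,
    ASCII letters only, at most 20 characters (assumed limits, for illustration)."""
    parts = name.split(" ")
    if len(parts) != 2 or len(name) > 20:
        return False
    return all(p.isascii() and p.isalpha() for p in parts)


def rejected_by_naive(names):
    """The legitimate names the naive validator turns away."""
    return [n for n in names if not naive_is_valid(n)]


def storage_lengths(name):
    """(code points, UTF-8 bytes).  A column sized in 'characters' that is
    really sized in bytes silently truncates non-ASCII names."""
    return len(name), len(name.encode("utf-8"))


def canonical(name):
    """Form used for comparison only; the name itself is stored as typed.
    NFC folds precomposed and decomposed spellings of the same letter together,
    and casefold() handles case without stripping accents, so 'Jose' and 'José'
    remain different people."""
    return unicodedata.normalize("NFC", name).casefold()


def same_name(a, b):
    """Identity match on the canonical form of both names."""
    return canonical(a) == canonical(b)


if __name__ == "__main__":
    for n in rejected_by_naive(SAMPLE_NAMES):
        print("rejected:", n, "chars/bytes:", storage_lengths(n))
    print(same_name("Björk", "Bjo\u0308rk"))   # one letter, two encodings
    print(same_name("Jose", "José"))           # two different names
```

The comparison step matters for identity systems in particular: normalizing too little lets one person register twice under byte-different spellings of the same name, while normalizing too much (stripping diacritics, for instance) merges people who are not the same.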

My RBAC Manifesto

No one component taken out of context makes the Personal Cloud.

I’ve been following the Role Based Access Control thread on the Personal Clouds List and just sort of biting my tongue so as not to sidetrack any productive discussion there.  However, I cringe every time a new email comes out comparing Clique Space to RBAC.  One is a model, one is an implementation.  To compare them is like saying “China is not capitalism.”

I have issues on several levels with the whole discussion.  First, I believe that Role Based Access Control will be essential to the Personal Cloud architecture.  With all of the different functions proposed for the Personal Cloud, the other types of access control don’t seem scalable.  Furthermore, there is no “personal cloud” if all the parts of it are developed in a vacuum.  Even though your component of the Personal Cloud may be simple enough not to require RBAC, how will it fit into the greater architecture?  For example, a smart light switch may have one role: either you can access it or not.  That’s a use case that screams out for simple Access Control Lists right up until you try to integrate it into a larger home automation system.  It isn’t so much that the switch now needs roles, but rather that the ability to manipulate or inquire on the switch from within the home automation system is itself a role of that larger system.  So as a designer the question becomes: in a larger cloud context where the owner manages access using RBAC, do you want your device or component to be the only thing that requires the homeowner to program specific Access Control Lists?  How user friendly is that?

My answer to this is that as designers we need to recognize up front that the complexity of the Personal Cloud requires something more manageable than individual access control lists and then design our components to live in that greater context.
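Here is an added example of my own, not code from the Personal Clouds list or from any product mentioned here, to show the light-switch argument in working form.  The same switch is written twice: once carrying its own ACL, and once asking a household-wide RBAC model whether the caller holds the switch’s “operate” permission.  Two small counting functions then show the administrative cost of each design as devices and household members are added.  The device, role and user names are invented, and the count for RBAC assumes a single “resident” role that every household member holds.

```python
class AclSwitch:
    """The stand-alone design: the device keeps its own list of principals."""

    def __init__(self, name):
        self.name = name
        self.on = False
        self.allowed = set()

    def grant(self, user):
        self.allowed.add(user)

    def toggle(self, user):
        if user not in self.allowed:
            raise PermissionError(f"{user} may not operate {self.name}")
        self.on = not self.on
        return self.on


class Rbac:
    """Minimal role-based model: users -> roles -> permission strings.
    No role hierarchy and no sessions; just enough to show where the
    access decision moves to."""

    def __init__(self):
        self.role_perms = {}   # role -> set of permission strings
        self.user_roles = {}   # user -> set of roles

    def define_role(self, role):
        self.role_perms.setdefault(role, set())

    def grant_role_permission(self, role, perm):
        self.role_perms.setdefault(role, set()).add(perm)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"undefined role {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def permitted(self, user, perm):
        return any(perm in self.role_perms[r] for r in self.user_roles.get(user, ()))


class RbacSwitch:
    """The same switch inside the larger system: operating it is a permission
    of the household model, and the device only asks, it keeps no list."""

    def __init__(self, name, rbac):
        self.name = name
        self.on = False
        self.rbac = rbac
        self.permission = f"{name}:operate"   # invented permission naming

    def toggle(self, user):
        if not self.rbac.permitted(user, self.permission):
            raise PermissionError(f"{user} may not operate {self.name}")
        self.on = not self.on
        return self.on


def acl_grants_needed(devices, users):
    """ACL design: every device must be told about every household member."""
    return devices * users


def rbac_grants_needed(devices, users):
    """RBAC design (single 'resident' role assumed): each device's permission
    is added to the role once, and each user receives one role assignment."""
    return devices + users


def demo():
    """Resident may operate everything; a guest only the hallway light."""
    rbac = Rbac()
    rbac.define_role("resident")
    rbac.define_role("guest")
    hallway = RbacSwitch("hallway", rbac)
    bedroom = RbacSwitch("bedroom", rbac)
    for sw in (hallway, bedroom):
        rbac.grant_role_permission("resident", sw.permission)
    rbac.grant_role_permission("guest", hallway.permission)
    rbac.assign("alice", "resident")
    rbac.assign("visitor", "guest")
    results = {
        "alice_bedroom": bedroom.toggle("alice"),
        "visitor_hallway": hallway.toggle("visitor"),
    }
    try:
        bedroom.toggle("visitor")
        results["visitor_bedroom"] = "allowed"
    except PermissionError:
        results["visitor_bedroom"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
    print(acl_grants_needed(20, 4), "ACL grants vs", rbac_grants_needed(20, 4), "RBAC grants")
```

Notice that the switch itself barely changes between the two versions; what changes is who owns the policy.  Adding a fifth household member under the ACL design means visiting twenty devices, while under the RBAC design it is one role assignment, and revoking a guest is one deletion rather than a hunt through every device list.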

[Read more…]

Escaping advertising’s uncanny valley

You can't get there from here!

One of the major themes that I see driving the Internet of People and Things, and commerce in general, is ultra-personalization.   Although not widely recognized as such, one of the “killer apps” that emerged beginning with graphical OSes is “themes” or “skins.”  Simply put, the OS exposes not merely the knobs and dials, but the size, shape and texture of the knobs and dials.  Not just audible and visual event notifications, but the sound, look and behavior of those notifications.  This was never recognized for the significance it has had in shaping customer expectations about the responsiveness of products.  In fact, as things get smarter and computing recedes invisibly into the fabric of life, there is no single killer app.  Ultra-personalization is the killer app.

[Read more…]

FT on How much is your personal data worth?

A recent Financial Times article asks “how much is your personal data worth?”  This sparked a thread on the VRM mailing list to which I’d like to respond.  Tony pointed out that their numbers are old.  I’d also add that the entire article is a bit disingenuous.  The headline “How much is your personal data worth” implies broad valuation, as in “how much is a dollar worth?”  The article conveniently ignores many uses and markets for that data and in fact illustrates only an extremely narrow slice of them.  It should have read “What is your legally collected data worth to data brokers, assuming you are not a high value target?”

Let’s take these in reverse order.

[Read more…]