Open Letter to Chris Cox and Facebook

2015-02-14_13-58-05It was nice of Chris Cox to post an explanation of Facebook’s name policy and apologize to “the affected community of drag queens, drag kings, transgender, and extensive community of our friends, neighbors, and members of the LGBT community for the hardship that we’ve put you through in dealing with your Facebook accounts over the past few weeks.”

Except that the post doesn’t honestly explain Facebook’s name policy.  The real purpose of the policy is to force you to use a name on Facebook that can be matched to the name you use to make transactions – such as the one on your credit card – so they can correlate the ads you’ve been shown to purchases you make in the real world and charge the advertiser more money.  This is why in the old wording of the policy they asked for the same documents they match against – driver license, credit card, etc.

[Read more…]

What is your definition of personal?

Over at the Cloud Ramblings blog, John Mathon provides his list of Breakout MegaTrends that will explode in 2015.  There’s an entry in there about Personal Cloud rising to prominence.  Yay!  John and I often see eye to eye on our visions of the near future of computing and Personal Cloud is definitely huge in that future.  But it seems that once you get past the name “Personal Cloud,” our visions begin to diverge.  I’d like to explain how they diverge, why my vision is better, and beseech John and all the other pundits, analysts and trade journalists out there to adopt a slightly stricter interpretation of what, exactly, constitutes “personal.”

[Read more…]

What the Dark Web going mainstream means for you

Need some hacking done? Penetration testing for your web site? Change your college grades? Hack your ex’s email and social media accounts? Now you too can hire a hacker because marketplaces for freelance hackers are no longer the province of the dark web. Today they operate openly alongside the likes of other freelance sites offering more traditional work like graphic design, web site building, or fixing that shutter that’s about to fall off the house. In fact, there are now enough freelance hacker sites that at least one meta site, Hacker For Hire Review, has sprung up to review and rate them. Whether your company operates the legacy or the VRM model, there are a few takeaways here.

[Read more…]

Guest spot on The Allan Handelman Show

Yesterday I was a guest on The Allan Handelman Show for an hour, then stuck around a bit to talk with Steve Weisman of Scamicide.com.

Here are links from the show segments:

You can listen to my segments of the show on Soundcloud:

Online advertising is the new digital cancer

cancer cellMany news reports of late have described malware being delivered through advertising networks. But that leaves the impression that the AdTech itself is benign and being hijacked for nefarious purposes. While it may have started out that way, that is definitely not the case today. Kaspersky Labs mention several times in their latest report that the adware has become so aggressive, intrusive, and exhibits such bad behavior that they are now classifying the adware code itself as malicious.

According to AdWeek, global advertising revenues have reached $512B and they forecast declines in revenue growth for 2015.  Meanwhile, cybercrime is estimated to cost the global economy $445B annually and that cost is increasing steadily due to advances in technology and in part because victims pay the price over many years so the victim pool grows relentlessly year over year.

Online advertising has escaped its digital Hayflick limits and is spreading out of control. Online advertising is the new digital cancer.

[Read more…]

Online privacy as a policy issue

I’ve been spending a lot of time working with Qredo which is a company and a technology that seeks to provide in code many of the online privacy protections we fail to provide (or fail to enforce) in policy and law.  While I believe this is a Good Thing and necessary, it doesn’t eliminate the need to fix the policy and legal framework for online privacy.  In fact, it makes these things even more urgent.

[Read more…]

Busting the myth that people don’t care about privacy

There’s a fundamental disconnect in the discussion about online privacy.  We are told that people don’t care about their online privacy.  Evidence of people not reading terms of service, blindly accepting all permissions on their apps, and even filling out detailed questionnaires in return for an actual cookie, seem to support this position.  But in the aftermath of a breach, or simply a news story pointing out how invasive the Facebook Messenger permissions are, the reaction implies a strong expectation of better privacy.  It is as if people have an expectation of privacy but a contradictory expectation of not being required to do anything to get it.  These two things seem mutually exclusive and yet they exist simultaneously.  How can that be?  As with most mysteries of the universe, the answer involves some physics.

[Read more…]

Identity as a weapon

Writing about the recent phenomenon that is #Gamergate, Kirk Hamilton makes some interesting points about identity:

It makes sense that doxxing—sharing someone’s address and other personal information against their will—is one of the primary instruments wielded in this battle. Doxxers use identity as a weapon, and so much of this conflict is, at its core, about identity. There’s the stated claim that the gamer identity is under attack, and also the pervading sense that this “war” is less about journalistic ethics and more about the murk of entrenched identity politics. Video games have hugely informed our generation’s cultural identity, and so cultural criticism of games feels somehow personal, like we’re the ones being criticized. I get it. I do.

He’s describing a tectonic shift in gamer culture as gaming goes from being largely white, male and young, to being increasingly diverse of race, gender and age. The cultural realignment of broadly defined identity can be expected to set off aftershocks that ripple through adjacent populations and disciplines. In this case, there was an identity quake of about 6 on the Richter scale in the gamer subculture that is rippling through journalism, hardware manufacturing, marketing, law enforcement, and on down to individual people. Among the results is a much wider public perception of the danger one’s personal details represents when in the hands of people you don’t trust.

Gaming is a very geeky subculture. It is assumed by many that the Gamergaters would have no trouble getting anyone’s personal information. Another result then is a social laboratory environment in which we get to see how that assumption affects behavior. Certainly Felicia Day held this belief when she wrote:

I haven’t been able to stomach the risk of being afraid to get out of my car in my own driveway because I’ve expressed an opinion that someone on the internet didn’t agree with.

HOW SICK IS THAT?

I have allowed a handful of anonymous people censor me. They have forced me, out of fear, into seeing myself a potential victim.

And that makes me loathe not THEM, but MYSELF.

Within moments of posting this, someone tweeted Felicia’s address.

From its beginnings, the Internet was designed and built functionality first, with security and privacy a very distant second, if at all.  SSL was an afterthought.  DNSSEC was an afterthought.  The original Internet anticipated how functions would work, not how they could be exploited.

Then we built Internet commerce on that shaky foundation and following the same template.  There is a strong parallel between the architecture of the commercial web and toxic waste dumping of the late 20th century.  Both involved the externalization of costs extracted from a manufacturing process.  The manufacturing of things based on atoms resulted in escrowing those costs as time capsules of toxic waste that would become the problem of some future people in return for larger profits today.   In the case of bits, widespread failure to implement even basic security to protect personal data generates larger profits today but also creates a situation in which the incremental cost of retrofitting security into large established systems is cost prohibitive.  Since that personal data can be used as easily to harm people as to help them, large databases of personal information which lack adequate security are akin to undiscovered pools of toxic waste – cheaper to build today, someone else’s future problem if it is abused.

We are now in the stage where the toxicity of bad security is leaking into the digital groundwater.  Those regular reports of massive breaches on high-profile web sites are today’s digital version of yesterday’s cancer clusters.  They are the early warning signs that a Security Cleanup Superfund is needed.  Except that the maps we draw will have corporate names like Hannaford, Sony, Target and Lowe’s instead of geographic names like Love Canal and Lemon Lane.

We ramping up quickly to build the Internet of Things according to the same old template.  We hear about a new “smart” version of an ordinary device just about every day.  Just as rapidly we hear about these same devices being hacked, or that the security is so bad that no hacking is required.  Since the prevailing model is that the devices are modern Trojan Horses, built first as a portal to your most intimate data and second with the functionality for which you bought it, they represent simultaneously our greatest opportunity and our greatest threat on the network to date.

So when I write about false parallels between the worlds of atoms and bits, or the need to build privacy-protecting or privacy-enhancing architectures, I feel a sense of urgency.  I am very aware that the work underway at IIW, NSTIC, OIX and elsewhere in the Identity world potentially powers the world of tomorrow.  As Dave Birch says, identity is the new money.

But I’m also keenly aware that identity can be turned into a weapon.  I’m generally lonely in that view but the Gamergaters have demonstrated how effective even a small amount of identity information can be as a weapon.  People are taking notice.  If we embark to build Personal Clouds using the same template we’ve always used, if we assume that privacy and security are legal and policy rather than technical problems, if the individual does not have sovereign ownership of their personal data, then we might as well be honest about what it is we are building.  Research into personal data technologies without design goals of privacy, sovereignty and agency, and lacking state of the art security controls would be a digital Manhattan Project.  The commercially successful implementation of such a security-free Personal Cloud would be Cyberspace’s atomic bomb, capable of devastating millions of lives at one shot.

So, yeah, identity is the new money.  We definitely need to figure out the functionality of identity and the benefits it will bring to the digital world.  But the systems must be designed first for security, privacy, and personal sovereignty because it is from these attributes that functionality arises, not the other way around.

The latest malvertising incident and why you should care

Today’s news from Net-Security.org is that newly discovered malware was found on Google’s ad network and its purpose is to hijack your router’s DNS settings causing all devices behind your firewall to use poisoned DNS resolvers. That means even if *you* run NoScript, AdBlockPlus, HTTPS Everywhere, Ghostery, anti virus and avoid sketchy sites, a visitor on your guest network or even some anonymous neighbor leaching off your wireless signal can compromise your router.

Awesome.

Article: Attackers change home routers’ DNS settings via malicious code injected in ads

If all my ads were not so personalized and relevant, I’d be upset about this. But it’s SO worth it, right?

The funny thing is that the attackers have FAR more privileged access to your device and your data than do the malvertisers and yet so far they just want to take over your device and empty your bank account. If the attackers ever decide to go after your *data* they’ll not only find out your daughter is pregnant before you do, they’ll make her pay $100 to not tell you about it. Then you get an email asking what your conservative employer might think of your risque purchase history. They clean out your bank account and ruin you, it’s a 1-time profit. But if they blackmail you with your data they get a long-term income stream. They get a pension fund. Forget about calf-cow relationships. Start thinking ant-aphid.

But we’re good because there are lines – somewhere – that even creepy, invasive, malvertising adtech won’t cross and that will stop the spread of cybercrime over advertising infrastructure. Right? We’re good because the adtech industry is hard at work distancing themselves from organized crime and building security, accountability and user choice into the advertising system.

“Wake up T.Rob, you’re daydreaming again!”

Oh, right. I live in Bizarro World where adtech doesn’t acknowledge any responsibility for building the rails malware rides in on. They would side with us in our battle against against organized cybercrime, except they are too busy making advertising even more invasive: Targeted Online Marketing Got Creepier Again!

Note the exclamation point at the end.  Almost seems like the author is excited about this in a good way.  In fact, that’s the case.

So if you think of it – yes, it is very creepy. It goes to the extent that marketers will start knowing more about you than you do yourself.

But on the other hand we think it’s a great step forward. First of all it means that marketers are interested in finding out what we want to be offered. They are actually listening to us. Secondly this also means more targeted communications. Instead of being bombarded with advertisements you have zero interest in, you may find that eventually you start enjoy advertising as it fits seamlessly into what you are looking for.

But the Adtech folks aren’t stopping with impressively better tech, they are hitting new efficiency levels as well, as noted in Obama-Grade Ad Tech Coming to a Local Campaign Near You. “It’s been a challenge for even mid-range campaigns to be able to afford these online advertising capabilities. Today, it doesn’t matter if you’re running for city council or congress, because now you can reach voters in one of the most effective ways possible regardless of your campaign budget.”

Or if you go to Ad:Tech NYC next week, you can learn about the new frontier of tracking consumers offline in  Behavioral Breadcrumbs: New Tools to Read Digital Signals:

Most traditional digital tracking and measurement only works as long as a consumer sits in front of a browser. What happens when they disconnect? A new breed of technologies helps extend scalable insight into consumer behaviors beyond the screen. From RFID to Wifi to optical tracking, this panel will discuss methods that identify consumer behaviors, help test and ultimately measure.

Key Takeaways:

  1. Market to consumers using signals they’re pushing.
  2. Track behaviors using consumer signals.
  3. Create a type of interactivity and measurability in your campaigns.

I’m sorry, but I’m not PUSHING signal to your RFID reader, WiFi access point, or optical recognition tracker.

If you want to know what consumers pushing signals looks like, go talk to the folks at Customer Commons, whose QR-coded badges broadcast the intention to not be tracked in exactly these ways.  Does your optical tracker honor these signals?  I’m guessing not.

If you want to know what consumers pushing signals looks like, talk to the Respect Network who are building a platform specifically to exchange user-generated signal with marketers and businesses.

If you want to know what consumers pushing signals looks like, talk to me or my colleagues at Qredo who are building out the world’s first and best fully-encrypted, end-to-end communications and Personal Cloud platform that is mutually authenticated at the endpoints and yet the data and metadata are completely anonymous in the cloud servers.  We’re all about quality signal.

Most of all, if you want to know what consumers pushing signals looks like, read The Intention Economy.  Here’s a hint: when we customers push signals, it’s intentional, deliberate, and we like you for receiving them. If you have to hunt for the signal, if we don’t like that you received it, if stealth is involved, if it feels at all creepy to any of the participants, it probably isn’t being pushed.

I’m not going to reach anyone who honestly believes that signals received over passive RFID scans, Wifi hotspot scanning, and optical recognition tracking are being “pushed” by consumers.  However, there must be some marketing and advertising people who realize how incredibly wrong that characterization is and why.  To those people I plead: please side with the consumers against organized cybercrime.  Quit acting as the R&D arm of cybercrime who watch you lay the tracks, then ride them direct to your audience, poisoning the well for all involved.

We are on the verge of computerizing the consumer side of commerce.  When we computerized the supply side 30 or so years ago, it transformed the world.  But the consumer side is much larger and the transformation potentially that much richer.  Consumers want to build systems that send you signal.  Stop trying to sneak in and steal it and just partner with us.  Once we have some trust and accountability between us, organized cybercrime will have to do their own R&D.  And if you are wondering how to make those connections you’re in luck.  The next Internet Identity Workshop is next week.  The place is practically littered with common ground for us to meet on.

Marketers and advertisers, now you get to choose who you want to work with and for.  The customers, entrepreneurs, and identity geeks in the VRM community at IIW?  Or organized cybercrime?  Choose wisely because you’re running out of Mulligans on these compromised ad networks.

The Marketing/Cybercrime symbiosis

MalvertisingWhat would you do if you suddenly realized that your business model was indistinguishable from organized crime?  Or, worse, what if you realized that your business directly harmed people economically and physically?  Web Marketing has evolved to become the R&D lab for organized cybercrime and is currently in that unfortunate position.  Here is the life cycle we are stuck in at present:

  1. Users find new ways to block ads and preserve (or at least fortify) their privacy.
  2. Marketing devises new adtech to circumvent user controls.
  3. Cybercriminals exploit adtech to deliver malicious payloads.
  4. Lather, Rinse, Repeat.

News reports of people whose bank accounts are emptied or their identities stolen by cybercriminals are all too familiar.  Mostly forgotten however is that when some high-level SSL certificates were compromised a few years back, forged certificates were found proxying the communications of dissidents from inside of repressive countries to Twitter, Google, Facebook and so on.  What people thought was completely secure communication was in fact transparent to the authorities.  It is a certainty that people came to physical harm after the Certificate Authority was breached, and that breach was a result of malvertising.

 How did we get here?

The problem is that Marketing believes that it is in the business of creating content and cannot get past that worldview. The reality is that in the age of popular press, then broadcast radio and television, Marketing was reinvented as the world’s first micropayment system. Diverting a timeslice of the attention that a massive audience paid to the program content, and substituting commercial content, created a revenue stream out of thin air. With a large enough audience the aggregate value of attentional time slices could be monetized predictably and in sufficient quantity to fund both the content and the overhead of the micropayment system that generates the revenue.

What Marketing has lost sight of (or perhaps never realized) is that their primary business is distilling and aggregating micropayments to fund content, not in creation of content itself. Yes, it’s called “marketing” and that implies signal from advertisers to consumers. But marketing delivered in the context of program content is invisible if nobody likes the program content. No matter what you spend on a Superbowl ad, people who don’t like football won’t watch the game to see the ad.  Funding content is primary.  Making content is a means to that end but need not be in the age of the Internet.

How can it be fixed?

In the world of bulk print media, and of broadcast radio and TV, signal goes only one way and advertising content was required to close the signaling loop. It created an information stream from consumers in the form of increased sales and revenue.  In the world of atoms, it was actually necessary to prevent the possibility of consumers responding en masse and overwhelming the seller.

But we do not need that anymore. The Internet closes the signaling loop much more effectively. Consumers can send signal upstream without overwhelming the recipient in the process.  We are finally in a position to skip the commercial content and just pay directly for program content. But people don’t want to manage a million subscriptions and vendors don’t necessarily want to do that either.  This is especially true when the lowest practical direct payment is significantly greater than the value of the content provided.  So we still need to aggregate micro-revenue streams and distribute funds back to content creators.  The difference is that we no longer need that to be driven by marketing content.

In a world where it is possible to track every second of content performance, directly funding content through subscription aggregation should be easy to do transparently, accountably, and without the invasive malicious technology. Marketing owns this space but that’s due only to historical legacy.  Unless they remove the blinders with “content creator” printed on the inside they’ll soon cede it to someone else. Content creators just need funding and if they can get it without annoying the crap out of their patrons, and especially without delivering malvertising along with their content, they would be happy to do so. Content creators do not need to sell Bud Light.  They just need funds.

Will Marketing step up?

When it comes to building a subscription aggregation ecosystem, Marketing currently holds a marginal advantage in its existing relationships with content creators and distribution outlets.  This would help in the construction of a subscription bundling ecosystem if only Marketing realized they need to build it. But that advantage is eroding quickly as the Internet commoditizes those advantages so time is of the essence. Direct funding of program content is coming whether Marketing builds it or not. If they wait too long, they lose their main delivery channel as content goes ad-free.

Isn’t Marketing also content?

Creation of content, that thing Marketing seems to believe is their primary business model, is still required but as a subordinate function. It has been pointed out many times that sellers have a need to get information about their products out to the buying public and Marketing fills that need. Fair enough. But if you are in the market for a widget then marketing information about widgets is the program content and it will be sought out on that basis.

Anyone surfing the web ad-free who is in the market for widgets will – surprise! – want to compare widget features, read reviews on widgets, check widget prices, look for things that might fit their needs better than widgets, etc. The role of Marketers for these people will be to make sure that the information exists and is easy to find. Their role will not be to invade the privacy of potential consumers, attempting to claim every possible attentional timeslice by bombarding the consumer from all sides every waking second with brand messages.  In an ad-free environment consumers will self-select to receive Marketing content at the point in time that it is relevant to them.

 When advertising is voluntary and opt-in, *all* advertising is precisely targeted and extremely valuable.

Let me repeat that for Marketers whose attention timeslice I didn’t get the first time:

When advertising is voluntary and opt-in, *all* advertising is precisely targeted and extremely valuable.  No Big Data crunching required. No invasive ad-tech required. No need to cover every visual or auditory blank space with branding.  Furthermore, assuming the system monetizes sales rather than clicks or impressions, Every. Single. View. Or. Click. Is. Legitimate. Full stop.

Our current opt-out approach and consequent oversupply of marketing messages drives the incremental value of individual ads ever lower.  But it is a mistake to believe that the value of an ad can never be less than zero.  An oversupply of ads can in fact create negative value, especially when delivered coercively as is explained in the next section.

An autistic point of view

There is a relatively new model of autism called the Intense World Theory.  Past theories of autism have assumed it arises from functional deficits in the human brain.  But Intense World Theory posits that much of typical autistic behavior results from over-stimulation.  This model explains so much better things such as texture sensitivity, physical agitation such as hand flapping or head banging in response to strong stimuli, and situational escalation leading to autistic meltdowns.

Marketing when and where a consumer requests it is an essential service.  Marketing as it is practiced today on the web is more like a zombie apocalypse.  Nobody actually wants to be attacked from all sides, relentlessly, by mindless things that just want a piece your brain, but Marketing refuses to believe that and plows ahead undeterred.  When we put up defenses, Marketing invents new tech to circumvent them and tells us it has an absolute right to do so.  This is an “essential truth” as one marketer recently put it.  When we get infected and come to harm through malvertising, Marketing disclaims any responsibility.

Ask anyone familiar with autism and Intense World Theory what they would predict consumer response to be to Marketing’s current approach of carpet-bombing the consumer’s attentional landscape.  Marketers tell us that the web depends on this model, that everyone involved is better off for it, and that they have a right to get their branding messages into our field of attention.  But Intense World Theory tells us that beyond a certain point, people begin to feel violated, overwhelmed and out of control.  They withdraw from the stimulation or find ways to defeat it, even to the point of self-destructive behavior if the stimulus is intense enough.

Head banging, hand flapping and body tics are how an autistic increases signal in order to drown out noise.  Ad-Block+, Ghostery and other consumer-side controls perform the same function with respect to Marketing.  Escalation of confrontation leads to a meltdown in the case of an autistic person, or to Congressional hearings in the case of invasive adtech.  The parallels are obvious and the outcomes predictable.

You don’t need to be autistic to respond this way.  Dial up the unwanted stimulus enough and everyone eventually gets to this point.  Don’t believe me?  Watch the reactions to the sound of fingernails on a blackboard.  This is the first time in history that it has been possible to so thoroughly invade an individual’s cognitive space so we have not previously driven neurotypical people to autistic defensive behavior.  Now that we are beginning to do so, we should recognize the response as predictable given the level of stimulus and move to change the approach. At the very least Marketing needs to dial down the stimulus.  Better yet, Marketing should relate to people as respected peers rather than as subjects.  Our attention is a privilege, not a right.

Suggestions

Marketing needs to reinvent itself as a funding aggregator for content first, and as the delivery of brand messages second.

  • Create content subscription bundles so a single subscription reduces or eliminates ads across most or all web properties.  Cybercrime cannot ride in on your rails once you rip up the track.
  • Remunerate providers proportionally.
  • Make sure independent content providers can get paid on par with large providers.  Some might even say indie content is more valuable.
  • Stop with the invasive adtech already.  We hate it and we hate you for it.
  • Make it easy for prospective consumers to find your brand messages when they are actually in the market for something.
  • Turn your commercial content into program content.  Remember the people who aren’t football fans who don’t watch the game to see the ads?  They do go watch them on YouTube and vote on them in contests.  We don’t mind brand messages if the content is compelling.  (Clue!)
  • Finally, and this applies to pretty much any business, if your business model is indistinguishable from and directly enables organized crime, don’t spend a minute rationalizing the harm caused.  CHANGE THE MODEL.

Marketers, the countdown clock is ticking.  Will you continue on the current path, eventually driving the public to a meltdown?