The latest malvertising incident and why you should care

Today’s news from Net-Security.org is that newly discovered malware was found on Google’s ad network and its purpose is to hijack your router’s DNS settings, causing all devices behind your firewall to use poisoned DNS resolvers. That means even if *you* run NoScript, AdBlockPlus, HTTPS Everywhere, Ghostery, antivirus and avoid sketchy sites, a visitor on your guest network or even some anonymous neighbor leeching off your wireless signal can compromise your router.

Awesome.

Article: Attackers change home routers’ DNS settings via malicious code injected in ads
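A defender's check for the router DNS hijack described above, as an added example that is not from the original post or the linked article: it flags resolvers a client was handed that are outside an expected set, then compares the answers the local resolver gives for a few canary names against a baseline obtained out of band. The allowlist, file contents, host names, addresses and answers are all constructed sample data and assumptions.

```python
import ipaddress

# Assumption: the resolvers this network is supposed to hand out (the router's
# LAN address plus the upstream resolver the owner configured). Constructed.
EXPECTED_RESOLVERS = {"192.168.1.1", "9.9.9.9"}

# Constructed sample: resolv.conf on a client after the router's DHCP server
# has started advertising a resolver the owner never configured.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.example
nameserver 203.0.113.53
nameserver 192.168.1.1
"""

# Constructed sample answers (A records) for canary names with stable,
# known addresses. TRUSTED_ANSWERS is the baseline recorded out of band;
# LOCAL_ANSWERS is what the router-supplied resolver returned.
TRUSTED_ANSWERS = {
    "bank.example": {"198.51.100.10"},
    "mail.example": {"198.51.100.20"},
    "router-vendor.example": {"192.0.2.80"},
}
LOCAL_ANSWERS = {
    "bank.example": {"203.0.113.66"},
    "mail.example": {"203.0.113.66"},
    "router-vendor.example": {"192.0.2.80"},
}


def parse_nameservers(text):
    """Return the nameserver addresses in resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        # Drop comments introduced by '#' or ';'.
        line = raw.split("#", 1)[0].split(";", 1)[0]
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            addr = fields[1].split("%", 1)[0]  # strip an IPv6 zone id
            try:
                servers.append(str(ipaddress.ip_address(addr)))
            except ValueError:
                continue  # malformed entry: ignore rather than crash
    return servers


def unexpected_resolvers(servers, expected):
    """Resolvers in use that are not on the expected list."""
    allowed = {str(ipaddress.ip_address(e)) for e in expected}
    return [s for s in servers if s not in allowed]


def divergent_names(local_answers, trusted_answers):
    """Canary names whose local answers share no address with the baseline.

    This catches the case where clients still point at the router but the
    router itself forwards to a poisoned upstream. Use canaries with stable
    addresses; CDN-hosted names legitimately vary between resolvers.
    """
    flagged = []
    for name, trusted in sorted(trusted_answers.items()):
        local = local_answers.get(name, set())
        if local and local.isdisjoint(trusted):
            flagged.append(name)
    return flagged


def shared_targets(local_answers, names):
    """Addresses that answer for more than one of the given names.

    Unrelated names collapsing onto one address is a heuristic sign that
    answers are being rewritten rather than merely load-balanced.
    """
    by_addr = {}
    for name in names:
        for addr in local_answers.get(name, ()):
            by_addr.setdefault(addr, []).append(name)
    return {a: sorted(n) for a, n in by_addr.items() if len(n) > 1}


if __name__ == "__main__":
    servers = parse_nameservers(SAMPLE_RESOLV_CONF)
    print("resolvers in use:   ", servers)
    print("not on allowlist:   ", unexpected_resolvers(servers, EXPECTED_RESOLVERS))
    bad = divergent_names(LOCAL_ANSWERS, TRUSTED_ANSWERS)
    print("divergent canaries: ", bad)
    print("shared targets:     ", shared_targets(LOCAL_ANSWERS, bad))
```

A clean resolver list on the client does not clear the router: when clients point at the router and the router forwards upstream, only the answer comparison shows the change.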

If all my ads were not so personalized and relevant, I’d be upset about this. But it’s SO worth it, right?

The funny thing is that the attackers have FAR more privileged access to your device and your data than do the malvertisers and yet so far they just want to take over your device and empty your bank account. If the attackers ever decide to go after your *data* they’ll not only find out your daughter is pregnant before you do, they’ll make her pay $100 to not tell you about it. Then you get an email asking what your conservative employer might think of your risque purchase history. They clean out your bank account and ruin you, it’s a 1-time profit. But if they blackmail you with your data they get a long-term income stream. They get a pension fund. Forget about calf-cow relationships. Start thinking ant-aphid.

But we’re good because there are lines – somewhere – that even creepy, invasive, malvertising adtech won’t cross and that will stop the spread of cybercrime over advertising infrastructure. Right? We’re good because the adtech industry is hard at work distancing themselves from organized crime and building security, accountability and user choice into the advertising system.

“Wake up T.Rob, you’re daydreaming again!”

Oh, right. I live in Bizarro World where adtech doesn’t acknowledge any responsibility for building the rails malware rides in on. They would side with us in our battle against organized cybercrime, except they are too busy making advertising even more invasive: Targeted Online Marketing Got Creepier Again!

Note the exclamation point at the end.  Almost seems like the author is excited about this in a good way.  In fact, that’s the case.

So if you think of it – yes, it is very creepy. It goes to the extent that marketers will start knowing more about you than you do yourself.

But on the other hand we think it’s a great step forward. First of all it means that marketers are interested in finding out what we want to be offered. They are actually listening to us. Secondly this also means more targeted communications. Instead of being bombarded with advertisements you have zero interest in, you may find that eventually you start to enjoy advertising as it fits seamlessly into what you are looking for.

But the Adtech folks aren’t stopping with impressively better tech, they are hitting new efficiency levels as well, as noted in Obama-Grade Ad Tech Coming to a Local Campaign Near You. “It’s been a challenge for even mid-range campaigns to be able to afford these online advertising capabilities. Today, it doesn’t matter if you’re running for city council or congress, because now you can reach voters in one of the most effective ways possible regardless of your campaign budget.”

Or if you go to Ad:Tech NYC next week, you can learn about the new frontier of tracking consumers offline in  Behavioral Breadcrumbs: New Tools to Read Digital Signals:

Most traditional digital tracking and measurement only works as long as a consumer sits in front of a browser. What happens when they disconnect? A new breed of technologies helps extend scalable insight into consumer behaviors beyond the screen. From RFID to Wifi to optical tracking, this panel will discuss methods that identify consumer behaviors, help test and ultimately measure.

Key Takeaways:

  1. Market to consumers using signals they’re pushing.
  2. Track behaviors using consumer signals.
  3. Create a type of interactivity and measurability in your campaigns.

I’m sorry, but I’m not PUSHING signal to your RFID reader, WiFi access point, or optical recognition tracker.

If you want to know what consumers pushing signals looks like, go talk to the folks at Customer Commons, whose QR-coded badges broadcast the intention to not be tracked in exactly these ways.  Does your optical tracker honor these signals?  I’m guessing not.

If you want to know what consumers pushing signals looks like, talk to the Respect Network who are building a platform specifically to exchange user-generated signal with marketers and businesses.

If you want to know what consumers pushing signals looks like, talk to me or my colleagues at Qredo who are building out the world’s first and best fully-encrypted, end-to-end communications and Personal Cloud platform that is mutually authenticated at the endpoints and yet the data and metadata are completely anonymous in the cloud servers.  We’re all about quality signal.

Most of all, if you want to know what consumers pushing signals looks like, read The Intention Economy.  Here’s a hint: when we customers push signals, it’s intentional, deliberate, and we like you for receiving them. If you have to hunt for the signal, if we don’t like that you received it, if stealth is involved, if it feels at all creepy to any of the participants, it probably isn’t being pushed.

I’m not going to reach anyone who honestly believes that signals received over passive RFID scans, Wifi hotspot scanning, and optical recognition tracking are being “pushed” by consumers.  However, there must be some marketing and advertising people who realize how incredibly wrong that characterization is and why.  To those people I plead: please side with the consumers against organized cybercrime.  Quit acting as the R&D arm of cybercrime who watch you lay the tracks, then ride them direct to your audience, poisoning the well for all involved.

We are on the verge of computerizing the consumer side of commerce.  When we computerized the supply side 30 or so years ago, it transformed the world.  But the consumer side is much larger and the transformation potentially that much richer.  Consumers want to build systems that send you signal.  Stop trying to sneak in and steal it and just partner with us.  Once we have some trust and accountability between us, organized cybercrime will have to do their own R&D.  And if you are wondering how to make those connections you’re in luck.  The next Internet Identity Workshop is next week.  The place is practically littered with common ground for us to meet on.

Marketers and advertisers, now you get to choose who you want to work with and for.  The customers, entrepreneurs, and identity geeks in the VRM community at IIW?  Or organized cybercrime?  Choose wisely because you’re running out of Mulligans on these compromised ad networks.

The Marketing/Cybercrime symbiosis

What would you do if you suddenly realized that your business model was indistinguishable from organized crime?  Or, worse, what if you realized that your business directly harmed people economically and physically?  Web Marketing has evolved to become the R&D lab for organized cybercrime and is currently in that unfortunate position.  Here is the life cycle we are stuck in at present:

  1. Users find new ways to block ads and preserve (or at least fortify) their privacy.
  2. Marketing devises new adtech to circumvent user controls.
  3. Cybercriminals exploit adtech to deliver malicious payloads.
  4. Lather, Rinse, Repeat.

News reports of people whose bank accounts are emptied or their identities stolen by cybercriminals are all too familiar.  Mostly forgotten however is that when some high-level SSL certificates were compromised a few years back, forged certificates were found proxying the communications of dissidents from inside of repressive countries to Twitter, Google, Facebook and so on.  What people thought was completely secure communication was in fact transparent to the authorities.  It is a certainty that people came to physical harm after the Certificate Authority was breached, and that breach was a result of malvertising.

How did we get here?

The problem is that Marketing believes that it is in the business of creating content and cannot get past that worldview. The reality is that in the age of popular press, then broadcast radio and television, Marketing was reinvented as the world’s first micropayment system. Diverting a timeslice of the attention that a massive audience paid to the program content, and substituting commercial content, created a revenue stream out of thin air. With a large enough audience the aggregate value of attentional time slices could be monetized predictably and in sufficient quantity to fund both the content and the overhead of the micropayment system that generates the revenue.

What Marketing has lost sight of (or perhaps never realized) is that their primary business is distilling and aggregating micropayments to fund content, not in creation of content itself. Yes, it’s called “marketing” and that implies signal from advertisers to consumers. But marketing delivered in the context of program content is invisible if nobody likes the program content. No matter what you spend on a Superbowl ad, people who don’t like football won’t watch the game to see the ad.  Funding content is primary.  Making content is a means to that end but need not be in the age of the Internet.

How can it be fixed?

In the world of bulk print media, and of broadcast radio and TV, signal goes only one way and advertising content was required to close the signaling loop. It created an information stream from consumers in the form of increased sales and revenue.  In the world of atoms, it was actually necessary to prevent the possibility of consumers responding en masse and overwhelming the seller.

But we do not need that anymore. The Internet closes the signaling loop much more effectively. Consumers can send signal upstream without overwhelming the recipient in the process.  We are finally in a position to skip the commercial content and just pay directly for program content. But people don’t want to manage a million subscriptions and vendors don’t necessarily want to do that either.  This is especially true when the lowest practical direct payment is significantly greater than the value of the content provided.  So we still need to aggregate micro-revenue streams and distribute funds back to content creators.  The difference is that we no longer need that to be driven by marketing content.

In a world where it is possible to track every second of content performance, directly funding content through subscription aggregation should be easy to do transparently, accountably, and without the invasive malicious technology. Marketing owns this space but that’s due only to historical legacy.  Unless they remove the blinders with “content creator” printed on the inside they’ll soon cede it to someone else. Content creators just need funding and if they can get it without annoying the crap out of their patrons, and especially without delivering malvertising along with their content, they would be happy to do so. Content creators do not need to sell Bud Light.  They just need funds.

Will Marketing step up?

When it comes to building a subscription aggregation ecosystem, Marketing currently holds a marginal advantage in its existing relationships with content creators and distribution outlets.  This would help in the construction of a subscription bundling ecosystem if only Marketing realized they need to build it. But that advantage is eroding quickly as the Internet commoditizes those advantages so time is of the essence. Direct funding of program content is coming whether Marketing builds it or not. If they wait too long, they lose their main delivery channel as content goes ad-free.

Isn’t Marketing also content?

Creation of content, that thing Marketing seems to believe is their primary business model, is still required but as a subordinate function. It has been pointed out many times that sellers have a need to get information about their products out to the buying public and Marketing fills that need. Fair enough. But if you are in the market for a widget then marketing information about widgets is the program content and it will be sought out on that basis.

Anyone surfing the web ad-free who is in the market for widgets will – surprise! – want to compare widget features, read reviews on widgets, check widget prices, look for things that might fit their needs better than widgets, etc. The role of Marketers for these people will be to make sure that the information exists and is easy to find. Their role will not be to invade the privacy of potential consumers, attempting to claim every possible attentional timeslice by bombarding the consumer from all sides every waking second with brand messages.  In an ad-free environment consumers will self-select to receive Marketing content at the point in time that it is relevant to them.

When advertising is voluntary and opt-in, *all* advertising is precisely targeted and extremely valuable.

Let me repeat that for Marketers whose attention timeslice I didn’t get the first time:

When advertising is voluntary and opt-in, *all* advertising is precisely targeted and extremely valuable.  No Big Data crunching required. No invasive ad-tech required. No need to cover every visual or auditory blank space with branding.  Furthermore, assuming the system monetizes sales rather than clicks or impressions, Every. Single. View. Or. Click. Is. Legitimate. Full stop.

Our current opt-out approach and consequent oversupply of marketing messages drives the incremental value of individual ads ever lower.  But it is a mistake to believe that the value of an ad can never be less than zero.  An oversupply of ads can in fact create negative value, especially when delivered coercively as is explained in the next section.

An autistic point of view

There is a relatively new model of autism called the Intense World Theory.  Past theories of autism have assumed it arises from functional deficits in the human brain.  But Intense World Theory posits that much of typical autistic behavior results from over-stimulation.  This model does a much better job of explaining things such as texture sensitivity, physical agitation such as hand flapping or head banging in response to strong stimuli, and situational escalation leading to autistic meltdowns.

Marketing when and where a consumer requests it is an essential service.  Marketing as it is practiced today on the web is more like a zombie apocalypse.  Nobody actually wants to be attacked from all sides, relentlessly, by mindless things that just want a piece of your brain, but Marketing refuses to believe that and plows ahead undeterred.  When we put up defenses, Marketing invents new tech to circumvent them and tells us it has an absolute right to do so.  This is an “essential truth” as one marketer recently put it.  When we get infected and come to harm through malvertising, Marketing disclaims any responsibility.

Ask anyone familiar with autism and Intense World Theory what they would predict consumer response to be to Marketing’s current approach of carpet-bombing the consumer’s attentional landscape.  Marketers tell us that the web depends on this model, that everyone involved is better off for it, and that they have a right to get their branding messages into our field of attention.  But Intense World Theory tells us that beyond a certain point, people begin to feel violated, overwhelmed and out of control.  They withdraw from the stimulation or find ways to defeat it, even to the point of self-destructive behavior if the stimulus is intense enough.

Head banging, hand flapping and body tics are how an autistic increases signal in order to drown out noise.  Ad-Block+, Ghostery and other consumer-side controls perform the same function with respect to Marketing.  Escalation of confrontation leads to a meltdown in the case of an autistic person, or to Congressional hearings in the case of invasive adtech.  The parallels are obvious and the outcomes predictable.

You don’t need to be autistic to respond this way.  Dial up the unwanted stimulus enough and everyone eventually gets to this point.  Don’t believe me?  Watch the reactions to the sound of fingernails on a blackboard.  This is the first time in history that it has been possible to so thoroughly invade an individual’s cognitive space so we have not previously driven neurotypical people to autistic defensive behavior.  Now that we are beginning to do so, we should recognize the response as predictable given the level of stimulus and move to change the approach. At the very least Marketing needs to dial down the stimulus.  Better yet, Marketing should relate to people as respected peers rather than as subjects.  Our attention is a privilege, not a right.

Suggestions

Marketing needs to reinvent itself as a funding aggregator for content first, and as the delivery of brand messages second.

  • Create content subscription bundles so a single subscription reduces or eliminates ads across most or all web properties.  Cybercrime cannot ride in on your rails once you rip up the track.
  • Remunerate providers proportionally.
  • Make sure independent content providers can get paid on par with large providers.  Some might even say indie content is more valuable.
  • Stop with the invasive adtech already.  We hate it and we hate you for it.
  • Make it easy for prospective consumers to find your brand messages when they are actually in the market for something.
  • Turn your commercial content into program content.  Remember the people who aren’t football fans who don’t watch the game to see the ads?  They do go watch them on YouTube and vote on them in contests.  We don’t mind brand messages if the content is compelling.  (Clue!)
  • Finally, and this applies to pretty much any business, if your business model is indistinguishable from and directly enables organized crime, don’t spend a minute rationalizing the harm caused.  CHANGE THE MODEL.

Marketers, the countdown clock is ticking.  Will you continue on the current path, eventually driving the public to a meltdown?

Marketing Week’s flawed IoT survey

A few hours ago, Marketing Week published an article in their Trends section titled Smart Homes Lack Consumer Connection.  Although I’m an eager proponent of Internet of Things, I don’t find much insight or any actionable conclusions here for a number of reasons that I’ll explain below.  Do you find it insightful or helpful?  Does your answer change after you read this post?

What, no privacy concerns?

When it comes to people declining to install “smart” devices, the breakdown of their reasons as provided in the article is:

45% - Cost
44% - Unimportant
23% - Complexity
21% - Inappropriate data collection
18% - Intrusive
 3% - None of the above

Apparently it is possible to drastically reduce the ranking of privacy concerns by distinguishing between “too intrusive” versus “data being collected and used inappropriately.”   That’s quite a fine line to draw considering the lack of granularity in the other categories and instead of “Privacy – 39%” which would have trumped Complexity, we get two separate line items falling below everything else on the list except for “None of the Above”.  On the one hand it’s great that the study authors found something nuanced to look at.  On the other hand, gaaaaaaa!

What does “cost” mean here?

For example, a plethora of issues appear to be lumped into “cost.”  We all know that “cost” really means “cost versus benefit” and the article fails to distinguish whether people actually like the devices on offer and in their current form – i.e. see the devices as highly beneficial.  Maybe respondents love the devices but lack the funds to buy them, in which case a plausible ROI demonstration is appropriate.  A good example of this is 40 watt equivalent LED bulbs that used to cost $30 ~ $50.  Now that they sell for < $10 they have gone mainstream.

That seems to be the direction the authors are going when discussing energy saving devices and use the phrase “save money” four times in the article.  On the other hand, “cost” may mean it isn’t worth paying the price for the devices on offer because the additional benefits derived simply aren’t compelling.  A good example of this was when there were no 100 watt equivalent LED bulbs or 3-way LED bulbs.  You had to pay a lot more money for something that wasn’t as functional as before.  Kinda like buying a “smart” bulb and then having to duct tape the wall switch to the On position and use your phone to control it, or having no control over a “smart” device when the Internet goes out.  Too bad the study authors didn’t see the need to find any nuance here.

Relevance

Revolv Hub

This image embodies much of what’s wrong with IoT. Rather than replacing devices with functionally equivalent smart devices that provide enhancements, today’s IoT expects you to buy new types of devices, designs them as though you wish to feature them in your decor, and requires you to control everything over the phone.

Just as a raftload of sins are hidden under “cost” in the study, so too are they aggregated under “not considered important in my life.”  Does that mean “not considered important enough to find a place to put this new device on display so my friends will know how cool I am” (see the Revolv hub photo in the article) or “because I’m a Luddite,” or something in between?

Notification

Every single person who enables the buzzer on the washer and dryer has indicated their desire for those devices to notify them.  Everyone whose telephone is not set to mute, whose doorbell is operational, who uses an alarm clock, who uses a kitchen timer, has indicated a desire for notifications.  It is impossible to argue that notifications themselves are unimportant, so what is it about these notifications that is not compelling or relevant?  Perhaps it is because the notification destination is almost always the phone and that ambient notification devices are never used?  Of course, use of ambient notification systems would require integrations to a wider variety of devices and Industry seems to be well aware that Internet of Things is not about that.  No, the IoT is apparently about controlling, rather than enabling, all your device integrations.  That may be a significant part of the problem but you’d never know it from reading this study which never considers whether the prevailing device architecture is part of the problem.  The article not only fails to provide any insight in this area, but it doesn’t seem to recognize that there’s any nuance to be found.

Actuation

The other side of smart devices is actuation.  The primary time most of us wish for actuation is along the lines of “did I turn off the [insert name of device here] before I left the house?”  We’ve had device-issued notifications forever, even to some extent remotely, but we have not had a lot of “smart” actuation before.  For many people “not considered important in my life”  probably means exactly what you’d think and what the article suggests: we haven’t had this capability up to now and we don’t generally sit around wishing we did.

But “not considered important in my life” could also mean that the functionality of the devices on offer is perceived as laughable.  “You want me to replace a perfectly good wall switch with…my phone? BWAHAHAHAHAHA!”  This is the group into which I fall.  Admittedly this conclusion requires an informed and tech-savvy consumer.  However, targeting the portion of the market who do not understand the problem with this creates an incentive and business model based on keeping them clueless, and which also happens to facilitate the device-as-data-collection-portal paradigm.  Anyone but me have a problem with this approach?  Anyone else believe that devices should first act like the analog thing they replace and then provide enhancements as a secondary function?

It is also possible that “not considered important in my life” means “the device on offer doesn’t have the integrations that would make it compelling and traps me in a walled garden making it unlikely I’ll ever get the desired integrations.”    Call me crazy but when my deaf aunt comes to visit, I might actually want the doorbell, fire alarm, toaster, washer and dryer to talk to the house lighting so she can receive notifications just like everyone else in the home.  Anyone else believe that all devices should have open APIs so that prosumers and integrators can build compelling functionality with the mesh?  Or believe that a mesh of connectivity across all these unlike devices from different vendors needs to exist in order to realize the potential of IoT?  Maybe doing that would make IoT more relevant to the average consumer.  The study or authors, not sure which, or both, don’t seem to care how the “not important” category breaks out or whether the architecture is part of the reason people decline to buy.  Too bad.  We might have learned something by drilling into these issues.

Privacy – it’s in there

The one area in which the authors found some nuance was privacy concerns.  It is unfortunate that the result of granularity in this category is to drastically understate the relevance of privacy in consumer minds as compared to the other categories.  The effect is apparent in the summary  that Marketing Week uses when referring to the article from elsewhere on the site: Consumers cite cost and lack of usefulness as barriers to adoption.  No, they didn’t.  If you combine both of the Privacy categories, there is a total of only 6 percentage points separating Cost (45%), Relevance (44%), and Privacy (39%).  Complexity (23%), which is the next closest category, comes in a distant 12 points below Privacy.  The concerns expressed seem to cluster around Cost, Relevance and Privacy as the barriers to adoption.  Odd that privacy would get dropped like that.

Perhaps when your audience is an industry driven by the collection and analysis of consumer data, to suggest that consumers have significant privacy concerns is taboo.  Or perhaps the researchers genuinely wanted to drill down in this area because it is important, created sub-categories for privacy, but that intention got lost in publication.  Hard to say what is going on and since the usefulness of the conclusions varies so widely depending on how you read the intent here, any credence we each give the study will tend to align with our own confirmation bias.  Anyone can interpret the results according to their own views and that, for me anyway, renders the results meaningless.

Does anyone other than me believe that devices should default to not sending data to the vendor and instead allow the device owner to optionally enable vendor access to the data based on receiving something of value in return?  That model would not only significantly improve consumer perceptions of data collection and intrusion, it would actually contribute to consumer confidence in IoT privacy.

Spin doctoring

The article features an infographic, followed by this opening text.

I’m forced to make a lot of assumptions here because the study isn’t linked from the article and not accessible through Google search or anywhere else that I’ve found.  Since we do not have access to the study or information about its origins, we have to work with what’s in front of us.  Unfortunately, what’s in front of us doesn’t hold up well under close inspection.

Strangely, the first words in the article (at least those that aren’t a headline) are “The study, seen exclusively by Marketing Week, reveals…”  To which study are they referring, and what do they mean by “seen exclusively by”?

Are they trying to imply that someone independently and spontaneously funded this research without Marketing Week’s involvement and then gave Marketing Week exclusive access to it? The headline mentions “new research,” a non-specific phrase which could be plural or singular and suggests no connection exists between the reporter and the news being reported.  The rhetorical device of starting the article copy by back-referencing an unnamed but specific study from among all the available “new research”, and the passive construction using “seen exclusively by” combine to reinforce the suggestion that this is independent news reporting. So too do the references to “Source: Gekko” as the authors of the research.

If all that is true, then who commissioned the research?  And how did it end up as a Marketing Week exclusive and with their branding all over it?  Did Marketing Week vet the provenance of the study before publishing it?  Or did they in fact commission it themselves?  Why not just tell us the origins, scope and charter of the study or make it available, unless the intent is to deliberately put some spin on it?

To be fair, my suspicions of deliberate spin doctoring assume that the article was written by someone whose core competency is the use of English language in the art of persuasion, for example a marketing professional or experienced reporter in that field.  Someone like that doesn’t end up with a product like this by accident.  On the other hand, one could (some might say should) give Marketing Week the benefit of the doubt and assume that the unusual rhetorical construction isn’t actually deliberate framing but rather a case of sloppy as hell writing and editing that managed to get past all the approvals required for a high-profile feature article.  Hey, it could happen.  Decide for yourself.  Got a different interpretation?  Let me know about it in the comments.

Personal conclusions

My issues with the methodology, the article’s interpretation of the results and the apparent framing lead me to conclude that there’s enough of an agenda showing through to distrust the whole thing.  I would have much preferred if the authors had drilled deeper into the broad spectrum of reasons consumers give for not buying today’s IoT devices.  There are very few devices on offer today that provide a combination of compelling functionality, an open API, operate when disconnected from the Internet, and integrate with anything.  Any study today would therefore be constrained by consumer perceptions of the crippled proprietary devices we have now as being representative of the possibilities of IoT, and thus such a study would be marginally useful at best.  But it would at least be more useful than the study presented.

Shedding the light on the “going dark” problem

My theory about the “going dark” problem is the opposite of the official government explanation. They claim that they need to be able to read the communications of bad actors. (“Bad actors” in the security sense here, not the Hollywood sense.) But the back doors they’ve engineered have more to do with weakening the keys than with breaking the algorithms.  Mitigations are simple: introduce additional entropy while generating the key, use uncommonly long keys, use protocols with Perfect Forward Secrecy.  Anyone serious about preventing eavesdropping can reasonably expect to do so with a bit of work.

If that’s true, then what’s the big deal about lots of ordinary people who are *not* surveillance targets also using encryption?


Industry still puzzling over consumer reaction to tracking

Industry is still wondering what went wrong with tracking.

Frank Hayes over at Storefront Backtalk asks “When Is Data Collection Creepy?”  That’s a really good question now that ordinary people are waking up to the possibility that anyone and everyone can track them online and in real life.  The post touches on but doesn’t quite illuminate that the biggest difference is one of atoms versus bits. When surveillance was physical Newtonian physics limited what could be done. We didn’t need laws or policies stating that you couldn’t surveil all of the people all of the time because to do so wasn’t physically possible. Because we have never had that capability before, we do not have any experience with it from a policy-making standpoint.


Escaping advertising’s uncanny valley

You can’t get there from here!

One of the major themes that I see driving Internet of People and Things, and commerce in general, is ultra-personalization. Although not recognized widely as such, one of the “killer apps” that has emerged beginning with graphical OSes is “themes” or “skins.” Simply put, the OS exposes not merely the knobs and dials, but the size, shape and texture of the knobs and dials. Not just audible and visual event notifications, but the sound, look and behavior of those notifications. This was never recognized for the significance it has had in shaping customer expectations about responsiveness of products. In fact though, as things get smarter and computing recedes invisibly into the fabric of life, there is no single killer app. Ultra-personalization is the killer app.


FT on How much is your personal data worth?

A recent Financial Times article asks “how much is your personal data worth?”  This sparked a thread on the VRM mailing list to which I’d like to respond.  Tony pointed out that their numbers are old.  I’d also add that the entire article is a bit disingenuous.  The headline “How much is your personal data worth” implies broad valuation as in “how much is a dollar worth?”  The article conveniently ignores many uses and markets for that data and in fact is extremely narrowly illustrated.  It should have read “What is your legally collected data worth to data brokers, assuming you are not a high value target?”

Let’s take these in reverse order.


Swedes: Closet VRM activists?

A recent post by Mary Hodder on the VRM list discussed the news of the Swedish Data Inspection Board banning Google cloud services such as Docs, calendar and email over privacy concerns.  Mary writes:

It’s going to be a PR struggle to convince regular people that “personal” or personally directed services (VRM) style are different than general cloud services.. because I bet that Google would argue that Google apps are personally directed.. nothing happens unless the individual uses the services, from Google’s perspective. But the individual’s data  isn’t controlled by the individual, VRM style.

So I think this will be the pivot point.. convincing the public, as well as the companies and governments, that it’s not “personal” unless the individual controls their own data, not just the use of the product.

What is interesting to me about the privacy issues unfolding of late, especially in the wake of the PRISM revelations, is that VRM-y cloud apps already exist that address the issues raised by the Swedes and for privacy in general.  If Cole Sear were here he’d tell you the same thing:  “I see VRM apps. Floating around the cloud like regular apps.  They’re VRM except, they don’t see each other.  And they don’t say they are VRM.  They don’t even know they’re VRM.”


Duking it out with miicard

In my never-ending quest to make the world make sense, I have turned my attention to miicard.com once again.  They are pretty good, use HTTPS where it counts, don’t email my stored password around, and I even let them verify bank accounts.  But they are not without some issues.  In the interest of cutting to the chase, I’ve emailed James Varga (CEO) & Stuart Fraser (CTO) links to this post.


Minimal web security recommendations

For many years now, I have made an effort to contact owners of unsecure web sites and attempt to persuade them to fix the sites.  Lately as I have become increasingly involved with the Personal Clouds and Vendor Relationship Management communities, I have found many unsecure web sites within that community.  These communities are relatively new, fast growing and potentially transformative of Internet commerce and culture at large, so it’s important that security does not become a choke point for growth.  It is also my contention that the consolidation of one’s information into a personal cloud results in greater risk and therefore requires consistently strong and effective security design.  With this in mind, I offer my minimal list of requirements for any non-trivial web site.
