Law enforcement v Minimal disclosure

The Washington Post today exposed considerable excesses by “fusion” centers organized post 9/11.

Intelligence centers run by states across the country have access to personal information about millions of Americans, including unlisted cellphone numbers, insurance claims, driver’s license photographs and credit reports, according to a document obtained by The Washington Post.

Dozens of the organizations known as fusion centers were created after the Sept. 11, 2001, terrorist attacks to identify potential threats and improve the way information is shared. The centers use law enforcement analysts and sophisticated computer systems to compile, or fuse, disparate tips and clues and pass along the refined information to other agencies. They are expected to play important roles in national information-sharing networks that link local, state and federal authorities and enable them to automatically sift their storehouses of records for patterns and clues.

The list of information resources was part of a survey conducted last year, officials familiar with the effort said. It shows that, like most police agencies, the fusion centers have subscriptions to private information-broker services that keep records about Americans’ locations, financial holdings, associates, relatives, firearms licenses and the like.

Centers serving New York and other states also tap into a Federal Trade Commission database with information about hundreds of thousands of identity-theft reports, the document and police interviews show.

Pennsylvania buys credit reports and uses face-recognition software to examine driver’s license photos, while analysts in Rhode Island have access to car-rental databases. In Maryland, authorities rely on a little-known data broker called Entersect, which claims it maintains 12 billion records about 98 percent of Americans.

In its online promotional material, Entersect calls itself “the silent partner to municipal, county, state, and federal justice agencies who access our databases every day to locate subjects, develop background information, secure information from a cellular or unlisted number, and much more.”

“There is never ever enough information when it comes to terrorism” said Maj. Steven G. O’Donnell, deputy superintendent of the Rhode Island State Police. “That’s what post-9/11 is about.”

The last statement pretty much sums up current institutional thinking on individual liberty and national security: in the fight against terrorism, we have a moral obligation to do everything we can. Everything.

It’s scary how much that position echoes that of fascism. As promoted by Mussolini, fascism builds a moral framework based on the primacy of the state. The Italian fascio (Latin fasces) means a bundle of sticks, symbolizing that the bundle is stronger than any single stick. Fascism extends that thinking, declaring that each individual’s rights exist only insofar as they support the state. Or to restate, in the defense of the state, there are no individual rights.

Which, if you think about it, is exactly what anti-terrorist programs assert when claiming that terrorism trumps the rights and privileges of the suspect or accused. Due process, protection from unreasonable searches, freedom of speech: all of these rights have been trampled on in the name of the War on Terror. The fusion centers are just one more institution created by the mindset that brought us illegal wiretaps, extraordinary rendition, secret prison camps, extra-territorial detention, and torture.

I understand law enforcement’s position. It is easier to enforce laws when you know everything about everyone, just like in a police state (see The Lives of Others for an Academy Award-winning story of pre-information age East Germany’s police state). But it is impossible for a police state to generate the economic and social well-being that emerges in a free society… and it is that well-being which, ultimately, is the core of U.S. global power. Simply put, undermining freedom undermines US security.

In contrast, consider the subtle brilliance of Kim Cameron’s Laws of Identity, in particular, law 2:

2. Minimal Disclosure for a Constrained Use

The solution that discloses the least amount of identifying information and best limits its use is the most stable long-term solution.

We should build systems that employ identifying information on the basis that a breach is always possible. Such a breach represents a risk. To mitigate risk, it is best to acquire information only on a “need to know” basis, and to retain it only on a “need to retain” basis. By following these practices, we can ensure the least possible damage in the event of a breach.

At the same time, the value of identifying information decreases as the amount decreases. A system built with the principles of information minimalism is therefore a less attractive target for identity theft, reducing risk even further.

By limiting use to an explicit scenario (in conjunction with the use policy described in the Law of Control), the effectiveness of the “need to know” principle in reducing risk is further magnified. There is no longer the possibility of collecting and keeping information “just in case” it might one day be required.

The concept of “least identifying information” should be taken as meaning not only the fewest number of claims, but the information least likely to identify a given individual across multiple contexts. For example, if a scenario requires proof of being a certain age, then it is better to acquire and store the age category rather than the birth date. Date of birth is more likely, in association with other claims, to uniquely identify a subject, and so represents “more identifying information” which should be avoided if it is not needed.

In the same way, unique identifiers that can be reused in other contexts (for example, drivers’ license numbers, Social Security Numbers, and the like) represent “more identifying information” than unique special-purpose identifiers that do not cross context. In this sense, acquiring and storing a Social Security Number represents a much greater risk than assigning a randomly generated student or employee number.

Numerous identity catastrophes have occurred where this law has been broken.

We can also express the Law of Minimal Disclosure this way: aggregation of identifying information also aggregates risk. To minimize risk, minimize aggregation.
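The two moves the law recommends, handing on an age category instead of a birth date and a special-purpose identifier instead of one that crosses contexts, are easy to show in code. What follows is an added example, not code from the original post or from Cameron’s paper; the context names, the claim sets each context may receive, the sample record and the issuer key are all constructed for illustration:

```python
import hmac
import hashlib
from datetime import date

# Claims each relying context is allowed to receive. The context names and
# claim sets are assumptions for this example, not part of the original post.
CONTEXT_NEEDS = {
    "campus_bar": {"age_category"},   # only needs to know "21 or over"
    "library":    {"display_name"},   # never needs age or birth date
}

def years_since(birth: date, today: date) -> int:
    """Completed years from birth to today; correct when this year's birthday is still ahead."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years

def age_category(birth: date, today: date) -> str:
    """Coarse age claim derived from the birth date; only the category is handed on."""
    age = years_since(birth, today)
    if age < 18:
        return "under_18"
    if age < 21:
        return "18_to_20"
    return "21_or_over"

def context_identifier(cross_context_id: str, context: str, issuer_key: bytes) -> str:
    """Pairwise pseudonymous identifier: stable within one context, unlinkable across contexts.

    The MAC is keyed because a Social Security Number has only 10**9 possible
    values, so an unkeyed hash could be reversed by brute force. The key stays
    with the issuer; relying parties only ever see the output.
    """
    msg = f"{context}\x00{cross_context_id}".encode()
    return hmac.new(issuer_key, msg, hashlib.sha256).hexdigest()

def minimize(record: dict, context: str, issuer_key: bytes, today: date) -> dict:
    """Return the least identifying set of claims the given context needs.

    `record` is the issuer's full record (ssn, birth_date, display_name).
    The output never contains the SSN or the birth date.
    """
    needed = CONTEXT_NEEDS[context]
    # Fail closed on any claim the table asks for that we cannot derive.
    unknown = needed - {"age_category", "display_name"}
    if unknown:
        raise ValueError(f"no derivation for claims {sorted(unknown)}")
    claims = {"subject": context_identifier(record["ssn"], context, issuer_key)}
    if "age_category" in needed:
        claims["age_category"] = age_category(record["birth_date"], today)
    if "display_name" in needed:
        claims["display_name"] = record["display_name"]
    return claims

# Constructed sample record and issuer key (not real data).
SAMPLE_RECORD = {
    "ssn": "123-45-6789",
    "birth_date": date(2003, 1, 2),
    "display_name": "A. Student",
}
SAMPLE_KEY = b"issuer-secret-for-example-only"

if __name__ == "__main__":
    for ctx in CONTEXT_NEEDS:
        print(ctx, minimize(SAMPLE_RECORD, ctx, SAMPLE_KEY, date(2024, 6, 1)))
```

A breach at the bar now yields an age bucket and a pseudonym that cannot be joined to the library’s records, because the two contexts get different subjects for the same person. The caveat a practitioner should keep in mind is that the unlinkability rests entirely on the issuer key: if it leaks, every pairwise identifier can be recomputed from a guessed SSN, so the key needs the same protection as the SSNs themselves.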

Whether or not you think the War on Terror is being handled well, it is a demonstrable fact that human systems fail. People make mistakes. And that means we can guarantee that institutions–even when acting in our own best interest–will make mistakes, like the admitted errors of the FBI, as reported by the NYT:

F.B.I. Made ‘Blanket’ Demands for Phone Records

WASHINGTON — Senior officials of the Federal Bureau of Investigation repeatedly approved the use of “blanket” records demands to justify the improper collection of thousands of phone records, according to officials briefed on the practice.

Under the USA Patriot Act, the F.B.I. received broadened authority to issue the national security letters on its own authority — without the approval of a judge — to gather records like phone bills or e-mail transactions that might be considered relevant to a particular terrorism investigation. The Justice Department inspector general found in March 2007 that the F.B.I. had routinely violated the standards for using the letters and that officials often cited “exigent” or emergency situations that did not really exist in issuing them to phone providers and other private companies.

F.B.I. Says Records Demands Are Curbed

WASHINGTON — The Federal Bureau of Investigation improperly obtained personal information on Americans in numerous terrorism investigations in 2006, but internal practices put in place since then appear to have helped curtail the problems, Bush administration officials said Wednesday.

The Justice Department’s inspector general is expected to issue a report in coming weeks that updates the findings of a major investigation last year into the F.B.I.’s use of so-called national security letters, which allow investigators to obtain telephone, e-mail and financial information on people involved in investigations without a court warrant.

Last year’s report caused an uproar in Congress when it was disclosed that the F.B.I., under powers granted by the USA Patriot Act, had misused its authority to gather records in thousands of instances from 2003 to 2005. The new report from the inspector general will examine the bureau’s use of the records demands in 2006.

At the end of the day, this isn’t about any particular individual, nor even any particular violation of our constitutional rights.

It’s about addressing the systemic problems of the information age. There will always be threats to national security. There will always be the drive to get as much data as possible into the hands of a few, elite law enforcement agencies, capable of acting in the “public good”. And there will always be individuals who break the rules, whether with good intent or malicious design. We don’t need conspiracy theories to point out the dangers of centralizing all the information about everybody.

What we need is an open-eyed approach to building information systems on user-centric principles, such as Cameron’s seven Laws of Identity. Do that and a vast number of systemic risks of the information age go away.

Posted in Identity

NY State strikes out against unapproved privacy invasion by online advertisers

Kudos to Assemblyman Richard L. Brodsky in the NY State Assembly for taking on GoogleClick and the rest of the back-end invisible online tracking services.

The NYT reports A Push to Limit the Tracking of Web Surfers’ Clicks:

AFTER reading about how Internet companies like Google, Microsoft and Yahoo collect information about people online and use it for targeted advertising, one New York assemblyman said there ought to be a law.

 

[Photo: Assemblyman Richard L. Brodsky, the sponsor of a New York bill to limit how companies collect data on computer users. Michelle V. Agins/The New York Times]

So he drafted a bill, now gathering support in Albany, that would make it a crime — punishable by a fine to be determined — for certain Web companies to use personal information about consumers for advertising without their consent.

And because it would be extraordinarily difficult for the companies that collect such data to adhere to stricter rules for people in New York alone, these companies would probably have to adjust their rules everywhere, effectively turning the New York legislation into national law.

“Should these companies be able to sell or use what’s essentially private data without permission? The easy answer is absolutely not,” said the assemblyman who sponsored the bill, Richard L. Brodsky, a Democrat who has represented part of Westchester County since 1982.

“A law like this essentially takes some of the gold away from marketers,” said Joseph Turow, a professor at the Annenberg School for Communication at the University of Pennsylvania. “But it’s the right thing to do. Consumers have no idea how much information is being collected about them, and the advertising industry should have to deal with that.”

This is an absolute no brainer.

If you don’t have permission, don’t track users.

In the physical world, we have developed fairly robust rules of social etiquette and even laws regulating this sort of behavior. Can you imagine how creepy it would be if some stranger surreptitiously followed you around, noting where you go, what products you buy, even what sections in the supermarket you lingered in? Yech! Get that stalker away from me.

And yet, that is exactly what most (if not all) online ad networks do to maximize their ability to sell high margin ads targeting Internet users. It makes sense. If they can tell from your clickstream behavior that you are likely looking for a new car, then they can create a lot of value by showing you new car ads. Value for advertisers and value for you… after all, you ARE in the market for a new car, right?

When it works, it’s cool. But what about when you don’t want it working? When you want a little discretion as you window shop? When you’d like some privacy? Unfortunately, it doesn’t work that way. Users can’t tell when the ad networks are, or are not, tracking–it is all invisible to them–and there’s no equivalent of a “do not call list” to turn off such tracking.

The right answer is to move toward user-centric advertising, where the user is explicitly in control of all the data used to offer them ads and can even limit the types of ads shown. This resonates with Esther Dyson’s testimony to the Federal Trade Commission at their Townhall on behavioral targeting and her subsequent article at Huffington Post, where she proposed using a “Disclosure 2.0” approach to this issue.

If advertisers and ad networks can create real value with behavioral tracking and targeting, then full disclosure–and even full user control–will only enhance trust and deepen the relationships between businesses and customers. The long term value of a customer depends on building viable, healthy relationships. Relationships depend on trust. By engaging openly and responsively with their customers–with full disclosure and as much user control as possible–companies can craft entirely new, more trusting and more profitable relationships while customers feel more comfortable about their personal boundaries, have increased confidence in their vendors, and get easier access to better products and services.

Advertisers need to get this. Ad networks and search engines need to support it. And it may be that regulators need to enforce it.

[This is precisely the sort of payoff for vendors that Project VRM is working towards.]

Posted in Vendor Relationship Management

Microsoft’s SearchBar: an integrated tool for Advanced Searches

Microsoft Research recently revealed a new interface, called SearchBar, for tracking Advanced Searches. It’s pretty cool. The video is a must see for anyone interested in next-generation search. And the PDF is solid detail well worth the read. [You might also want to see their other Search UI innovations.]

The new SearchBar addresses a lot of the needs I’ve been talking about for Advanced Searches, although with some slight variations and a few key missing ingredients, which I’ll be talking about soon. (Hint: it’s not quite a User Driven Search solution.)

What’s great about SearchBar is how thoroughly Microsoft has investigated the value of managing Advanced Searches explicitly. Although the simplicity of the Google-style keyword search has empowered a generation of people to find what they need online, it essentially breaks down for Searches that pass a certain threshold of complexity. Searches that take us to multiple search providers and last more than a few minutes, even days or weeks, are essentially managed in whatever ad-hoc way we can find: we keep it in our heads, open in new tabs, cut & paste into Word, bookmark, print to PDF, whatever works.

One of the hard questions we’ve been facing at SwitchBook is how can we simplify that complexity enough so Mom & Grandma will be able to use our software. This is particularly challenging in light of data from Jakob Nielsen showing that for a shockingly high percentage of people, just getting to Google is hard. Read that again. In a recent study, 24% of “above average” Internet users failed to reach Google despite a stated desire to do so.

That seems crazy to those of us who earn our living online in some fashion, but this is the crazy truth of the mainstream Internet user. These are the folks who turn a blogosphere buzz into a $200 million acquisition or billion dollar IPO. Folks need it simple. No, even simpler than that. Nope. Think again. EVEN SIMPLER. 24% couldn’t get to Google. Amazing.

So, we can build a solution for Complex Searches. We can provide software with a great interface that does all sorts of amazing things. But how, oh how, do we remove the complexity so that the average Grandma can use it?

Well, that’s the $640 million question. I like the work Microsoft has done so far. Much better than anything from Google in this area. Even better, they published the results of their user testing. It is excellent validation that smarter tools improve search efficiency for Complex Search. Read the paper when you get a chance.

It is truly groundbreaking research, even if the technology is straightforward. I look forward to it translating to groundbreaking consumer education. After all, it was only a few years ago that Internet email and Microsoft Word seemed impossibly complex for Mom & Grandma. Today, we’ve both simplified the tools and educated users enough for both of those applications to pass into mainstream use. As far as I’m concerned, for every dollar Microsoft spends educating the public about the value of Advanced Search tools, the easier it will be for people to understand the SwitchBook value proposition.

[Update 5/3/2009 : changed “Complex Search” to “Advanced Search”. Changed “user-centric Search” to “User Driven Search.”]

Posted in Search

NewsGang talks data portability. Next up: Service Portability.

Excellent chat today by Steve Gillmor, Chris Saad, Mary Hodder, Karoli Kuns, Robert W. Anderson, Matt Terenzio, and Bruce Lerner about data portability. They get to the nitty gritty about data portability, licensing, and social networks. Perhaps the best Gang I’ve ever heard.

So, Steve, if you’re listening, take this to the next level and talk about service portability.

It’s great to be able to move my data from service to service. Data portability is a good thing–and we absolutely must address the licensing and privacy issues that cloud that horizon. We also need to be able to move our services from provider to provider.

We can do that today with domain names that we own. We can move our blog or our website or our email from one hosting provider to another. The next step is to extend that to user-controlled services that expose data on our terms, under our control.

Data portability lets everyone pass data around so different service providers can do smart things with that data. Ok. But we learned long ago that software systems are more robust, more scalable, and more maintainable when rather than exposing the data, you expose functions that use that data.

I don’t want people who email me to have direct access to my email data file on a server somewhere. That would be insane. I want them to have a well-defined, constrained, complete service interface for sending me email, no matter which service provider I choose. An interface that lets them reach me, but keeps them from reading and deleting other email.

Similarly, we need to take user data, place it in a personal data store (yea! portability!), then provide specific, well-defined access services to third party service providers, using that data, where the user controls those services completely: what services are available, who can access them, and even who the underlying service host is. This is how email works. How websites and blogs work. Next is to take this to user-centric services with complete, seamless data and service portability across the entire cloud.
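The email analogy above, a store that keeps the data inside and exposes only the services the owner has granted, can be made concrete. The following is an added example and not code from the original post or from any of the projects it mentions; the operation names, the token format and the sample callers are assumptions made for illustration:

```python
import secrets
from dataclasses import dataclass, field

# Services the store exposes to callers. Names are an assumption for this example.
OPERATIONS = frozenset({"deliver", "list", "delete"})

@dataclass
class Grant:
    """One caller's permission: which operations it may invoke, and whether it still stands."""
    caller: str
    allowed: frozenset
    revoked: bool = False

@dataclass
class PersonalDataStore:
    """Data stays inside the store; callers get only the services the owner granted them."""
    owner: str
    messages: list = field(default_factory=list)
    grants: dict = field(default_factory=dict)   # token -> Grant

    def grant(self, caller: str, operations) -> str:
        """Owner issues an unguessable token limited to the listed operations."""
        ops = frozenset(operations)
        unknown = ops - OPERATIONS
        if unknown:
            raise ValueError(f"unknown operations {sorted(unknown)}")
        token = secrets.token_urlsafe(24)
        self.grants[token] = Grant(caller, ops)
        return token

    def revoke(self, token: str) -> None:
        """Owner withdraws a grant; the token keeps failing from now on."""
        self.grants[token].revoked = True

    def allows(self, token: str, operation: str) -> bool:
        """Authorization check: the token must exist, be live, and cover the operation."""
        g = self.grants.get(token)
        return g is not None and not g.revoked and operation in g.allowed

    def _authorize(self, token: str, operation: str) -> Grant:
        if not self.allows(token, operation):
            raise PermissionError(f"{operation!r} not permitted for this token")
        return self.grants[token]

    def deliver(self, token: str, body: str) -> int:
        """Write-only service: a sender can add a message but learns nothing else."""
        g = self._authorize(token, "deliver")
        self.messages.append({"from": g.caller, "body": body})
        return len(self.messages)

    def list_messages(self, token: str) -> list:
        self._authorize(token, "list")
        return list(self.messages)

    def delete_message(self, token: str, index: int) -> None:
        self._authorize(token, "delete")
        del self.messages[index]

if __name__ == "__main__":
    # Constructed callers: the owner holds every service, a sender holds only "deliver".
    store = PersonalDataStore(owner="alice")
    owner_token = store.grant("alice", OPERATIONS)
    sender_token = store.grant("bob@example.com", ["deliver"])
    store.deliver(sender_token, "hello")
    print(store.allows(sender_token, "list"))    # False: delivery does not imply reading
    print(store.list_messages(owner_token))
```

The grants live with the store rather than with whoever hosts it, which is what makes the service portable: move the store to another host and the same tokens still define who may call what. The check a practitioner would add in production is that `allows` is the single choke point every operation passes through; a new service that forgets to call it silently widens what a token can do.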

We know that we need to be able to move our email service from one service provider to another. We know that we need to be able to move our websites to the host of our choice. We know that we need to be able to move our cell phone number from one carrier to another. And we know that we need to be able to change our attorney of record, our doctor, our insurance provider, etc.

We also need to be able to move our MySpace profile and Facebook page anywhere, anytime, on our terms… not just the friends list, but the entire visual gestalt. We need to be able to move our IM and our Twitter services. We need to be able to move our search history from one search provider to another. Pick any service you have come to depend on and understand that dependence creates the need for liberation, the need to get that service on your terms with the provider you prefer, under your complete control.

Without complete portability–services and data portability–innovative service providers will corner markets with data silos and service lock in. Only with transparent, seamless portability, can we leverage the open market and open network to drive to the most desirable and most useful services.

The user-centric identity community is way ahead of the curve on this one. I’m looking forward to the data portability movement re-discovering the architectural realizations learned the hard way by OpenID, CardSpace, Liberty Alliance, and Higgins, just as the identity community begins to extend from the hard core technology built for identity and starts working towards the applications that will ultimately connect to real value for real users. All of it has been learned, and continues to be built, through collaborative efforts toward real portability and interoperability at the heart of the infrastructure. In particular, XDI has made great progress hashing out exactly the sort of license-based, identity-authorized data access that Steve talked about in the podcast. ProjectVRM is driving a user-centric approach to commerce in this conversation, and I encourage folks to join us all at the next IIW unconference and to keep an eye open for a VRM workshop sometime later in the year.

Posted in Identity, Personal Data Store, ProjectVRM, Vendor Relationship Management

Powerset in detail

For those of you who are curious about Powerset’s natural language search, here is an excellent, in-depth presentation (~1 hour 10 min) at the 2007 International Semantic Web Conference by founder & CTO Barney Pell.

Worth watching if next-generation search is on your radar.

Posted in Search

Pricing for Charities: Pay-What-You-Want and VRM

Charitable giving has an intriguing relationship with rational pricing theories. The supply of charitable products is essentially inexhaustible. Price of a charitable gift is not based on supply and demand, with curves meeting at an efficient clearing price.

And yet, there is a competitive marketplace connecting patrons and charities. From schools and radio stations to global conservation and intervention, millions of charities compete for attention and dollars.

In my last post, I argued that markets are about more than prices. So too is the world of charities. Today the NYT reports on current research by John List and Dean Karlan investigating how and why people give, and what makes them give more or less to a particular cause at a particular time. A good read.

The research highlights several unique influences on charitable giving, with many lessons about which conversations matter most.

In particular, people give for that “warm glow” rather than for any perceived material return. Perhaps that isn’t a surprise, but when connected to economics it changes the conversation. It turns out that matching donations, from employers for example, are valued more as a social trigger than as an economic motivator. People give until the trigger is reached–until they’ve met the socially determined mark for making a difference–and they don’t give more just because a match is a greater multiplier, even though economic theory would suggest the greater multiplier would create more giving.

So one of the questions for charities is how then do you maximize the warm glow and the amount of giving it triggers? And not surprisingly, ROI calculations and traditional economics have little to do with it.

At Project VRM, we’ve talked a lot about how markets are more than transactions, more than just prices. Markets are conversations and relationships. That makes much of List & Karlan’s research applicable to all of VRM, and especially for Doc Searls’ efforts to reinvent our relationship with Public Radio.

Radiohead and Nine Inch Nails have already broken ground with commercial Pay-What-You-Want product launches, which in practice is a lot like the Public Radio mantra that turns 10% of listeners into subscribers every year. Both bands’ efforts were huge successes as promotions, although the jury is still out on the longer term impact. (It should be noted that Nine Inch Nails was more of a “freemium” model, as they offered limited editions and additional tracks for a fee.)

As digital products become “free” to distribute, it may be that artists can generate more interest, greater goodwill, and greater profit, by thinking more like charities and less like lawsuit-wielding rabid dinosaur music studios. In which case, it behooves them to read up on List & Karlan’s research.

And apropos for VRM, it behooves us to do so as well.

Posted in ProjectVRM, Vendor Relationship Management

Pricing, Markets, and Demand, VRM style

Economists often talk of markets as price discovery mechanisms, and the freer the market, the more efficiently those prices can be discovered. In fact, in the absence of all transaction costs, and given well-defined property rights, free markets assure the efficient allocation of resources regardless of initial distribution—that’s the core tenet of Law & Economics as shown by Coase (1960). Of course, we can’t ever actually get rid of transaction costs completely, but that’s ok. The lower they go, the more efficient the market, the better the overall utility of the economy.

But let’s not confuse making markets more efficient with making everything about pricing. Only in the simplest commodity markets is pricing ever the sole factor. Whether you focus on relationships and conversations or the 20th century model of brand-driven differentiation, there are lots of factors that influence a transaction at least as much, if not more, than price.

I think it makes more sense to think of markets as “value” discovery mechanisms. It just happens that the industrial age conflated price and value, so the distinction was often ignored. When we have efficient markets, everyone has the simplest, fastest way to find the highest value we can, including price, quality, aspirational expressions, relationships, and moral or ethical congruence (such as being “green” or animal friendly).

So, there are at least two distinct ways VRM can help reinvent the market. First is providing a more efficient value discovery mechanism, in part by reducing transaction costs. That is, helping us find the good stuff more easily, more quickly, and more cheaply. Second is by helping to define new avenues for creating value, through richer, more meaningful relationships, better service, and greater customization in product and service offerings.

One particular false hope for VRM that I don’t want us to get distracted by is the illusion that by moving power from Vendors to Customers we can force better prices. That’s a win-lose game that is actually wasting resources trying to shift the line of marginal value towards the individual. It doesn’t result in any new value in the system and yet it increases transaction costs. This is clearly a net loss for the overall economy.

A related architecture with a much more satisfying win-win outcome is aggregating users to define & document demand in order to encourage vendors to fulfill that demand. This isn’t about market power, it is about market validation.

Eventful’s Demand service does this by letting people state their interest in having a particular event in their neighborhood. Like a petition, this demand is aggregated and presented to the event organizer to get them to actually bring the event to locations with the most demand. This not only helps bring the product to the individual, it helps the performers understand and meet market demand. This type of demand discovery actually creates value. There is more profit for the performers—or they wouldn’t bother doing the extra show—and end users get to go to an event they otherwise may have missed. This is such a VRM-style win-win that I have asked the founder of Eventful to join the conversation.

I’m looking forward to seeing how we might build on Eventful’s approach.

Posted in ProjectVRM, Vendor Relationship Management

PocketMod: The origami PDA

I used to carry a small notebook (~2″x3″) with an equally small pen and would jokingly refer to it as my non-digital PDA whenever I took it out in front of fellow digerati. I mostly kept track of to-do items, shopping lists, and inspirations, just stuff.

Forward to 2008 and enter PocketMod. Mash up your design, print, fold, cut, fold some more. Instant paper PDA. Nicely done and just enough fun to try out.

Tip of the hat to Peter Duke.

Posted in Uncategorized

Tufte would be proud–the world through new (data) eyes

Rarely does presentation of statistical data make me say “wow” out loud.

This did. Hans Rosling talking about the state of the world: third world, health, wealth, changes over time. Great data. Great presentation. Worth thinking about.

In addition to the impactful visualization of the worldwide transitions in wealth & health since 1960, Hans also makes extremely clear the dangers of averaging over too large of a data set. I can only begin to highlight how critical that is in understanding the future of the web, search, and Internet services.

Centralized views of the world, such as those underlying Google’s PageRank and the Semantic Web, presume too much about finding the “one true answer”. For Google, it means trying to find the “best” results for a simple keyword query–for some version of “everyone”. For the semantic web, it means trying to connect all the meta-data and data on the web to provide one true version of reality that can be reasoned over. And yet, we know that trying to make all of the people happy all of the time is a recipe for failure: it can’t be done. Hans makes this clear in terms of dealing with the ills of the world: poverty and life expectancy. Planning for HIV in the top quartile of Africa needs to be profoundly different from how we deal with it in the bottom quartile.

So beware of average approaches. Beware of universals.

Instead, find the solution that is properly contextualized, preferably customized for each individual.

That’s the direction of VRM (Vendor Relationship Management), by the way. Figure it out for the individual user first, then find ways to use technology to scale efficient solutions. Averages need not be applied. Monolithic approaches to marketing and product development need not apply. Micro-focus at a mega scale.

Tip of the hat to Noah Brier for the Hans Rosling presentation at TED.

Posted in Vendor Relationship Management

Europe continues to lead privacy conversation with IP ruling

The EU is years ahead of the US in user rights and privacy. For a VRM example, see the UK’s Buyer-Centric Commerce Forum.

Now, according to the Washington Post, the head of the EU’s group of data privacy regulators has pushed the privacy envelope even further, saying “IP addresses are personal data“:

BRUSSELS — IP addresses, strings of numbers that identify computers on the Internet, should generally be regarded as personal information, the head of the European Union‘s group of data privacy regulators said Monday.

This will be interesting to watch…

Posted in Identity