Bartering our Privacy

Many years ago I worked for a brilliant man, an industry analyst who did groundbreaking work in developing models for delivering broadband services to residential customers. I recommend you check out his current company, DEEPfutures.

Last August, he wrote a post on LinkedIn discussing new business models for Internet services. It’s a good read, but I disagreed with a key point that he made about the business model of presenting ads based on personal data:

“That business model is an unequal barter. In old-style, traditional barter, a farmer might trade a sheep and two chickens to have the barn roof repaired: both sides would have calculated the value and benefit. In our unequal barter, we trade all our personal information for…cat videos [and] free-to-us online services: Gmail, Facebook, Whatsapp, Twitter, etc. It’s unequal in that we, the users, have no say over or insights into the value the adtech giant firms abstract from our data. It’s also unequal in that all people’s data, mine, yours, a billionaire banker’s, a poor farmhand’s, are traded for the same “free” service, although our data clearly have different utility and value to the adtech companies and their customers.”

I disagree with this statement in two key areas:

  1. “It’s unequal in that we, the users, have no say over or insights into the value the adtech giant firms abstract from our data.” Yes, it may be unequal, but it’s certainly not unfair. In the old-style barter system, we assume that the farmer traded his sheep or chickens to the roof repairer so that the latter could feed his family. But what if the roof-repairer had discovered a way to make chickens lay golden eggs and he could generate millions of dollars in income going forward? That’s still not an unfair barter, since the farmer received something valuable — a now leakproof roof — in exchange for something he considered valuable. In the same way, companies like Google, Facebook and others who give us cat videos or apps in exchange for our data are providing something of value — we don’t lose in the bargain if they are smart enough to turn our data into something more valuable than we consider it be when we hand it over.
  2. “It’s also unequal in that all people’s data, mine, yours, a billionaire banker’s, a poor farmhand’s, are traded for the same “free” service, although our data clearly have different utility and value to the adtech companies and their customers.” Here again, that doesn’t really make the barter unfair — if adtech companies find more value in a billionaire banker’s data than they do in the data from a farmhand, but are willing to provide the same free services to both, that’s not really unfair to the banker or farmhand. These individuals, as well as the adtech companies, are willing to enter into a barter relationship for something they each perceive to be of value.

This should not be interpreted as any kind of defense of Google, Facebook or others who have clearly demonstrated that they often play fast and loose with others’ data. Nor is it a defense of adtech companies and others that take your data without permission. For example, TechCrunch has found that companies like Air Canada and Hotels.com will record your mobile phone interactions, sometimes without permission. That’s not barter, since something of value has been taken from you without your consent in exchange for nothing in return.

Instead, I believe the fundamental problem is that too many aficionados of cat videos and various types of “free” apps place too little value on their privacy. They are too quick to hand over their data without first considering the consequences of doing so. The transaction is fair, but the adtech companies are thinking critically about what they can do with data owned by people who don’t think critically about entering into a relationship with them.

Any unfairness in the bartering between individuals and adtech companies will be solved only when the former begin to think seriously about the implications of handing over data without first considering the consequences.

Some Ideas, Other than Fines, to Reduce Data Breaches

An idealist might view the European Union’s General Data Protection Regulation (GDPR) as an effective means of reducing the number of data breaches by imposing massive fines on those who lose control over the private data of EU residents. A cynic might view the GDPR simply as a means for the EU to make lots of money from those who violate it, while not having much impact on reducing the total number of data breaches.

The truth might lie somewhere in the middle.

In terms of good news about the efficacy of the GDPR, Cisco recently released a report showing that only 74 percent of GDPR-ready organizations experienced a breach since the GDPR went into effect last May, compared to 89 percent of non-GDPR-ready organizations that suffered a breach during the same period.

The bad news is that 74 percent of GDPR-ready organizations experienced a breach since the GDPR went into effect last May.

Corroborating the fact that data breaches are still running rampant is a DLA Piper report showing that more than 59,000 data breaches occurred in Europe during the eight months since the GDPR went into effect, or roughly 10 breaches per hour. The DLA Piper data shows that data breaches are significantly more common than the 41,502 breaches reported by the European Commission for the same period.

The continuing high rate of data breaches should not be used by corporate decision makers as an excuse for not complying with the GDPR. Every organization should do so for a couple of reasons: first, it’s the law and decision makers should comply with the law. Second, becoming GDPR-compliant will make organizations and the data they process and control safer and less likely to be breached.

Plus, complying with the requirements of the GDPR is a good idea because they make sense: encrypt data, keep it only for as long as you need it, ensure that third parties that have access to data comply with good data governance practices, enable data owners to have control over information about them, and so forth.

What might not be such a good idea is imposing massive fines on companies for data breaches because big fines often don’t work. For example, in 2015 five US banks were fined $5.6 billion for their role in colluding to manipulate interest rate and currency markets, yet some concluded that the fines had little impact on the future behavior of these institutions. In January of this year, Google was fined €50 million (~$57 million) in France for GDPR violations, or about 0.04 percent of the company’s 2018 revenue – a drop in the bucket for a company this large. Even at a personal level, huge fines have little impact: for example, in 2014 the State of Illinois imposed new anti-littering laws that, for a third offense, impose a fine of $25,000 and a felony conviction on the offender. The result in the first three months of the new law was that very few citations were issued.

So, what might be a more effective way to reduce data breaches and increase compliance with privacy regulations like the GDPR? Here are three ideas:

  1. Every time a breach occurs, require offending companies to pay for 1,000 randomly selected victims to be flown first class to an exotic location — perhaps a very nice hotel for a long weekend — where victims can meet in a public forum and air their grievances with executives of the company that lost their data. Also require that the event be recorded and made available on the home page of the offending company’s web site for one year following the event. This would allow executives to meet their victims face-to-face and learn first-hand of the pain their carelessness has caused.
  2. Require the CEOs from offending companies to take a three-month sabbatical following a data breach, not allowing them to participate in the day-to-day activities of running their companies.
  3. Instead of imposing fines on offending companies, instead require that these companies spend the same amount on technologies, processes, training, etc. to ensure that their data processing practices are improved so as to prevent future data breaches. The spending plan and expenses could be monitored by a third-party consulting firm not connected with the offender.

While these ideas certainly won’t prevent all future data breaches, they might be more effective than slapping offenders with big fines that dissipate into a government bureaucracy.

Information Overload is a Myth

A search for the term “information overload” in Google returns 3.68 million results, the second of which is a good definition of the problem: “exposure to or provision of too much information or data.” Wikipedia expands on the issue by defining it as “…a term used to describe the difficulty of understanding an issue and effectively making decisions when one has too much information about that issue. Generally, the term is associated with the excessive quantity of daily information.”

While the definitions are accurate, the fundamental issue with information overload is not really a problem with having too much information. Instead, it’s that we don’t have information curated in such a way as to present a limited set of the right information. For example, when I type “who starred in the movie grand prix” into Google, the first thing that shows up are photos of the cast. Google also provided many pages of additional search results, but curated a limited set of options that were most relevant to my inquiry, and it was the first one that satisfied that query. So, if Google had returned 300,000 other links and images, I would not have been overloaded with information because I could disregard everything but the right answer presented to me at the top of the list.

Similarly, if I need to find an email I sent to a prospect three days ago, does it matter if I have 36,745 emails in my inbox if my search returns just the email I was seeking? Not really.

So, what we’re really talking about with information overload is a lack of good search and good curation, which often begins with inadequate archiving of the right information. In the workplace, that lack of good search, curation and archiving manifests itself in a number of ways, most notably in the amount of time that employees spend searching for information. For example, a Software Advice survey found that some employees spend at least six hours per week searching for paper documents. A McKinsey report discovered that employees spend an average of 9.3 hours per week searching and gathering information. When it comes to information that is even more difficult to find, such as the job and client experience of my fellow employees that I might bring to bear on solving a problem, it may take even longer to find this information, if I can find it at all. Add to this the problem of information held in various silos across the enterprise and the situation becomes untenable, leading to regulatory, legal and employee productivity problems of various types.

Consequently, information overload really is not a thing — but inadequate search, curation and archiving definitely is.

What About Shadow IoT?

There has been so much talk about “Shadow IT” — employees using their own smartphones, tablets, cloud applications and mobile apps — and its impact on corporate IT that many don’t worry about it anymore. Many IT decision makers have simply acquiesced to the idea that employees will use their own devices, mobile apps and cloud applications, and so are finding ways to work within this new reality as opposed to fighting it. To be sure, Shadow IT has major implications for security, the ability to find and manage corporate data, the ability to satisfy compliance obligations and the like, but Shadow IT is here and it’s here to stay.

But what about “Shadow IoT”? There are a large number of personally owned IoT devices already accessing corporate networks, such as Apple Watches, Fitbits, Alexa/Google Home devices and the like. For example, an Apple Watch can be used to access corporate email and text messages, Fitbits send emails to wearers with their weekly status reports, and IBM has integrated Watson with Alexa/Google Home, to name just a few examples on the tip of this iceberg. Fueling this trend is growing corporate acceptance of the idea of integrating IoT with business processes — companies like Salesforce, Capital One, AETNA, SAP and SITA, among others, are embracing use of the Apple Watch and developing applications for it. Moreover, the use of wearable IoT devices can increase employee productivity — a Rackspace study found that productivity and job satisfaction both benefited from their use.

While personally managed IoT devices represent an enormous boon to their owners, they also can create a number of security risks. For example, researchers at the University of Edinburgh were able to circumvent the encryption that Fitbit uses to send data, leaving users vulnerable to theft of their personal information. In 2015, a Fortinet researcher discussed a proof-of-concept that could infect a Fitbit device with malicious code that could then send malware to a PC connected to the device (a claim that Fitbit denied). Researchers at Binghamton University found that sensors in wearable devices could be used to determine passwords and PINs with up to 90 percent accuracy. Apple Watches have been banned from cabinet meetings of UK government ministers over fears that the devices could be hacked and used to listen in on these meetings.

Does your organization have a policy to protect against Shadow IoT? What security measures have you implemented specifically to address this threat? I’d like to get your feedback on what your organization is doing for a future blog post.

Microsoft vs. Google vs. IBM

While there are a large number of cloud-based communication and collaboration solutions available, the “Big Three” in cloud-based communication and collaboration today are Microsoft Office 365, Google G Suite and IBM Connections Cloud (which includes a very good email solution called IBM Verse). I won’t go into what you get with each offering, but you can check out the various components, features and capabilities at the following links for Office 365, G Suite and Connections Cloud.

All of these offerings include robust email, instant messaging, document collaboration, file sharing and other tools, as well as lots of storage. All of these solutions are reasonably priced, although Microsoft’s high end plans are significantly more expensive than the other two (but they also include more capabilities). Microsoft’s solutions require the least disruption to the way that most information workers work, since the vast majority already use the Office suite of Word, Excel and PowerPoint; and Office 365, from a desktop productivity standpoint, is nothing more than a switch from purchasing a perpetual license for these applications to renting them in perpetuity.

From a long-term perspective, however, particularly for enterprise customers, IBM’s solution should be the subject of most decision makers’ serious consideration because of Watson Workspace. Watson, the “computer” that trounced Ken Jennings and Brad Rutter on Jeopardy back in 2011, uses cognitive capabilities to analyze social interactions among information workers. Watson is currently being used for cancer research, tax analysis and other data-intensive applications, but Watson Workspace is specifically focused on using these cognitive capabilities in the workplace. The goal of Watson Workspace is to help workers manage information overload, present the right data at the right time, and otherwise streamline work processes with the goal of making people more efficient. Microsoft and Google have analytics and other capabilities that are focused on similar aims, but neither of these vendors have capabilities that compares to Watson at this point. In short, Watson has the potential to revolutionize the way that people work with one another.

The problem for IBM, however, is two-fold:

  • First, IBM is generally more bureaucratic than either of their key competitors and has a more difficult time moving products from the conceptual stage into stuff that people can actually deploy.
  • Second, Microsoft and Google make it easy to buy Office 365 and G Suite, respectively. IBM does not.

As a test of the latter point, I had one of our researchers run a test to see how long it would take to set up an account in Office 365, G Suite and IBM Verse. She started on a weekday afternoon and found that it took six minutes to complete setting up an Office 365 account, four minutes to set up an account in G Suite — and 31 minutes to set up an account in Verse.

Now admittedly, IBM is not really focused on the single user market to nearly the same extent as Microsoft and Google. But the difficulty and length of time associated with setting up an account are indicative of IBM’s need to make its account acquisition process a bit easier and more transparent. This one-off market can result in the deployment of perhaps a few million seats, a market that just about any communications and collaboration vendor should pursue for its own sake, but also for the potential impact it could have on making these tools more familiar in the enterprise space.

In short, IBM’s communication and collaboration solutions are the best of the Big Three, but also the most difficult to acquire.