Identity / Profiles / Trust

Worrying news from Ars Tech re Journal of Consumer Research* paper on making people hand over privacy data - we are not ratinal and and over more intimate details to (probably) riskier sites:

The researchers set up two survey web pages, one of which looked very official: it had the Carnegie Mellon University seal, and referred to a "Carnegie Mellon University Executive Council Survey on Ethical Behaviors." The other, well... Comic Sans featured heavily in the site design, and the survey page was entitled "How BAD Are U???" In a pre-test, far more people rated the official-looking page as a safer option for transmitting personal information.

When put to the test, however, the exact opposite occurred. Depending on the question, participants who used the How Bad ARE U version admitted to unethical or embarrassing activities at a rate of 1.74 to 1.98 times that of those who were given the professional version. In a separate survey, participants rated the same questions as less intrusive if they were presented in Comic Sans—even though there was no difference in the ratings of the activity's social desirability between the two survey populations. In short, an unprofessional-looking interface seemed to loosen participants up in the same manner that approaching a question indirectly did.

Also.....

[The researchers] collaborated with The New York Times to create a web survey entitled "Test your ethics," which asked participants to rate the ethicality of a set of actions. But, in the process, users were asked to indicate whether they had ever engaged in those activities, under the pretense that it might color their ratings.

Answers varied a great deal based on the perceived intrusiveness of the question, but one pattern became clear: it was possible to get more people to answer that they had engaged in a given behavior if their own behavior was approached indirectly. If participants were asked about their participation as part of the rating process, they were about 1.5 times more likely to admit an ethical misstep than if they were simply asked point blank as a separate question. This suggested that a casual approach, which puts a participant at ease, is more likely to get them to cough up personal details.

Add to that the way gaming reward functionality is increasingly used (Gaming rewarsd have been shown to be effective at getting people to divulge stuff as they rewad them for it) and you have a perfect culture for privacy raiding.

*There is no link to the paper unfortunately, so I haven't actually read it. Ars Technica is one of he more sanguine blogs however.

Both Forrester and Ars Tech try and explain why the Intel/McAfee deal is being done:

Forrester:

1. This is not just about “antimalware-on-a-chip-for-smartphones”. Another side-effect of people not understanding the deal is that they oversimplify it by reducing it to this one aspect...... this is about a wide range of embedded security features (not just AV, but data security and system integrity) on a wide range of devices.

2. Intel needs McAfee to thrive as a software business in its own right. In some areas, embedded security will be fully contained In the chip/system: such as Intel’s XD bit technology.

3. We need to look beyond Wind River as a model for how McAfee/Intel should evolve..... The wisdom of the Intel-McAfee deal and long-term success of McAfee will hinge both on future acquisitions and support of its growth as a stand-alone security business and also on Intel’s ability to combine McAfee technologies and its own in new ways.

4. Anti-trust concerns are avoidable or surmountable.

5. The price is quite reasonable. McAfee..... is at a 3.4x multiple. Compare that to other security acquisitions .... such as Websense's 2007 acquisition of Surf Control (3.8x), Check Point's 2007 acquisition of Pointsec (8.8x), or IBM's 2006 acquisition of ISS (3.2x).

Ars Tech:

Security is Job One

At the most recent Intel R&D day, Intel CTO Justin Rattner did a Q&A session with the press in which he was asked something to the effect of, "What do you spend most of your time working on these days?" Rattner didn't hesitate in answering "security."

Moving up the stack, and then off the stack

Intel's years of experience with vPro and its predecessors have no doubt confirmed to the company that providing silicon-level support for advanced security and remote management technologies is a waste of time if no systems integrator or popular software vendor implements them in some kind of consumer- or business-facing product or service.

Why they did it

In explaining its purchase of McAfee, Intel has clearly indicated that the real impact of the purchase won't really be felt in the computer market until later in the coming decade—this is a long-term, strategic buy. This statement fits with the idea that acquiring McAfee is Intel's way of bringing vPro and subsequent security efforts directly to businesses and consumers by just buying out the middle-man. The McAfee purchase gives Intel an instant foothold on countless PCs, a foothold that Intel itself would have to spend years building (if it were even possible).

I'd be happier if (i) they agreed with each other and (ii) that word "strategic" didn't keep popping up (I ciulled a lot of the text in both articles, so you can't see it but you can get the sense even from what I pasted up).

In other words I still don't think anyone really knows what is going on.

Intel bought McAfee fo 60% over share price today - GigaOm:

Intel CEO Paul Otellini said in a statement: “In the past, energy-efficient performance and connectivity have defined computing requirements. Looking forward, security will join those as a third pillar of what people demand from all computing experiences.” The price Intel agreed to pay for McAfee — which had revenue of $2 billion in 2009 and has gross profit margins in the 80-percent range — is a 60-percent premium to its trading price prior to the announcement.

Quite - its all about The Cloud - but McAfee? And a 60% premium - $7.7bn for the thing, in cash - at exactly the time when many newer, cheaper (and dare I say better) security software companies are popping out the woodwork? Elsewhere its been justified as a deal "about mobile" but I don't get that either for the same reason as above.

I rather liked a comment on TechCrunch:

It’s simple really. McAfee’s software slows down your computer enough that you need a faster Intel CPU. Intel now has direct influence over the main driving factor behind people purchasing new PCs…

That is about the only way this makes any sort of sense to me at the moment. To be watched.....

People are not ready for the Technology Revolution says Eric Schmidt - RWW:

Eric Schmidt spoke at the Techonomy conference in Lake Tahoe today and dropped some serious rhetorical bombs. "There was 5 exabytes of information created between the dawn of civilization through 2003," Schmidt said, "but that much information is now created every 2 days, and the pace is increasing...People aren't ready for the technology revolution that's going to happen to them."

This does't really bear up under scrutiny - what he means is that (i) more of the information is created digitally today (people have been creating information since the dawn of time, its just that until Twitter your inane witterings about your cats and lunch were lost on the wind - probably a good thing really), (ii) there are more people on the planet than ever (talking about lunch and cats etc) and (iii) more of it is stored online - and searchable by Google - than ever (I have had photos in my computer for at least 15 years, its only more recently that Flickr, Facebook etc arrived).

As one wag remarked in the comments, most of the new information exabytes are arising because the web porn industry is converting all its pictures to HD. (It also begs the question about whether a lot of this newly capturable information is worth having).

But that is just standard corporate stuff, and serves more to illustrate how dim many of the pundits are when they don't pick up on the obvious logical fallacies in the argument. Far more serious is his latest broadside in his War on Privacy:

"If I look at enough of your messaging and your location, and use Artificial Intelligence," Schmidt said, "we can predict where you are going to go."

"Show us 14 photos of yourself and we can identify who you are. You think you don't have 14 photos of yourself on the internet? You've got Facebook photos! People will find it's very useful to have devices that remember what you want to do, because you forgot...But society isn't ready for questions that will be raised as result of user-generated content."

In addition to predicting personal behavior, diseases and other crises will become predictable as well, Schmidt said.

On the misuse of information for criminal or anti-social purposes:

"The only way to manage this is true transparency and no anonymity. In a world of asynchronous threats, it is too dangerous for there not to be some way to identify you. We need a [verified] name service for people. Governments will demand it."

Lets just unpick that line of reasoning:

- Firstly he is arguing that if Google et al can see enough of your on-net activity they can predict our behaviour very accurately

- Secondly, he is arguing that you have a duty to be totally transparent and visible to make it easier to do this

- Thirdly, that this is OK as its being "ready for the Tech Revolution" and because Governments will demand it anyway.

In other words its Big Brother Time (and I mean of the Orwellian variety, though it may look like turning everyone into a contestant on Big Brother in execution - Reality TV becomes Reality).

Of course, one could be a mite cynical - as one RWW commentator put it:

Once again, the end of anonymity predicted by a tech entrepreneur who personally stands to gain many billions of dollars just as soon as people give up their privacy (or have it banned). Never would have seen that coming.

One could also argue that ths is typical Google in its lack of a "social" DNA - if the Algorithm can't be reprogrammed to predict The People, then godammit we need to reprogram The People until it does.

Nevertheless, this is quite worrying stuff given that (i) this chap runs Google who is spending a lot of lobbying and influencing money globally, (and is given "Techonomy" platforms and the like), (ii) he is not the only tech entrepreneur who can make billions out of reneging privacy and (iii) so few people are protesting about all of its implications.

But for the record, you do not have to believe in the wholesale loss of anonymity, 100% transparency and total subjugation of your data to Google and Government to be "Ready for the Technology Revolution. In fact I'd argue that any "Revolution" that demands this is more about Enclosure and Control than any form of Liberte, Egalite and Fraternite.

Fred Wilson on RWW talking about premium privacy:

Wilson suggests that while large companies like Twitter, Facebook, Google and Yahoo could set a precedence for privacy, from an infrastructural outlook it is harder for them to roll back and scale permissions to their huge social graphs.

He says, "The challenge for large social networks is to undo permissions that they've already given. Meanwhile, a startup is at an advantage as they can build something from scratch that allows the user to predefine the data terms for sharing."

Our own Marshall Kirkpatrick has criticized a number of Facebook's privacy policy decisions, and Wilson echos this need for user education and control.

"When you reveal your specific location, it's very important that you have control over that... There are business opportunities in privacy-related services," Wilson says. "The challenge is to get someone [whether business or consumer] to pay $2-$10 dollars per month to ensure that sort of premium privacy."

Three very interesting implications which come out of this:

(i) There is an increasing opportunity to use privacy as a differentiator vs the existing SocNets - my own view is stronger than Fred's in that I think there will be a large backlash against the current privacy scrapers. You won't see it in massive user turnoff, more just the slow reduction in activity and people who still "live" on that site until it becomes an online Ghost Town.

(ii) Privacy potentially has a business model of its own, called pay-conomics - but how to get most people to pay $24 - $120 per annum is not easy. I thus suspect these services will have to offer more than simple social connectivity. Clearly location based gaming is one extra suit, but (in my view anyway) its possibly a fad, or (more likely) a feature that will be integrated into more comprehensve services.

(iii) Who will use Premium Privacy? In my view it will be the same outcome as Free to Air (Ad supported) TV - ie the people with money will opt for a No Ads / No Scrape service (thus removing the most valuable people the Ads / Scrapers want to target) while the remaining 80% get left to the mercy of crappy "Free to Scrape" SocNet services.

I await with interest to see which Private SocNet Fred winds up funding

Rather interesting observation yesterday - I was busy with client work so couldn't attend the Grauniad Activate 2010 conference, so I dipped in (as is my wont) to the User Generated Twitterstream (#activate2010). At the same time there was a Guardian liveblog and a moderated Twitterstream from its Journalists was going on.

What was interesting to me was the massive degradation in the User Generated Twitterstream. Last year, and early this year, you could tune in to such Twitterstreams and get a fairly decent "user generated media" view of what was going on. The "User Generated" Activate Twitterstream yesterday was....well, "unhelpful" would put it mildly.

Key issues I spotted were that retweeting of content was far more focussed than before, but not in a good way - the main focus was on:

(i) Uncritical mass retweeting of "soundbite sayings" - "Kool aid" homilies etc

(ii) Similar mass retweeting of very dubious statistics, again totally uncritically.

(iii) In fact my impression overall is that the Twitterstream was becoming an "empty vessels making the most noise" mode of communication. The Retweeting seemed more about marking cyberterritory by pissing on the digital lamp-posts than actually communicating anything.

The disparity between the Twitterstream and the Grauniad "Journalist Generated" Liveblog and Twitterstream became more and more marked as the day wore on, leading me to ormulate two hypotheses for "User Generated Media" going forward:

(i) The "Citizen Reporter" on the twitterstream, who was a pretty reliable eyewitness 2007-9. is increasingly being drowned out by flacks, fanbois and noisy numpties. "Proper" mainstream media journalism again is becoming a far more trusted source. The age of "You Media" is over.

(ii) I eventually stopped watching the Twitterstream, setting up a temporary stream from a group of people whose views I trust that were there. In other words, the Twitter Signal to Noise ratio is gettng to the point where filtering the folksonomy by trusted source will be essential.

The obvious lesson for presenters from yesterday is that using mental bubblegum soundbites that send the twitternumpties into RT frenzy is a far more effective way of getting your message across than any reasoned argument. That was ever thus, true - but the only danger with this, I would argue from my reasoning above, is that over time it degrades to lowest common denominators sans moderation - a tragedy of the commoners, as it were. It will work like online advertising - you do it to get to the most influential people, but they are the first to avoid it - so you wind up banging your gong to the digital peasantry.

And on the way, the countless retweeting empty vessels toll the death bell for Citizen Journalism on Social Media platforms.

No what surprises me a lot about this post is that I wrote it! I'm no friend of the MSM, and a fan of the whole "2.0" thingy in general, but what this showed me is that, left to its own unfiltered devices, "User Generated" content is a lot like a the h3nry Sewer of Life - what you get out of it depends on what you put into it. And like that sewer, if what is being put in is a lot of crap.....

As an aside, it may also mean that the Good Stuff in future will be found behind Times style paywalls and what you get for free is increasingly Ad-peddled and raddled sh*t (as the Economist implies today - but the article is, newly, behind a paywall.....).

News reaches us today that Facebook has reacted to the global worres about privacy abuse by hiring a Beltway Lobbyist - Washington Post:

Facebook said Thursday that it is expanding its global policy team and poached from the White House, hiring as its new vice president of global public policy, Marne Levine, chief of staff of the National Economic Council.

In her new role for the Silicon Valley social networking Goliath, Levine will oversee the company’s interaction with governments and non-governmental organizations around the globe as the company reaches 500 million users worldwide, Facebook said in an announcement Thursday.

She will be based in Washington, just as the firm builds its local policy and lobbying team to address growing interest by lawmakers and regulators on how the social networking giant is dealing with issues such as copyright, security of children online, and privacy.

Levine will also help the firm build its policy teams in Asia, the Americas and Europe, the company said.

If you can't beat 'em, buy a Lobbyist (or, if you pefer this homily; when the going gets tough, the tough get lobbying). We have thus updated our Facebook Privacy Algorithm to take this new step into account (see above).

The serious (as opposed to satirical) point is that Facebook has gone from groovy startup to large lobbying corporate in remarkably short time, driven in the main by the increasing conflict between their commercial model which demands exposing ever more private user data, and the growing concerns of privacy activists, legislators and - increasingly - citizens.

This follows fast on the heels on the publication of a Facebook Fanbook (every large US privacy invading company has one....)

Apple is the latest to get into the location data mining gold rush - LA Times:

Apple Inc. is now collecting the "precise," "real-time geographic location" of its users' iPhones, iPads and computers.

In an updated version of its privacy policy, the company added a paragraph noting that once users agree, Apple and unspecified "partners and licensees" may collect and store user location data.

And if you don't agree to the new T&C?

When users attempt to download apps or media from the iTunes store, they are prompted to agree to the new terms and conditions. Until they agree, they cannot download anything through the store.

Charming. Nothing like a spot of voluntary opt in via involuntary service cessation. This is but the start, as you can still switch your location tracker off on the iPhone - no doubt over time many functions willl just stop working if you do though.

Apple says the data is anonymous and does not personally identify users, but that's incorrect - as the LA times notes, large specific data sets can be used to identify people based on behavior patterns. Why the move - Advertising, of course:

On Monday, Apple also rolled out its new advertising platform, iAd, for the latest version of its iPhone operating system (iOS 4). The company may well be integrating the location information into its advertising system -- for instance, to help local shops sell coupons to users in the neighborhood.

They are already taking revenue from selling the device and aggregating/selling the content, to take a rake from location and Ad serving is as close to a total end to end value extraction as you can get.

The quid in this pro quo seems to be to give the vendor access to your location data too.

An increasing number of iPhone apps ask users for their location, which is then used by the application or even uploaded to the app's maker. Apps like the Twitter application Tweetie and Google Maps make frequent use of location data, either to help the user get oriented geographically or to associate the user's action with a specific location (as when a tweet is geotagged).

However, owing to the value chain lock-up there certainly won't be much value left for any application content provider (assuming there is any now), so this is not just caveat emptor, its caveat vendor as well.

One of the main points of mobile telephony over the last two decades has been its closeness to the user, and its use as a private device. I await with interest the public reaction to apps that won't work unless iPhone location beacon is turned "on". Maybe is just my view, but over the last decade many location tracking devices have been trialled and failed as people - by and large - do not like to be tracked all the time, or set the expectation that they are alwys trackable.

It would seem those nice people at Google were forgetting the "Do No Evil" motto when it came to sending out their StreetCars with the desire to sniff Wifi while snapping Pix - El Reg:

The software worked with Kismet - packet-sniffing software. gslite then parsed header information from any unsecured wireless network it passed. Kismet hopped channels five times per second in order to grab as many networks as possible.

The paper said that frames from encrypted networks were discarded by gslite. Unencrypted bodies were written straight to disc, but not parsed by the program.

Privacy International believe this represents criminal intent - data protection law does not normally allow the interception of communications in this way.

PI said: "This action by Google cannot be blamed on the alleged 'single engineer' who wrote the code. It goes to the heart of a systematic failure of management and of duty of care."

Gslite made no attempt to parse the body of any messages or file transfers, but it also collected numerical identifiers of kit attached to the network.

The program linked the information collected with GPS data from the car. The analysis notes that the GPS system provides geolocation data rather more slowly than network data so gslite corrects the difference between the two
before storing the file.

PI's blog post is here, and it also has a link to the pdf report.

The "rogue engineer" theory was further undermined by Google's legal eagles' earlier moves to patent the network sniffing technology.

Anyone remember the "Rogue Interns" that were wheeled out at various times by companies last year when they ushed the boat ou too far?

Anyway, we have - after painstaking analysis - realised we can discern the Google Algorithm used for making privacy decisions in this case (see above diagram). One wonders if it applies more generally.....

Following the Facebook (un)privacy furore that Facebook initiated with its F8 revelations, they have now got to that stage in the process where the Apology and the Promise of Changes is made (see our analysis of the Facebook Privacy Foxtrot here). Today it came, in the Washington Post:

We have also heard that some people don't understand how their personal information is used and worry that it is shared in ways they don't want. I'd like to clear that up now. Many people choose to make some of their information visible to everyone so people they know can find them on Facebook.

That's the apology, in case you missed it - you dumb or something? And now, a restatement of the Credo:

We already offer controls to limit the visibility of that information and we intend to make them even stronger.

Here are the principles under which Facebook operates:

-- You have control over how your information is shared.

-- We do not share your personal information with people or services you don't want.

-- We do not give advertisers access to your personal information.

-- We do not and never will sell any of your information to anyone.

-- We will always keep Facebook a free service for everyone.

Cough! You Wot? The systemic abrogation of the first 3 (and some suspect 4) points is the reason so many people are up in arms, dont'cha know! Still, this sort of doublespeak is pretty bog standard Facebook practice, what is more interesting is what they will actually do about it all:

There needs to be a simpler way to control your information. In the coming weeks, we will add privacy controls that are much simpler to use. We will also give you an easy way to turn off all third-party services. We are working hard to make these changes available as soon as possible.

Ah, the fine balance between giving the users what they want (easy and powerful control of privacy) and what Facebook wants (economic advantage from passing their data on) . Still, lets see what actually gets done - that after all is the acid test.

But something we suspect we will never see from Facebook (probably until regulation enforces it) is to move the default mode to Opt In, rather than Opt Out.

So, to help that process along, I include the helpful cut-out at the top of the post.....