Thursday, August 23, 2012

Personal Information. How much is too much?

I read the blog post by Patrick Townsend recently about how Personally Identifiable Information (PII) is protected by law and it got me thinking...  First, PII is information that, alone or with other information, can be used to uniquely identify, contact, or locate a single person. (See also the definition on Wikipedia).  However, in the US, what's considered personally identifiable varies by state.  Some don't give any guidance, some just copy laws from other states verbatim.  Some really try to think about it.  The EU seems to be much more strict than the US, and Germany most strict of all I've studied.

Obviously, a first name + last name + US Social Security Number (SSN) would uniquely identify me.  But so would  my email address.  And my name + date of birth + place of birth is probably close to unique.  My fingerprints or other biometric data clearly would be PII.

But what about protecting or limiting it?  Massachusetts courts have crafted rules to say PII must be protected in documents that will be made public during a legal case.  They give some ideas of what's acceptable and how to fix it:
...In the case of a social security number, taxpayer identification number, credit card or other financial account number, driver’s license number, state-issued identification card number, or passport number, only display the last four digits... 
Do these rules really help?  Probably.  But I don't mind some people or places having my PII.  It can make for a better experience (pre-filled forms on web sites, for example) or that by knowing my location and age they can potentially provide better content for me.  For example, if I'm currently in Tokyo but live in NYC, then based on my age, a website could give me tourist information about either Tokyo Disneyland or Tokyo night clubs. It could do it based on my age obviously, or where I'd traveled before (scary!).  If based on my credit card data or FourSquare checkins, I'd been to Disney World Florida, I might be a good candidate for Tokyo Disneyland.  If I spend hundreds in NYC bars, then maybe something more apt to my tastes.

Also, I know that certain government agencies need PII to do their job (taxes, passports, etc), but the real trick is how to limit PII sharing to a "need to know" basis.  And of course, the devil is in the definition of "need".  Citibank wants to know my total net worth to determine if I'm a wealthy investor or a lowly serf (the latter, I assure you).

But it's the aggregation of PII that scares me.  The web site aggregates Twitter location data, plus Google Street View to make it easily available to see where someone lives, what's nearby and display locally-relevant ads.  See NakedSecurity's blog for more.  More scary is Take This Lollipop which is meant to scare you about what you're sharing on Facebook.  It's worth a good viewing.  Just lock the front door first.

Chef Julia Child would have turned 100 last week.  Did you know she was a spy in WWII?  Her records from the US OSS (precursor to the CIA) are out in the public domain after being declassified.  This includes mundane stuff like her commendations and pay from 1944, but it also included her SSN and a copy of her physical exam.  She was 6'1" and weighed 155lbs. Her blood pressure?  Vision? Hearing?  Heart Rate? They're in there.  (Note it's a 280mb PDF.)  Clearly that's going too far in sharing PII. Even for someone who's been dead since 2004.  There has to be information, and I'm generally of the opinion that open is better (especially for governments) but releasing medical records is too extreme for me.

I guess it's like pornography, I'll know there's too much PII when I see it, but defining how much sharing of PII is too much is complex.  There's certainly no easy solution.

Please comment if you have other good examples of how PII has been used for good or evil.

Wednesday, August 22, 2012

Radical changes in data storage

My first hard drive for my Mac Plus had just 10mb of storage.  It seemed like a huge improvement compared to floppy disks.  It made boot up and program access faster, didn't fail, and fit neatly below the form-factor of my Mac.  Jump forward to today, and I can easily get a USB stick that stores thousands of times more data in a fraction of the space.  However, we have more and more data to store. And those files are getting bigger and bigger.

So while Word file size is growing due to increased use of graphics, revisioning and embedding, the cost of that hard drive space has gone from over $100/mb in my Mac Plus to below $100/1,000,000 mb today (or roughly $100/tb).  Huge improvement.

Now comes the interesting part.  There are new storage tools coming.  Amazon just launched their Amazon Glacier product for long-term storage, at $0.01/100,000 mb ("a penny/gb").  That's game-changing.  Well below 1/10th of current providers. But, be sure, there will be other similar ones too.  Now you know yet another reason why Google is terrified of Amazon.

Oh, and by the way, it's moving storage from a CapEx to an OpEx expense too, but that's a story for another day.

Now, what's really interesting is what's next: DNA.  People have known there's lots of data in DNA.  But gene sequencing has become cheaper and faster; it's potentially the next wave of storage.  Harvard cracks DNA storage. It may not be as fast as a hard drive, but for offline archival needs, 700 tb of data that takes up no power, is stable long term, and is about the size of a raisin is a pretty good start to revolutionizing the storage industry yet again.

Wednesday, August 15, 2012

Spoiled by video collaboration

I re-learned a very important lesson yesterday. Video collaboration is useful when everyone can follow along, but where it becomes priceless is when you're confused.

I requested a presentation on a particular topic from a partner.  They arranged a salesperson to come and present to us.  The problem was, he didn't understand our business, my goals in asking for the meeting, or the problem I wanted to solve. It was not even a close fit.  We were looking for apples and we got t-shirts.

Don't miss the feedback!
The worst part was, the salesperson didn't know.  We were on an audio call.  The presenter sent along slides just before we started.  (They were from 2005!)  Had I seen them beforehand, I could have called it off.  But I didn't.  I just let him go on and sat through his presentation. (Keith Brooks would say it was a Sales Presentation that Sucked.)

But that was my fault.  The presenter was on audio.  There was no out-of-band feedback mechanism.  Had he been on video, he could have seen our eyes glazing over.  He would have known we were confused.  Maybe bored.  Or worse.  He could have known to ask questions to ensure our engagement.  But he didn't know. No feedback.

Sleeping?  At least you know how much
I'm paying attention to the presentation.
When you're on video, you can see the audience.  You know when it's time to stop with the slides.  When you have to grab their attention back, be it with a joke, a stretch, or just a check-in.  It's this ability to get the non-verbal feedback that I really appreciate.  It's something that I've become so accustomed to, using video working at Polycom, that I took it for granted.  Just doing an audio-only sales presentation (even with HD Voice) is not interactive enough.

If you think low-quality postage-stamp video is useless you're right.  But today's HD video collaboration, 1:1 or with multiple participants  on the screen, really helps me be more effective.  Certainly it would have helped this seller know that his message didn't get through. I can't imagine having meetings where we're not face-to-face anymore; where audio is my only option.  To me, I've re-learned the lesson:  you're engaged when you can actively participate.   Verbally, non-verbally, some other way.  I'll take video every day.

By the way, don't have business-quality video yet?  Download Polycom's free video client in your favorite device's app store (search "Polycom")  or for your Mac/PC.

Friday, August 3, 2012

Poor password capabilities frustrate me

There's really no excuse.  There's no excuse at all for weak password capabilities, especially for financial services companies. 

I recently attempted to increase the complexity of my online banking passwords.  It should have been simple, but the dizzying array of requirements made it more difficult than it needs to be. And the requirements were awful!  I don't mind if complexity isn't required (ok, I do, but that's a different issue)  but let me pick whatever password I can remember.

There are dozens and dozens of sites that describe what is a good password, and how to choose it.  For example, see Microsoft, Google, Naked Security and xkcd sites.  However, the password capabilities on the system have to support strong passwords.  I found that many banking systems did not.  Let's start with what I wanted to use.  It was similar to:
      ValidSpeedLimitzR: {30|45|55}nearHome
but I couldn't even come close. Forget that it's 37 characters, it's easy to type, secure and I can remember it.  The problem was the password capabilities on the online banking system.  They limit password entropy and make it less secure.  See below: 

American Express:
  • Must be different from your User ID
  • Must contain 8 to 20 characters, including one letter and number
  • May include the following characters: %,&, _, ?, #, =, -
  • Your new password cannot have any spaces and will not be case sensitive.
  •  Must contain 7-32 characters
  •  Must include at least one number and one letter
  •  Cannot include special characters (&, %, *, etc.)
  •  Cannot be the same as your User ID
  •  Cannot be the same as any of the last five Passwords you've used
  • Password must be 6 to 32 characters long and contain at least one number.
  • No special characters 
Fidelity Investments: 
  • Use 6 to 12 letters and/or numbers
  • Do not use symbols, punctuation marks, or spaces (e.g., #, @, /, *, -.)
Granted, some special characters are hard to type on mobile devices like iPhones and iPads. And in the "olden days" you worried about people embedding HTML or JavaScript inside an improperly parsed form field so that may be a motivation not to allow special characters.  But, there's no reason not to allow a long password.  No real reason not to allow special characters or spaces today.  And certainly there's no possible reason NOT to make it case sensitive. I'm not saying require them because that's a whole other discussion, just permit it.

How can we expect to encourage users to use strong passwords if the systems don't support them?  Come on financial companies, you must do better!


Update 1: 2012-08-03

I was so frustrated, I sent this tweet to @AskAmex:
@AskAmex I changed my online password and found weak pw policies--not even case sensitive! Why not?

to which @AskAmex replied:
@luriep Hi Peter, thx for feedback. Our PW policies meant to be secure but easy for our customers to use. Use %&_?#= for addl security. ^M

Which, of course, is bogus:

AmEx suggests {AZ09%&_?#=} = 42 characters
Stronger way: {azAZ09%&_?#=} = 68 characters (although I'd argue you should support 32 and not 6 special characters, but that only makes the point much bigger)

42 is less than 68 and the difference skyrockets when you take it to ^8 or ^20 (based on pw length).  I don't see their password policies as anywhere near as secure as they very easily could be...
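
The comparison above can be checked mechanically. The sketch below is an added example, not part of the original post: it models the American Express and Fidelity rules as listed, reports each policy's alphabet size and upper-bound entropy, and shows why the passphrase from the post is rejected. The Policy class and its field names are made up for illustration, and Fidelity's case sensitivity is an assumption since the post does not state it.

```python
import math
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Policy:
    min_len: int
    max_len: int
    specials: str            # special characters the site accepts
    case_sensitive: bool
    allow_space: bool = False

    def alphabet_size(self) -> int:
        letters = 52 if self.case_sensitive else 26
        return letters + 10 + len(self.specials) + (1 if self.allow_space else 0)

    def max_bits(self) -> float:
        # Upper bound only: a uniformly random password of maximum length.
        return self.max_len * math.log2(self.alphabet_size())

    def violations(self, pw: str) -> list[str]:
        # Character-set and length rules only; composition rules
        # ("at least one number") are left out of this sketch.
        problems = []
        if not self.min_len <= len(pw) <= self.max_len:
            problems.append(f"length {len(pw)} outside {self.min_len}-{self.max_len}")
        allowed = set(self.specials) | ({" "} if self.allow_space else set())
        bad = sorted({c for c in pw
                      if not (c.isascii() and c.isalnum()) and c not in allowed})
        if bad:
            problems.append("disallowed characters: " + "".join(bad))
        return problems

# AmEx rules from the post, with the six specials named in the @AskAmex reply.
AMEX = Policy(8, 20, "%&_?#=", case_sensitive=False)
# The post's "stronger way": identical, but case sensitive.
AMEX_CASED = replace(AMEX, case_sensitive=True)
# Fidelity rules from the post; case sensitivity is assumed, not stated there.
FIDELITY = Policy(6, 12, "", case_sensitive=True)

WANTED = "ValidSpeedLimitzR: {30|45|55}nearHome"   # passphrase from the post

if __name__ == "__main__":
    for name, p in [("AmEx", AMEX), ("AmEx+case", AMEX_CASED), ("Fidelity", FIDELITY)]:
        print(f"{name:10} alphabet={p.alphabet_size():2} "
              f"max_bits={p.max_bits():6.1f} rejects: {p.violations(WANTED)}")
```

Turning on case sensitivity alone adds roughly 14 bits at the 20-character maximum, before any change to length or special characters.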

Wednesday, August 1, 2012

No Microsoft allowed? Really!?!?

I had a meeting with a customer (who shall remain nameless) and the account rep told me that I was not allowed to bring in any Microsoft products.  The customer was adamant.  None!

Now I am a tech guy with an Android phone, an iPad, and a few PCs.  I have WinXP, Win7, and Ubuntu running on different laptops.  I run virtualization software and have several images with other OSes.  Our corporate standard is Win7 and MS Office suite.  Not the most "non-Microsoft" environment.  I find the right tool or environment for the task and get the job done. Isn't that really what productivity and work are all about?

However, even for me to go Microsoft-free takes some planning.

In addition to PowerPoint, I have OpenOffice and Lotus Symphony, so doing the presentation was easy.  I converted it to PDF, to make it universal and I preloaded the presentation onto my iPad.  I run both IBM Sametime and Microsoft Lync, so I had to hide the latter client on my devices.

I am not an anti-Microsoft bigot, but I do try to respect the client's wishes, no matter how unusual. But I learned something from this.

When I was done, I realized that I had a pretty much open source or freeware PC environment.  I had a bunch of $0.99 apps, and yet could be productive.  I don't know if it makes me flexible or foolish wasting time managing and learning different environments.  All I know is the client's requirement was understood, and they were able to listen to me without distraction.

Thankfully, I didn't have a Windows phone.

Oh, and this post was done on my iPad, using a Linux based MiFi, typed in a paid app and uploaded in Safari onto Google Blogspot. Microsoft free.