Expert Texture Home Contact me About Subscribe Digipede Connect on LinkedIn rwandering on Twitter rwandering on FriendFeed

rwandering.net

The blogged wandering of Robert W. Anderson

Archive for Attention

Digital Signatures != Notary Public

I am in the “pro email encryption” camp. If encrypting all email communications was easy enough, I would do it. I won’t get into “easy enough” here, but the issue is really about encrypting for a particular recipient, most of whom don’t care about encryption in the first place. I used to routinely digitally sign my emails as well, but stopped doing that for the same reason — most recipients didn’t know what to make of it.

Anyway, I’m coming to this topic now indirectly because of Google’s new “End to End” product / plugin / stance.   Sounds cool, and I’m sure I’ll check it out.

In A World without Hearsay, Jon Udell tackles the question of why he used to digitally sign his emails and then discusses an argument made by Yaron Goland in a post with a very long title: Why Google’s support of PGP Mail might not be such a brilliant idea – Or, why I don’t like digital signatures for social networking and how Thali addresses this

In that post, the author likes digital signatures to a roving notary public:

A digital signature is intended to be an authenticator, a way for someone other than us to prove that we did/said something. When we use digital signatures for momentous things that should be on the public record, like mortgage documents perhaps, then they serve a good purpose. But with PGP Mail we suddenly sign… well… everything[2]. It’s like having a notary public walking behind you all day long stamping every statement, note, mail, etc. as provably and irrevocably yours.

I don’t think we want such records to exist. I think we want a much more ephemeral world where the bulk of what we do just quietly vanishes into the ether leaving as little of a trail as possible.

I completely agree that we would be better off in a more ephemeral world, but the notary public analogy is completely wrong.

A notary public does in fact record (in a physical record book) every action, along with a physical signature and a fingerprint (noting that the specifics may differ across jurisdictional boundaries).  Signing one’s own email does no such thing.  It does not create a record, and does not make cause the email to become more permanent than it was without a signature.

It may be harder to deny that you wrote it; however, the more automated (or easy) it is to make such signatures, the less likely that such emails will have any weight over a non-signed email in a court of law.

To be clear, I’m not harshing on Thali — I have no opinion on that right now — I just don’t think the signature/notary argument has merit.

 

Tags: ,

Recording your Energy Attention

Attention applied to Internet and media use has come to mean the what, where, and how you do and don’t spend time.  For example, are you reading your news on Google or NYT? Do you use a portal like MSN or Yahoo? What do you do on Facebook?  Such information, or attention data, can be quite valuable, especially when correlated with other information.  Many companies rely on this concept, both implicitly and explicitly.

This use of the word attention, though, doesn’t apply only to the Internet and media.  It also applies to plain-old products too – which cereal you eat and where you vacation, etc. – in fact, it can apply to everything.

So, it follows, that energy attention is the subset of your attention as it applies to energy:  what, where, and how, you do and don’t use energy.  Just like the more general attention data, such data can also be quite valuable, both to you in reducing your energy use and costs, but also to third-parties for marketing and sales purposes (note that carbon attention overlaps with energy attention, but I am not going into that now).

Electric and Gas utilities record one major aspect of your energy attention today:  your electricity and gas usage data.  Most utilities provide these data back to their customers in summary form on bills, and many provide it in more detail.  My local utility, PG&E, provides me with hourly electricity and gas usage data through their Web portal.

While functional, I wanted real-time usage data.  My first thought was to use the GE SmartMeter that PG&E installed.  While the data could be retrieved from there, my access to it is on an unknown schedule with an unknown feature set.  The California Public Utilities Commission, utilities, vendors, and other stakeholders have been wrangling over issues central to the ownership and sharing of such energy attention data.  Both the Commission and PG&E have good reasons to be careful with this data:  PG&E installed and owns that meter and paid for it with rate-payer monies.  There is a decent (though somewhat dated) overview at Giga OM.  And while the Commission released an update to their proposed decision (PD) yesterday (here), the wrangling isn’t over.

So instead of waiting for this to all get resolved, I followed Jon Udell’s lead and installed The Energy Detective 5000 (TED 5000).  This monitors my home electricity usage in real time, giving me immediate access to my own energy attention data.  This to me, is exactly in the spirit of the Attention Trust (AT), an organization that I did some pro-bono work for in the past along-side of Steve Gillmor.

Now what does this have to do with attention and the AT?

Back in 2005, the AT was formed to assert user rights over attention data, specifically as it related to that data collected by Internet  services.  For example, Google tracks user attention (through clicks and time on pages, etc.) and uses that  information for operating their various services.  You consent to their right these data  through their Terms of Service (TOS).   The AT asserted that the user also owns these data.  To assert this ownership, the AT provided the Attention Recorder with which a user could record their own attention data from the browser.  The act of capturing such data from the user side of the firewall ended the discussion of who owned the data.  Yes, the Internet service has their copy and can use it based on the TOS, but the user owns the data too.

So, the TED 5000 is my own personal Energy Attention Recorder.  I assert ownership over the data and authority to do anything I want with it – including exposing it to any third-party service I so choose.

Interestingly, the PD issued yesterday names the TED 5000 specifically (although in reference to a utility comment).  This is in response to one of the CPUC questions (paraphrased):

Does the Commission have authority over entities that receive information on a consumer’s energy usage from meter sources other than a utility?

While the Commission has deferred this question, it is clear that they will face an up-hill battle on protecting consumers from their own
actions.

I, for one, claim ownership of my own energy attention.

Tags: , , , ,

Angels don’t belong in hell

Robert Scoble makes some good points about Angel Gate in his post The secret hell of tech industry angel investors.

I mostly agree with what he says, except I think his underlying premise is wrong:

It’s good for entrepreneurs and good for users to have angel investors caught in hell. When they feel they have to spend more money to stay in the game, that’s good for all of the rest of us (press, users, entrepreneurs).

First, there really is a place for the classic angel – that is, the Ron Conway kind that is in it to help entrepreneurs succeed.  I don’t think it helps anybody if these angels are “in hell.”  The angels that Robert talks about are really VC in my book and frankly I don’t think they belong “in hell” either.  Now some do, of course . . .

Second, more money thrown at entrepreneurs is not in and of itself a good thing. On some level it gets more people building companies, but does it really get more people innovating?  Before the “dot bomb” hit, the same thing was happening in VC.  Everyone and their brother formed a venture company and all sorts of things were funded that were patently ridiculous.  That was a part of why the crash happened.

Tags:

PDC 2009 Day #2: Silverlight 4

Lots of great new stuff in today’s beta.  A few things that stand out:

  • Hosting HTML
  • Context menus
  • WCF and REST enhancements
  • Support for RIA Services
  • Drag & Drop
  • Running out of sandbox for trusted apps
  • Sharing components between .NET 4 and SL 4

Lot of other things too.  I’m excited to start using this.  Also a shout out to Tim Heuer – he has helped me on a few things before and I got a chance to meet him today.

Those of you following NewsGang will know why I am very excited about these Silverlight developments.

Tags: , , , ,

Facebook backs down

Yesterday I posted about the change in Facebook’s TOS.  I thought they might back down, but I didn’t think it would be this fast.

The old terms are back in effect: delete your account and so goes your data.

A minor success for users everywhere – even those who don’t think this stuff matters.

Tags: , ,

User-beware of Facebook

Plenty of people are up in arms about the recent Facebook TOS change. 

The change?  Before Facebook relinquished their rights to your data if you deleted your account.  Now they don’t. 

I don’t have a problem with this new policy.  I do have a problem with the new part.

Of course, I’m not arguing whether Facebook can legally make this change, but it does violate their user contract.  I’m not talking about a legal TOS, but of an understanding with their users.  What is the problem?

  • Facebook has just asserted ownership to something that they didn’t claim ownership to before.  And this isn’t future data, this is past data.  Data you already contributed to Facebook with an understanding that they wouldn’t keep it.

This is another example of what I call the user-beware contract – where the TOS can change at any time without notification. 

So, what is the user-aware way to make such a change?

  • Maintain their old policy for data in Facebook before the change.  This bifurcates user data between before and after the policy. Delete your account?  Old data goes away, new data does not.

OK, but this is still a user-beware contract.  What else should they do?

  • Require users to opt-in to the new policy.  If they opt out, either delete them or let them continue the old policy.

I’m sure Facebookians (and any one hosting a large service) is rolling their eyes at this point.  But just because being user-aware is inconvenient doesn’t make it infeasible.

And a shout out to Ned Sykes for prompting this post: no, I’m not concerned about Facebook stealing my tweets, but as a voice in user rights, I am interested in promoting TOS that are pro user.

BTW: The user-beware/user-aware terms are defined in my post User Contracts – Part II: User Beware.

Tags: ,

Live Writer 14.0.8064.206

I just recommended the new Live Writer for having a “check for updates” feature, but apparently that feature didn’t work.  From Joe Cheng of Microsoft:

Well… this is embarrassing. We just released an update that’s newer than 14.0.8050.1202. One of the two bugs it fixes, is that our “Check for updates” mechanism broke irrevocably in 14.0.8050.1202 and earlier builds. :(

If you download the new version from http://download.live.com then “Check for updates” will work again. Sorry for the inconvenience!

So, if you aren’t at least at version 14.0.8064.206, then you should upgrade again.

Tags: ,

Live Writer 14.0.8050.1202

livewriteraboutI just upgraded to the latest Windows Live Writer. 

It looks better and now it renders my blog template correctly.  Maybe there are more features I’m missing.

It is worth upgrading it just to get the “Check for updates” feature.  So you never again have to figure out how to upgrade it (see Jim’s rant here: Sighcrosoft – Why Can’t I Just Love Live Writer Without Confusion?).

Strangely enough, its now easy to upgrade here:  http://download.live.com/writer.

Tags: ,

OpenID and the Relying Party Patchwork

Recently I have been thinking and writing about OpenID.  My thoughts have centered around two topics:

  1. Sharing one credential across all of your Internet services is not a good idea.  See How many OpenIDs do I need?
  2. The OpenID vision isn’t ready because there is not yet an ecosystem for Internet services (i.e., Relying Parties) to rate the trust level of an arbitrary Identity Provider.  See OpenID isn’t ready for prime time.

This led to a conversation with Bill Washburn, Executive Director of the OpenID Foundation. He was a pleasure to talk to and receptive to my ideas and concerns.  I left that conversation with an interest in contributing to OpenID through my writing.  I have been pretty pegged lately on other activities, but found the Microsoft HealthVault announcement interesting because it is at the intersection of these two topics. 

What is the announcement?  That Microsoft’s HealthVault will become an OpenID Relying Party later this week. 

Very cool news.  Congratulations to Microsoft for becoming the first big player to be an OpenID Relying Party in a significant way.  Also, congratulations to the OpenID Foundation and Bill Washburn for their role in this.

Now how is this intersection of these two topics?

1. Sharing Credentials

I’ll start by partially answering my first question:

How many OpenIDs do I need?

Partial answer:

I need one for each health information provider; for exclusive use with that provider.

I just don’t want to share these with any other Internet service. 

So the premise that OpenID allows me to share credentials across sites is of no value to me here.  (Note: that said, there are good reasons I might choose other Identity Providers for this application).

2. How do Relying Parties know who to Trust?

There are a growing number of providers out there, new implementations of custom coded OpenID providers, established businesses, startups, etc.

So if you want to become a Relying Party, who do you trust?  Everyone?  No.  The answer is easy.  From Sean Nolan,

The deal is — as of our next release in the next few days, users will have a new way to identify themselves to HealthVault. In addition to Windows Live ID, they will be given the option of using OpenID accounts from Verisign or TrustBearer.

You, the Relying Party, choose an explicit list of trusted Providers.  This is a completely rational approach.  Especially if you are responsible for protecting confidential data. 

Before you know it, more and more companies/services will become Relying Parties.  Each service — at least those that protect valuable confidential data — will have to perform a risk analysis to determine which Providers to accept.  Each Relying Party will end up with a different set of accepted Providers — a different set in constant flux.

Earlier I suggested that I could choose how to consolidate my OpenIDs, but the reality may be much different where I have to choose OpenID providers based on the services I use.  This reality seems like a complicated, user-hostile patchwork of Identity.  Kind of like what we had before OpenID.  Only more complicated.

What do I think should be done about it? 

One answer is that the OpenID Foundation fast-track efforts to formalize trust and reputation resources for Relying Parties. Bill Washburn had some other ideas too, and maybe this Microsoft announcement is in support of that effort.

How long will any of this take?  Can’t say, but I will continue to look on with interest and write about OpenID.  Despite my criticism, I am a fan.

Tags: , , , , ,

Google Reader Misappropriated Our Shared Items

image_thumb[1]Earlier in the week I stopped using Google Reader for a few days.  Every time I started it, I would be reminded of their new sharing features (see the dialog on the left).  Then I would close the browser tab. Why?

Google changed the Reader user-contract with no notice.  This rankles me.  I’ve lost control of my shared items.  This is a dramatic change with only the weakest of opt-outs.  What’s more, any opt-out is too late.  My items have already been shared.  What kind of opt-out is that?

Oh, but there are more options.  They give us the ability to manage who gets to see our shared items.  But only after others have a chance to read them.  For example, I can hide my items from my “friends” who are on Google Reader.  Other “friends” that start using Google Reader will get to read my shared items immediately.  The onus is on me to make sure I actively manage the list. 

And the icing on the cake?  “Friends” wasn’t a word in use by Google Reader before.  Now it has been defined to mean my Google Talk contacts.  No fair.  This is not analogous to Facebook “friends”.  In Facebook, I accepted people as “friends” based on the Facebook definition.  Now my Google Talk contacts are my “friends” based on Google’s new definition.  This is clearly backwards. 

Is Google breaking their terms of service?  Almost definitely not, but they are changing a basic part of the user-contract: that user data won’t become more public without user consent. This is a perfect example of the “User-Beware contract“, summed up as: “we’ll change the user contract whenever we feel like it.”

What’s next? 

Your email contacts have been shared with your friends

Your emails have been shared with our advertisers

You calendar entries have been shared with your . . .

You get the idea.  This may seem like a joke, but frankly I don’t know what is in store for the user contract.

Steve Gillmor suggests this is arrogance on Google’s part, and he’s probably right.  Yet mostly people are ignoring this or don’t get it (e.g., Scoble doesn’t seem to get why anyone would care). 

Why is the blogosphere giving Google a free pass on this one? 

Tags: , , , , , ,

Next entries »