I’ve just finished reading Denise Caruso’s book, Intervention: Confronting the Real Risks of Genetic Engineering and Life on a Biotech Planet. I absolutely love it! As the book’s subtitle suggests, Denise recounts the tragedy of how hubris in the biotech industry — compounded by sub-standard risk assessment methods used by government regulators — has blinded us to potentially catastrophic consequences of releasing billions of living, reproducing, evolving man-made organisms the environment, the long-term effects of which are completely unknown.

But Intervention delivers a much broader message, about how the human propensity for hamartia isn’t miraculously expunged by mathematics, statistics, or the scientific method.

In proving her point about assessing the risks of genetic engineering, Denise calls into question the seemingly unassailable position of science in our culture. The book suggests we desperately need “a new kind of science” (to borrow Steven Wolfram’s phrase) — one that accounts for the nature of the beings (i.e., us) who are wielding its increasingly powerful tools. Try as we might, whatever model we create to try and describe reality, our scientific models inescapably say much more about human beings than they do about some objective reality. In the book, Denise exposes our lapses in rationality due to cognitive, social, and technological realities. Such lapses are everywhere in the areas I cover (technology, social trust, and privacy).

So while reading the book, I decided present my views on these issues in a blog post. Admittedly, going into some depth on Denise’s book on the Hybrid Vigor blog (which is Denise’s creation) seems almost self-congratulatory. But I think the larger themes in Intervention are relevant to most of the really difficult problems we’re trying to solve globally today, and understanding these issues will help focus our discussion at Hybrid Vigor. Continue reading »

This post isn’t about Eliot Spitzer. Yes, of course I’m as outraged as anyone over how this scandal takes the wind out of Cathouse: the Musical. But something else about the Spitzer incident really hit home: The confirmation that my financial institution is a federal agent.

According to this USA Today article, financial institutions reported 17.6 million transactions to the Federal Crimes Enforcement Network in 2006. Does this fact imply that 17.6 million transactions in 2006 were criminal in nature? No, they were simply “transactions of interest” (my term). In addition, financial institutions filed about 1 million “suspicious activity” reports in 2006 (up from 413,000 in 2003) to government agencies. Allegedly, it was the suspicious activity reports that linked Spitzer to the prostitution ring.

But most of the people behind the other 17.59 million financial transactions aren’t accused of any crime. Still, their spending habits are monitored, and if anything sketchy turns up they’ll then be accused of a crime. This seems afoul of the Fourth Amendment, Continue reading »

Last week, Melissa Lafsky cited some statistics on the rampant growth of click fraud and then punctuated the absurdity of the situation by questioning, rhetorically, whether everyone on the Internet is now a criminal for clicking with unlawful intent. Just who made it a fraud to click on a link, anyway? But to people whose immense fortunes are tied to sorting out honest clicks from false clicks, click fraud isn’t absurd at all. So after a flurry of comments about the piece, Lafsky clarified her position in a follow-on post.

Happily, Google’s got click interpretation down to a science, so we’re all off the hook (although the algorithm apparently still struggles with interpreting wit, sarcasm, irony, rhetoric, and French). So now I’m anxiously anticipating the beta of Google Intentions: an app for searching everyone’s click streams, categorized by intent!

I got a comment on a blog post last week that was simple and to the point: “Interesting post. Thanks.” Reading between the lines of code accompanying the post I found this gem:

{sentby:program running on server}

Very cool! It seems I’ve become popular with the blog-spambot audience. It reminded me of Jemaine Clement’s introduction to “The Humans Are Dead”:

Thank you. That’s overwhelming…. This next song we’re going to do isn’t really intended for humans; it’s probably more for robots, in the future when the robots have killed all the humans. That’s the sort of market we’re trying to get into.

What some vendors won’t do for marketing attention. This bot’s purpose is to post meaningless comments on blogs in order to drop the vendor’s URL on the site. The irony in this case was that the spambot’s owner was a “trust vendor.”

Glad to know the foxes are trust-guarding the hen house. I only hope the subtle allusion to the vendor’s name won’t shake up my spambot fanbase!

Gerry Gebel of Burton Group wrote an excellent post last week called “Moving Beyond Command and Control.” It’s the kind of thing I’d like to have written. It’s the kind of post everyone who cares about Internet security should read.

Gerry’s referring to the prevailing style of computer security, in which an administrator creates IDs and manages access to the system. The phrase “command and control” comes from a militaristic style of management with centralized or hierarchical authority. There’s nothing inherently wrong with the command/control model; the issue is that it’s a horrible fit for Internet security, where authority is unavoidably distributed.

Here are some simple shibboleths to detect a person’s managerial orientation:

If you hear frequent repetition of the words identification card, identity assurance, encryption, rights, management, access control, and policy …

BINGO! This person is a command and control disciple.

If instead you hear frequent repetition of words like reputation, reciprocity, empathy, signaling, collaborative action, recognition, shared experience, social interactions, ceremony, and connection …

Then they’re talking about social trust — and that person needs to SPEAK UP and start blogging about it!

Technologists have long admired the almighty algorithm: the piece of patentable code worth millions of dollars. While computer hardware has gone the way of commodity pricing, software and online services companies insist that consumers pay big bucks for use of their proprietary algorithms (when most consumers can’t even say “al-go-rhythm”), in the form of the software packages they buy, or use online for a fee.

But how much is your personal information worth? One woman, Raelyn Campbell, claims her information is worth $54 million. Campbell says she took her $2,000 computer for repairs at BestBuy more than six months ago and hasn’t seen it since. BestBuy offered to settle for about $2,000 to cover the lost hardware. But Campbell rightly points out that in losing her computer, BestBuy also lost her personal information, including account information to a variety of online sites.

Hopefully, Campbell stored only her own information on this computer, and not any HR information from her employer. Stolen or missing laptops are common types of data breaches, as attested to by the Privacy Rights Clearinghouse. These cases are usually multi-million-dollar lawsuits. Curiously though, Campbell draws on a dry cleaning incident as precedent for her suit. In that case, a customer sued a dry cleaning establishment for losing a pair of paints (see the link to the Campbell story for more details). The $54 million law suit was eventually dismissed after costing the dry cleaner $100,000 in legal fees. Campbell, it seems, has an elevated sense of dramatic irony by attempting to take BestBuy to the cleaners for the same amount as the case of the purloined pants. But keep your shirt on — Campbell admits to using an inflated amount to get media attention. Nice move.

I’m sure that encryption vendors love this kind of story. And yes, encrypting our data is a good idea in theory. But it’s not particularly easy or convenient. It messes up indexes, so you can’t ever find stuff when you need to. Simply put, we’re a few ideas short of a solution to this problem.

The juxtaposition of two events in the last week exemplified the growing tension of social trust on the Internet. First, the OpenID Foundation announced the additions of Google, IBM, Microsoft, VeriSign, and Yahoo! to their board. A few days later, the New York Times reported on people’s frustrated attempts to delete their Facebook accounts.

It seems identity theft is officially passé: now you have to worry about “soft” identity theft by social sites that play keep-away with the information you provide. Thankfully, some users have reportedly succeeded in getting their accounts permanently excised from Facebook (for example, see this post on the 2,504 steps to closing your Facebook account).

But their Pyrrhic victories do little to stem the deluge of personally identifying information pouring into and being captured on the Internet.
For example, how do I delete my profile from Spock, when I didn’t even set it up in the first place? Can I instruct Google not to index information about me?

So, last week while technologists were building out the apparatus for connecting people’s information across sites, real people confronted an Internet that neither forgives nor forgets.

Of course, the OpenID folks are convinced that their approach — a decentralized, single sign-on system — will improve privacy by reducing the number of accounts people need. Control of one’s personal data is a tenant of the “user-centric identity” movement that OpenID represents. But OpenID is an identification system, not a trust system (in either the technical/cryptographic or the social sense), by the designers’ own admission. So while I’m encouraged to see an impressive list of tech companies working together on identification systems, it’s unfortunate that they’ve wholly missed the point. It’s not the ID system that needs fixing.

Sure we’re all bugged to have to remember 57 passwords, but it’s a nuisance, not a betrayal of trust. The announcement I’d like to see is that the same list of companies is collaborating on an apparatus for improving social trust online. For those of you frustrated with the eternal stickiness of social sites, I recommend never using your actual identity—create a persona instead. Unfortunately, personas aren’t that easy to create and maintain at the moment, but it’s something we’re working on here at Hybrid Vigor.

When Denise Caruso asked me to become a regular contributor to the Hybrid Vigor blog, I jumped at the opportunity. Since late 2006, I’d been developing ideas for building social trust and reducing fraud on the Internet by way of a blog I started at Burton Group.

That blog holds a lot of sway with Burton Group’s readership—IT professionals and software vendors—but after Denise brought some of our ideas to a wider audience with her article in the New York Times, it drew the attention of important new communities, such as (for example, this interview with Emergent Chaos, this post from Jim Harper, and this one from Michael David Cobb Bowen).

I realized that any successful approach to building social trust online would require the attention of a broad-based, interdisciplinary community — a blending of ideas from social science, evolutionary biology, human factors, economics, mathematics and engineering. The technical design requires tempering by our best understanding of political science, psychology, philosophy and the law.
Continue reading »