Author: JP

What does bad look like? And related questions

I was in conversation with an old colleague, Sean Park, a few days ago; with a little bit of luck, we’ll be able to spend a little time together next week in San Francisco, at Supernova. During the conversation, this post by Chris Skinner came up.

First, a few disclaimers.

One, I am not against cyberlibertarians. I count many cyberlibertarians as my friends. In fact I’d even let my daughter marry one. Some people think I am a cyberlibertarian. And I don’t argue with them.

Two, despite all that, I signed up with the UK Border Agency IRIS scheme as soon as I could, use it regularly, and will probably sign up with its equivalent for the US and Europe as soon as I can. So I am not against the technology.

Three, I like what Bruce Schneier has to say about many things, and particularly about things to do with security. This liking predates (by a long way) and is completely unconnected with, our becoming colleagues much later. [Incidentally, we have never met, either as colleagues or before then, although we’ve been in the same room quite a few times. Maybe this will change, we’re both at Supernova.]

Having said all that.

There’s identity and there’s identity. “Identity” covers things I assert about myself, things that only I can assert about myself. It covers things that others assert about me, things that only others can assert about me. It also covers things that I assert, but where my assertion is weak unless it is backed up by someone or something else.

When I say that I like Grateful Dead or Traffic or Crosby Stills Nash and Young or John Mayall or Jim Croce, I am asserting something about myself. A last.fm audioscrobbler attached to iTunes can see whether my listening habits match my stated likes, but it cannot say what I like. That is for me to say. When a bank says that I have a credit rating of X, they are asserting something about me that I cannot assert about myself. When a government gives me a token to help me assert who I am (such as a passport or a driving licence), the government is doing something I couldn’t do as well.

So there’s identity and there’s identity. It’s all the rage, it’s the happening thing, there are now more people working in the identity space than in call centres worldwide. [Doesn’t it feel like that to you?].

And, as Chris Skinner says, it looks like biometrics will become more important, more dominant, more pervasive. Shivers down spine. Collywobbles. Paroxysms of sweat. I begin to get a teensy weensy bit concerned.

Why? Not because I think someone’s going to gouge my eye out and re-use it. Not because I think that someone’s going to chop my finger off. [Yes, there are times and there are places where this can and probably will happen, but in this conversation I consider the Chopping Off argument to be a Red Herring.]

I’ve been concerned about the use of biometrics in everyday life for a few decades now. Nearly 30 years ago, when I worked for Burroughs Corporation, we had a division that manufactured ATMs. And I remember seeing a presentation where people queued up to a hole in the wall to draw money, presented their eyeballs to an even smaller hole in the wall, had their retinas scanned before the hole vomited out cash. And I thought to myself, who designs these things? Who imagines that someone would actually do this? Did they talk to anyone, any would-be customers?

If you want to understand the pros and cons of biometrics, you must read this article in ACM by Bruce. So what if it’s almost a decade old, the points he makes still hold true. It’s an expansion and improvement on an another note by him, written a year earlier in his Crypto-Gram newsletter.

Here are some excerpts:

  • [B]iometrics work well only if the verifier can verify two things: one, that the biometric came from the person at the time of verification, and two, that the biometric matches the master biometric on file. If the system can’t do that, it can’t work
  • Biometrics are unique identifiers, but they are not secrets. You leave your fingerprints on everything you touch, and your iris patterns can be observed anywhere you look.
  • Once someone steals your biometric, it remains stolen for life; there’s no getting back to a secure situation.
  • Biometrics are powerful and useful, but they are not keys. They are not useful when you need the characteristics of a key: secrecy, randomness, the ability to update or destroy.
  • [B]iometrics are necessarily common across different functions. Just as you should never use the same password on two different systems, the same encryption key should not be used for two different applications. If my fingerprint is used to start my car, unlock my medical records, and read my electronic mail, then it’s not hard to imagine some very unsecure situations arising.

As a frequent traveller, I am happy to use biometrics-based processes when it mean my immigration and security queues are shortened significantly. IRIS has been a boon for me.

But if my bank asked me to start using iris recognition based schemes, I would probably change bank.

Why?

Now you must be used to people tritely asking you “So what does good look like to you?” [What an appalling question. Why can’t they ask you what you want? I’m old and patient now, so I forgo the temptation to “throw them under that question”, a la that other appalling phrase “throw them under the bus”. Who thinks this unadulterated crap up anyway?]

So humour me for a second and allow me to use the phrase “What does bad look like?” When I use IRIS, “bad” means that someone has managed (a) to get a copy of my iris as stored in some humongous central database somewhere (b) convinced some hardware and software in a booth that he/she is me returning to the UK. Depending on my actual travelling status, that may throw up some conflicts and errors, and the worst that could happen is that I spend some time sorting out the mess when I next pass through. But the facts will be on my side, and I don’t live in a police state. People may be appalled by CCTV Britain, by Guantanamo Bay, by 42 day detentions, but none of that is as scary as The Emergency was to me in 1975-77. Not even close.

It’s not as if someone can leave my iris behind at a crime scene. If someone finds my eyeball rolling around alongside a corpse, the chances are the corpse is me. if someone leaves a photograph of my iris behind as a calling card, not even the Keystone Cops will assume that I’m the likely perpetrator.

So bad doesn’t look too bad in many of these cases.

When it comes to banking, it’s a different story. Bad can look bad. If you’d like a humorous way of finding out why, listen to this clip by Mitchell and Webb. [Oh the humanity. Worth listening to for that line alone.]

We already use biometrics for banking, the common-or-garden signature is a biometric, particularly if you start analysing pressure and time and emphasis and all that jazz. People have tried to forge signatures, and if electronic signatures become more common, then I am sure that people will try even harder to forge signatures.

I try and adapt to changes in the environment around me. For example I think about where I want to use my credit or debit cards so as to minimise the risk of cloning, and avoid the places where I think the risk is high. If my bank said I could use iris recognition in order to withdraw cash, I wouldn’t sign up. I would use other ways. if they said that it was the only way, I would use other banks. Simple as that.

It doesn’t mean that I am against the use of biometrics. Rather, I am against the use of biometrics in environments where the weaknesses of biometrics overwhelm the strengths. As stated before, I use biometrics to enter the UK. And I would be happy to use biometric locks in my front door, as Xeni Jardin refers to here.

As Bruce says in that article, if someone wanted access to my house, they can make a surreptitous copy of my key or throw a rock through my window. They don’t have to cut my finger off.

Biometrics aren’t bad. Biometric banking is already here, as in the use of signatures. But we need to think hard about allowing increased use of biometrics in banking. Because bad could then look very bad.

Let’s be careful out there.

Musing about lazy Saturdays and unGoogleable things

I grew up in a family where we were intense, almost obsessive, about many strange things. During my mid-to-late teens, I don’t think a day passed without there being a “session” at home. What do I mean by “session”? A gathering of people, numbering greater than 10, all focused on some activity or the other. What activities? They varied, in mini-seasons lasting a week or two, and included:

  • Carroms (played in fours lying at odd angles on the floor)
  • Table-tennis (on the dining table, using books to form the net
  • Card games aplenty (from “56” to Memorial Power, finding pairs, to Canasta, to TwoToTheLeft)
  • Chess (not as many takers though
  • Categories (which we called NamePlaceAnimalThing and played with real gusto).
  • Scrabble (played with an incredible intensity)
  • Board games in general, particularly Cluedo, but including Ludo, Chinese Checkers and Snakes & Ladders

That’s when it was too hot to play outside. Participant ages ranged from 6 to 60 (really) and everything was played with ferocious yet humorous spirit. Wonderful times. Usually half the people present were friends of one family member or the other, the rest were family or neighbours.

Sure we fought. It wasn’t always all sweetness and light. But in the main we played, played as close family and close friends, and we’ve stayed close ever since.

What I described above  was a daytime and weekend and holiday thing for the most part. Weekday evenings were all about hanging around together and listening to music; when it got late the scene shifted to playing duplicate bridge. And we read. We read by the shelf-load, by the truck-load. Draped in strange positions all over the place, usually munching on the food that would materialise by magic.

And one more thing. We were trivia freaks, but we didn’t call it trivia. We called it quizzing. It was perfectly normal for any one person to pull a dictionary, a book of quotations or a volume of an encyclopaedia off a shelf and then start asking passers-by questions. Calcutta had a brilliant quiz scene in those days, probably still has.

[Strangely enough, I don’t remember seeing anyone study. Or do homework. I can’t imagine where they could have, every room was packed with other, ultimately distracting, activity].

Anyway. As I was saying. We loved trivia. And we didn’t treat trivia so much as a test of knowledge but as a test of recall. More importantly, quizzing was a team sport and individual machismo was of no value.  Sure, “golden” answers were appreciated and respected, where you knew something that no one else on the team knew. But the important thing was the team.

These values made their way into the DNA of the quiz scene in Calcutta, particularly the “recall not knowledge” principle. Any fool could come up with a question that no one could answer. The challenge was to come up with a question that every team could answer, but not necessarily within 30 seconds while under competitive pressure.

It became a fine art, setting questions that danced teasingly on the tips of tongues. Those were the days Before Google. Nowadays it is actually quite hard to set a question that’s unGoogleable, and as a result the “recall versus knowledge” principle must be under severe attack. Particularly in today’s age of ubiquitous communication. I lost interest in the UK quiz scene once mobile phones with Web browsers and Shazam entered the scene; too many people resorted to, shall we say, alternate and assisted modes of recall.

Since then, just for fun, I’ve been quietly compiling lists of questions that can’t be Googled. Which means I look at many things with an unusual perspective. Take today for example. I was “watching” the cricket in Dhaka, and when I ran down the names of the Indian team, I noticed something:

The average surname-length of the team was below 6 letters, just 63 letters across the eleven people. Very unusual. [Incidentally, I also noticed that I have children older than half the team, a sure sign of my age].

So. Cricket fiends amongst you. What’s the shortest team you can come up with, the one that would trouble the scorers the least to put up. 63 is the target to beat. Sehwag Gambhir Sharma Singh Pathan Dhoni Raina Pathan Chawla Kumar Sharma. [I remember some Leicestershire and Northamptonshire teams in the early 1980s that had quite a few short-named players, must check].

Incidentally, the full name letter count could also be a record. 68 plus 63 makes 131. That’s low. That is very low … for a country that has had a President named Sarvapalli Radhakrishnan, a singer called Madurai “MS” Subbulakshmi, a composer named Laxmikant Kudalkar;  and cricketers named Srinivasa Venkataraghavan and Bhagwat Chandrashekhar. [My own name and surname take up 21 letters].

Self-fulfilling prophecies? Or trends before their tipping points?

I’ve been spending some time reading The Internet and Consumer Choice, a report produced by the Pew Internet and American Life Project a month or two ago.

The report makes four key statements:

  • The internet helps music buyers connect with artists and learn more about music, but it doesn’t strongly influence what or how they buy
  • The internet is an influential source of information and options for those purchasing feature-rich items such as cell phones
  • The internet is an efficiency-enhancer in searching for new housing
  • Few internet users bother to rate or comment on their purchase, even for a digital good such as music

I’ve read the whole report, and I think there’s a deeper point to be made here.

When it comes to physical goods, the internet reduces search costs and informs the buyer, but fulfilment does not necessarily take place there. While the ability of the internet to disintermediate continues to grow, the fact is that disintermediation is not the norm as far as physical goods are concerned. Where it does take place for physical goods, the drivers tend to be simplicity and convenience of engagement and breadth of inventory rather than price and distribution capacity.

But when it comes to physical goods that have a digital alter-ego, I think the story is completely different. I think the digital world can and will strongly influence buying decisions for such goods. If the digital world was allowed to. Particularly with music and film, and increasingly with magazines and books, people are going to be influenced in their physical purchases by the nature of access they have to their digital counterparts. So I don’t buy the first point made in the Pew report. I think the market here is not about searching and finding, it’s about tasting and coming back for more. And I don’t mean a trailer or sampler model either, I’m talking about access to the whole thing.

There’s a big Because Effect looming here, a big abundance-versus-scarcity tension. Makes me think of the restaurant business. I get the impression that many restaurants make their money on the liquor and soft drinks they sell, and loss-lead on the food. They’re in the business of keeping their customer satisfied, and making money as a result. They don’t care whether they make money on the food or not, as long as they have satisfied loyal customers and they make money overall.

Merchandising and memorabilia have been around for a long time. So when it comes to music and films, the money may well continue to migrate to physical goods like merchandising and memorabilia, with the Kevin Kelly “Better Than Free” model coming more and more into play. Immediacy and authenticity will command greater premiums.

More later. There’s some stuff I want to share on one aspect of this, primary and secondary markets for memorabilia and suchlike.

Continuing with ramblings about syndication in the enterprise

When I started talking about the Four Pillars model (search, syndication, conversation and fulfilment) four or five years ago, I had some very specific views about syndication. And, as I see the new generation start entering the workforce, if anything those views have been reinforced.

Let’s take reports and enquiries. In this context, when I use the word “report”, I mean something paper-based, chundered out of a giant enterprise system. And when I use the word “enquiry” I mean something that is similarly yawned out, but online rather than on paper. Both these things come in two flavours, regular and ad-hoc. If you haven’t had to come across such things so far, count your lucky stars.

When I started working in the industry, listing paper grew on trees. And global warming was but a glint in Al Gore’s eye (he was 32!). I was surrounded by ream after ream of paper, green-lined and perforated, in a size I would have guessed as A3-ish. Your desk was dominated by large “trays” marked IN and OUT and, if you were important, maybe even one called URGENT. Sometimes you were even more important, you could decide to suspend work, you had a tray marked PENDING. When you “arrived”, became someone, you were probably given a tray marked FILING, with a person to do that job for you. This usually happened around the time you had the Ceremony of the Keys, when you were finally allowed to use the Executive Toilet. [That’s if you were male, of course.]

But I digress. IN trays. Reams of listing paper. I used to watch what happened to that listing paper with some bemusement. It arrived magically in on a desk in the morning, patiently gathering dust and meeting like-minded reams for a few days. Then, when the pile grew too high, it would get moved. To the floor alongside the desk, en route being junked.

I kid you not. Offices (we didn’t use words like “enterprise” in those days) were full of printed reports that seemed unstoppable, they had a life of their own. They’d get produced, hang around for a while and then get junked.

The advent of the PC and the AT bus changed all that, we stopped using terms like “console printer” and “dot matrix printer” and settled down to the good old laser printer. [I think inkjet and bubble came around the same time, but I was a laser man myself. You haven’t lived until you’ve changed a ribbon on a free-standing console printer.]

So much for the reports of yesteryear. When it came to enquiries it was more of the same, except that you didn’t have reams of paper. Instead you had a new problem. Or rather a new opportunity. You could spend your life figuring out how many ways there were to get the response “Invalid Code”. No more, no less.

Some people think that sticking decal-like things on your computer is a very cool Generation M thing to do. Not true. People were sticking things to the side of their 80×24 dumb terminals thirty years ago. But what they stuck was different indeed. They were lists of “valid codes”, usually scribbled on paper and sellotaped on to the side of the terminal.

You see them nowadays as well, often at cashtills.

What’s the point of all this? Where am I leading? It’s simple. Syndication in the past was a complete nightmare. if you asked for reports you got broadcast grapeshot that then became impossible to turn off. If you asked for enquiries you dealt with unforgiving deterministic forms. The upshot was the same: no personalisation, a firehose that won’t turn off, a deterministic rather than probabilistic process of enquiry, intolerant and not fit for purpose.

Why did I put up with it? I had no alternative. Worse than that, I hadn’t ever seen an alternative.

Well, today’s kids are different. Generation M is different. The generation entering the workforce is different. They are used to RSS, to feed readers, to Google, to iGoogle, to Netvibes, to Pipes, to relevance and ranking, to wild cards.

And they won’t put up with our trashy way of doing things.

Not even for money.

So next time you look at a humongous monolithic system using arcane meaningless codes and chundering out pages of tripe, start planning to replace it. That’s if you want to attract employees from the coming generations.

And by the way, do bear this in mind: Generation M has no border: India and China and Chile and Mexico and Russia also have kids who think the same way. You’re not going to be able to offshore this sucker for long.

Demonstrating Moore’s Law: A sideways view

Here’s the start of the wikipedia entry for Moore’s Law:

Moore’s law describes an important trend in the history of computer hardware: that the number of transistors that can be inexpensively placed on an integrated circuit is increasing exponentially, doubling approximately every two years.[1] The observation was first made by Intel co-founder Gordon E. Moore in a 1965 paper.[2][3][4] The trend has continued for more than half a century and is not expected to stop for another decade at least and perhaps much longer.[5]

Here’s the diagram that tends to go alongside such text, also from Wikipedia:

The trouble with all this is that normal people are not necessarily used to log scales, nor to statements about exponential growth in the capacity for placing inexpensive transistors in an integrated circuit. Which means that people’s eyes glaze over when I start talking to them about Moore’s Law. [Well actually most people make sure their eyes glaze over as soon as I start talking, regardless of subject, but that’s another matter.]

Where was I? Oh yes. Moore and his Law. I find this a simpler way of explaining it:

The chart above tracks the price per gigabyte storage in an iPod, and how that has varied over the years and generations. I’ve been using it for a while, and now it’s getting a little dated. Haven’t seen a more recent version, I sourced the chart from a James Stoup article in AppleMatters a few years ago.

If anyone has a more recent iPod/iPhone version i’d love to see it. Comments? Views? Have you found better ways of explaining Moore’s Law to my grandmother?