Celebrating data privacy day should be everyday

Are you familiar with the term dark patterns? You probably are if you do any online shopping. The term has been in use in the UX world for a decade and refers to a design choice that makes a user decide on something that they might not have otherwise chosen, such as adding a product to a shopping cart that wasn’t selected, running a deal countdown clock, or warning that a product you are thinking about buying is running low in inventory. These are also called nudging, where the website designer places the preferred answer in larger font or bigger icons such as the image below.

Last fall a group of academic researchers found more than 1,800 instances of dark pattern usage on 1,254 websites, which likely represents a low estimate. Many of these websites had pretty deceptive practices.

Dark patterns are just the latest salvo in the attempt to keep our privacy private. An article posted over the weekend in the New York Times documents the decline of this notion. “We have imagined that we can choose our degree of privacy with an individual calculation in which a bit of personal information is traded for valued services — a reasonable quid pro quo,” writes the author, Shoshana Zuboff. “We thought that we search Google, but now we understand that Google searches us. We assumed that we use social media to connect, but we learned that connection is how social media uses us.” Our digital privacy is now very much a publicly traded service. Zuboff’s study of this erosion of privacy is just in time to honor this year’s Data Privacy Day. She mentions a series of examples, such as Delta Airlines’ use of facial recognition software at several airports to shave seconds off of passenger boarding times, with almost everyone opting in without nary a complaint.

The other news item in time for DPD is the UK’s Information Commissioner’s Office (ICO) recent publication of a series of design guidelines called Age Appropriate Design Code to help children’s privacy and online safety. Let’s discuss what they are trying to do, what some of the issues are with enforcing their guidelines, and what this all has to do with dark patterns.

The ICO rules haven’t yet been adopted by Parliament – that is several months away if all goes well, and longer if it turns into another Brexit debacle. And that is the crux of the problem: “Companies are notoriously bad at self-regulating these things. Guidance is great, but if it’s not mandatory, it doesn’t mean much’” says my go-to UX expert, Danielle Cooley. And Techcrunch likens this to the ICO saying, “Are you feeling lucky data punk? How comprehensive the touted ‘child protections’ will end up being remains to be seen.”

Cooley gives the ICO props for moving things along – which is more than we can say for any US-based organization. “It is a step in the right direction and a good starting point for other government entities, much like GDPR was for motivating California to pass their own privacy legislation. However, there is really no way to enforce much of this and there are multiple ways around it too.” She gives the example of American alcohol manufacturers that prohibit people under 21 from entering their websites. Can they really stop a minor from clicking through the age screen? Not really. “At least, the ICO addresses dark patterns and nudging.” One point Cooley makes is proving the opposite of dark patterns is a lot harder to do, and few analysts have done any research.

The ICO has specific examples of nudging, which “could encourage children to provide more personal data than they would otherwise volunteer.” There is a total of 15 different categories of guidelines, ranging from transparency, dealing with default setting and data sharing, and parental controls. The rules are for all children under the age of 18, which is a wider scope than existing UK and US data protection laws that generally stop at age 13. It is extensive and mostly well thought out and applies to a wide collection of online services, including gaming, social media platforms and streaming services as well as ecommerce sites.

Another plus for the ICO rules is how it adopts a risk-based approach to ensure that the rules are effectively applied. However, while that sounds good in theory, it might prove difficult in practice. For example, let’s say you want to verify the age of a website visitor. Do you have one version of your site for really young kids, while another for teens? Exactly how can you implement this? I don’t know either.

Naturally, the tech industry is not happy with this effort, saying they were too onerous, vague and broad. Like GDPR, they apply to every online business, regardless of whether they are based in the UK or elsewhere. The industry reps do have something of a point. What is interesting about the ICO rules is how it places the best interest of children above the bottom lines of the tech vendors and site operators. That is going to be hard to pull off, even if the rules are passed into law and the threat of fines (four percent of total annual worldwide revenue) are levied.

The UK tech policy expert Heather Burns wrote an extensive critique of the ICO draft rules last summer (while there have been some changes with the final draft, most of her issues remain relevant), calling it “one of the worst proposals on internet legislation I’ve ever seen.” The draft proposed a catch-22 situation: to find out if kids are accessing a service, administrators would be required to collect personally identifiable data about all users and site usage, precisely the sort of thing that the ICO, as a privacy regulator, should be dissuading companies from doing. Another issue is that the ICO rules, which were written to target U.S. social media giants, could be onerous for UK domestic startups and SMEs, at a time when many are considering their post-Brexit options. “If the goal of the draft code is to trigger an exodus of tech businesses and investment, it will succeed,” she writes. Additionally, no economic impact assessment of the proposals, as is required for UK legislation, was conducted.

Her section-by-section analysis is well worth studying. For example, she wrote that the draft proposal associated “the use of location data with abduction, physical and mental abuse, sexual abuse and trafficking. This hysteria could lead to young adults being infantilised under rules prepared for toddlers; rules which could, for example, ban them from being able to use a car share app to get home because it uses geolocation data.”

Only time will tell whether the ICO rules are helpful or hurting things. And in the meantime, think about how you can do something today that will help your overall data privacy for the rest of the year. Ideally, you should celebrate your data privacy 24/7.Instead, we seem to note its diminishment, year after year.

Do you really need to learn calculus?

I was talking to a friend of mine who teaches middle school math this week. It brought back all sorts of memories about my career in math, how I picked my classes over my primary and secondary schooling, and what I would tell my teen-aged self with the benefit of hindsight if such self would actually listen to an adult back then.

I come from a family of math geeks: my sibs and my parents were all good at math, and all of the kids were on the “math team” that met after school to solve problems and compete for prizes. Looking through my old report cards, rarely did I get a grade less than an A in any of my classes. When it came time for college though, I started out as a physics major, quickly changing to math when I got frustrated with all the prerequisites, and eventually graduating with a roll-my-own major that combined independent study classes in science, art and math.

What many parents don’t realize until their kids have been through middle school is that there is in most districts a separation of kids into two math tracks. One is the basic math curriculum which involves teaching algebra, trig, geometry and some statistics by the time you finish high school. The other is a more advanced series of classes that ends with students taking calculus in their senior year in high school. If you are good at math, you end up with the latter program of study.

Why does anyone need to study calculus? There really isn’t any good reason. It is more custom than necessity. In my case, getting calculus “out of the way early,” (as I look at it now) allowed me to get AP credit and graduate early from college. It also enabled me to take more advanced math classes too. I asked Arnold Seiken, one of my former college math professors, why anyone should take the class. He was mostly bemused by the question: “Calculus was always part of the requirements for graduation – students assume that it is part of the burden of life and just grin and bear it. I assume you took my courses because you liked the jokes. I can’t think of any other reason.” He was right: he was always a crack-up, in class and now in retirement. Interestingly, he told me that he got into math by accident in high school because he couldn’t do the science labs, much like I decided. “Math was a fallback for me, I was always breaking stuff in the labs.” He was an excellent teacher, BTW.

When you are a college math major, there are basically two different career paths you hear about: to teach or to become an actuary. I wasn’t all that excited about teaching (although I did dabble with teaching both a high school computer class and a graduate business class later on in life), and when I took the first exam of many to become an actuary, I got the lowest possible passing score. That first exam is calculus, and my justification for the miserable score was because I hadn’t had any calculus for several years by the time I took the exam. But it didn’t bode well for a career in that field.

But having plenty of math classes – including one on linear algebra taught by Seiken — also enabled me to have a solid foundation for graduate school study of applied math topics that were part of my degree in Operations Research. That took me to DC and to do math modeling for supporting government policy analysis, and eventually on to general business technology.

My master’s degree was issued in the late 1970s. Back then we didn’t have personal computers, we didn’t have spreadsheets, we didn’t have data modeling contests like Kaggle. What we did have was a mainframe on campus that you had to program yourself if you wanted to do mathematical models. Today you can use Excel to solve linear programs and other optimization problems, set up Chi Square analyses, run simulations and other things that were unthinkable back when I was in school – not that I would know how to do these things now if you forced me to watch a bunch of videos to relearn them.

Seiken reminded me of a part-time job that I had in college, repairing these ancient geometric string models that were used in the 1800s to teach engineering students how to draw conic sections. I didn’t need calculus to restring the models, although it helped to understand the underlying geometry to figure the string placement. It did get me started on my path towards problem-solving though.

And I think that is what I would tell my teenage self. Whether or not I took this or that math class, what I was good at is solving technical problems. Having a math background made it easier for me to pick a more technical career path. Had I not moved into the calculus track, I probably would still have been interested in math of some kind, but probably wouldn’t have been as challenged to take the advanced classes I was doing as a junior and senior in college. So yes, calculus per se isn’t really relevant to debugging a network protocol stack, or figuring out the root cause of a piece of malware, but it does train you to learn how to pick apart these problems and find your way to an answer. Now, your kids may have a different path towards developing their own problem-solving skills, but math was my ticket and I am glad I took the path that I did.

FIR B2B podcast #132: Worst PR Nightmares of 2019

This week we take a moment to reflect on the past year’s major PR blunders. Thanks to the folks at Crain’s Chicago Business, we have five doozies to relive with you. They run the gamut from Hallmark’s lesbian bridal spot to Sallie Mae’s Hawaiian junket to the various missteps of Boeing’s now ex-CEO.  All have a few things in common:

  • The companies were culturally tone-deaf, whether to gender, racial, or other sensitive topics. Being woke isn’t just a fixed state of mind but a commitment to keep up with the cultural norms and mores and memes in this diverse world.
  • They failed to talk. The first hours after a crisis are critical and require a response — even if it is “We are working on a response and will get back to you.” Crickets will just inflame passions and create the impression that the business fails to understand its mistakes. “An organization is more likely to survive a crisis with its reputation intact if it immediately speaks for itself rather than allowing others to speculate about its motives and behavior,” Crain’s wrote.
  • They reinforced stereotypes. The Peloton ad would have worked if it had showed the woman gifting her husband, not the other way around. Why not run these ideas by impartial third parties who can identify the land mines? Hire a couple of journalists to poke holes at your message.
  • The companies waffled in response. Hallmark first pulled then reinstated its bridal TV spot. The ad was bold and progressive. Why not stand your ground instead of yielding to criticism that you know is coming?
  • Don’t be Facebook. We have beaten up repeatedly on the social network over the past year (#117 on alternatives  and #102 on how to fix some of their most egregious flaws).  Crain’s gives Facebook a dishonorable mention for stating that it won’t vet political campaigns ads.

You can listen to our podcast here:

A field guide to Iran’s hacking groups

Iran has been in the news alot lately. And there have been some excellent analyses of the various hacking groups that are sponsored by the Iranian state government. Most of us know that Iran has hacked numerous businesses over the years, including numerous banks, the Bowman Dam in New York in 2013, the Las Vegas Sands hotel in 2014, various universities and government agencies and even UNICEF. When you review all the data, you begin to see the extent of its activities. It is hard to keep all the group names distinct, what with names like Static Kitten, Charming Kitten, Clever Kitten and Flying Kitten. (This summary from Security Boulevard is a good place to start and has links to all the various felines.) Check Point has found 35 different weekly victims, and their latest analysis shows that 17% of them are Americans. Half of the overall targets are government agencies and financial companies.

To get a more detailed analysis of the various groups, Cyberint Research has published this 30-page document that describes the tactics, techniques and procedures used by ten such groups, matching them to the MITRE ATT&CK threat and group IDs. The group IDs are useful because different security researchers use different descriptive names (the Kitten ones come from CrowdStrike, for example).

What comes out of reading this document is pretty depressing, because the scale of Iran’s efforts is enormous. They are a very determined adversary, and they have taken aim at just about everyone over the past decade. Part of the problem is that there are many private hackers who are taking credit for some of the attacks, such as the recent defacement of the Federal Depository Library Program, although “hacker culture in Iran is gradually being forced into submission by the regime through increasingly controlled infrastructure and internet laws, and recruitment to state-sponsored cyber warfare groups,” according to a report from Intsights.

And a recent news report in the Jerusalem Post says that Iranian hacking is getting increasingly more sophisticated and broadening their targets  The story cites two former Israeli government cyber agents that claim Iran is now using Chinese hacking tools in their attacks, which can be useful if Iran wants to confuse the attack origins. According to these sources, Israel gets more than 8M daily total cyber attacks.

To add insult to injury, other attackers are leveraging these threats by using them as a phishing lure, sending a message that pretends to be from Microsoft and asking you to login with your credentials. (A word to the wise: don’t.)

The US National Cyber Awareness System through CERT issued this alert last week. They recommend that you have your incident response plan in order and have the key roles delineated and rehearsed so you can stem any potential losses. Lotem Finkelstein, head of Check Point’s cyber intelligence group, agrees: “You should ensure that MFA is enabled and you brush up your incident response plans.“ Other suggestions from CERT include limiting PowerShell usage and log its activities, make sure everything is up to date on patches, and ensure that your network monitoring is doing its job.

Digital Shadows, a security consultancy, also has plenty of other practical suggestions in this blog post for improving your infosec. They recommend being able to keep lines of communication open and help your management understand the implications and risks involved. You should also have a plan for potential DDOS attacks and work through at least a tabletop exercise if not a complete fire drill to see where you are weakest.

Iran is a formidable foe. If they haven’t been on your radar before now, take a moment to review some of these documents and understand what you are up against.

Review of Thales’ SafeNet Trusted Access

Thales SafeNetTrusted Access (STA) offers a compelling blend of security solutions that bridge the MFA, SSO and access management worlds in a single, well-integrated package. STA does this by offering policy-based access controls and SSO with very strong authentication features. These policies are flexible and powerful enough that you can address a broad range of access scenarios.

Because STA covers multiple security workflows, there are several places that it can fit into your overall data protection needs. Part of your own motivation for using this product will depend on the particular direction that you are coming from. What you need STA to do will depend on what you have already purchased and where your existing security tools are weakest.

If you presently use another SSO tool, or if you aren’t happy with your existing identity management product, you might examine whether they can support or integrate with STA and use it as your principal identity provider. This will give you greater automation scope and move towards better MFA coverage for your consolidated logins.

If delivering MFA is your primary focus for purchasing a new identity product, STA should be on your short list of vendors. If you are rolling out MFA protection as part of a larger effort to secure your users and logins, then things get more interesting and the case for using STA becomes more compelling. For example, it can handle a variety of application authentication situations and be granular enough to deploy these methods for particular user collections and circumstances. Many older IAM products bolted-on their MFA methods with cumbersome or quirky integration methods or required you to purchase separate add-on products for these features. STA has had this flexibility built-in from the get-go and has a well-integrated MFA set of solutions.

If you presently use another vendor’s authentication app or have a collection of hardware tokens that you are trying to migration away from, you might want to examine whether STA’s MobilePass+ offers improvements to the user workflows that could increase MFA coverage across your application portfolio.

Thales SafeNetTrusted Access is available at this link. Pricing starts at $3.50 /user/month, which includes access management, SSO, authentication tokens and services support. A premium subscription which adds PKI MFA support is also available.

You can read my full report here. And here is my screencast video that points out the major product features:

 

Medium One-Zero: How to Totally Secure Your Smartphone

The more we use our smartphones, the more we open ourselves up to the possibility that the data stored on them will be hacked. The bad guys are getting better and better at finding ways into our phones through a combination of subtle malware and exploits. I review some of the more recent news stories about cell phone security, which should be enough to worry even the least paranoid among us. Then I describe the loss of privacy and the how hackers can gain access to our accounts through these exploits. Finally, I provide a few practical suggestions on how you can be more vigilant and increase your infosec posture. You can read the article on Medium’s OneZero site.

How theme park technologies have helped museums: a case study of the new St. Louis Aquarium

I am a big patron of museums. I go to many of them and try to fit in a visit whenever I am out of town. But what I have seen lately is how they have begun to use the same technologies that entertainment companies have been perfecting for movies and theme park rides, all in the interest of capturing more visitors and increasing visitor engagement. I think this a positive development, and this blog explains its evolution and why it is welcomed.

I have written about this trend before: once for the NY Times when I visited the Lincoln museum in Springfield Ill. back in 2008, and once for HPE’s blog posted two years ago. In those posts, I talk about how the best museum designers combine exhibits involving non-visual senses (not just reading some text plastered on the wall) and using technologies such as RFID and touchscreens to personalize the visit. (I’ll talk about these in a moment.)

You might call this when museums become theme parks. And while this isn’t quite as dire as this might sound, it does show how hard museums have to work to gain notice in this Snapchat world where attentions can shift in a matter of seconds. It also shows how the technology developed for the theme parks (including higher-definition video, complex theatrical control systems and the like) can be deployed in ways to improve learning and make the visits more memorable. These technologies can also help those of us that want to learn more and take a deeper dive into what is being shown in the museum.

I got a preview of the latest example with a new aquarium here in St. Louis that will open next week. The aquarium is part of a major redevelopment of our Union Station, a building that hasn’t seen any scheduled passenger service for many decades and is more than 100 years old. When I moved here more than ten years ago, the building contained a shop-worn mall that had lost its luster. Then a few years ago it began to be redeveloped by its current owner, Lodging Hospitality Management (LHM). That company continued its adaptive reuse with various entertainment improvements: besides the aquarium, there is a Ferris Wheel, new restaurants and an indoor ropes course.

But just saying we have a new aquarium isn’t really doing the place justice. It is probably the most technologically advanced aquarium that I have seen. Its use of technology is done so elegantly that you may not really notice it as you drag your brood through the place, looking at the tanks and the sea life. A preview of what you can see in its tanks is linked here. (There is also this story on a local TV station here.) Let’s stop in and see what is going on.

First is using the latest high-def video in interesting ways. When you first enter the complex, you are in a soaring grand lobby that appears to be sitting at the bottom of a tank, as waves of water wash over you. The wall you are facing has loads of gears and a huge analog clock face, which plays off on that you are located inside a former train station. You then realize that you are looking at various video screens, and some very nice ones at that. The screens are delivering twice 4k resolution. That grabbed my attention. According to Andrew Schumacher, the main architectural designer at PGAV Destinations that lead the project, they spec’ed out the lobby ceiling with projection video three years ago when they first began. “But then LED technology became a better solution, so we made that change.” It is certainly stunning.

PGAV Destinations is based in St. Louis and has been designing various attractions for more than 50 years. They have created exhibits for the Atlanta Aquarium, including building a new shark tank for them. They were excited about creating an entire aquarium from scratch, and were challenged by LHM to incorporate technology in interesting pedagogical ways that combined both “high tech and high touch,” according to Schumacher. I think they have succeeded quite well. When you think about their design challenge, they have to meet three different goals:

  • First, the animal or fish has to be comfortable in its habitat.
  • Second, the keepers have to be able to do their jobs, feed the critters, and maintain the tanks.
  • Finally, the guests have to have something interesting to see.

Balancing these three goals isn’t easy, and given that each animal is unique and that the aquarium has more than 13,000 different “residents,” that adds to the complexity. And the trick is making sure that in the future we still have all of these residents alive and well.

But it isn’t just having tech for tech’s sake. The designers wanted to “bring the visitor into the story, something we learned from Disney and other theme parks,” said Ben Davis, the CTO of MoonDog Animation Studio in Charleston SC. This means you have to craft a compelling story from the moment you purchase your ticket to when you inevitably exit through the gift shop. I think they have succeeded. MoonDog designed the stories that are used throughout the aquarium, something they have done for other cultural institutions. “We were trying to get the aquarium to talk back to you, to bring you an emotional experience and keep you in a state of awe,” he told me. I agree completely. This isn’t your grandfather’s fish tank.

Once we leave the lobby, we then move into what appears to be a mockup of a train car. Instead of the windows on the sides and ceiling of the car, you have additional video screens that take you on the start of your journey to the wonders of the rivers and oceans around you. Once you exit the train car, there are six different major galleries to explore that are defined by various ecosystems, including one that covers the nearby confluence of the Missouri and Mississippi Rivers.

Smart Monkey’s ISAAC show control system runs the screens in this and other areas at the aquarium. You can see this company’s work to operate the media installations such as at the Bradley LAX international terminal (shown here) and at numerous museums around the world, including the Shedd Aquarium in Chicago, the US Mint in Philadelphia, and exhibits at the Kennedy Space Center. This makes it easy to coordinate and operate all the various digital media and to program some very sophisticated special effects.

The ISAAC system at the aquarium is running seven VMs and contains all the digital media assets for the place, along with housing a scheduling system and various databases and workspaces. The key, as explained to me by their director of technology Mitch Schuh, is to enable the graphic and exhibit designers to have tools to make it easier to realize their vision, without having to worry about the underlying networks, servers and other infrastructure. The system also has an active-active failover, in case one system goes down. All of this can be managed remotely via a web portal too, so the aquarium systems can be operated anywhere in the world. “I can think of several cases during the construction of the exhibits where we were able to make quick decisions and adjust show runtimes and make other changes on the fly,” said Schuh. “These would have taken a lot more time and effort without Isaac.”

Besides all the HD TVs, there are also touchscreen kiosks. They are popping up at many museums. The aquarium has them sprinkled throughout its galleries, and they are set in an attractive steampunk-like setup. Why steampunk? This is because the designers wanted to evoke what early 1900s-era train travel was like, paying homage to the early days of the station. These screens can provide a simulated 3D display of the sea life you are looking at, along with a map showing you where you are located and other data such as diet and habitat that can help amplify your visit and provide more context about what you are seeing in the tanks. They are also used to support a personalized game designed for kids visiting the museum. (More on that in a moment.)

Second is its use of music and sound and lighting effects. In my walkthrough I met Michael Gleason, the head composer, who told me that he had written more than 75 minutes of music that will play in different galleries and for different situations. That is more than many feature films have and is indicative of the sensory experience they are aiming towards. But it isn’t just the sound effects, but its combination with theatrical lighting too. I first saw this in the Lincoln museum, but the lighting is used in our aquarium in more clever ways to amplify the music you are hearing and what is swimming in the tanks in front of you. These digital assets are part of what the Isaac show control systems are managing.

Next is animation along with virtual/augmented reality. One of the exhibits is the three otters that live there, and of course they are named Thatcher, Sawyer and Finn. There is another animated one called Tommy that you can interact with is manipulated via computers. This was created by the folks at Groove Jones.  Tommy is next to the same gallery where you can see the real ones swimming around. The human operator has cameras to judge the audience response and answer their live questions. Like the Wizard of Oz, the operator is manipulating the controls in a hidden booth. There is also a sandbar touch tank that has a layer of projected video on it, making it more enticing and interactive for the visitors. The goal here is to engage the visitor and have them literally get their hands wet exploring the life aquatic.

Personalization is also a big plus. When I visited the Chopin museum in Warsaw, we got a RFID tag that would allow us to hear the content in our language of choice, along with further personalization depending on our age and musical sophistication. Museums are getting smarter about making these visits more personal. A good example of this can be found at Atlanta’s College Football Hall of Fame. When you purchase your ticket, you get a lanyard with an RFID chip that is set to a particular team and player. As you move around the museum, you see statistics that are filtered which are relevant to that player. At the aquarium, children get RFID cards that are age-matched and allow them to participate in a scavenger hunt and knowledge quizzes with results that get posted to their profiles.

Sometimes the personalization doesn’t have to be too high-tech: if you visit one of the Titanic Museums in either Branson or Vegas you will be given a random paper “passport” to allow you to assume the identity of one of the passengers. You get to find out where that passenger lived aboard the ship and whether they survived the accident.

We have come a long way since museums started using AcoustiGuide technology to play recordings of their curators explain their collections to us. MoonDog’s Davis sees one way to make this tech more location-sensitive, to further increase personalization and as a way that it could be driven by an ISAAC or other show-control system. He sees that movie producers and museum curators are converging, so that visitors can create their own stories with their visits.

There is a fine line between putting so much sensory information in a museum that it can overwhelm and defeat its purpose of improving the visitor’s experience. You do want to leave time for visitors to think about what they are seeing and hearing and feeling. While I am excited to see these other, non-visual, elements appear, I do understand that you need to integrate them carefully and ensure that you aren’t becoming a theme park version of the museum. I welcome your own thoughts about this. Please share other examples of museums or places that you have been that have resonated with you in the comments.

How tech can help eldercare quality of life

If you are supporting an elderly member of your family, you might be interested in a collection of home tech devices that can help extend their ability to live more independently. We all need help as we get older, and I write this column based on the experience of my family and caring for my 95 year-old mother-in-law.

She has been living independently for the past 18 months using these three technologies:

  • Hero automated pill dispenser (It now costs at least $30 per month with a $100 initial purchase and 12-month commitment. There are other plans that cost more and provide additional monitoring and support.)
  • BlipCare BP blood pressure monitor (We bought it on Amazon for $159, although it currently is no longer being sold there.)
  • And an Amazon Alexa Show 5 ($89) or 8 (for $129) (These are list prices and are discounted heavily for various promotions.)

The three devices allow us to ensure we can reliably dispense her meds, take her blood pressure, and talk to her when we aren’t able to visit. I’ll explain the limitations and decisions behind each piece of technology. When we brought all this gear into the facility, the medical staff was impressed and also unfamiliar with each of them, which motivated my purpose in writing this column. Note that my mother-in-law lives independently in an eldercare facility, although step-up care is available in other parts of her building. This is a common arrangement.

Each device works with its own smartphone app to setup, but not to use: that is an important distinction as my mother-in-law doesn’t have a smartphone. They also all require decent Wifi service in her room, which could be an issue in some facilities. (This means that you should test the signal strength in your family member’s room ahead of time.) All three units sit nestled together on her desk, which is also important, and I will get to why in a moment.

The Alexa Show is a voice-activated home hub device, similar to what Google and Apple sell with one difference: it has a very simple video conferencing setup. The video screen (either five or eight inches on the diagonal) is critical, because it allows us to “drop in” on her and have a video chat, see what she is doing. This is critical during the pill-taking and blood pressure processes, which is why all three devices are near each other on her desk, and also used to contact her in case we can’t reach her on her cell phone. And it helps that the Alexa show is very simple to use. You do need a smartphone app to make the call. A second benefit of the Alexa-brand of devices is that they have a better event notification process. That is useful for verbal reminders of daily events. Other home hubs, such as from Apple or Google, aren’t as convenient or as capable in this regard.  (Also, Facebook has its Portal, but I haven’t tried it out yet.) BTW, we have had mixed success with her giving Alexa voice commands. You might want to try out one of these devices in your own home with your elderly family member and see how it goes.

The Blipcare device is a bit quirky to setup. It uses its own web server and has alarmingly lax security, but what is nice is that you don’t need anything else to record her blood pressure once you get it working. Results are automatically posted within a few minutes to a special dashboard webpage that family members can check periodically and also share with doctors. If you have two family members to care for, it can track their stats separately.

Finally, the Hero device is used to dispense her pills. It needs to be periodically loaded with them, of course, but it is basically very simple to use: my mother-in-law just presses a button, and the pills drop down into a cup, similar to how a soda machine dispenses its product.  You set up a schedule and which pills get dispensed when.

The notion of having these three devices is to postpone having nursing care or other options for my mother-in-law. While these devices aren’t cheap, using them for several months can have a big payback given what the step-up nursing care charges would be. And they also offer a sense of security for our family. While for our situation the devices involve us in her care, your own family situation might not make this possible or desirable. And like any home tech, you have to be prepared to do some tech support to handle problems.

BTW, I have been using a different device to monitor my own blood pressure, the Qardio Arm ($99). It requires a bluetooth connection to a smartphone to post its results and is somewhat difficult for an elderly person to put over their arm and get it aligned in just the right spot for accurate measurements. I have been using one for many years. And although have had to replace two of the devices, the company quite willingly sent me these replacements at no charge.

Feel free to share your own eldercare tech solutions here.

RSA blog: Why you need a chief trust officer

Lately it seems like trust is in short supply with tech-oriented businesses. It certainly doesn’t help that there have been a recent series of major breaches among security tech vendors. And the discussions about various social networks accepting political advertising haven’t exactly helped matters either. We could be witnessing a crisis of confidence in our industry, and CISOs may be forced to join the front lines of this fight.

One way to get ahead of the issue might be to anoint a Chief Trust Officer. The genesis of the title is to recognize that the role of the CISO is evolving. Corporations need a manager focused less on talking about technical threats and more about engendering trust in the business’ systems. The CTrO, as it is abbreviated, should assure stakeholders that they have the right set of tools and systems in place.

This isn’t exactly a new idea: Tom Patterson (seen here) and Bob West were appointed in that position at Unisys and CipherCloud respectively more than five years ago, and Bill Burns had held his position at Informatica for more than three years. Burns was originally their CISO and given the job to increase transparency and improve overall security and communications. Still, the title hasn’t exactly caught on: contemporary searches on job boards such as Glassdoor and Indeed find few open positions advertised. Perhaps finding a CTrO is more of an internal promotion than hiring from outside the organization. It is interesting that all the instances cited above are from the tech universe. Does that say we in IT are quicker to recognize the problem, or just that we have given it lip service?

Tom Patterson echoes a phrase that was often used by Ronald Reagan: “trust but verify.” It is a good maxim for any CTrO to keep in mind.

I spoke to Drummond Reed, who has been for three years now an actual CTrO for the security startup Evernym. “We choose that title very consciously because many companies already have Chief Security Officers, Chief Identity Officers and Chief Privacy Officers.” But at the core of all three titles is “to build and support trust. For a company like ours, which is in the business of helping businesses and individuals achieve trust through self-sovereign identity and verifiable digital credentials, it made sense to consolidate them all into a Chief Trust Officer.”

Speaking to my comment about paying lip service, Reed makes an important point: the title can’t be just an empty promise, but needs to carry some actual authority, and must be at a level that can rise above just another technology manager. The CTrO needs to understand the nature of the business and legal rules and policies that a company will follow to achieve trust with its customers, partners, employees, and other stakeholders. It is more about “elevating the importance of identity, security, and privacy within the context of an enterprise whose business really depends on trust,” advises Reed.

Trust is something that RSA’s President Rohit Ghai speaks about often. Corporations should “enable trust; not eradicate threats. Enable digital wellness; not eradicate digital illness.” I think this is also a good thing for CTrO’s to keep in mind as they go about their daily work lives. Ghai talks about trust as the inverse of risk: “we can enhance trust by delivering value and reducing risk,” and by that he means not just managing new digital risks, but all kinds of risks.

In addition to hiring a CTrO, perhaps it is time we also focus more on enabling and promoting trust. For that I have a suggestion: let’s start treating digital trust as a non-renewable resource. Just like the energy conservationists promote moving to more renewable energy sources, we have to do the same with promoting better trust-maintaining technologies. These include better authentication, better red team defensive strategies, and better network governance. You have seen me write about these topics in other columns over the past couple of years, but perhaps they are more compelling in this context.

Lessons tech startups can learn from the history of 3Com

Many tech startups of today just assume that the Internet is ubiquitous, that bandwidth is plentiful, and that everyone can connect anywhere and at anytime. Well, that wasn’t always the case, and back in the day when I was a young IT professional, we didn’t have the Internet. We didn’t have Wifi. And we just barely had PCs on our desks.

Then a company by the name of 3Com came into the picture, and our world changed. Never heard of them? They were the early innovator of Ethernet computer networking, and back then you had to use wires to connect computers together and special circuit boards that had to be installed inside a computer, not to mention special software to run it all. Those early networks required skills to get all of this setup properly. 3Com figured this all out, and the company existed for 40 years before eventually its assets were sold to HP for $2.7B a few years ago. They had a good run for the first ten years of their corporate life until they started making major mistakes in the middle 1990s.

If you are involved in a tech startup, there are lots of business books that you can read. But Jeff Chase’s 3Com chronicle will be one that can help guide you. He takes us through their founding, their success, their collapse, and their eventual end with a lot of insider information, which isn’t surprising given that he worked in their corporate audit department for nearly a decade. What is also important is how he describes the many lessons to be learned from this history of the company, how it took advantage of the early networking technologies and then squandered this lead.

First, let’s look at their major successes:

  1. A key recipe for any business’ success is whether or not teams have an emotional commitment towards their managers. This is something that 3Com had in spades and was noted for its staff loyalty. One reason for this is the company had a very open and transparent culture, sharing weekly results at all-hands meetings every Friday, even numbers that were generally only known by top executives. Contrast this with many tech companies that are very secretive today.
  2. Understand your go-to-market and channel strategy. One 3COM CEO, Bill Krause, put it this way: “All our VCs thoughts that if you were going to sell networks it had to be done through their IT departments. We were determined to sell our products through computer stores because they were easy to install and use. That turned out to be successful.” That was an understatement. Back in those early days, this was ground-breaking.
  3. 3Com didn’t only develop and commercialize Ethernet products, but it also developed new distribution methods and innovative manufacturing processes to make these products. It kept up – for a time – in advances in network speeds and contributed to the open standards that made Ethernet the only networking technology to survive to the present day.
  4. They understood innovation, at least for their first decade. They had the patience to trust their instincts and initially took the right bets to stay ahead on Ethernet innovation, with the caveats mentioned below. They also understood that they had had sticky products that were put together well, and drove loyalty in their existing customer base.
  5. 3Com was one of the first companies to go global in a meaningful way, hiring offshore R&D talent and focusing on partnerships with Chinese companies long before either of these became fashionable. They coined a term for the later, “China Out,” which enabled them to enter the Chinese market, license their technology to a leading Chinese networking company, and re-energize the company in its later years. How this happened is worth reading these chapters alone.

But here are their major blunders:

  1. 3Com blew a major decision to upgrade to Fast Ethernet and gave away that market to Cisco. The two companies had big differences in their focus on sales, marketing and engineering. 3Com failed in the Fast Ethernet market, was late to recognize its role and never recaptured its lead as an innovator that it had with its early Ethernet products. Part of the problem here was that they focused on their most profitable products, ignoring potential game-changing disruptive new technologies. But part is that they rested on their laurels with their Ethernet business and stopped innovating, losing ground to others.
  2. They didn’t carefully plan their acquisitions. Early on, 3Com had a few successful acquisitions based on complementary strategies and product lines. But then in the middle 1990s they blew it with the US Robotics/Palm purchase. 3Com bought the modem company for $7.3B, eventually spinning off the Palm subsidiary for an IPO that generated $1B in cash profits. But 3Com was never the same after this acquisition, and it led towards their eventual downfall.
  3. It lost its vision, misunderstanding its customers and what their priorities were. They became tactical, not strategic. They forgot about their customers which were the major banks and largest enterprises in the world, and what they purchased and how they bought their equipment. In essence, they basically exited the large enterprise market in 2000 and could only recapture this in later years with great difficulty.
  4. They had a strong CTO (Paul Sherer) but when he left the position wasn’t filled. In the book there is this delightful story about how Sherer had to come in over one weekend after he resigned and help fix a bug that no one else could quash after weeks of work.

Spend some time learning from the successes and failures of 3Com if you are working for a tech startup. You will find them instructive, and Chase’s book a worthwhile read.