Social media and charitable giving: my own philosophy

It seems as if my email and social media feeds have been filled with fundraising requests ever since Thanksgiving. As these requests pile up, I have been thinking about my own charitable giving policies and how they have evolved over the years.

The spread of social media has provided a ready-made pathway for asking our “friends” for money — and for them to return the favor. Back in the day when MySpace was the main social network, fundraising was conducted by individual emails or even letters in the mail. Now, thanks to Facebook (and other sites such as Causes and GoFundMe) it is very easy to set up your own personal campaign and you too can be asking your friends for money. In one way, that is progress: we should encourage more philanthropy and provide help to others when we can.

But the proliferation of sites has raised problems for us all: To which cause do we contribute? How can we be sure that a personal appeal in a GoFundMe campaign is legitimate? What do we really know about the causes we are being asked to support?

I confess that this tsunami of appeals causes me internal conflict. I want to be a good person, but my resources of money and time to sort out many requests are both limited.


I asked two of my friends how they sort out these person-to-person (p2p) requests they receive:

  • Sarah, a non-profit CEO, told me “If the request doesn’t really speak to me, or I feel like it isn’t really an urgent need, I pass it over. If I see it as making a difference, I usually try to support it in some way.  I typically make my decisions based on how well I know the person, or the specific need for the campaign. If it directly helps someone who has experienced a crisis or has a critical need, I am more inclined to give and at a more significant level.”
  • Kitty, a development director, contributed to her high school friend’s medical bills as he was dying of cancer. “I did this so his wife, whom I’ve never met, wouldn’t be burdened with these bills after he was gone.” She told me that she was generous with her donation because of the personal connection, even though the connection was established long ago.

For myself, I draw on my upbringing. When I was a teen, I learned about the Talmudic sage Maimonides and his concept about having eight different levels of charity. The highest levels have to do with what I will call double-blind giving: you don’t know the beneficiary, and they don’t know you are the specific donor. The modern style of p2p giving would be very far down Maimonides’ list.

For many years, my own charitable giving has tried to adhere to the Maimonides model. Almost 20 years ago, I decided to get involved in raising funds for curing various diseases: Juvenile Diabetes, AIDS, cancer, and Multiple Sclerosis. I knew friends and family members who suffered from them and that connection caused me to want to help. I ended up doing an annual bike or walkathon and using my contacts – namely those of you who are reading these missives – to raise money. And thanks to you, for many years I have often been very successful in providing meaningful support for these causes.

Then in 2002, I broke my shoulder training for a ride a month before an event. When I called the organizers, they told me to come to Death Valley (where the event was taking place) anyway: they wanted me to participate, even though I wasn’t going to be able to ride. I was glad I did, because my now wife Shirley (shown here at the JDRF finish line) was also a volunteer for the event, and that is where we met.

I was deeply moved that when I told the people who had made pledges to support the ride that I was not able to participate, virtually everyone said that their support was for the cause, not my individual participation, and they wanted to make the contribution in spite of my injury. That is truly the spirit of philanthropy that inspires me and that inspires you as well.

I asked several of my readers for their reactions to an early draft of this column. “An explanation of why and what you are riding helps me in my decision to give you funds,” said one. “I grew up in a time when asking for a donation was an in-person activity,” said another. “Nowadays, we have no sense of community. Instead, these p2p donations have become nothing more than feel-good tax deduction trading.” Another supporter said she gives to my causes because I am doing something (the ride or the walk) in addition to “the ask.” One reader said he is suffering from “donation fatigue,” even though he tries to give up to 10% of his income every month to various causes. And another wonders when this public begging became so acceptable; she thinks we are taking a step backwards.

So, with that background, I will continue asking from time to time where I believe in the cause. I will happily consider requests where a broad-based benefit is the object of the giving. Together, each of us choosing our own causes, we can make a real difference.

You are welcome to share your own charitable giving philosophies with me or my readers.

FIR B2B podcast #112: What it means to be true to your brand

Welcome to the new year and we hope you all have had a nice holiday break. In today’s episode, Paul Gillin and I talk about what it means to be true to your brand and why marketing managers need to pay more attention than ever to branding in an age in which customers increasingly control the message.

What makes a brand? First off is understanding what your core values are and what lies at the heart of your business. This post for B2B Marketing tells how Burberry, the British clothing maker, literally torched its merchandise in an effort to sustain its premium pricing, a move that turned out to be a major faux pas. Other prominent examples of companies whose bad actions have undermined their brand are Uber and Facebook.

Will brands without social purpose thrive? A new survey finds that two-thirds of consumers expect companies to create products and services that “take a stand” on issues that they also feel passionate about. A great case study can be found in, of all places, a new British bank called Monzo. It’s trying a new approach to gain customers: raise funds via crowdfunding, open its API, run meetups and hackathons and become more transparent about trying to attract millennials as its customers. Regardless of whether it’s successful, you have to give Monzo credit for originality.

Finally, we offer up a few suggestions on how you can stay true to your brand using storytelling and social media techniques. You can listen to our podcast here:

CSOonline: How to secure your WordPress site

If you run a WordPress blog, you need to get serious about keeping it as secure as possible. WordPress is a very attractive target for hackers for several reasons that I’ll get to in a moment. To help you, I have put together my recommendations for the best ways to secure your site, and many of them won’t cost you much beyond your time to configure them properly. My concern for WordPress security isn’t general paranoia; my own website has been attacked on numerous occasions, including a series of DDoS attacks on Christmas day. I describe how to deploy various tools such as WordFence, shown below, and you can read more on CSOonline.

Helm Email Server: secure and stylish, but has issues

I had an opportunity to test drive the Helm personal email server over the past couple of months. I give them an A for effort, and a C+ for execution. It is a smallish pyramid that can be used to self-host your own email domain.

It has some great ideas and tries hard to be a secure email server that is easy to set up. And its packaging and reviewer’s guide is a design delight, as you can see from the photo below. But it has a few major drawbacks, especially for users that want to do more than protect their email correspondence.

If you want to read a more thorough test, check out Lee Hutchinson’s Ars review here. While I didn’t test it as thoroughly or write about it as much as he did, I did try it out in two different modes: first, as a server on a test account that Helm reserved for me. Then I reset the unit and tried it to serve up email on one of my existing domains. I will get to an issue with that latter configuration in a moment.

My biggest issue is its lack of support for webmail clients. I understand why this was done, but I still don’t like it. I have been using webmail exclusively for my desktop and laptop email usage for more than 10 years, and only use the iPhone Mail app when I am on the phone. Certainly, that leaves me open for exposure, man-in-the-middle, etc. But I am not sure I am willing to give up that flexibility for better security, which is really at the center of the debate.

Brian Krebs blogged that users can pick two of security, privacy and convenience, but only two. That is the rub.

If you are concerned about privacy first and foremost, you are likely to want to use encryption on all of your emails. That is probably for very few folks. Even with zero-trust encryption, this isn’t easy. Helm doesn’t support any encryption such as PGP, so this audience is off the table.

If you are concerned with convenience, you are probably going to stick with webmailers for the time being. So this audience is off the table too.

If you are concerned with security first, maybe you will consider Helm. But it is a big maybe. If you already use a corporate email server and your company has hundreds of mailboxes, I don’t think any IT manager is going to want to have a tiny box like Helm at the center of their email infrastructure. And if you are an SMB that has < 100 mailboxes, perhaps you might move from GSuite or O365, but it will take some work. Certainly, the pricing tipping point is around a dozen mailboxes, depending on the various options that you choose for these SaaS emailers.

Hutchinson’s piece in Ars says, “Helm aims to give you the best of both worlds—the assurance of having a device filled with sensitive information physically under your control, but with almost all of the heavy sysadmin lifting done for you. If you’re looking to kick Google or Microsoft to the curb and claw back control of your email, this is in my opinion the best and easiest way to do it.” I would agree with him.

However, the issue for this last group isn’t the email, but the other things that depend on email that they already use seamlessly: calendars, contacts, and email notifications. Setting up calendars and contacts will take some careful study before you actually configure them. This is because you have to read and understand the web-based support portal pages so that you know what the steps are before you do the configuration. I ended up creating several device profiles before I got all this together, because I couldn’t access the existing details to set up the servers etc. (I understand why you are doing this, but still, calling them “device profiles” is confusing.) And then I still had issues with getting things set up for my calendar and contacts. The pretty reviewer’s guide really falls down in this area.

One plus for the security audience is that it supports DMARC/SPF/DKIM with no extra effort. (See the screenshot below.) They don’t make a big deal of this, other than a brief nod to it in the support pages here. My report from mail-tester can be found here, showing that this was implemented correctly.

Another sticking point for me is the use of the smartphone app for configuration and reporting. I have had problems with other consumer-grade products that do this – such as most smart home devices, the Bitdefender Box (I did an early review of this for Tom’s Hardware but haven’t looked at it for a while since then), and some SMB router/firewalls. The problem is that your screen real estate is very limited, forcing you to make some bad UI tradeoffs. For example, a notification alert comes up on my phone during certain times.

One issue that Hutchinson also had is that if you use Helm to serve up your own domain, it needs to take control over your domain’s DNS settings. You can use its smartphone app to add your own custom DNS records, but it isn’t as flexible as say the average ISP DNS web-based management screens. Speaking of DNS, Helm doesn’t support DNSSEC because of the way it moves your email traffic through its AWS infrastructure.

Finally, the backup process didn’t work for my pre-configured unit and I never got a successful backup, even after initiating several of them. It worked fine for my hosted domain. There is no phone message notification of either success or failure: you have to check the app, which also seems like a major omission.

If you aren’t happy with the security implications of Microsoft/Googleplex owning your messages and are a small business that doesn’t use much webmail, then Helm should be a great solution. It costs $500 initially, with $100 annually for a support contract.


Both real and fake Facebook privacy news

I hope you all had a nice break for the holidays and you are back at work refreshed and ready to go. Certainly, last year hasn’t been the best for Facebook and its disregard for its users’ privacy. But a post that I have lately seen come across my social news feed is blaming them for something that isn’t possible. In other words, it is a hoax. The message goes something like this:

Deadline tomorrow! Everything you’ve ever posted becomes public from tomorrow. Even messages that have been deleted or the photos not allowed. Channel 13 News talked about the change in Facebook’s privacy policy….

Snopes describes this phony alert here. They say it has been going on for years. And it has gained new life, particularly as the issues surrounding Facebook privacy abuses have increased. So if you see this message from one of your Facebook friends, tell them it is a hoax and nip this in the bud now. You’re welcome.

The phony privacy message could have been motivated by the fact that many of you are contemplating leaving or at least going dark on your social media accounts. Last month saw the departure of several well known thought leaders from the social network, such as Walt Mossberg. I am sure more will follow. As I wrote about this topic last year, I suggested that at the very minimum if you are concerned about your privacy you should at least delete the Facebook Messenger app from your phone and just use the web version.

But even if you leave the premises, it may not be enough to completely cleanse yourself of anything Facebook. This is because of a new research report from Privacy International that is sadly very true. The issue has to do with third-party apps that are constructed from Facebook’s Business Tools. And right now, it seems only Android apps are at issue.

The problem has to do with the APIs that are part of these tools, and how they are used by developers. One of the interfaces specifies a unique user ID value that is assigned to a particular phone or tablet. That ID comes from Google, and is used to track what kind of ads are served up to your phone. This ID is very useful, because it means that different Android apps that are using these Facebook tools all reference the same number. What does this mean for you? Unfortunately, it isn’t good news.

The PI report looked at several different apps, including Dropbox, Shazam, TripAdvisor, Yelp and several others.

If you run multiple apps that have been developed with these Facebook tools, with the right amount of scrutiny your habits can be tracked and it is possible that you could be un-anonymized and identified by the apps you have installed on your phone. That is bad enough, but the PI researchers also found out four additional disturbing things to make matters worse:

First, the tracking ID is created whether you have a Facebook account or not. So even if you have gone full Mossberg and deleted everything, you will still be tracked by Facebook’s computers. It also is created whether or not your phone is logged into your Facebook account (or using other Facebook-owned products, such as WhatsApp).

Second, the tracking ID is created regardless of what you have specified in your privacy settings for each of the third-party apps. The researchers found that the default setting by the Facebook developers for these apps was to automatically transfer data to Facebook whenever a phone’s user opens the app. I say “was” because Facebook added a “delay” feature to comply with the EU’s GDPR. An app developer has to rebuild their app with the latest version of the SDK to employ this feature, however. The PI researchers found that 61% of the apps they tested automatically send data when they are opened.

Third, some of these third-party apps send a great deal of data to Facebook by design. For example, the Kayak flight search and pricing tool collects a great deal of information about your upcoming travels – this is because it is helping you search for the cheapest or most convenient flights. This data could be used to construct the details about your movements, should a stalker or a criminal wish to target you.

When you put together the tracking ID with some of this collected data, you can find out a lot about whom you are and what you are doing. The PI researchers, for example, found this one user who was running the following apps:

  • “Qibla Connect” (a Muslim prayer app),
  • “Period Tracker Clue,”
  • “Indeed” (a job search app), and
  • “My Talking Tom” (a children’s app).

This means the user could be potentially profiled as likely a Muslim mother who is looking for a new job. Thinking about this sends a chill up my spine, as it probably does with you. The PI report says, “Our findings also show how routinely and widely users’ Google ad ID is being shared with third parties like Facebook, making it a useful unique identifier that enables third parties to match and link data about an individual’s behavior.”

Finally, the researchers also found that the opt-out methods don’t do anything; the apps continue to share data with Facebook no matter what you have done in your privacy settings, or if you have explicitly sent any opt-out messages to the app’s creators.

Unfortunately, there are a lot of apps that exhibit this behavior: researchers found that Facebook apps are the second most popular tracker, after Google’s parent company Alphabet, for all free apps on the Google Play Store.

So what should you do if you own an Android device? PI has several suggestions:

  • Reset your advertising ID regularly by going to Settings > Google > Ads > Reset Advertising ID.
  • Go to Settings > Google > Ads > Opt out of personalized advertising to limit the types of ads that leverage your personal data.
  • Make sure you update your apps to keep them current.
  • Regularly review the app permissions on your phone and make sure you haven’t granted them anything you aren’t comfortable with.
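The cross-app linkage described above (several apps reporting the same Google advertising ID, which lets a receiver join their data into one profile such as the prayer/period-tracker/job-search example) and the effect of the “reset your advertising ID” suggestion, shown as an added example that is not part of the original post or the PI report. The event log lines, the log format, the app-name/ID values and the reset model are all constructed for illustration.

```python
"""Why a shared advertising ID links app usage into one profile, and why
resetting it regularly limits that linkage.  Everything here is constructed
for illustration; the line format is invented, not any real SDK's."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample of what a receiving analytics service might log:
# one line per SDK call, with the app, the device's advertising ID and
# the event.  Two devices appear; the first one runs the four apps that
# the PI report used as its profiling example.
SAMPLE_EVENTS = """\
2018-12-01T08:02:11Z app="Qibla Connect" adid=3f1c-aaaa event=app_open
2018-12-01T08:40:53Z app="Period Tracker Clue" adid=3f1c-aaaa event=app_open
2018-12-01T12:15:00Z app="Indeed" adid=3f1c-aaaa event=app_open
2018-12-01T19:30:22Z app="My Talking Tom" adid=3f1c-aaaa event=app_open
2018-12-02T09:00:00Z app="Indeed" adid=3f1c-aaaa event=app_open
2018-12-03T10:00:00Z app="Indeed" adid=9b77-bbbb event=app_open
2018-12-03T10:05:00Z app="My Talking Tom" adid=9b77-bbbb event=app_open
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) app="(?P<app>[^"]+)" adid=(?P<adid>\S+) event=(?P<event>\S+)$'
)


@dataclass(frozen=True)
class Event:
    ts: str     # ISO-8601 UTC in a fixed format, so string order == time order
    app: str
    adid: str   # advertising ID as reported by the app's embedded SDK
    event: str


def parse_events(text: str) -> List[Event]:
    """Parse the constructed log format; reject lines that do not match."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable event line: {line!r}")
        events.append(Event(**m.groupdict()))
    return events


def build_profiles(events: Iterable[Event]) -> Dict[str, List[str]]:
    """Join events on the advertising ID: every app that reported the same
    ID ends up in the same profile, which is exactly the linkage problem."""
    apps = defaultdict(set)
    for e in events:
        apps[e.adid].add(e.app)
    return {adid: sorted(names) for adid, names in apps.items()}


def apply_resets(events: Iterable[Event], adid: str,
                 reset_times: Iterable[str]) -> List[Event]:
    """Model the owner of device `adid` resetting the advertising ID at each
    time in `reset_times`.  A real reset yields an unrelated random ID; the
    '#resetN' suffix is used here only so the reader can see the lineage."""
    resets = sorted(reset_times)
    out = []
    for e in events:
        if e.adid != adid:
            out.append(e)
            continue
        n = sum(1 for r in resets if r <= e.ts)
        new_id = e.adid if n == 0 else f"{e.adid}#reset{n}"
        out.append(Event(e.ts, e.app, new_id, e.event))
    return out


def max_linked_apps(profiles: Dict[str, List[str]]) -> int:
    """Largest number of distinct apps tied to a single ID: a simple measure
    of how much one identifier lets a third party infer about a person."""
    return max((len(a) for a in profiles.values()), default=0)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("without resets:", build_profiles(events))
    # Reset once, at noon on the first day, before the job-search app opens.
    reset = apply_resets(events, "3f1c-aaaa", ["2018-12-01T12:00:00Z"])
    print("with a reset:  ", build_profiles(reset))
```

With the sample data, the first device's four apps collapse into a single profile; after one reset the same usage is split across two unrelated IDs, so no single identifier carries more than two apps.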

Clearly, the real bad news about Facebook is stranger than fiction.

iBoss blog

I wrote for them from 2016-2018. They have removed most of these articles, contact me if you want any copies of them.

  • We still have plenty of network printer attacks (3/18)
  • A tour of current blockchain exploits (2/18)
  • Ten ways to harden WordPress (2/18)
  • The year of vulnerabilities in review (12/17)
  • What is HTTP Strict Transport Security? (12/17)
  • How to cope with malicious PowerShell exploits (10/17)
  • How to secure containers (10/17)
  • Implementing better email authentication systems (10/17)
  • What is WAP billing and how is it being exploited? (9/17)
  • The difference between anonymity and privacy (9/17)
  • What is OAuth and why should I care?  (8/17)
  • The dark side of SSL certificates (8/17)
  • What is the CVE and why is it important (8/17)
  • Why you need to deploy IPv6 (7/17)
  • Three-part series on the new rules of MFA (7/17)
  • What is fileless malware? (6/17)
  • How ransomware is changing the nature of customer service (6/17)
  • WannaCry: Where do we go from here? (5/17)
  • What is a booter and a stressor? (12/16)
  • The challenges and opportunities for managing IoT (12/16)
  • Who are the bug bounty hunters (11/16)
  • How to heighten HIPAA security (10/16)
  • Why grammar counts in decoding phished emails (10/16)
  • How to communicate to your employees after a breach (9/16)
  • 6 Lessons Learned from the US Secret Service on How to Protect Your Enterprise (9/16)
  • Economist paints a dark future for banking industry (8/16)
  • Wireless keyboards vulnerable to hacking (8/16)
  • Hacking Your Network Through Smart Light Bulbs (8/16)
  • Windows 10 Anniversary security features: worth the upgrade (8/16)
  • How to implement the right BYOD program (8/16)
  • The benefits and risks of moving to BYOD (8/16)
  • There is no single magic bullet for IoT protection (7/16)
  • Beware of wearables (7/16)
  • Understanding the keys to writing successful ransomware (7/16)
  • It’s Time to Improve Your Password Collection (6/16)
  • Euro banking cloud misperceptions abound (6/16)
  • Beware of ransomware as a service (6/16)
  • When geolocation goes south (5/16)
  • Turning the tide on polymorphic malware (5/16)
  • How stronger authentication can better secure your cloud (4/16)
  • The Internet-connected printer can be another insider threat (4/16)
  • Beware of malware stealing credentials (4/16)

FIR B2B podcast episode #111: Why marketers should care about privacy invasion

Perhaps the most important B2B marketing story of 2018 is the invasion of our privacy. In our final podcast of the year, Paul Gillin and I talk about how companies have been so cavalier in abusing the data that their customers give them. This invasion has happened through a combination of several circumstances:

  • In the case of Facebook’s failures, the combination of a lack of transparency and an immature and misguided management team.
  • In the case of Google, not being truthful about what its incognito browsing mode is actually doing and how it is doing it. This is from a report from one of Google’s competitors, DuckDuckGo, which found that Chrome personalizes search results even when users aren’t signed in.
  • Abusing smartphone app permissions, as a new study by the New York Times revealed this week. Apps were tracking users’ movements and despite claims that identifying information had been removed, the Times reporters were able to track down a few users and interview them for the story. How they did their research is a fascinating look at how difficult one’s privacy can be to protect today.

Certainly, next year is shaping up to be a watershed moment in resolving these micro-targeting issues and being more parsimonious in how our data privacy is protected. We welcome your thoughts on the matter, along with a few suggestions for marketers to better audit what their developers are doing with respect to privacy. You can listen to our 15 min. episode below. Have happy and healthy holidays and a great new year!

Screencast review: Managing enterprise mobile device security with Zimperium

Zimperium is very useful in finding mobile device risks and fixing security issues across the largest enterprise networks.

It includes phishing detection and has the ability to run on both a variety of different cloud infrastructures as well as on-premises. It has deep on-device detection and a fine-grained collection of access roles. It uses a web-based console that controls protection policies and configuration parameters. Reports can be customized as well for management and compliance purposes. I tested the software in December 2018 on a sample network with both Android and iOS devices of varying vintages and profiles.

Pricing decreases based on volume, starting at $60/year/device.

Keywords: David Strom, web informant, video screencast, mobile device security, mobile device manager, MDM, mobile threat management, Knox security, iOS security

The end of IBM/Lotus Notes

Last week, IBM sold off its Domino/Notes software business unit to HCL. While you probably haven’t heard of them, they are a billion dollar Indian tech conglomerate. Sadly, this represents the end of one era for Notes. It certainly has had a long and significant life span.


“Notes’ longevity is amazing,” says David DeJean, who co-wrote one of the first books about it back in 1991. “What other corporate software product has had that kind of run? Notes’ success started with its chameleon-like ability to go into a company and work the way the company worked. It let companies computerize their operations at their own pace. Other software packages have been the software of “No” where Notes was almost always the software of ‘Sure.’”

I was present at its conception in the late 1980s, when Ray Ozzie had the idea for what was then an unknown software category that was labeled at the time as groupware. It was the first time that a PC software program could be used to connect multiple computers in a meaningful way, and be used to create applications that leveraged the group. DeJean recalled that these apps were at the heart of what made Notes work: “During a crucial moment in the computerization of the enterprise in the 1990s, Notes applications proliferated like rabbits. It was very easy for companies to get into Notes, and very hard to get out.”

When Notes came out, I was working as an editor at PC Week. My colleague Sam Whitmore told me that “it took us a while to get our brains around the idea of its replication feature. Most of us found it redundant to email.” That was its biggest challenge, and well into its middle age Notes’ biggest competitor continued to be ordinary email. Many of my press colleagues carried a long-standing hatred for it. Nevertheless, Whitmore also recalls that “Lotus appreciated how technical we were, that we understood what Ray Ozzie was bringing to the world. Perhaps because of this, Lotus offered PC Week a lot of money to produce a special report on Notes.”

I had first-hand experience using Notes when I worked at CMP in the early 2000s as an editor at VAR Business and also at EETimes. The CMP IT department had written quite a few Notes applications for various editorial and sales tracking purposes, again showing how extensible it could be.

This is something that many of its critics didn’t really understand, both then and now. One of its earliest customers was Price Waterhouse, now PwC. Sheldon Laube was running the IT operation there and made the decision to purchase 10,000 copies of Notes back in 1990. He told me that this “started a transformation at the firm. Notes was truly the first personal computer software product that changed the nature of how people used PCs. Until Notes came along, PCs were personal productivity tools, with the majority of uses being spreadsheets, word processing and presentations. Notes created a social use for personal computers and enabled teams of people, spread across geographies, to communicate, collaborate and share information in a way which was not possible previously. It was the tool that moved PCs and networks onto every desk in every office of PW around the world.”

This is an important point, and one that I didn’t think much about until I started corresponding recently with Laube. If you credit Notes as being the first social software tool, it actually predates Facebook by more than a decade. Even MySpace, which was the largest social network for a few years (and had more traffic than Google too), was created in the early 2000s.

Notes was also ahead of its time in another area. “Notes was a precursor to both the web and social media,” says Laube. “It was all about easily publishing and sharing information in a managed way suited to business use. It is the ease of management and the ability to control information access within Notes securely which allowed its rapid adoption by business.” Laube reminded me that back then, information security was barely recognized as necessary by IT departments.

This isn’t a completely accurate picture, mainly because Notes was focused on the enterprise, not the consumer. Notes “mixed email with databases with insanely secure data replication and custom apps,” said David Gewirtz in his column this week for ZDNet. He was an early advocate of Notes and wrote numerous books and edited many newsletters about its enterprise use. “It was enterprise software before enterprise software was cool.” He wrote about how Notes had elements of Salesforce, Dropbox, Atlassian, Zendesk and ServiceNow — years before any of these products were even invented. Another aspect of Notes that doesn’t get much attention is its integrated group calendars and contacts. Now we take these elements for granted — until they don’t work — and expect them in many communications tools. Back in the early 1990s, this was a rare feature. Scott Mace, who runs the site CalendarSwamp, remembers complaining about how hard shared calendars were back in the late 1990s, and how Notes was an early standout then.

Notes has gone through many transitions in its long life: After IBM acquired it, Big Blue extended the software to Domino, which combined Notes with web services and eventually was used to provide a managed hosting solution as well. Ozzie told me that Notes was in essence an amazingly powerful applications server with captive clients. This differed from the web model, where web clients were free and Netscape and others made money from selling their own application servers. IBM added the web server because they had to: Ozzie said if they hadn’t, Notes would have died quickly in the web era. Instead, it still flourishes.

Another thing that doesn’t get much attention is that IBM believed so much in Notes that it made it its corporate communications standard for many years. One of their reasons — and a major motivation for many other customers — is that Notes offered an end-to-end encrypted email system, something that wasn’t common at the time.

Even so, IBM was a poor fit for Notes because it was too slow to innovate. While having a web front-end solved one big problem for Notes (its very thick client software), it wasn’t enough to compete against the world of open source and the rich software development of the web. As the web took over the software world, Notes became more of an anachronism, and more nimble solutions (including one product called Nimble, btw) became more attractive to corporate software developers. Ozzie said, “Shame on IBM for losing the corporate email market” to Microsoft and then Google. He reminded me that back then, we had different email systems that couldn’t connect with each other, even within the same office.

Betsy Kosheff, who did PR for Lotus back when it was sold to IBM, told me, “IBM had no business doing software innovation. That point was very obvious right from the acquisition. It’s not their fault – IBM is just not designed that way. I imagine their India-based buyer will be looking for more operational efficiencies. They’re probably not looking for the next big idea, which is what was so much fun about Notes and being part of that product in the early days. I’m not saying you can’t possibly create an entrepreneurial division with exciting innovations from within a larger company. I’m just saying they didn’t do it at IBM and probably not at any other billion dollar IT company.”

Ozzie reminded me that when Lotus was sold to IBM, they were in a head-to-head battle with Exchange. Microsoft had the edge because they owned the operating system and had majority share with office applications. IBM could offer a broader software portfolio that could attract customers.

Was Notes too early for its time? Ozzie says no: “I am just pleased that things have continued to evolve in collaboration tools. There are still things related to human interaction, such as distributed trust and managing overload, that we first learned in Notes that have yet to be embraced by anything in the enterprise social world.”

Jon Callas on joining the ACLU

I have known Jon Callas for many years, tracking back to when he was part of the PGP Corporation and bringing encrypted email to the world. He has been a long-time security researcher who has been part of the launch teams at Silent Circle and Blackphone. Recently he has moved from Apple to the ACLU, where he is a technical fellow in the Speech, Privacy and Technology Project.

I spoke to him last week and caught up with what he is working on now, and thought you might be interested. His job now is to help the mostly legal team at the ACLU understand the technical issues, as someone who has been deeply steeped in them over the years. “Technology is such a part of the modern world that we need more people to understand it,” he said. One of his focus areas is the recent changes in Australian encryption laws. He is still trying to figure out the implications, and so far he views this bill as more guiding government assistance than actual intervention. The bill also raises more questions than it answers, such as how a developer would secretly insert code into a system that has tracking or build version controls. He is also watching the revelations around the Facebook document trove that was released this week by British lawmakers. (Here is the backstory, and ProtonMail’s comments on the law are here.) “Clearly, there are contradictions between what Facebook management said they were and weren’t doing and what was mentioned in these documents,” he said. When I asked him what he would do if he were CTO of Facebook, he just laughed.

One other area of interest is how to understand how the government is acting to curb freedom of speech, and what is going on at our borders. “The government quite reasonably says that they can look inside your suitcase when you cross into our country. That I understand, but shouldn’t your electronic devices be treated differently from what else is in your suitcase? There are many answers here, and we need to have legal and policy discussions and understand exactly what problems we are trying to solve.”

We also spoke about the recent actions by Google employees protesting their Chinese-specific search engine. “I find it encouraging that tech people are looking at the consequences of what they do and where this technology is going to be used and what it all means,” he said. Now, “we are more in tune with privacy concerns. People are thinking about the ethics and consequences of what they are doing. They want to have a part in these discussions. That is what a free society should do.”