Securing Very Important Data: Your Own(NYTimes, 10/7/07)

October 7, 2007
Re:Framing
Securing Very Important Data: Your Own
By DENISE CARUSO
AS long as we are willing to relinquish some personal data, Web applications have long allowed us to create virtual identities that can conduct most of the social and financial transactions that typify life in the real world.
But the newest generation of these services is starting to collect and store far more than just the standard suite of identity data — name and address, phone, Social Security or credit-card numbers — that populates the databases of banks and credit-card processors. They increasingly store information, generated by us, that is directly linked to those virtual identities.
And users are loving them.
For example, the start-up Mint.com won this year’s TechCrunch award for its Swiss Army knife approach to personal financial management. In exchange for customers uploading their account information and allowing sponsors to offer them specialized services, Mint will connect nightly to their credit-card providers, banks and credit unions. Then it automatically updates transactions and accounts, balances their checkbooks, categorizes their transactions, compares cash with debt and, based on their personal spending habits, shops for better rates on new accounts and credit cards.
A powerful project management and collaboration tool called Basecamp allows teams to store online entire project management plans, including performance targets, to-do lists, files, collaborative documents and messages. Provided by 37Signals L.L.C., based in Chicago, Basecamp has more than a million users around the world, including me.
Another site, Dopplr, from a company of the same name based in Finland, is still in its beta-test phase. It lets users upload and share their travel itineraries with a group of “trusted fellow travelers.” The site can connect with Facebook friend lists, and in September it announced that it had opened an invitation-only social network to business travelers from 100 leading companies and international organizations, including Google, I.B.M. and Nokia.
This type of sensitive, sometimes proprietary information was once locked up on hard drives or in file cabinets far away from anything resembling a global or even a local distribution network. Yet none of the users flocking to these services seem perturbed that they have relinquished personal control over this data to companies that, even with the best of intentions, may not be able to keep it safe.
The incidence of data theft — from wallets to data breaches, computer viruses or Dumpster diving — is soaring. This year alone, the security of nearly 77 million Americans’ records has been breached, according to the Identity Theft Resource Center in San Diego, nearly a fourfold increase over 2006.
Governments around the world are passing and enforcing laws that increasingly hold businesses financially accountable for avoidable data losses. Just last month, the TJX Companies, which owns T.J. Maxx, Marshalls and other retail stores, made a settlement offer, subject to court approval, to victims of a huge data breach, in which 45.7 million customers’ credit- and debit-card data was exposed to identity thieves.
As a result, some security experts are starting to ask whether the “identity data-for-services” business model, which is the engine for virtually all e-commerce companies, is a fair trade — not just for consumers, but for business as well.
In response, they are coming up with new protocols and frameworks for collecting, using and governing identity data. Given that virtually all businesses today collect and use these kinds of data, they aim to shift the status quo in ways that could help companies both improve their reputations with customers and avoid the mounting legal liabilities that now face companies that lose control of customer data.
“The myth is that companies have to know all this information about you in order to do business with you,” said Drummond Reed, vice president for infrastructure at Parity Communications, an identity technology company in Needham, Mass. “But from a liability perspective, the less I know about my customers the better.”
Parity is sponsoring a number of open software projects to shift more control to the users whose identity data is at risk. One of the most intriguing is called the CloudTripper Project, which is developing a way for individuals to “take their data with them” as they traverse the Web, just as they keep their wallets and checkbooks with them as they move around in the real world.
Another project, the Identity Governance Framework, aims to help organizations comply with national and international regulations, including the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act. It establishes a new approach for securely sharing and auditing sensitive personal information, and has been widely embraced by major enterprise software vendors as well as providers of identity technology. While such projects are helping to close security gaps that should have been addressed long ago, at least one security expert says that such efforts are trying in vain to solve a social problem with technology.
“We’re in a situation where business holds all the cards,” said Mike Neuenschwander, vice president and research director of identity and privacy strategies at the Burton Group, a technology research and advisory service based in Midvale, Utah. “Businesses put the deal in front of the consumer, they control the playing field and the consumer doesn’t have any say in how the deal plays out.”
ONE way to change this, he said, is to make people more like organizations.
To this end, Mr. Neuenschwander and his colleagues have floated the intriguing concept of the L.L.P.: the Limited Liability Persona. This persona would be a legally recognized virtual person in which users could “invest” the financial or identity resources of their choosing.
Once their individual personas are created, consumers would be able to use them as their legal “alter ego,” even in financial transactions. “My L.L.P. would have its own mailing address, its own tax ID number, and that’s the information I’d give when I’m online,” Mr. Neuenschwander said. Other benefits include the ability for “personas” to limit their financial exposure in ways that individuals cannot.
“When you enter into a relationship with a company and give them your personal information, you’re at tremendous risk — and they aren’t,” he said.
“In the U.S., certain kinds of personal information aren’t treated like property at all. It’s very difficult to sue someone for misuse of personal information. And even if you do, they can never give you back your mailing address, your Social Security number or your DNA, for that matter.”
But if a company loses or tampers with an L.L.P’s data, “the law allows me to sue them because it’s corporate information,” Mr. Neuenschwander said. “It’s digital-rights management,” he added, referring to the access control technologies used by publishers and other copyright holders to limit use of digital media, “only you’re acting on behalf of your own organization.”
Mr. Reed of Parity agreed. “Companies use digital-rights management technology to protect their data from us,” he said. “But they’d be better off if we used it to protect our data from them.”
Denise Caruso is executive director of the Hybrid Vigor Institute, which studies collaborative problem-solving. E-mail: dcaruso@nytimes.com.

The Unsung Heroes Who Move Products Forward (NYTimes, 09/30/07)

September 30, 2007
Ping
The Unsung Heroes Who Move Products Forward
By G. PASCAL ZACHARY
AT first blush, the iPhone from Apple, the new microprocessor family from Intel and the ubiquitous Google search engine have nothing in common. One is a gadget, one is an electronic part and one is a service.
Yet all of these products — much acclaimed for their creativity — depend on obscure process innovations that, while highly complex and lacking glamour, are an essential part of establishing a winning edge in commercial electronics. Indeed, the success of Apple, Intel, Google and scores of other technology companies has as much or more to do with their process innovations as the products that inspire loyalty among fans and admiration from foes.
First, a definitional detour. Processes are the stuff in the proverbial “black box,” the alchemy unseen by consumers or the inelegantly termed “end users” who buy computers, cellphones, cameras and all manner of digital devices and services.
Snazzy products are the stuff of legends, romanticized by “early adopters” and skewered by neo-Luddites. Yet while these products bring glory to companies, novel processes are often more important in keeping the cash registers ringing.
The proof of this proposition is that while companies often spend millions to advertise and market new product designs and innovations, they guard intensely the details of their process innovations.
Consider the question of Google’s greatest business secret. Is it the algorithms behind its search tools? Or is it the way it organizes vast clusters of computers around the globe to answer queries so quickly? Perhaps predictably, Google won’t disclose the number of computers deployed in its vast information network (though outsiders speculate that the network has at least 450,000 computers).
I believe that the physical network is Google’s “secret sauce,” its premier competitive advantage. While a brilliant lone wolf can conceive of a dazzling algorithm, only a superwealthy and well-managed organization can run what is arguably the most valuable computer network on the planet. Without the computer network, Google is nothing.
Eric E. Schmidt, Google’s chief executive, appears to agree. Last year he declared, “We believe we get tremendous competitive advantage by essentially building our own infrastructures.”
Process innovations like Google’s computer network are often invisible to the public, and impossible to duplicate by rivals. Yet successful companies realize that maintaining competitive advantage depends heavily on sustaining process innovations. Great process innovators often support basic research in relevant fields, maintain complete control over the creation of every aspect of a product and refuse to rely on outside suppliers for important components. Certainly, there are exceptions to these patterns, but even companies like Apple that buy essential processes on the open market nevertheless invest in gaining a working knowledge of the technologies and an understanding of their future arc.
Intel treats its process innovations as a competitive weapon, striving to create a “new generation” every two years. That enables the company’s chips, even if there were no changes in their design, to perform better and cost less to make.
Consumers are usually blind to the importance of novel processes. Even when they learn about these innovations, they tend to think only of the product itself.
“The average consumer doesn’t care what processes are used,” says Mark T. Bohr, an Intel physicist who oversaw what is arguably the most important advance in decades in the technology for making microprocessors, the brains inside computers and other digital devices.
Faced with ever-faster chips that threatened to explode into flames, Intel searched desperately for new processes to make microprocessors. Enter hafnium, a rare metal. Designers led by Mr. Bohr in Hillsboro, Ore., chose hafnium to replace silicon oxide, the venerable insulator in chips and a material used in making glass. Mr. Bohr also helped to identify new materials, whose identity Intel is keeping secret, for the crucial transistor “gates” that sit atop a chip’s insulators.
On Nov. 12, Intel will begin shipping its first chips using the new processes. Gordon E. Moore, Intel’s co-founder, recently declared that the hafnium-and-gate process innovations should allow his so-called Moore’s Law, whereby chips grow ever faster and less expensive, to hold true for some time.
Despite the enormity of the achievement, Mr. Bohr is relatively anonymous, even within Intel. “The work of process development comes second to creating new designs for chips,” he says. Not surprisingly, when Intel starts shipping the new chips, neither the hafnium nor the gates innovations will be trumpeted as selling points. Rather, Intel will emphasize how customers can benefit from using the chips.
If process innovations are unheralded, consumers may misunderstand the nature of technological change.
“Process innovation tends to receive less attention from the informed public for the same reason that incremental innovation tends to receive too little attention: it is more difficult to encapsulate in a press release or photo opportunity,” says David C. Mowery, a business professor at the University of California, Berkeley, and a scholar of technological change.
“Process innovation, even more than most product innovations, also tends to realize its economic potential through a lengthy process of incremental improvement based on learning by doing and other types of learning,” he added. “So ‘breakthroughs’ in process engineering are, if anything, even rarer than in product innovation.”
As a result, process gurus are resigned to playing in the shadows, leaving fame, if not fortune, to others. John Feland, human interface architect at Synaptics Inc. in Santa Clara, Calif., knows this enduring truth of invention. He helps design arrays of sensors that drive the touch screens in the newest cellphones like the Prada from LG. Such touch screens are earning raves from consumers, yet Mr. Feland is essentially an invisible man.
“My job is to make our customers look like heroes,” he says philosophically. Then he sums up the special role played by fellow members of the process tribe: “We are like Q to James Bond.”
G. Pascal Zachary teaches journalism at Stanford and writes about technology and economic development. E-mail: gzach@nytimes.com.

At Starbucks, Songs of Instant Gratification (NYTimes, 10/01/07)

October 1, 2007
At Starbucks, Songs of Instant Gratification
By MATT RICHTEL
Like that song you hear playing at Starbucks, but just cannot wait until you get to a computer to download the song?
Starting tomorrow at certain Starbucks stores, a person with an iPhone or iTunes software loaded onto a laptop can download the songs they hear over the speakers directly onto those devices. The price will be 99 cents a song, a small price, Starbucks says, to satisfy an immediate urge.
“For the customer it’s an instant gratification,” said Ken Lombard, president of Starbucks Entertainment. “You’ll hear the song, be able to identify what it is and download to the device.”
And it’s just the tip of the iced latte. Businesses are using new technologies to enhance the impulse buy so consumers can purchase their temptations whenever they want, wherever they are, before the urge passes.
Amazon.com pioneered one-click shopping to speed purchases, whether made at home or on an employer’s time. But the development of more capable gadgets, coupled with mobile payment mechanisms, is allowing people to buy not just media, like music, videos and ring tones, but also hard goods, on the go.
This evolution follows the popularity of debit, gift and refill cards, which allow buyers to fill accounts and make cashless payments. Payments made with those cards exceed the payments made by cash and check, according to the Nilson Report, a credit industry newsletter, which used Commerce Department data.
Credit card companies in particular are experimenting with ways to turn the phone into a conduit for card purchases and to offer incentives, like coupons, for mobile purchases. Visa, for instance, is developing technology that will allow people to wave their cellphones in front of a reader to pay for items under $25 without a signature. (Swiping the card through a reader, an innovation several years old, is apparently too much of an impediment.)
The idea is no waiting, cashier or other buying barrier — aside from the charges that show up on a credit card or cellphone bill. And there, along with challenges revolving around security and business models, lies a chief rub.
The mobile-payment technology can create a desensitizing and seductive purchase experience, said James Katz, director of the Center for Mobile Communications Studies at Rutgers University.
“The more people think about a purchase decision, the more likely uncertainty creeps in,” he said. “One frame of mind is you’re helping create in consumers’ mind a source of pleasure, and enabling them to fulfill that pleasure,” Mr. Katz said of the mobile impulse temptation. Another is that “they’re preying on our materialistic souls.”
For now, the new Starbucks service’s preying capabilities will be limited. The concept is being introduced in around 600 cafes in New York and Seattle only, though Starbucks, based in Seattle, and Apple, of Cupertino, Calif., plan to offer the service in other major cities late this year and in 2008.
Impulsive music lovers will have to sign onto the cafe’s Wi-Fi network to discover what song is playing over the Starbucks speakers. With a few taps, users can download the song onto their iPhones (which double as an iPod), or the new Apple iPod Touch with its wireless connection. The 99-cent charge will appear on their phone bills.
Other coffee drinkers who have iTunes software loaded on their notebook computers can do somewhat similar things. When they open their laptops while sitting in a participating store, a Starbucks icon will pop up, giving them a chance to click and buy.
Starbucks said it was the first retail outlet to offer such capability. It is certainly not on the cutting edge of the downloadable music experience. For more than a year, Verizon Wireless has offered technology that lets consumers buy songs over the air. Other carriers, including Sprint and AT&T, allow over-the-air downloads.
Roger Entner, a communications industry consultant with IAG Research, which advises mobile carriers, said Sprint and Verizon were each offering around 60 million songs a month for downloading.
Verizon and others also allow users to buy video, pictures, wallpaper, ring tones and games — none of that revelatory anymore. Verizon also experimented with music fans’ buying concert tickets over the phone, then turning that phone into a bar code for concert entry.
John Harrobin, senior vice president for digital media at Verizon, said, “The fact that when you want something, you can get it instantly through the phone is something we believe in.”
Mr. Entner said the sticking point on the growth of the phone as a full-service payment device had less to do with technology, which is adequate, and more to do with business questions. He said that all the potential participants — phone carriers, retailers, credit card companies, music labels — wanted a cut of the action, and it was not clear how the money for over-the-air payments would be divided.
For example, he said, the mobile-carrier profits for downloadable songs were about 3 cents a song, which he deemed “razor thin.”
Visa, which takes a piece of the action of credit purchases and would love to see buying opportunities blossom, introduced a new microcard last week. It works like a credit card, but it is small enough to fit onto a key chain. At merchants equipped with wireless payment systems, consumers wave the card to pay; purchases under $25 do not require a signature.
Visa is also rolling out a “mobile payment platform.” That’s marketing-speak for software that not only lets consumers pay by waving their phones, but also lets merchants beam coupons to their customers on the go. For instance, Visa has experimented at its headquarters in Foster City, Calif., with sending employees coupons for discounts in the company cafeteria.
The plan got a strong reception by consumers, said Pam Zuercher, Visa’s vice president for innovation.
“Think about this as an extension of direct mail, but you have a much lower chance of leaving your coupon at home,” she said, adding that the technology “provides the ability to influence experiences within a retail location.”
Ms. Zuercher said Visa planned a test of its mobile payment system with its partner, Wells Fargo. It is already testing the system in South Korea and Taiwan. (Some of the mobile payment systems are more advanced overseas, where wireless networks are faster, allowing more complex services. But, Mr. Entner said, the United States may wind up in the forefront because credit payments are so tied up with consumer culture).
The prospect of coupons by phone, or location-based advertising, might give shivers to people already distressed by seeing every nook and cranny of public space crammed with commercial messages.
They are getting trade-offs. Services including the Internet and e-mail, like television before it, are subsidized by advertising and those who respond to it.
“One of the great steps forward for denizens of the online world was the development of one-click buying,” Mr. Katz from Rutgers said. Before that technology, “there was a vast amount of evidence that a small percentage of people who started the checkout process actually completed it.”
In the mobile world, the barriers fall further. No checkout aisle, cashier or money changing hands. Just an impulse — click and a buy.