Tuesday, July 28, 2015

Do I have a right to be anti-monadic?

Having discovered the word that describes well the actions of the cyber giants that result in our being squeezed into one single identity, it struck me that perhaps my human rights are being eroded. Monadism, yet another term from philosophy, effectively describes the GAFA activities that are driving us toward a single identity.

Being able to represent myself in one of my many web-based personas has become increasingly difficult, as first one of the GAFAs and then another manage to fuse my different personas; their clear target is to know me as a single individual. (See my recent Apple Watch example.)

My grandfather persona is one I am still trying to protect though at least two of the GAFAs have managed to attach that persona to their monadic view of me.

My Jericho Forum colleague Paul Simmonds is working towards protecting our ability to uniquely represent ourselves as multiple personas, while maintaining our ability to have agency over our identities. His Global Identity Foundation is unsurprisingly currently making little headway against the huge combined gravitational forces of the GAFAs.

Perhaps what is needed is public awareness of the implications of giving control of our identities to third parties and the development of a clear desired identity state. The current issue is that the frustration with the difficulty of maintaining identity control is actually resulting in individuals handing control to the GAFAs.

A recent purchase of an Amazon Fire TV device demonstrated to me just how attractive it is to pass control over. The device arrived with the identity of the purchaser pre-loaded; we had after all purchased it from Amazon, so they already knew who the purchaser was. There was no effort involved in claiming ownership of the device, as the device apparently already "knew" who its owner was. The truth is that it is Amazon who knew the identity of the owner, and they had asserted their control over the device. The experience was far simpler and less weird than the Samsung TV Identity ownership ceremony. The underlying issue is that we have passed control to Amazon and they had chosen not to authenticate the Identity of the owner.

Amazon have not yet made the jump to combining monadic identities into family groups that Apple have made. This action would further pass control to the provider of identities. This would not be an issue if that were all they provided; the issue comes from the fact that they also provide products and services.

Anti-Monadic Rights

So, should we give an individual the right to create separate identities and maintain them separately?

The difficulty comes when such separate personas are used to hide illegal or immoral activities.

The state will likely press for monadic identities, using terrorism, tax evasion and crime as their primary drivers.

So what are the key elements of a successful identity model in the 21st Century?

Data Agency: Having control over the transparency, privacy and usage of our data.

Identity Agency: Having control over the creation, use and deletion of multiple separate personas.

These two elements should apply equally to all entities, whether person or organisation.


So my conclusion is, yes, I should have the right to control multiple separate identities.

Clearly that does not give me the right to use any of these for illegal or immoral purposes.

The challenge will be to create the legal and digital ecosystems that will allow CyberAgency, while maintaining a civilised and moral society.

Thursday, July 02, 2015

Eliminating Passwords: The Latest #AgencyFail Fashion

The latest fashion amongst hi-tech service providers is eliminating passwords.

They understand that their customers hate passwords; however, they are taking shortcuts that are denying their customers the ability to control their devices or services. Worse, these shortcuts are passing the risks onto their customers.

Apple have added a new feature to their Personal Hotspot service on the iPhone. Basically, once you've set it up you can no longer turn it off. Sliding the switch in the iPhone settings panel to off does nothing. A device that you have allowed to use the Personal Hotspot service on your phone somehow knows that the phone is near, and advertises Personal Hotspot availability. But wait, it's switched off, right... nope! If the device's user just connects to your phone's Personal Hotspot from the device, your phone will switch the Personal Hotspot service to <ON> and allow the connection!

This is not good: an iPhone owner who allowed someone to use their Personal Hotspot doesn't appear to be able to stop them having access.

Oh wait, all one needs to do is change the Personal Hotspot password right? Well actually no, Apple have thought of that too! If you change the password, the device that you have already allowed to access the Personal Hotspot has apparently been given a magical password.

To recap: Hotspot switched off on the iPhone, Personal Hotspot Password changed.

When a device that has previously been allowed to connect to your Personal Hotspot comes close to your iPhone, the device will be informed and offer the Personal Hotspot to its user, who can request connection and "Open-ses-a-me" the device is connected, as if the password change never happened.

This is an issue, Apple!

How Apple should have designed the new "Instant Personal Hotspot" feature was to add it as a selectable option. An option that would allow the iPhone user to have control, i.e. have agency over their phone. By quietly adding the option and leaving the iPhone owners assuming they had the ability to switch off their iPhone's Personal Hotspot feature, they have demonstrated the worst sort of Password Elimination: #AgencyFail
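The design point above (an off switch and a password change that actually bind previously paired devices, with auto-connect as an owner opt-in) can be modelled in a few lines. This is an added example, not code from this post or from Apple; the `Hotspot` class, its token scheme and the device name are hypothetical constructions, and the `owner_controls_bind=False` mode only reproduces the behaviour reported above.

```python
import hashlib
import hmac
import secrets


class Hotspot:
    """Constructed model of a phone hotspot; not any vendor's implementation."""

    def __init__(self, password, owner_controls_bind=True):
        self._key = secrets.token_bytes(32)  # secret held only by the phone
        self._password = password
        self._epoch = 0                      # bumped on every password change
        self.switched_on = False             # the owner's on/off switch
        self.instant_opt_in = False          # auto-wake for paired devices, off by default
        self.owner_controls_bind = owner_controls_bind

    def _token(self, device_id, epoch):
        # Reconnect token bound to a device and to a password "epoch".
        msg = f"{device_id}|{epoch}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def pair(self, device_id, password):
        """A device that proves it knows the current password gets a token."""
        ok = hmac.compare_digest(password.encode(), self._password.encode())
        if not (self.switched_on and ok):
            return None
        # In the weak mode the token is never tied to the current password.
        epoch = self._epoch if self.owner_controls_bind else 0
        return self._token(device_id, epoch)

    def change_password(self, new_password):
        self._password = new_password
        self._epoch += 1                     # old epoch-bound tokens stop matching

    def connect_with_token(self, device_id, token):
        """Passwordless reconnect by a previously paired device."""
        if self.owner_controls_bind:
            if not self.switched_on and not self.instant_opt_in:
                return False                 # "off" means off unless the owner opted in
            expected = self._token(device_id, self._epoch)
        else:
            expected = self._token(device_id, 0)  # survives switch and password change
        if not hmac.compare_digest(token, expected):
            return False
        self.switched_on = True              # a permitted reconnect wakes the hotspot
        return True


def scenario(owner_controls_bind):
    """The recap from the post: pair once, switch off, change the password, reconnect."""
    hs = Hotspot("correct horse", owner_controls_bind)
    hs.switched_on = True
    token = hs.pair("guest-laptop", "correct horse")
    hs.switched_on = False
    hs.change_password("new secret")
    return hs.connect_with_token("guest-laptop", token)


if __name__ == "__main__":
    print("behaviour described in the post:", scenario(False))
    print("owner controls bind:            ", scenario(True))
```

Binding the reconnect token to the password epoch is what makes a password change double as revocation; the opt-in flag keeps the convenience available to owners who choose it.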

Another example of Password Elimination: #AgencyFail has been perpetrated by Amazon. When a user is shipped a new Kindle, they ordered it from their Amazon account, with their password.

Amazon must have thought "So we know it's them right, and they won't want the hassle of a password, will they?"

Having ordered the Kindle for my wife, I handed it to her boxed. Yes, I was very surprised that she could order e-books on her new Kindle from my account without needing my password. She had gone through the install process, which assumed that I was her, and at no time was she asked to authenticate.

This is an issue, Amazon!

How Amazon should have designed the no password "One-Click" feature was to add it as a selectable option. An option that would allow the Kindle user, once they had authenticated, to enable the "One-Click" Kindle purchase feature, i.e. have agency over their Kindle. By deciding to ship a Kindle that assumed its user was its owner and did not require authentication for purchases, they too have demonstrated the Password Elimination: #AgencyFail

I believe that these features are often driven by marketeers who like the idea of making users' lives so simple it will delight them. But they are missing the opportunity of delighting their users by informing them of and giving them control of new features.

In both instances my experience was far from delightful, in fact it diminished my trust in both companies.

In your own organisation's quest to make your customers' lives easier, be wary of losing their trust and loyalty by denying them the right to control or have Agency over the devices or services you provide them.

As the Internet of Things explodes into our lives, let's hope the growing Password Elimination Fashion is delivered in a manner that does not eliminate our Agency, but enhances our Agency. Though sadly hope has never been an effective strategy!



Why should CISOs get involved in mapping?

Sadly many CISOs have yet to discover the existence, or power, of mapping, as described by LEF's Simon Wardley. So what is mapping and what has it got to do with a CISO? Happily Simon has made gaining an understanding of mapping a trivial activity, as those who follow his Blog already know.

Firstly do not assume that trivial always equates to quick, for to fully grasp the intricacies and power of Simon Wardley's mapping tool is the work of a lifetime.

While attempting to describe Simon's Mapping Tool in a single paragraph brings the danger of oversimplification and trivialization, I will attempt it in order to whet your appetites. After running companies and developing strategy for others, and much else besides, Simon saw the light. More correctly he derived the mapping tool after much research and data gathering and analysis. The tool helps map the flow of things business related through four phases shown in his graphic below. It allows the development of a unique awareness of your business and its competitive environment, allowing the development of strategic and defensive plays, that will strengthen any organisation. As Simon implies "No military commander would consider going into battle without a map, so why should business leaders attempt to do business without a map?"

Used under Creative Commons License with no changes made.

Mapping has many benefits but one that will appeal to CISOs is that it helps identify the changing flows of information across organizational boundaries, as well as identifying services that are candidates for outsourcing.

In truth, there are many valuable benefits of Mapping, too numerous to enumerate here.

So, find out if your organisation is Mapping and if they are, get involved. If they are not, start Mapping yourself and bring the tool and your findings to the attention of the strategy planners in your organisation.

In either case you win!


Sunday, June 28, 2015

Asimov's Laws of Robotics do not enable Human Agency

Reminding ourselves of Asimov's Laws:

A robot 
 - may not injure a human being or, through inaction, allow a human being to come to harm.
 - must obey orders given it by human beings except where such orders would conflict with the 1st Law. 
 - must protect its own existence as long as such protection does not conflict with the 1st and 2nd Law.

It seems that a robot following the above laws receives no admonishment to obey its owner.

Or does it? There may be some that argue that the action of not obeying its owner could be seen to cause some sort of injury to the owner in question. Is distress an injury? This is rather a complex equation for a robot or the law to establish.

For the sake of clarity and simplicity perhaps an additional Law is required, to enable Agency;
What should it be?  Perhaps....

A robot :- 
 - may not injure a human being or, through inaction, allow a human being to come to harm. 
 - must obey orders given by its master or master's agents, except where such orders would conflict with the 1st Law. 
 - must obey orders given it by human beings except where such orders would conflict with the 1st, or 2nd Laws.
 - must protect its own existence as long as such protection does not conflict with the 1st, 2nd or 3rd Laws.

Such a formulation would add the concept of Human Agency to the Laws of Robotics.
The definition of Master will need to be carefully developed in Law, as it is likely that producers of robots will attempt to retain ownership of them.

Now all we need are four things
0) A human right to Cyber Agency, or simply and more generally a Right of Human Agency
1) Cyber Agency Awareness and Skills, and the desire to attain and maintain Cyber Agency
2) Ceremonies that unequivocally connect persons and things conferring ownership and Agency
     (Such ceremonies would have both legal & technical components)
3) The Laws, Technology and Ecosystems to enable 1 and 2, thus enabling 0

If we had these constructs in place, our ability to achieve Privacy and/or Transparency would be greatly enhanced. Sadly we have yet to even get to the Cyber Agency rights or first part of thing 1, namely Cyber Agency Awareness. We currently prefer to assume that the individuals who run Cyber Space are totally benign and have our personal interests at heart.  Hmmmm!

(While I was aware of the existence of the Zeroth Law, at first glance I felt that it served no purpose in this debate, though on second thoughts perhaps it does? Could we use Hybrid AI to run the COW? I created the concept of Cyber Over Watch in an earlier post.)

Friday, June 26, 2015

Agency requires recording and authentication of Intent or Accord

Those nine words represent a need that is very poorly delivered in today's world. I fear that while it is being less well delivered in Cyber Space, Things are going to make it far worse. In the current world our accord is often recorded by our signing and dating a document, and more recently scribbling onto the small screen of a proffered device. Authentication is rarely if ever attempted. Repudiation is thus, in most cases, a trivial activity; "That isn't my signature/scribble".

Intentification, a neologism, describes the act or process of determining someone or something's intent.

In Cyber Space this is going to become more important, for in the near future our identity and location will be known to a very high degree of confidence. Our mere presence at the location where an event was triggered will likely be misused as proof of our intent to trigger the event.

A current example is the pocket calls that we all have made. We should all be aware that having an International Phone Number as the number most likely to be used by our phones in such pocket calls can be a costly experience. Mobile phone operators quite happily bill us for such pocket calls; they do not care if we intended to make them or not.

The Law has addressed our ability to regain control of contracts signed remotely, the Consumer Credit Act gives us a cooling off period, but the act does not appear to address transactions under a previously agreed contract. "I did not switch on the Under Floor Heating over the summer, my Smart Home did!"

In the future Things will be able to trigger many more costly and perhaps more dangerous events; this may be as a result of accident, duress, mistake or malicious remote attack. If our presence at the point of the event being triggered is assumed to prove our intent or accord, we will be in trouble or out of pocket much more frequently than with the current issue of Out of Pocket calls. We seem to have accepted the lack of Intentification in pocket calls; will we continue to accept the lack of these authentication processes?

Our Things will need to get much better at determining our intent and accord; as the frequency, danger and cost of mistakenly determining our intent and accord increases, this will become a more and more evident need.

Trust and Safety requires an effective combination of the Identification and Intentification processes; we should not allow the continued oversimplification resulting from assuming that authenticating identity and location is all that is needed to record and authenticate our intent or accord.

This is actually quite an important Cyber Right that we have yet to acquire, mostly because an effective capability of authenticating intent or accord in Cyber Space has yet to be developed. Just as it has yet to be developed in the old paper based world, but remember repudiation is much harder in Cyber Space.

How are we to take control of our cyber space without this right and capability?


Friday, June 19, 2015

WiFi Access Fail O2

In a great pub on the Norfolk Broads I wanted to access the Web to give them a Trip Advisor review, one of my last Reviews as I have lost faith in Trip Advisor. Though that's another story.

The WiFi Hotspot was provided by O2. It popped up very easily asking me to sign in with my Mobile Phone Number, something that I really did not like!


But as there was no useable data signal anywhere close, I swallowed hard and signed up.


Then I waited for the SMS code to arrive. I use Giff Gaff which is O2 based.


Yep... you've got it: there was no viable O2 signal in the pub, so I went outside and still no viable signal. I never did get connected.


Why!??! In this day and age!!! Why???

Sunday, May 24, 2015

So what are the measures of Agency?

In my role as Leading Edge Forum research associate I had been pondering the implications of this question when I saw this link. I will be honest, I am nowhere near answering the question yet...

At first sight it might not be obvious that the Netflix link (Yes; you should have read the link to make sense of this post!) relates to Agency. Closer inspection shows that Netflix is working to eliminate friction and delay in the process of their viewers getting to, or back to, exactly where they want to be in Netflix on different TV sets. They are measuring Agency, with the goal of increasing it! Of course this is very much in the interest of Netflix, as well as their viewers.

Consideration of the activity will show that if Netflix succeeds, the Agency of BOTH Netflix AND their customers can be increased.

From this we may conclude that Agency does not conform to the Law of Conservation.

I suspect that Google and Facebook see control over our data as a Zero Sum Game, i.e. If we (the Masses) have control over our stuff, they (the MegaCorps) don't, and they think that is bad for them. So they strive, by fair means or foul, to reduce our agency over our things and data, in order for them to gain that control for themselves.

Sadly many politicians and technologists still see this as a Privacy problem. This encourages the idea that Agency, or Control, has to conform to the Law of Conservation. However in the digital world Win-Win positions are easy to develop and benefit from. It does however take an Outside-In and Clockwise mentality to be able to attain this apparent Nirvana. The truth is that joint e-trust and control can be achieved, if only we put our minds to it, that can be of benefit to all parties.

Could it be that Netflix might be preparing for a better world, where entities are given frictionless and rapid control over their own Things, data and destiny? Of course that is taking their actual behaviour, and stretching it a little bit too far, but we can hope!

Actually, better still, we can start taking this stance in our own organisations. Imagine what it will feel like when you realize that you have taken your organisation to the high ground in time to avoid the Cyber Agency Flood. (This is an imagined future where the masses rise up in frustration over their loss of control over, and the unimaginable amount of time it is taking them to manage, their cyber interactions.)

What are the key Agency measures and win-wins that your organisations can find in your customer interactions, that will help to gain value for all parties?

Please get back to me as I have a sneaking suspicion about what one of the measures of Agency is, but I have been proven wrong before, so I'd like to gather data!


Wednesday, May 20, 2015

Security = Futility or Utility?

Or put another way: How secure are we really?


....it depends upon how empty or full you see your cup!

For those with a predilection for full, let me introduce you to the emergence of Weapons of Mass Cyber Destruction (WMCD).

Forget externally implemented Denial of Service attacks, think of previously embedded Denial Of Operation tools.

Think not of Back Doors, think of built in Kill Switches, either surreptitiously, or worse openly, installed by the manufacturers of the devices.

We already have EMP Nuclear Bombs that can destroy our unprotected electronic devices. By far the majority of our electronic devices would be permanently taken out by an Electro Magnetic Pulse triggered by the explosion of such a device. Few nations have the capability, or the capacity to develop such devices. So most electronic devices remain unprotected.

A single dedicated and suitably motivated individual could develop a digital equivalent of the EMP. However there are large corporations who have already demonstrated a predilection for developing and implementing digital kill switches.

Such code has been developed to "kill" or degrade charging cables not manufactured by Apple. It only takes a small step inside the innards of any electronic device to determine the capability of installing kill switches. The answer is simple: all could have one built in, most could have one added; the important question is how many already have? In the case of the Apple charging cable it is as a result of a licensing program that gives contracted companies the right to make Apple Cables; to achieve this right, they must build MFi Authentication chips into their devices. Apple has written code into the iPhones and iPads to allow them to degrade the performance of non-licensed cables and then stop them working at all.

If it walks like a "Kill Switch" and quacks like a "Kill Switch"....

Apple is currently requiring that Home Automation Manufacturers build the same MFi Authentication chips into their devices if they want to interact with HomeKit. They will likely be building in the same kill code to disable operations of device manufacturers who have stopped paying the HomeKit licensing fee, as they have done with their cables. This is sounding frighteningly close to a protection racket.

There is clearly a need for Trust Perimeters, and for a Digital Fabric that enables the development of e-trust, which is a requirement on the journey to true Cyber Agency. The challenge is to ensure that e-trust and Agency are achieved in an open, transparent and arguably free manner. Walled Gardens that do not allow the free flow of trust and agency will be a major disabler for economic growth in the not too distant future.

But perhaps worse is that the practice of embedding "kill switches" into products, in the interest of protecting revenue generating license fees, may one day be used against us all. Why would we allow the installation of components and/or code into our devices that enable Mass Cyber Destruction? It is quite clear that Nation States could trigger already embedded kill switches at a mere whim....

What systems do you already own that could be disabled by miscreants or manufacturers?

More importantly what systems have you sold to your customers that could be disabled by miscreants or manufacturers?

In an increasingly interconnected world of Things, protecting the Agency of our Citizens/Customers must be one of our highest priorities, after delivering them value for their tax/money. Though protecting the Agency of our own enterprise is equally important. Be aware of each and every reduction of Enterprise Agency; some of these reductions may be done for good business reasons, but be sure they are. Miscreants and Entropy act on Agency in the most surprising of ways. Just like the frog relaxing in a warm pool of water, we should always be very cognizant of the importance of Situational Awareness. For like the dozing frog, we may never come to the realization that it is in fact a pot on the stove, and never wake up!