-
Hell – The Right Approach to a Data Breach
Posted on July 23rd, 2010 3 comments
There are any number of approaches to data breaches in business today. Whilst regulation is ever trying to get to the point where notification of breach is mandatory, there are still plenty of businesses out there who will go to all sorts of lengths to sweep things under the carpet rather than own up.
Not so Hell – a truly rocking pizza company in New Zealand. Certainly no stranger to controversy (some of their marketing campaigns have been widely criticised), Hell seems to be taking the bull by the horns and going all out to keep people happy.
Today I received an email from them…
Dear Valued Hell Customer,
We have been approached by a party claiming to be in possession of
customer details from the previous Hell website which is no longer in
operation. The samples that we received included details of four customers
from 2006, including phone numbers and email addresses and order
information. We can confirm that credit card data was not at risk as this
is held independently on a secure banking website.
Whilst we are still investigating the matter, we can confirm that the
information was obtained without our knowledge and we have approached the
New Zealand Police with a view to lodging a formal complaint. Hell
recognises the importance of protecting customer information and additional
security measures were implemented earlier this year when our new website
was rolled out (again, we reiterate that this is not an issue affecting the
new website). As a further security measure you may wish to consider
changing your passwords on other sites if they were the same as the old
Hell Pizza website.
We apologise for the incident and any inconvenience that this may have
caused.
Sincerely,
Stu McMullin – Director Hell Pizza
We acknowledge that some of you have asked to be removed from the database
and we have only included you for the purposes of this notification.
No mucking about, no bull, just a straightforward: there might be a problem, we know, the police know, so go do this just to be safe.
This IS the right approach to notification in my opinion.
I’m not totally up to date on NZ privacy law (a couple of years out of date), so it could well be that by now notification is mandatory. Even if it is, props to Hell for getting it out there.
FYI: Hell Pizza really is very, very good. Think Pizza Express with attitude. Even better, you can get them in the UK at Hell Pizza UK – well, London, with branches in Fulham, Shepherds Bush and Clapham.
-
“Putting a Price on Data” or “Do Marketing People Get It?”
Posted on July 15th, 2010 2 comments
Here is my rapidly put together (and therefore apologies for it not necessarily being totally thought through) response to Ian Hitt’s post over on Reputation Online about “Putting a Price on Data.”
Many marketing professionals think that client data is something they own, have a right to or an ability to sell. Most data professionals will know they’re wrong. Good data is indeed a corporate “asset” and if utilised appropriately can have a high monetary value but…
The thing about client data is that most people in the marketing profession just don’t really understand “data” – sure they can get all righteous about lifeblood, insight and segmentation but actually data itself is not that simple; data is not a database.
Let’s break “client data” down and see if we can’t get some clarity.
“Client” – whose client?
cli·ent n.
1. The party for which professional services are rendered, as by an attorney.
2. A customer or patron: clients of the hotel.
3. A person using the services of a social services agency.
4. One that depends on the protection of another.
So from a marketing database perspective there are two clients; the first being the paying customer of the agency (ala point 1) and arguably the data subject, the end user about which data is collected (ala point 4).
It doesn’t take a rocket scientist (or a data professional) to work out that when marketing companies talk about a “client database” what they are actually referring to is the latter; a database of stuff about any number of individual people, often collected over time under various pretences and situations.
In this context the client (albeit often unwittingly) is an individual who relies upon the protection of data about them by the database “owner” – or data controller.
“Data” – whose data?
da·ta pl.n. (used with a sing. or pl. verb)
1. Factual information, especially information organised for analysis or used to reason or make decisions.
2. Computer Science Numerical or other information represented in a form suitable for processing by computer.
3. Values derived from scientific experiments.
4. Plural of datum.
The key part here is point 1; data is factual information organised for analysis or decision making and is surely the cornerstone of marketing?
And so to my thoughts on Ian’s post.
A business does not “optimise the value of its database” it seeks to gain value from the quality of the analysis of the data held within that database.
Looking at a couple of Ian’s individual points;
“Volume is important but data quality is paramount. Every record has a value and the whole list needs to be viewed as part of the corporate asset.”
Quality of data is indeed paramount but the very traditional process of acquiring, storing and analysing personal data undertaken by the marketing industry is counter-productive to achieving high levels of data quality. Why? As an example think of some of the simplest personal data held by marketing databases; contact information. My email address, telephone number, even my physical address are not concrete – they change in time. It doesn’t matter how rigid one’s checking for a valid postcode or email address may be when gathering personal data; if the data you are gathering naturally decays then you’ve failed.
Several marketing insight groups are starting to see the light here. Why pay to acquire and store stuff that is by its very nature junk. Far better to ask for the information as and when needed, never to store it (for anything more than easing end-user experience) and to just accept that 100% cleansed data is a myth – it can’t be done.
As for being a “corporate asset” well not really. Firstly as with the example above, it is patently a liability to pay cold hard cash to gather, store, analyse upon and market to data that is incorrect. Secondly a corporate doesn’t “own” the data per se. I won’t get in to the philosophical arguments over whether data is in fact even “ownable” here but the asset lies not in the data but rather the relationship with the data subject and their willingness to maintain that relationship.
“Customer relevance is key, and marketers need to understand consumers in order to appropriately segment them and track their behaviour over time, so that they receive market information which is relevant to them.”
There is, in my opinion, value in trying to understand consumers over time – especially where the level of financial risk (normally through long product lead-times) is high. However this is becoming harder and harder to do. Aside from regulatory restriction the simple fact is that consumers are spreading their attention more thinly across an ever increasing number of online and offline properties. To capture a picture of that consumer through any single database is likely to become less and less accurate.
Loyalty schemes are a good example of this failing. Not your local coffee shop and their paper based card but the big ones, the Nectar cards of the industry. To the consumer they offer a perception of value exchange based on their loyalty to certain brands, in reality they are price discriminators trying to force consumer choice into any single outlet within a vertical market – that’s why you only ever get a single supermarket, garage chain or clothing outlet per scheme.
But the reality of life is that average consumers don’t just use a single supermarket. Take me for example. I use our local Co-Op on a day to day basis, but they don’t sell a particular brand of cereal that #1 son likes, so we do a weekly shop in Waitrose or Sainsbury. Of course if we are over the river in Thurrock we might pop in to the Tesco superstore or if at Bluewater we might hit up the local ASDA. We are kind of loyal to Co-Op but situation matters.
So our share-of-wallet spending in Sainsbury (on the Nectar scheme) is not actually representative of our food spend.
And the same goes for any insight gathering activity.
The “simple” answer actually lies in flipping the model to where the consumer requests stuff from the marketing agency. It’s a wonderful utopian idea, but one which I’m sufficiently pragmatic to accept is unlikely – at least anytime soon.
For me the mid-term solution lies in a third party providing aggregation for consumer behaviour at the behest and under the control of the data subject, the consumer themselves.
This intermediary, a broker, would offer a service where the consumer can easily record, augment and share their data with businesses they want to.
This doesn’t mean the end of marketing insight – but it would spell the end of marketing databases. The playing field would be levelled with marketing agencies competing on their ability to analyse the data to which they are given privileged access rather than who can build the biggest database.
“Emails and resulting data should be collected as a matter of course. There are numerous opportunities to collect emails from customers and it’s surprising how many companies don’t prioritise this activity. Emails should always be as personal as possible. It doesn’t take much effort to have one-to-one communications with thousands, or even millions of customers.”
The enlightened have long since realised that email based marketing really isn’t the way forward. Sure if you send out a million emails for £1 and get a handful of responses it seems like great R.O.I – but honestly I don’t want to get into this, you all know there are better, smarter, more elegant solutions out there.
“Ensure compliancy. It sounds obvious but ensuring your email collection policy is compliant with data law is even more important when you remember that the ICO has the power to fine you up to £500,000.”
For anyone that knows me, or even hears me speak on this issue, I apologise you already know what’s coming.
Why is it that whilst many CEOs “think that client data arrives on its own, costs nothing to source and has little or no value”, many marketing professionals think that data compliance is;
- only worthy of a fourth place mention in a list of deriving value from data,
- a purely legal issue,
- and in the event of failure only going to cost £500,000?
Compliancy is at a minimum two part. Sure remaining within the legal framework set out by the ICO matters – A LOT. But don’t forget that actually any business holding personal data in the EU is also beholden to the higher and more punitive powers of the EU.
The second part to compliancy is the real sting though, and the one which is often (as here) forgotten. Breaching data protection legislation may result in fines or restriction BUT it will most assuredly have a greater effect on a business’ reputation.
Consumer trust in businesses holding personal data is already under great scrutiny, breaching that trust could very well cost an awful lot more than £500,000. Just ask Phorm.
-
Opting In or Opting Out – I Was Confused
Posted on May 4th, 2010 1 comment
Came across the usual “click the box if you want to receive…” signup on OnlyMarketingJobs.com today, except on second reading (you also second read these things right?) the confusion was apparent.
You’re opting IN for more junk by NOT ticking just to be clear.

-
Spotify’s New “Social” Release Fails Basic Privacy Test
Posted on April 27th, 2010 3 comments
How excited was I to see the announcements for the latest release of Spotify this morning? It allows for connecting to friends – albeit only via Facebook, integration of your existing music catalogue and a few other bits of awesomeness.
BUT (and I really shouldn’t have been that surprised given the Facebook tie in) the default settings for the installation are to share anything and everything from installation.
So anytime you create a new playlist it gets shared. Unless of course you go and manually disable automatic updates.

Given all the flak Google got over Buzz and its presumptions on automatically opting people in, given all the grief Facebook gets for its over sharing, it is such a shame to see Spotify falling into such a simple trap.
Oh and don’t even get me started on seeing adverts re-appear on my desktop version – I am a paid up member of the premium subscribers gang which was supposed to be non-advertising!
UPDATE: It gets worse. After a few minutes’ use adverts are pop-ups, and also taking over other areas in the UI. On a netbook this is unacceptable as space given over to my music is already squeezed and now it’s even worse. Also audio adverts have re-emerged. Not happy at all.
-
Want to Transform Your Business? The Power of Pull
Posted on March 17th, 2010 No comments
As a consultant a lot of my work since the late nineties has been looking at how, by using semantic technologies, data navigation techniques and internet-scale identity, product strategy can be subtly tweaked to better fit the rapidly evolving needs of consumers first, business second.

Why? Well for anyone who has read The Cluetrain Manifesto it’s obvious, for everyone else; quite simply when a business actually places the needs, wants and desires of their customers above those of the business (or its shareholders) then they thrive.
Since being back in London I’ve been lucky enough to meet many interesting people sharing similar ideologies. From the wonderfully enthusiastic Jonathan MacDonald and his “Every Single One of Us” movement to the truly inspiring militant in Adriana Lukas and “her” Mine project. All these projects, startups and thinking pretty well follow up on where Cluetrain left off; each takes a slightly different direction or stance.
Thus far though, for all their efforts I have yet to see any single project offer up good solid advice on why business should adopt the thinking of placing the consumer in charge, let alone pragmatic guidance on practical use cases for identity, semantics and generally doing things in this way.
I can’t even remember how I stumbled upon “Pull” now earlier in the week. Twitter most likely but I could see instantly that the author (David Siegel) and his team at The Power of Pull had obviously been paying attention to all the work put in over the years by a great many technologists, marketeers, anthropologists et al.
I’m not even going to try to describe the book, rather I will paste verbatim their own description below; BUT for those that have heard me talk on identity, privacy, trust, semantics, data – in fact ANYTHING over the last ten years then you simply must go and buy this book, read, remember, acknowledge and move your business forward.
Anyway here is David’s own blurb…

How the pull paradigm and the semantic web combine to help businesses face the challenges of the future.
The Problem
On the Web today, we see millions of web sites, each of which presents web pages and documents. These are simply electronic versions of the old paper-based ways of doing things: writing checks, filing taxes, looking at menus, catalog pages, magazines, etc. When you search for something on Google, you get a list of web sites that may or may not have what you’re looking for, based on keywords found in the text. You have to look at each one and decide whether it answers your question. Google doesn’t know where the information or answers are; it just knows which pages have which keywords and who links to them.
Our information infrastructure isn’t scaling up very well at all. The average person now sees over 1,000,000 words and consumes 34 gigabytes of information every day. Mike Bergman estimates white-collar workers spend 25% of their time looking for the documents and information they need to do their work. One billion people are online now, and 4 billion have mobile phones. Exhaustion of IPv4 addresses (limit is 4 billion) is predicted for sometime in 2011. By 2030, there will be a minimum of 50 billion devices connected via internet and phone networks. Our information infrastructure is built to haul electronic versions of 19th century documents for humans to read, and it’s keeping us from using information effectively.
The solution to our information problem is the semantic web and the pull paradigm.
The Semantic Web
The semantic web is nothing less than an overhaul of our information infrastructure, according to these basic principles:
- Electronic information will become unambiguous. Another word for semantic is unambiguous. In the Semantic Web, we declare what we mean in precise, standardized terms. Data that is semantic means exactly the same thing to any system or person who uses it.
- Data will become findable. Already we are seeing the emergence of the Open Web, where information lives online and can be found easily. There will be central repositories and central hubs that link information together. This is called “linked data in the cloud” and is the next transformation after services and software go online (see linkeddata.org). Humans now use 1% of all electricity to power data centers. The percentage will quadruple in ten years.
- Data will be reusable. We’ll keep all our data online in semantic formats and use it over and over by pointing to it. Data will become like Lego building blocks of information that can be combined and recombined to suit each particular task.
- Data will be interoperable. We won’t have to translate from one system to another. As an example, Edgar.gov will soon become a cloud-based hub for XBRL data from companies reporting results. Since everyone uses the same standards, all the software will be able to tie into the original sources of data and use it in the way that’s most meaningful to the subscriber.
- Devices will be ubiquitous. There won’t be any more computers as we know them. Apple OS and Windows as well as Google Android, iPhone, Blackberry, TVs, and book readers will all be replaced by Net-based screens of all sizes that simply see the web and do everything online. The market for netbooks is currently growing at 40% per quarter vs notebooks’ 20%. Prices will drop through the floor. Screens will be on your wrist, on your car dashboard, or on your wall, and they will connect to the net, where everything will take place.
- Systems will be flexible. We’ll start using flexible knowledge models and declarative systems that use data, rather than encoded processes, to drive business systems. Today’s procedure-driven software has already broken (most enterprises spend 80% of their IT budgets on maintenance). Tomorrow’s flexible systems will be adaptive – they will respond in real-time to business events and change themselves daily as the business environment changes.
- Real time. The semantic web lets us close the gap between what happens in the real world and when we know it. When the processes and products themselves generate the data, we will go to a real-time economy that will be much more efficient than our time-lagged way of doing things today.
The Pull Paradigm
We are making the transition from pushing information to pulling it, and that will change everything. Originally, the TV networks sent out signals for shows according to a schedule that benefitted their advertisers. Then, VCRs let consumers watch when they wanted and skip the ads. Now on-demand services let consumers watch a handful of TV shows whenever they like. The future is online, where you can find and watch any video ever recorded any time you like on any device.
- This will happen in all industries. People will pull information to them whenever, wherever, however they like. People will use online data lockers to store and guard their information, and that will replace today’s computers. It will power everything. We’ll store all our preferences there, so rather than managing music we’ll manage our preferences. This will allow us to (finally) use software agents to look for things on our behalf.
- Many processes will invert, in favor of the customer. No longer will we “push” things through the supply chain. Instead, customers will “pull” items through. Consumers will pull services on demand. Marketing will change from outbound messaging to responding to queries. We won’t search for things; we’ll say what we are looking for and let things find us instead. Software will cost 10% of what it costs today and will be much cheaper to maintain. Everyone will be both a producer and consumer of information that becomes part of the ecosystem.
- Account portability will be a leading indicator. When people can port their accounts from one vendor to another, the power in the relationship will flip. An early project is called Vendor Relationship Management, which will get the whole process rolling, in the same way that the video recorder did for television. Imagine if you could port your entire checking account or brokerage account to another bank and have the new bank understand everything – that’s the semantic web. It promises to cut the cost of health care by 25%, and that’s just the beginning.
- The result is the performance economy, where companies can’t afford to be on the other side of the table from customers. In the performance economy, you gain only when your customers do. Many industries will be flattened. It’s just getting started, but this model will come to dominate in the 21st century.
See? Like I said – go buy this book.
Update: There is a podcast interview with David Siegel over on the excellent IT Conversations website with the good Mr Windley and for those wanting a quick 62 minute intro it’s a great place to start.
-
Ads in My Twitter Stream – What Happened to Informed Consent Hootsuite?
Posted on March 8th, 2010 13 comments
A couple of days back I chose to follow my normal course of behaviour and play with any new Twitter clients for my much loved HTC Hero. As yet there has been nothing on par with the truly awesome Gravity client on Nokia’s Series 60 by @janole so anything new gets a fair go.
I’d seen reviews of Hootsuite’s new client and after throwing a nice shiny baked ROM at the Hero I was able to download and install Hootsuite Lite. There is a paid for version ($1.99 at time of writing) but as the only additional benefit I could see was the ability to handle more than 3 Twitter accounts (and I use but 1) there was little point in spending the cash just to see if it works.
Setup was simple enough, even though you get hassled a couple of times to create a new Hootsuite account before being offered a connection to your Twitter account.
Now I’m not going to review the application other than to say it’s very usable, has some decent thinking around navigation and handles a Twitter account admirably – at least on par with the current leader Seesmic in my opinion. But something odd happened after a feed refresh sometime on Saturday.
I was out and about, hit refresh and a curious new message appeared in my stream from someone I don’t follow. This in itself, given Twitter’s problems of last week with random tweets appearing, was nothing too odd but this tweet had a different coloured background and the format of the message was odd.
I quickly sent out a tweet to the crowd asking if anyone else had seen these “ads” but everyone who responded hadn’t.
Was this the first inkling of the much talked about Twitter advertising model? If so it was pretty well exactly what I had expected it might be but I had no knowledge of it having yet been enabled.
Of course being out and about research was a little hard to do.
So yesterday I sat down for half an hour and did some digging. It turns out that Hootsuite have partnered with a third party Twitter advertising agency called 140Proof whose model is to sell advertising messages injected directly into one’s stream by the client application. They look and feel like tweets but they aren’t – they are put there ONLY in the application stream.
They are inoffensive and not at all obtrusive, as I said they pretty well looked and felt how I would expect a Twitter ad to be BUT I hadn’t asked for them and more importantly I couldn’t recall ever being informed that I was going to get them. There were no signup T&C’s with the mobile app, no details easily found on Hootsuite’s web page, nothing.
A little more digging and it turns out, according to this article on Techcrunch, that,
Twitter clients pass 140 Proof a user ID list (with no names) and the public information contained in a Twitter users profile, and on the advertiser side, advertisers bid on ads to be directed toward users based on keywords in tweets, followers, as well as device, location and platform. 140 Proof’s algorithms calculates Twitterer’s “persona” based on public tweets and who they follow and serves ads to users based on this data.
YOU WHAT? So without my permission Hootsuite passes my PI and graph to a third party who then does their thing with it, sells that bundle (anonymously granted) and throws back a targeted advert!
Now sure my stream is public and viewable by all but that doesn’t make it acceptable for a business to utilise that information for their own gain without at least first asking for permission. What happens if you have a private non-publicly viewable Twitter stream? Does Hootsuite not work or do they just blindly continue to pass that data on to 140 Proof?
I don’t mind the ads, they make sense, they (in theory and assuming I pay them attention) pay for Hootsuite to offer up their client for “free” (read no money there) but informed consent is required.
For the record NOT one of the adverts I have seen over the last couple of days has been even vaguely “relevant” nor have I clicked through on any.
I’ll be having a chat with some people over just what consent they should have obtained as surely there must be a requirement in the EU but it’ll be more interesting to see just what sort of lifespan the 140 Proof model will have once Twitter actually do get their advertising live.
UPDATE: I am interested to hear from anyone who has knowledge of the BT/Phorm case being brought by the CPA; specifically the abuse of Regulation of Investigatory Powers Act (RIPA).
If Hootsuite are intercepting my profile and tweet stream and shipping it off (hashed or not) to 140Proof for analysis and spam would this constitute a breach also?
Don’t get me wrong, I don’t want Hootsuite punished; I just wonder, if this is/were the case, what would be their knowledge of the issue and how would they choose to address it.
-
Can PI Ever Be Considered IP?
Posted on February 8th, 2010 3 comments
I have my own thoughts on whether or not personal information can be defined as intellectual property but I’d really love to hear some more opinions before espousing my own.
Please do comment, especially if you have a strong opinion that falls one side of the fence or another.
-
Internet Eyes Under ICO Investigation
Posted on January 27th, 2010 3 comments
Well it was always going to happen but today The Register are running a story that the launch of Internet Eyes has been delayed whilst the Information Commissioner’s Office checks on the legality of the service after concerns were raised.
Assistant Information Commissioner Jonathan Bamford told The Register: “CCTV operators should use appropriately trained staff to monitor images. If a CCTV system is established to help prevent and detect crime, it would be appropriate to disclose images to law enforcement agencies where a crime needs to be investigated.
“However, it is not appropriate to disclose images of identifiable individuals for entertainment purposes or to place them on the internet.
“If images are to be released for identification purposes, this should not generally be done by anyone other than the law enforcement agencies where necessary when investigating a crime.”
I for one am hoping that in this case the ICO really does step up and put a halt to Internet Eyes.
-
Internet Eyes on TV – Watch, Learn & be… Disgusted?
Posted on January 26th, 2010 1 comment
UPDATE: ITV have rescheduled the piece for 18th February. Shame as I was hoping to hear what Internet Eyes had to say for themselves.
Internet Eyes the citizen snooping CCTV advocate, about whom I have posted before, is to be featured on ITV’s Tonight program on 11th February at 19.30 according to their facebook page. http://www.facebook.com/pages/Internet-Eyes/108455634071?ref=nf.
I’m personally still appalled at the idea of not only Joe Public having an eye into private CCTV footage for the purpose of reporting observed miscreants but also the notion of this snooping being in some way ranked into league tables of spotters with prizes/rewards on offer for reporting.
-
Are Modern HR Practices a Zero-Sum Game?
Posted on January 12th, 2010 No comments
Today’s article entitled “Half of Employers Reject Potential Worker After Look at Facebook Page” in the Telegraph reports that;
Bosses are now using the popular social networking site as a tool to double check how likely it would be that their new worker would take a sick day for being hung-over or on drugs the night before.
And job seekers were being found out for lying about their qualifications, with employers checking their Facebook pages to see if their online details matched their resume.
No great surprises there. After all background checks, references and such have been the bread and butter of the Human Resource industry for yonks and let’s be truthful here; business and HR in particular have never been great advocates of treating people as people. Liri Anderson highlights some of the absurd thinking in her post here.
But the article had me thinking, especially in light of Mark Zuckerberg’s recent Crunchie Awards statements on privacy and sharing. With open sharing of very personal information rapidly becoming “normal” (at least within a certain and growing portion of society) businesses are being offered up a far greater insight into who people really are, their true identity.
I recently spent a day being psychometrically tested, a practice I have had little respect for in the past. But this time it was different. After an hour of online tests prior to even leaving home, I spent the best part of 9 hours being subjected to a battery of tests, exams, questionings all culminating in a fairly probing interview with an industrial psychologist.
Throughout the whole process I was very conscious of the various (seeming) inconsistencies in my responses, my body language, volume, level of language – the whole performance. The psychologist then blew me away by not only articulating back to me all of those traits but painted a picture of me that was so close to my own view that I could not fail to be impressed.
And of course the whole exercise is designed to see through performance, misdirection and untruths.
With the rapid increase in sharing of personal information HR practitioners now have the ability to undertake much of the due diligence that would accurately be shown up by the above process themselves, in-house with no context, response or even the applicant’s knowledge.
I’m not going to argue the rights and wrongs of this surreptitious behaviour (although I give a nod towards Deep Packet Inspection) but I do want to pose a couple of points;
1) Are we going to see third party agencies now remotely scanning people’s online behaviour in order to offer up a “professional” opinion of that candidate based on nothing more than what is actually shared as opposed to that which is not expressed? Where will the oversight come from and can these businesses build a credible model?
2) In Zuckerberg’s ideal world we all share more and share more openly. Given this scenario when will the tipping point come where candidates are equally exposed and deemed inappropriate; what then? Does this point surely not create a Zero-Sum game for this practice of pseudo-psychology, one where employers realise that the process will not actually highlight potentially “bad” employees but that people are just people?




