To whom are these lectures intended?
Take two of the topics covered, ID theft and music file sharing. Everyone is concerned today, whether in a private capacity or while working on behalf of some organization. As a whole this lecture series aims to help:
- students of business management
- practicing business managers
- specialists in human resources, law and management of information systems
- individuals curious about the Internet revolution
to grasp these and similar manifestations of a fundamental problem of society in our Information Age: how to deal with dysfunctional information.
While business management is understandably more focused on creating value, dysfunctional information cannot be ignored and deeply affects the way business is or should be conducted for optimal performance.
Why should you be concerned?
Our reference to the Information Age needs to be put in perspective. The reader is familiar with the expressions "primary industry" and "secondary industry". By primary one means an economic activity concerned with the production or extraction of raw goods, such as agricultural and mineral goods. By secondary one refers to the processing and manufacturing of goods in workshops, factories and plants. The so-called Industrial Revolution marked the passage, in the 18th century, of our Western society from an economy based mainly on primary industries to one based on secondary industries.
Economists created the term "tertiary industry" to encompass activities which fell outside the previous classification. However many felt that what these industries had in common was to deal with "services", such as banking, education, entertainment, retailing, healthcare, transportation... With it came the realization that since the Second World War we are witnessing a new revolution, progressively making service industries the mainstay of economic prosperity.
We beg to differ. There is indeed a new economic revolution going on, but we see it as giving priority to the information industry, not to services. Services make an implicit reference to employing people to serve the customer rather than producing tangible goods. Yet, public relations aside, business practices convincingly show that employees are a cost to minimize, not a resource to expand. Rather, new economic prosperity stems from producing and exploiting information, ever more in quantity and, hopefully, more and more refined in quality.
One should not misunderstand the lessons to be taken from this analysis. True, both the public and the political body are highly concerned to see outsourcing embraced by the very service industries on which they based their hope for job creation. Their fears are made even worse by the fact that outsourcing knows no border, thanks to the Information Revolution. Yet this pessimistic perspective merely reflects their initial mistake. If we correctly identify information industries as the growth engine of the economy, employability should rather be sought as a response to an insatiable demand for information. For the 21st-century worker as well as the 21st-century organization, the question to ask is: what information am I suited to provide or exploit better than my neighbor? We believe optimistically that, by the very nature of information, this question will always have an answer, though not necessarily an easy one.
Taking information as the basis of economic prosperity for individuals, businesses and society, we are then confronted with a fundamental problem. Computer networks, especially the Internet, have removed almost all physical barriers to the remote distribution and access of information, while computers themselves have made it much easier to reproduce. Unfortunately the same technologies also allow one to free information from ownership, to disguise its origin and ultimately to distort it. Meanwhile computer systems generate and store massive amounts of traceable data, which may later be used in court to expose behaviors individuals and organizations had thought would remain undocumented.
Certainly human imagination and the propensity to do evil are nothing new. But their more modern manifestations all have in common a focus on the undermining of digital information. As evolving public policies try to defend a society based explicitly on the availability of information, and implicitly on its trustworthiness, how are managers to fulfill their responsibilities, avoid liabilities, anticipate vulnerabilities and still exploit technology-driven business opportunities?
For the concerned reader we aim therefore at providing a useful foundation to enable him or her to face real-life issues and master their solutions despite their unique and variegated circumstances. Without the common framework provided by these lectures, the risk is high for an actual business to paper over or wrongly address a specific issue and let it fester until it creates a major crisis. Even when experts are called in, one must remember that, without reaching out of his or her domain of expertise, no specialist can hope to provide a lasting solution to what is a pervasive problem.
What are the topics covered?
In part I, we examine issues which stem from maintaining (for its legitimate owner) or ascertaining (for the intended users) an electronic identity.
- The first chapter covers ID theft:
- - the seriousness of the issue has been highlighted by several major breaches of confidential, personal financial identifiers, one involving up to 40M accounts
- - the variety of reported causes offers a good view of real-life complexity
- - the case illustrates the importance of the human factor
- The second chapter covers credit fraud:
- - remote payment services and credit reporting are large markets, the reliability and efficiency of which are necessary conditions for the Internet to deliver expected growth and productivity gains
- - the complexity of a system involving users, merchants, banks and service providers with different, at times conflicting interests shows the need for compliance regulation
- - the case illustrates how quantitative risk management can be used to minimize exposure
- The third chapter covers ambush marketing:
- - most Information Age concepts, such as ID theft, apply to organizations as well as consumers
- - law is not all about enforcing compliance by organizations; it includes protection for them as well
- - the case illustrates how competition among organizations uses the Information Age to break new ground on trademark protection
In part II, we examine issues which stem from possession of personal, confidential data.
- The first chapter covers the healthcare industry:
- - the healthcare industry responds to a rapidly expanding market
- - because of the highly sensitive nature of the data concerned, the law gives a strong interpretation of the right to privacy
- - the resulting regulations have been written with particular care, resulting in a methodology useful in many other situations
- The second chapter covers marketing campaigns:
- - direct marketing is a vital tool for most providers of consumer goods and services
- - because of rising concerns about abuses, there is an ever growing body of compliance laws
- - the case illustrates how laws are the result of implicit bargains among pressure groups
- The third chapter covers safe harbors in the context of customer data processing:
- - the globalization trend applies to information as well as to any other aspect of the economy
- - it is important to understand how international laws induce new compliance tasks on domestic organizations
- - the case illustrates how laws can create new mechanisms or services
- The fourth chapter covers surveillance:
- - businesses and governments alike are keen to record or access personal data to fight threats to their interests
- - all businesses known to possess such databases, e.g. telecommunication services, are in need of protection
- - the risks associated with international terrorism put special trans-jurisdictional demands on businesses such as banking and transportation
- The fifth chapter covers viral marketing:
- - viral marketing is an emerging tool which is a natural fit with the rising power of consumer self-expression
- - consumers take possession of company data which the company normally considers proprietary
- - the acquiescence or even the active encouragement of the company blurs its right to control the outcome
In part II-B, we examine issues which stem from the need to locate digital information from unknown external sources.
- The first chapter covers Internet searching:
- - from the perspective of the source, the general case for a business, searching is all about being found, i.e. one goal of marketing
- - for aggregators, especially information providers, the dilemma is between free advertising and aggregative power dilution
- - in business intelligence, Internet searches are both an efficient way to observe and a significant risk of being observed observing
- The second chapter covers Internet matching:
- - matching is a stronger form of searching and as such is another tool of marketing
- - unless a business defines the terms of the match, matching shifts business value from marketing back to production
- - for the purchasing department, matching can be a significant source of cost reduction
In part III, we examine issues which stem from the defense of digital information.
- The first chapter covers the protection of information:
- - "Information Security" is central to the planning and implementation of today's organizations
- - successful organizations will integrate business continuity, compliance and business strategies into security planning
- - the chapter provides an overall methodology to develop and implement security policies
- The second chapter covers the disposal of information:
- - disposal and, by mirror effect, retention deserve a separate chapter within "Information Security"
- - this reflects the law, which is often very specific and demanding in this area
- - the case illustrates how privacy rights and business compliance can clash
- The third chapter covers the distribution of information:
- - publishing deals with information sent outside for public consumption, a pervasive activity
- - this is another case, copyright law, in which the law is written in favor of organizations
- - the case focuses on developing new business models, less dependent on legal enforcement
- The fourth chapter covers the recommendation of information:
- - recommendation is perforce a major need behind publishing digital information of any kind
- - the choice of the right recommendation mix is becoming as important as channel management, if not more so
- - Internet-based recommendations are a growing industry segment
In part IV, we examine issues which stem from attacks on the resources necessary to use digital information.
The attacks covered in this part relate to, and emphasize the importance of, at least one prior topic:
- The first chapter covers the stealing of time from information receivers, so as to maximize the reach of marketing. Techniques used are:
- - spamming (see chapter II-2 on marketing)
- - search salting (see chapter II-B-1 on searching)
- The second chapter covers the blocking of access to information senders, so as to pressure a target or eliminate a competitor. Techniques used are:
- - denial of service (see chapter I-3 on ambush marketing)
- - censorship (see chapter III-3 on distributing information)
- The third chapter covers the falsifying of the information context, so as to maximize personal gains or business profits. Techniques used are:
- - copying, which falsifies ownership (see chapter III-3 on distributing information)
- - plagiarism and forgery, which falsifies provenance (see chapter III-3 on distributing information)
- - advertising fraud, which falsifies readers' attention (see chapter II-B-1)
The content we have outlined is to be studied by the reader from his or her own perspective. Parts are bound to appear either trivial to someone who is an expert in the topic covered or shallow to someone who wants to become such an expert. The goal of these lectures is not indeed to bring more coal to Newcastle but, as it were, to help put Newcastle on a map together with all the cities with which Newcastle does business.
- - as a compliance officer, you will know how to make sure your organization is ready and accountable in case of information mishaps
- - as a staff manager, you will better understand how to integrate information-related risks into your own plans
- - as a line executive, you will be better able to carry out your responsibilities in balancing the inevitable costs of risk mitigation with the appropriate degree of protection
- - as a professional, you will learn how to better apply your expertise to business information-related problems in cooperation with experts from other disciplines
How is the material covered?
To the practicing manager, there is nothing new or surprising in any of the topics listed above. One needs only to keep abreast of the many scandals and crises reported in the general public media. Our purpose is rather to develop a sound methodology to deal with a multifaceted problem. As far as it proves in our power, our approach combines the advantages of case-based discussions and theoretical discourse.
Case studies accommodate a realistic assessment of the subject matter:
- differences between industries, e.g. whether it is banking or food processing, or functions, e.g. whether it is marketing or production, make it impossible to cover the whole field in a reasonable amount of space. For instance, in what is perforce an arbitrary selection of cases, nothing is said of industries regulated by the Food and Drug Administration, such as farms and pharmaceutical companies
- even in a single industry and a single function, such as the delivery of health-related services, dysfunctional information may never trigger exactly the same problem twice. Today it might be a case of penetration by an external hacker of a server holding unencrypted confidential information. Tomorrow it might be discovered at the same hospital that the head of pharmacy has been swapping personalized data on affiliated doctors' prescription patterns with some pharmaceutical group.
- such a diversity of situations makes it very rewarding to take the modern equivalent of a Grand Tour. Sampling industries (health care, banking, information services...) and functions (marketing, accounting, IS, compliance...) breaks one's parochialism and exposes one to a wealth of best practices which sprang up in response to a wide array of special cases. Compare HIPAA to SOX, Gramm-Leach-Bliley to the EU Directive on privacy and electronic communications, and learn.
However theoretical discourse has the power to highlight structure in what would otherwise be a hodgepodge of happenstance. Inspired by what we see as the unity of our subject matter, we have relied on a few encompassing principles which the reader will recognize time and again in the different chapters:
- - laws and regulations as an intrinsic business factor
By this, we mean in contrast with more traditional economic analyses where the rules are taken as providing an external and fixed environment. This traditional point of view, of course, has always been more accurate in the breach, as lobbying by industries on the one hand and public pressure groups on the other constantly compete to bend the law to their interests. Still, how the misuse of information is codified into law goes well beyond the attribution of a public contract or the search for a tax advantage. The closest comparison would be with the emergence of environmental concerns forty years ago: a lasting trend, a pervasive impact, the weight of industry reluctance and the self-interested role of the executive branch of government, and above all the difficulty of predicting future regulations with any accuracy as to content and timing.
- - pattern recognition as the best scientific tool to rely upon for modeling
Business activity is more and more often carried out online, whether with a customer, a remote supplier or a telecommuting employee. On the other hand the most common attacks upon the information resources of an organization today are perpetrated online. One should therefore always ascertain data received is genuine and fits a legitimate context, a pattern recognition task. The foremost lesson of pattern recognition is a trade-off worth remembering. The more one strives to reject "bad data" as bad, the more likely one will reject some "good data" as bad.
- - risk management as the best management framework
Dysfunctional information is not the only risk facing businesses. General methodologies in risk management naturally apply to this case. Their most important feature is to proceed according to a cycle. Like a chore, risk management is never done. No sooner does one think "everything is under control" than a new crisis threatens. Obviously experts in risk management cannot be trusted in so self-serving an assertion. But remember that by its very existence, valuable information attracts attackers and a business needs to defend its own against them. How different is this from the age-old contest between armor and projectile? Better projectiles inevitably come after better armor.
- - holistic approach as the required management tactics
To keep with military metaphors, we can picture any business at war against dysfunctional information. Because the threat is internal as well as external, the best approach is not to rely on some "magic shield" in the hands of war specialists but to involve the whole country, general public as well as professional elites. In particular the human resources function and the operational management of the business must be actively involved lest risk management, pattern recognition, information technology and law experts be turned into impotent Cassandras.
The metaphor conveys another useful lesson. Size is not a prerequisite. In proportion, Switzerland is as war-ready as the United States. Small businesses too are concerned by dysfunctional information and should be as well prepared in proportion to their resources.
Before starting on our Grand Tour, we need to pause and give the reader time to appreciate our four principles.
Take for example the uncertainty brought about by the rising tension between the public clamor for better protection of confidential information and the need of organizations to be free from unnecessary regulatory burdens. A year ago I quoted the bill introduced in April 2005 by Senator Dianne Feinstein aiming to bring California laws on identity theft to the Federal level. A year later this bill is still buried in the Senate Judiciary Committee. But wouldn't one more ID-theft scandal be all it would take to resurrect it? Probabilities increase when one looks at all pending bills (see for example The Center for Democracy and Technology). Senator Feinstein will forgive me the comparison, but the legislative landscape moves a bit like the ground in her state: lots of rumbles, no action and from time to time an earthquake.
Recent law has already witnessed surprising leaps of interpretation justified by the special needs of the Information Age. See for example the following explanation taken from an official analysis of the amended Computer Fraud and Abuse Act (18 U.S.C. § 1030):
"Consistent with Congress's prior construction of § 1030(a)(2), 'obtaining information' includes merely reading it; i.e., there is no requirement that the information be copied or transported. This is critically important because, in an electronic environment, information can be 'stolen' without asportation, and the original usually remains intact."
Compare this statement with the prior definition of larceny, "taking and carrying, leading, riding, or driving away with another's personal property", which now extends to mere "reading".
For the reader unfamiliar with pattern recognition or risk management, we advise a visit to Wikipedia for a short introduction to their specialized jargon. However the reader will gain a better understanding of their fundamental lessons by looking up a definition of the two types of errors in classification and a visual rendition of the risk management cycle (from Cyber-Risk Management: Technical and Insurance Controls for Enterprise-Level Security, by Carol A. Siegel, Ty R. Sagalow, & Paul Serritella, 2002).
We admit having second thoughts on bandying about the much abused phrase "holistic approach". Let us hasten to give it a more precise meaning, i.e. in the present context to:
- - integrate security, compliance and business considerations, rather than treating security and compliance as burdens on business, as if business could exist in some ideal world devoid of such practical issues
- - identify the whole system and manage it as a whole, its security being as low as the lowest part of the fence.
- - take the human element into account as the cornerstone of security, since all systems encompass the people who interact with them, foremost the employees but including external agents whenever possible
- - recognize the complexity of dealing with business affiliates / associates, with the inevitable dilution in security and responsibility
Finally we want readers to reach an independent assessment of the material. For that we need to warn them about our personal biases.
Following Joseph T. Wells (Principles of Fraud Examination, John Wiley & Sons, 2005), himself quoting Henry Campbell Black (Black's Law Dictionary, West Publishing, 1979), we use the following definitions:
- - "larceny: a felonious stealing, taking and carrying, leading, riding, or driving away with another's personal property, with the intent to convert it or to deprive the owner thereof"
- - "conversion: an unauthorized assumption and exercise of the right of ownership over goods or personal chattels belonging to another, to the alteration of their condition or the exclusion of the owner's right"
- - "to embezzle means willfully to take, or convert to one's own use, another's money or property of which the wrongdoer acquired possession lawfully, by reason of some office or employment or position of trust"
- - "a person is said to act in a 'fiduciary capacity' when the business which he transacts, or the money or property he handles, is not for his own benefit, but for another person, as to whom he stands in a relation implying and necessitating great confidence and trust on the one part and a high degree of good faith on the other part"
In our personal opinion, nobody should use any profile information obtained on an individual except in one case: in principle, the narrowest construction of the purpose for which this information has been disclosed, and in ideal practice, the execution of a single, specific transaction. Any other usage should be considered a case of embezzlement and breach of fiduciary duty when the information has been lawfully taken into possession, and of larceny in all other cases.
We readily submit that this is an extreme position, especially when one compares it to currently legal marketing practices. But it does inspire an ideal program which, as the reader will recognize, would minimize the risks of dealing with dysfunctional information:
- - restrict profile data ownership to the original provider characterized by this profile
- - decentralize profile data to the local machine used by the profile owner
- - minimize profile data possession by others
- - ensure that all exchanges of profile information are preceded by the recognition by the participants of a mutual interest
- - allow informal electronic exchanges to be conducted in total privacy between willing participants, total privacy defined by the status today granted to oral and postal communications
- - thus depriving profile data thieves of the huge productivity boost of breaking into a central site, forcing them instead to steal from people as in the "good old days", one at a time
In dealing with dysfunctional information, the practical reader should reach beyond any bias, including his or her own, and ultimately ask him or herself the following simple question:
how reasonable and how informed will my decisions appear to be, whether to a shareholder, an employee, a customer or, potentially, a jury member?
The author is also publishing a weekly column, Philippe's Fillips, which examines current challenges to the data rights individuals may have or wish to have. This column is polemical in tone and does not pretend to objectivity.
The author is President of ePrio Inc., a company which has developed and patented a way of interacting over the Internet which is both personalized and totally confidential. By the latter we mean that no one, not even an intermediary, has, nor needs to have, access to personal user profiles. ePrio Inc. currently markets an infrastructure service which allows so-called domain makers to deliver mutual, confidential matching services to their users.
While this lecture series aims to achieve the objectivity and detachment required by academic standards, it is possible that ePrio Inc. would benefit from some of the actions taken in accordance with the recommendations made.
On the other hand this lecture series refers to many fields, such as business management, human resources, law and management of information systems. When contemplating any practical course of action, the reader is urged to get professional help, within the reach of his or her budget, from experts in all such fields. This multidisciplinary approach is indeed a major lesson to be taken from these lectures and the author's academic discourse must not be construed as replacing expert advice.