How do you explain that Google doesn’t want to post a home page privacy link, and is willing to violate California law by refusing to include the privacy policy link on the Google homepage? It must hurt conversions.

Google is a serious web company and Google tests things before deploying them. The privacypolicy is an important aspect of web publishing, and even Google , with its significant investment in trading in people’s personal information, supports the idea that a privacy policy enhances trust and quality of a web site. Yet Google won’t put it on the home page, where the law says it has to be. Why not?

It must hurt the business, that’s why.

When you consider what would be important to Google, you first must consider profits. Conversions. How well the web page (and site) perform the intended tasks. And if testing shows that the presence of a privacy link on the home page reduces page performance (tracking whatever success metrics have been defined), then the wise business decision is to not post that link. If there is a law requiring the link, the wise business decision is to weigh the relative risks and rewards for compliance, and act in accordance withthe corporation’s best interests. Al lis not black and white in business. Any law is arguable, and arguing costs money. The balance has to be in the corporate favor. Otherwise, rst assured Google would post a privacy link.

So what is the defind conversion that is hurt by the presence of that link?

I’m betting it’s cookie clearing, but I haven’t studied the situation. If n% of readers click through to see they are tracked by cookies, m% of those n% may clear their cookies at that moment, or look to learn more about cookies and how to use cooies washers etc. But that’s just an off-hand opinion. You have to consider everything — click thru rates off the task of running a query, click offs to privacy web sites, secondary searches for Google and privacy, etc etc. Everythign detracts from the initial desired actionof user querying Google to find stuff. And that’s what Google will always choose to hide behind. Google can always say that the link detracts from the user experience. Privacy advocates argue back that a seven letter hyperlink doesn’t clutter the page much, doesn’t “detract” much, and Google can counter with the old web designer response “well, if everyone requested a 7 letter hyperlink from the home page, the home page would be all cluttered…” etc.

Google tests, and it is safe to assume testing has revealed that privacy homepage link hurts the page goal achievement rate. And it hurts enough to warrant resisting the laws of the state where Google is incorporated.

privacy rights clearing house

Who has the time or who can afford the effort required to manage the privacy issues under attack today?

A company in Ohio (Agent Technologies, see domain note below) is implanting RFID chips into the arms of employees, to see if the technology provides a good security solution for controlled-access areas. Ohio has introduced a law to make it illegal to require employees to be chipped. Wisconsin says you can’t chip people without their consent… isn’t it sad we need a law to say that? And it’s a state law, so don’t you wonder what it means when YOUR state doesn’t have that law, too? Rest easy when you go to bed tonight… unless you don’t live in Wisconsin, North Dakota (PDF), or California. Creepy.

The Ohio employees volunteered, so they would not be covered by the law anyway. Anyone who understands the concepts of harassment and constructive termination can see the headaches in the future with this stuff going on. And why RFID? What happened to biometrics, the last savior of the security industry, which promised to use faulty enrollment methods to almost guarantee a useless, but expensive invasion of privacy? Have we given up on that already, or have we just decided to install shoulder-height cameras at every teller window at the bank and collect iris data covertly without asking anyone’s permission?

A geek just demonstrated (again?) that he can easily clone an RFID chip… which ostensibly means he can access those “secure” areas the Ohio company is relying on RFID chips to protect. Since RFID chips can be read from a distance, I guess all a cloner needs to do is read the airspace in the traffic jam outside the offices, clone the RFID chips he discovers, and suck on one of the grain of rice sized RFID clones as he waltzes through the controlled-access areas. Ever wonder how those windshield washing homeless guys at the intersection can afford Air Jordan’s with the few bucks they get from scared drivers? I bet an RFID wand is just about the side of a squeegee handle… I’m just thinkin’, that’s all.

What a waste of time this all is, and challenge to our common sense. Who has time to fight the new laws that enable trade on our privacy, and support whatever efforts are truly designed to protect us (if there are any of those)? The EFF can’t do it all, can they? And if they don’t, what are we doing, letting the universe settle wherever it will via some theory of entropy or something? Clearly, this can’t be good.
Domain Note: The Ohio company is , but it seems they eiher allowed their domain to expire or decided against renewingit, because it’s owned by a domainer in the Cayman Islands right now. Tsk tsk…

Blog Courage: What it takes to publish a public opinion, despite.

This post over at Coding Horror highlights the silencing of Kathy Sierra, the Creating Passionate Users author, as one example of how blog success leads to blog shutdown. Kathy was a big success, and death threats and negative attention somehow caused her to stop writing a year ago. Another is Microsoft’s Dare Obasanjo, who quit writing due to the hassles of dealing with feedback, despite blog popularity (70,000 subscribers?).

I find it interesting that many artists are under-appreciated, abused, manipulated, or otherwise scorned while they are alive, yet celebrated after they are dead. A good deal of the worst of human nature is responsible, including fear and loathing and aggression, and… did I mention fear? But artists have learned to recognize the gift that is courage, as an artist. Many artists are able to do their thing for the sake of the art or themselves and not even say that much about it. Unfortunately, that approach involves a lot of poverty, a hefty dose of drug and alcohol abuse, and a kind of misfit syndrome that leads to .. again.. those manifestations of the worst of human nature (scorn and derision hurled towards those whom we see as “different”).

Did you ever discover a poem or short story or chapter of a book that was first published hundreds of years ago yet touches you deeply, makes you go “wow” and reminds you of just how vastly capable the human brain really is? So much has been written, we can’t know of it all, yet we also can’t search for it or catalog it. If we are lucky we get exposed to it via some passionate educator, and then we follow the stream to more. Otherwise, it sits quietly on a shelf somewhere waiting to be rediscovered by yet another previously unenlightened individual. Touching one person at a time. That’s good enough. But blogs reach a much wider audience in a viral way, and blogged ideas persist. It takes courage to post a public statement on a blog for all to see, now and later.

I’ve witnessed the hindrances to blog courage myself. Some not-very-good writer with a huge following will attack a blog post as if to counter the point, sway the readers, change the focus, or otherwise influence the audience. That person may have built up hir own following, but if your audience and hir audience overlap, you become the target of “effort”. Meh. Despite what that person or hir followers may think, I don’t write on my blog to provoke a response from those out there working hard to move the masses.

Blog courage is writing what you are moved to write. If you think that should come with responsibility to respond to responders, or counter the counter points, or otherwise deal with the hassles of the rest of the world, I suggest you may be part of that group personifying the lesser traits of human nature. Is the blogger an artist? If you witness an artist’s painting or sculpture you don’t like, do you expend effort to attack that artist? To what end? To stop the artist from making more art? Think about that… could we be reacting to the increased exposure of art in our world, reacting to the increased power the Internet has given to those gifted to move us emotionally, by harassing them and shutting them down? Is the collective “we” allowing that to happen?
You may prefer to compare the blogger to a journalist, wanting to hold the blogger to a set of standards for fact checking, source tracking, and etiquette. In that case, you need to re-define blogger, because the current population of bloggers includes many artists, not just journalists. All writers are not of one nature, on any medium.

I don’t mean to over simplify blogging. Business blogging, where the author deploys expository writing to educate and inform, is not the same as Creating Passionate Users or Helping Shed Some Light or Making People Think or Expressing My Perspectives. However, it seems those latter types of blogs are the ones people love, not the former. I believe that all writers are artists, but not all artists are writers. We need them all, but let’s keep in mind that the creative, opinionated editorial blog is not the Community Newspaper. It doesn’t belong to the community. It hasn’t been granted a license, and it doesn’t owe you anything. On the contrary, society may in fact be in debt to those creative risk takers, even if we don’t acknowledge it until after they are gone.

Just in case anyone was looking for Wikileaks.com, since their domain name was confiscated.

When Microsoft announced Microsoft Health Vault, for storing and retrieiving sensitive personal health records over the public Internet, I commented with “Microsoft is first out of the gate announcing Health Vault, an online personal health information database of Google proportions.” Now that Google has regained its composure in the health database area, it is testing a Google version of Health Vault in collaboration with the Cleveland Clinic.

Reportedly, this new sensitive medical data will be yet another aspect of the standard Google account. The same Google account that they use for tracking analytics, advertising spend (for those who advertise), ad consumption (for those who click ads), online video watching (for those who use YouTube), email (for those on GMail), saving whatever you search for on the Internet for practically forever, and so much more (”so much more” referring to DoubleClick data, library data being archived by Google, news wires, government records, etc).

Yes, the very same Google accounts which have been compromised by security holes in the very recent past (remember when we learned that others could read our GMail accounts?) will now be used to store and access your sensitive medical records. Hey, it works for YouTube, so why not your genetic screening test results?

This is under test with the Cleveland Clinic. Tests, of course, of how well it can make money for Google and the Cleveland Clinic. Oh sure the testing involves some safety issues, but the kind like “did any patients get hurt by errors?” (because that would create liability), and “did anything get seriously, obviously mucked up?” (ecause that would be ambrasssing). I doubt very much it is a test of real security or feasibility of exposing the records to International hackers via the Internet… youknow the people who sit back in their repaired Aeron chairs over in the-regions-recently-bombed-to-hell and try just about anything possible to access social security numbers, bank account data, or sensitive information that can be sold for currency.

Our commercial deployers of technology still insist on trying to promise security, while ignoring the obvious, known problems (storing encryption keys on local hardware(PDF)) and trying to convince us they are more innovative than everyone else (not).

If Google wants to test the feasibility of this Google Health Vault, they should put up billboards around the world saying “Solve this puzzle and get a job at Google”, and then challenge the worlds “brightest minds” to find a way in to that sensitive health data. Go ahead, Google. I triple dog dare ya!

Following Microsoft’s Health Vault, Google has announced that the Google Health Initiative at the Web Summit. As allof us involved with search already know, Google reminds us:

Google is already the starting point for a large majority of the health-related searches on the Web

Now we also hear that Googleis moving into local health commerce with “find a doctor” features:

Google has developed a prototype online platform for its health offering that incorporates personal medical records, health care-related search features, diet and exercise regimens, a localized “find a doctor” application, and other elements, Mayer confirmed. The company has shown the prototype to unspecified partners and is having both Google employees and “trusted testers” beta-test the system.

Google’s Mayer says that Google will help make sure you see even less of your doctor, as Google efficiencies help reduce the number of minutes a doctor has to provide to each patient:

“The goal for a lot of doctors is how many patients can they see in a day,” Mayer said. “That means their minutes per patient has got to go down, and the less time they have to spend finding and going over patient records the better. Ultimately we will design a product that’s useful for users, and also helps doctors do their job more quickly and more efficiently.”

Contrast this report to Microsoft’s Health Vault reporting, which was all about medical records, databases, and privacy. Where Microsoft announced the Health Vault to the world of medical consumers,it seems Google is going after industry support. No surprise there, eh?

Resources:

• http://www.searchenginejournal.com/google-health-coming-in-spring-2008/5852/
• http://blogs.wsj.com/health/2007/10/04/microsoft-google-aetna/
• http://blogs.wsj.com/health/2007/08/14/google-microsoft-health-care-giants/

Microsoft is first out of the gate announcing Health Vault, an online personal health information database of Google proportions. We can expect everyone to go after that gold mine, because such a database represents the single most profitable social media endeavor imaginable. Google will eventually build a health database. Yahoo! will probably try and add “your medical records” to MyYahoo! some day. This is scary, scary stuff, but it’s almost inevitable. People are willing to give away just about everything these days for a free email account, so I guess I can’t blame Microsoft for going after the Holy Grail of online databases with the Health Vault initiative.

Health Vault : Can it be Secure?

In a word, no. As everyone in technology already knows, whatever is connected to the Internet will be exposed to prying eyes. The credit card companies know this, the hackers know this, the information brokers and their customers know this, and the government (including the military) knows this. They have security systems in place specifically because they know nothing is secure on the web. Those security systems involve watching the hackers as they penetrate and look around, and tricking the hackers with fake servers full of fake data (honeypots). Millions and millions of social security records have been compromised every year for the past few years. In addition to this more obvious fact (that health Vault won’t be secure), this health Vault is from Microsoft - arguably not a prime example of companies doing well with software security (based on our experiences with Windows and other Microsoft products’ security).

Health Vault and Privacy

This one is easy. What people don’t know, won’t hurt them. Privacy is to be “user-managed” with Health Vault. That’s the short story - it’s left up to YOU what you expose via your privacy settings. The longer story is unknown, but it seems pretty obvious that this approach is an excellent way to get as much access as possible to people’s data before they know what they are giving away, or how they can change their own privacy “controls”.

Hint to the hackers: where there is trust, there is an exploit. As soon as there is a “privacy control” it becomes a target (like a lock becomes the target once placed on a door). If someone resets your “privacy controls” without your knowledge, how soon will you notice?

Health Vault: Why is it so Valuable?

You will hear about the obvious benefits of a centralized health database because that makes for good press and is supported by marketing dollars. You will hear about the crazy conspiracy stuff because it makes for good press. You won’t hear about the real deal, some of which I know from my back ground as a biomedical engineer and clinical researcher. The real deal is that personalized medicine is the most promising advance in health care coming down the pipe, and personalized medicine is based on genetics and intimidate knowledge of individual data like health history and medical records. Some day soon we will be able to do a genetic screen in minutes, and determine accurate probabilities of your future health. We can already check on many disease states using hair and saliva samples, or possibly skin flakes you might leave behind at the coffee shop, hair salon, or hotel bathroom. Without a court order or any permission, someone can follow you, pick up a that frappucino straw you threw in the trash and test it for various diseases. What can they do with such knowledge about you?

They can set your medical insurance rates, for one thing. They can deny you a job if they see you will get real expensive in the benefits department before the expected retirement age. They can run your DNA against a centralized paternity database, just to see if maybe somewhere in the past you perhaps unknowingly fathered a child that is now 16 years old and in need of college funds or 30 years old an recently un-incarcerated for sociopathy. Think about the potential of a Web 2.0 Social Media community site for adopted or otherwise fatherless/motherless individuals… tell your story, speak of your memories, and try to connect with your “real” family. Monetized via a paternity database… “send in your hair sample and we’ll check across 200 million medical records… all voluntarily submitted”. I bet that would be wildly successful. Or how about affinity groups like “people likely to get ALS before they are 35″ or “Preparing for Alzheimer’s” or even better a Mensa-like “Perfect People - Meet other genetically Perfect People Here” monetized via the mandatory DNA screen and Health Vault database inspection.

They can craft custom medications designed to work for YOU specifically, based on your own health profile. What would the profit margins be on such personalized medicines? I guess another way to ask that would be, how much would YOU pay for a medicine that could save YOUR life? Exactly.

Health Vault: Why should you care?

Well you may know enough not to participate in Heaqlth Vault, but who among us has not felt the pressures of social change involving risky technologies like unencrypted email? The vast majority of Internet email is still today sent around the world in clear text, stored all over the place, and yet nobody seems to care. Have you ever been asked for your credit card information and decided it was better to call it in? And after you placed your order by phone, did you get an email confirmation that showed most or all of your name, address, phone number, and credit card information? Sent over that Internet, in clear text (readable form), accessible to many, many otherwise unprivileged eyes and likely stored in multiple locations outside of your control.

Back office people send stuff by clear text (unencrypted email) all the time, in violation of policies and procedures and probably privacy and credit card laws, but nobody cares because it keeps commerce moving. The more momentum “the system” has the harder it is to resist participating. The more people accept Health Vault, the more health systems will require it, perhaps even using it via back office operations without your overt knowledge. If you have ever worked in IT or IS, I know you believe me. If you have ever been without a drivers license, how did you manage to “show ID” as you seem to have to all the time these days? I imagine the line for “people not in Health Vault” would be quite a bit longer than the line for “regular people”.

Health Vault. Should be good some day, but right now, I think this is pretty scary stuff.

Resources:

• http://www.google.com/search?hl=en&q=yahoo+medical+records&btnG=Search
• http://en.wikipedia.org/wiki/Medical_record
• http://www.privacyrights.org/fs/fs8-med.htm
• http://www.chron.com/disp/story.mpl/ap/fn/5188671.html
  
• http://www.nlm.nih.gov/medlineplus/personalmedicalrecords.html
• http://www.reuters.com/article/tnBasicIndustries-SP/idUSN0132605120071002

My first job was as an engineering tech for a small electronic instrument manufacturer. The company actually made things here in the US of A, by hand. They bought boxes of screws, drilled holes in sheets of beautifully-painted metal, and manufactured scientific instruments from the ground up. I put them together. Later, I was hired as an engineer and started designing and selling them.

Every day, I was reminded that the suppliers list, the customer lists, and the methods we used were trade secrets. I wasn’t reminded by some overly anal retentive Corporate Confidentiality Officer, I was reminded by the daily stories about who was discovered spying over at so-and-so competitor, who got a strange sales inquiry from a small town outside Berlin that just happened to also be the home of a competitor, or who at the European office was just fired for suspected espionage activities. And if our own paranoid CEO wasn’t enough, our customers were (at that time) building the super-secret stealth bomber using our instruments. They suffered their own security-clearance-driven paranoias, which of course propagated through to us once we were working on an order for them.

But they were right. Looking back, if I had their vendor lists, I could use my knowledge of their instruments to compete directly with them rather easily. It wasn’t about automation. It didn’t require a $2 billion dollar manufacturing facility. Sure there were patents, but there were also plenty of opportunities for leverage via innovation. The supplier catalog was indeed competitive intelligence. One of the most significant barriers to entry for that business would be finding the craftsmen and small tech shops that could fabricate parts from the special high-temperature materials we were using. Not every mechanic could spin graphite and machine small parts from high temperature quartz or sapphire, for example, without “learning on the job” with materials that cost as much as platinum and could not be recycled once broken.

Today we tend to get caught up in “tech world”. The Internet People are open, and use the Internet for everything. They move constantly from company to company, and work their networks to find jobs. They blog about their work. They give presentations and show source code, and contribute to Open Source. They rely on non-competes and non-disclosures to protect them.

But does that mean you should, too? Really? Are you sure?

I get asked to expand my LinkedIn network almost daily. I say no. It’s simply un-wise.

The Tech Companies ride the edge of innovation, which moves very, very fast. They can afford to be open about a lot of stuff, because no one can keep up with that pace of innovation anyway. It’s more about the pace at which you innovate (and work) than how you do it or what resources you use to get the job done. Their non-competes can be 1 year, and often proprietary knowledge lasts months. That is NOT the case in my business. How about yours?

I have some serious CSS people on hand, but I don’t own them. Fact is, you can have them at your disposal just like me, for the same great price I pay. Go ahead… but first you will have to find them (heh heh). Good luck. I went through dozens and listened to reports on dozens more before I found my “suppliers”. I won’t give that info up easily. If I LinkedIn my contacts, you’d be able to see my contacts in CSS land. They are very well-respected in CSS world.

I have some excellent database programmers at the ready. I pay them well for the work they do, but at best I probably cover their 4 weeks of annual Aegean vacation. They work for other people as well as me. And they could work for you. Good luck finding them. Oh, would they show up in my LinkedIn network? Of course… who else do I have to put in there but the people I associate with in my professional life?

When I need help on trends, I have some well placed people in advertising world of whom I can ask questions. Again… I suppose there’d be some serious vanity ego points gained for LinkingIn with them, but what do I gain from giving up my “suppliers list” like that? I suppose if I wanted to get a job I could work that extended network. Do I ever want to get another job?

So I routinely turn down LinkedIn requests, quietly and stubbornly declining. But the other day I got another one, from someone I don’t like. And it reminded me of this very topic. He reminded me by asking to “LinkIn” with me, when we are clearly not friendly. He digs through LinkedIn for competitive data he can use to make money on the web. I am just a name in his network, and a potential source of more names and contacts he can mine for free info to make money on the web. This guy is just like the temp at my first manufacturing job, who stole the wholesale client list and started cold-calling our customers the next day to sell them disposable static-control booties for $2 a box. He had no qualms about citing us as the source of his “referral”, and suggesting that they probably need to buy static control booties, and this was probably their lucky day.

Think your LinkedIn contacts are of a higher caliber than that dork? Think you’ve got the no-ass-clowns-in-my-network thing covered? Guess again. Your list is only as good as your vetting process, and hey… it’s all about being open and sharing, web two dot oh style, right?