It’s An Ill Wind All Right; Will It Blow Anybody Any Good?

Announced within days of one another, two developments, one bureaucratic, one nefarious, showcased the growing chasm between the dream and the reality of our increasingly interconnected world.  On December 4, 2020, President Trump signed into law the “Internet of Things Cybersecurity Improvement Act of 2020,” which establishes security standards for Internet of Things (IoT) devices owned or controlled by the Federal government. And this week, with everyone focused on the Electoral College and the Pfizer vaccine, we learned again just how vulnerable the systems we rely upon for, well, just about everything, really are.

As reported in Krebs on Security, Russian hackers (probably) hacked SolarWinds’ Orion platform software that, among other things, helps the federal government and a range of Fortune 500 companies monitor the health of their IT networks.  If you have never heard of SolarWinds or its software, the scope of the problem might be lost on you. Make no mistake, it’s kind of a big deal.  SolarWinds’ customers include:

• More than 425 of the US Fortune 500
• All ten of the top ten US telecommunications companies
• All five branches of the US Military
• The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States
• All five of the top five US accounting firms
• Hundreds of universities and colleges worldwide

Here is the eye-opener, as reported by David Sanger and his team at the New York Times: “The National Security Agency — the premier U.S. intelligence organization that both hacks into foreign networks and defends national security agencies from attacks — apparently did not know of the breach in the network-monitoring software made by SolarWinds until it was notified last week by FireEye.”  That’s right, the same seemingly all-powerful NSA that just a couple of months ago was in the news when the U.S. Court of Appeals for the Ninth Circuit handed down a ruling that the warrantless telephone dragnet that secretly collected millions of Americans’ telephone records may well have been unconstitutional did not know it had been hacked until FireEye, a private cybersecurity consulting company, told them so. And FireEye itself would not have known either but for its investigation of its own hack.

This brings me to my point:  it’s almost 2021 and the US has just now signed into law a bill requiring, among other things, the OMB to “develop and oversee the implementation of policies, principles, standards, or guidelines as necessary to address security vulnerabilities of information systems.” However salutary it is to require more care in how the US government buys connected devices, it sure seems like a belated drop in a very large bucket. In the meantime, everyone from Homeland Security on down is trying to figure out how something as innocuous-looking as a software upgrade could wreak such havoc.  It would take someone a lot less jaded than I not to think about horses and barn doors or days late and dollars short.

If you had “Entire Nation Hacked” on your 2020 bingo card, you may collect your winnings on the way out.  There is much to be done and in many ways, we are just getting started.  To paraphrase the Mishna: The day is short, the work is great, the workers are lazy, the reward is great, and the Russians are pressing.

Advertisement

Pardon My Drone

If we think about drones, we probably think about remote-controlled assassination machines manned by the Mossad or “fly-through” tours of the homes of the rich and famous.  What we (or at least I) didn’t think about were artificially intelligent police drones that can be sent out by 911 dispatchers to the scene of the crime and follow the bad guys around until they do something they can be arrested for.  At least four U.S. cities currently use these remotely-controlled – and self-controlled – investigation tools. No more out-of-shape cops trying to climb chain link fences in hot pursuit of more fit criminals!  Hill Street Drones.

Drones use is now exploding in creativity. “Dehogifier” drones with heat sensors will tell you when wild hogs are destroying your crops. The Spotify Party Drone hovers over you in line at festivals to play your favorite songs. Russia and China are using drones disguised as birds.

Which started me thinking.  Now that smart drones have utterly transformed warfare and policing, not to mention real estate, what’s next? I have ideas:

• Gecko Cam: GEICO Insurance customers are astounded to see their rates increase after the insurance carrier famous for its British spokeslizard deploys smart drones to watch your driving habits.  No word whether they will be disguised as pterodactyls or flying dragon lizards.  GEICO’s got you covered.
• The Daddy Drone: Helicopter parenting is so 2000.  Just program the Daddy Drone with your daughter’s favorite haunts and voila! No need to prowl the neighborhood with your lights off or to wake up her BFF’s parents to cross-check her alibi. Integrate with Alexa or Siri and you can ground your kid from the comfort of your bed in a variety of celebrity voices!
• Poli-Sci Fi: Did your favorite candidate just narrowly lose an election?  Are you a civic-minded soul who just wants every legal vote counted (as long as it was for your candidate)?  Well, no need to stand around all day in costume and argue with your neighbors; let your drone do the dirty work.  Available in red, white, and blue.
• Karen Camera: Are you tired of enforcing the homeowner association rules from your minivan?  Have you been assaulted by threatening bird watchers and need the proof before calling 911?  Smile, you’re on Karen Camera!
• The Gym Rat: Who didn’t wipe down the elliptical?  Who left those wet towels all over the locker room?  You did and we can prove it.  Your gym membership just became a little more expensive.  Feel the burn.

I could go on, but why should I when I have an audience of smart folks like you?  Send ‘em in and we’ll publish the best of them on HeyDataData.  In the meantime, might want to carry an umbrella the next time you want to do something a little shady.

Is Google Really the Borg?

“We are the Borg. Your biological and technological distinctiveness will be added to our own. Resistance is futile.”

 Now, I would never be mistaken for a Trekker, but there are some lines from the series that everyone of a certain age knows and this is one of them.

As a veteran of the mobile payment wars, I quickly learned the bête noire of merchants and banks is a clunky term better suited for the classroom than the boardroom: disintermediation.  In the case of mobile payments, that term describes the case where a competitor cuts you off from your valued customers using a shiny object as bait.  And no one cranks out shinier objects than Google. Now, Google is rolling out Plex, a digital bank account in Google Pay that will be offered by a variety of banks and credit unions.

American Banker reports that both Citigroup and Seattle Bank have partnered with Google Pay in an attempt to capture Gen Z and Millennial customers.   (Google has said it’s partnering with 11 financial institutions.)  So, is this a deal with the devil or a match made in heaven?  Like so many things, this is a case of “you pays your money and you takes your choice.”

On the one hand, banks like Citi and Seattle Bank see the partnership with Google as an opportunity to create scale, find new customers and grow into other products.  Or, as the CEO of Seattle Bank put it, it’s a chance “[t]o meet digital consumers where they are (on their smartphone), to reach a new market segment of digital-first consumers, and to move fast and at low cost with strong security.”  Banks like Seattle and Citi don’t fear disintermediation because they believe that their brands are strong enough to remain primary with their customers and that there is enough room on the field for a number of competitors to play.

Others are not so sure that such partnerships aren’t just capitulation and a digital coup de grâce delivered by Google in the competition for data.  According to Todd H. Baker, a senior fellow at Columbia University’s Richman Center for Business, Law & Public Policy: “What Google really wants to do is capture your information for everything, and this is the one piece they don’t have . . . [Google] get[s] to see payment, spending and savings behavior. Google gets what it wants and maybe it’s OK financially for the banks, but in the long term it’s disintermediating them from the experience. It feels a little bit like surrender.”

Will banks live long and prosper with Google Pay? The answer is written in the stars.

Red-Flagged by the Black Box: Nationalizing Apps to Fight COVID-19

Many of us have not read about China’s near-nationalization of payment and chat apps to fight the spread of COVID-19.  Widely-reported but little noticed, China has required citizens to use software on the chat and payment apps WeChat and Alipay that dictates whether they should be quarantined or allowed into subways, malls and other public spaces.

China’s state media calls the feature the Alipay Health Code. It assigns people a green, yellow or red rating accessible via a QR code on the Alipay app at subways and office buildings. People with a green status can be out in public, yellow status results in a request to stay at home for seven days and red status results in a two-week quarantine.

You don’t need me to tell you the myriad of privacy issues this state recruitment of ubiquitous apps presents. The New York Times reports its belief that health and location information from these programs is being shared with Chinese law enforcement in real time.  And it is unclear what a citizen needs to do to get her status changed back to green once the threat has passed.

My colleague Ted Claypoole recently reported in this space about a Dutch court tossing out a welfare fraud detection scheme because its AI component wasn’t transparent and thus violated European law against profiling.  As Ted wrote, the court had to weigh “the functional purpose of such a system against its impact on the human rights protected by the EU Charter.”  The court decided that protection of human rights trumped the obvious benefit of preventing fraud.

We know that such nice balancing is beside the point in an authoritarian country like China. But, would a court in a Western democracy come to similar conclusion in the face of rapidly-spreading pandemic?  I think the jury is out.  We have come to accept many restrictions on our liberty in the name of protecting the most vulnerable members of our society.  At least, many of us have.  And state and local governments are perfectly willing to tighten the screws if people don’t pay heed.  Governor Cuomo of New York spoke of turning a public “density valve” tighter and tighter: “We’re going to take it to the ultimate step, which is we’re going to close the valve,” Cuomo said. “Because the rate of increase in the number of cases portends a total overwhelming of our hospital system.” When spring breakers in Florida went AWOL on YOLO grounds, state and local officials kicked them off the beaches.

How short a step is it from ordering all bars and restaurants to close and shuttering all public schools to requiring mandatory app updates to protect public health?  I’d say it’s about a New York minute away.

Home Alone

There’s an old Yiddish saying, passed down to me from my grandparents, that is worth recalling in these uncertain and potentially infectious times: “When three people say you’re drunk, go lie down in the gutter.” So, when my brother the doctor (he’s the smart one) texted the family last night to say about COVID-19 “go out and buy two weeks of provisions; this is going to be bad”, I took heed and headed out to the store.

Which brings me to work.  Many of us are soon likely to told, not asked, to work from home (WFH). I have WFH for the better part of a decade and I can tell you that it takes, well, work to keep your productivity high when the couch, TV and ‘fridge are all within easy reach.  I have come to love WFH and like to think I’ve learned a thing or two about it.  It’s not for everyone, so here are few hard-learned lessons for those of you new to the art.

Know your tech:  One of the first things you learn when working from home is that all those nice folks upon whom you rely to do stuff for you at the office do not live at your house.  Rude.  So, make sure you know how to use the tech available to you.  And not just email and IM.  Know how to set up your own conference calls, schedule your own meetings, and create and file your own documents.  Make sure you have downloaded and know how to use any productivity apps, both those your firm uses and personal apps.

Security:  Keep your personal and work stuff separate.  Don’t use your personal laptop for company business and vice versa.  Make sure your home wifi is up to your company’s security standards.  Use anti-virus and anti-malware software and try not to connect to public wifi.

Wifi:  You will want to make sure you have the speed and reliability to handle your workflow.  You may need to upgrade your wifi plan.

Phone:  If your cell service is spotty, you will need to do something about that. (Ask me how I know.) You can enable wifi calling on your cell phone if your cellular service is subpar and you can obtain a booster from your cellular provider, sometimes for free, if you can demonstrate that your service is lousy at home. And you should finally learn how to use the conference call feature on your cell phone without hanging up on everyone.

You Do You:  It may take you some time to adjust to life without an office.  For me, the issue was that I was “always on”.  With no commute to deal with and the “office” steps from the bedroom, I would be at work from the time I awoke to the time I went to bed.  Not good.  As my wife succinctly put it to me years ago (while firmly closing my laptop mid-email one evening) “Office hours are over for the day.”  There may have been an expletive or two in there somewhere.  Anyhow, set reasonable boundaries.

Social Media:  Ah, the blessing and the curse.  For those WFH, social media, particularly chat and LinkedIn, keep you connected to your co-workers and friends.  Use them liberally, but judiciously.  Remember that people can interact differently from face-to-face, phone, email, text, and social media communications. Some of your co-workers won’t be comfortable on one medium or another, and frankly, some will be too comfortable on some media and keep you tied up all morning. Also, it is all too easy to find yourself down the rabbit-hole on “research”.  Check out the Digital Nomads and Remote Workers on LI groups on LinkedIn to connect with other “location-independent workers”.

And yes, I am writing this in my pajamas, ya filthy animal.

We Put the “Ow!” in Iowa

I woke up this morning to a text from a close friend wondering how long it would take me to write about the fact that as of this writing, we still do not have results from the Iowa caucuses last night due to problems with its untried voting app.  I guess I’m firmly established on the “get off my lawn” beat.

The little-known corollary to the time-honored maxim “if it ain’t broke, don’t fix it” is “if it’s broke, don’t replace it with something worse.”    The list of potential problems with using mobile technology for something as important as voting is long.  Rule One might be “don’t hire a company named ‘Shadow, Inc.’ to build your app.”  A fellow Hoya, Matt Blaze, a professor of computer science and law at Georgetown, said that “any type of app or program that relies on using a cellphone network to deliver results is vulnerable to problems both on the app and on the phones being used to run it . . . and that “[t]he consensus . . . is unequivocal . . .[i]nternet and mobile voting should not be used at this time in civil elections.”

Any remote access application will add complexity to a task due to the need for identification, authentication, authorization, and security, of both the device and the person using it, as opposed to a simpler system based on paper or a single machine for each location where any caucus participant could authenticate herself in person. Multiple technology platforms simply increase complexity and likelihood of error. And, as I learned in the mobile payment world, if you are relying on good cell service or wifi availability for your app to do its work, you’re gonna have some unhappy end-users.

Add to these inherent problems that the app was reportedly only put together over the last two months and was inadequately tested.  (Apparently, it was the back-up plan; the original plan was to use the phone to call in votes.  “Hi, do you have Pete Buttigieg in a can?”)

Just because you can doesn’t mean you should.  I have been bringing a yellow legal pad and ballpoint (or “ink pen” down here) to meetings for years.  Clients and colleagues regularly smile indulgently, as if I had just set a butter churn down on the table.  My stock response might be appropriate for the beleaguered folks in Iowa and I offer it here for free:  Paper rarely goes down, never needs to be recharged, doesn’t need an adapter and, best of all: I know how it works.

Is Plaid the New Green? Visa Seems to Think So

Two weeks ago, VISA announced that signed an agreement to acquire Plaid, a fintech that allows consumers to connect their bank accounts to apps like Venmo to enable mobile payments, among other things.  By all accounts, VISA paid a significant premium to buy Plaid, shelling out $5.3 billion, or, by one account, twice Plaid’s late-2018 private valuation.

If you know anything about VISA’s role in the payments ecosystem, it isn’t too surprising that VISA was willing to pay top dollar.  VISA views itself as the one indispensable player in the payments ecosystem and works hard to perpetuate its role as the ecosystem develops.  Because Plaid gives consumers a way around using its credit cards as the payment mechanism in consumer apps, Plaid was a potential threat to VISA’s hegemony.  Though Plaid, developers can enable apps to verify consumer’s banking credentials and accept payments directly out of their bank accounts.  Cheaper for merchants, convenient for consumers.  Maybe not so good for VISA and other credit card providers.

Plaid’s method for accessing consumer bank accounts, pejoratively known as “screen-scraping”, is not seen as ideal from a security standpoint and is unpopular with the banks because it tends to disintermediate their customers.  When you add your bank account to Venmo, you probably think that your bank has endorsed the connection.  It hasn’t and would prefer that transactions involving your bank account be conducted through the bank itself, not a third party fintech.

Nonetheless, VISA’s press release contained glowing praise from both JP Morgan Chase and PayPal.   Gordon Smith, co-president, JPMorgan Chase, opined that the acquisition was “an important development in giving consumers more security and control over how their financial data is used” and that Chase would “look forward to partnering with Visa to continue building a great experience for our shared customers.” For his part, Dan Schulman, President and CEO of PayPal, played the Swiss card, noting that PayPal has “strong relationships with both Visa and Plaid” and that the combination would give PayPal an opportunity to enhance its products due to “the security and scale of Visa’s global network.”

So, here you have Chase, the banks’ bell cow and one of the standard-bearers of Zelle (the banks’ payments consortium that competes directly with PayPal’s Venmo and with VISA) approving VISA taking Plaid, another fintech with disruptive technology, under its wing.  Why would that be?  One good theory is that the devil you know is less dangerous than the devil you don’t.  In the payments ecosystem, these players have invested heavily in the technology and security necessary to manage the enormous and complex risks in this highly-regulated, fast-moving world.  If security remains one of the main reasons that consumers are still wary of adopting new payments paradigms, wouldn’t it make sense to brand these new methods with trusted names like Chase, VISA and PayPal? And not incidentally, to set the bar for security?

Venmo’ Money: Another Front Opens in the Data Wars

When I see stories about continuing data spats between banks, fintechs and other players in the payments ecosystem, I tend to muse about how the more things change the more they stay the same. And so it is with this story about a bank, PNC, shutting off the flow of customer financial data to a fintech, in this case, the Millennial’s best friend, Venmo. And JP Morgan Chase recently made an announcement dealing with similar issues.

Venmo has to use PNC’s customer’s data in order to allow (for example) Squi to use it to pay P.J. for his share of the brews.  Venmo needs that financial data in order for its system to work.  But Venmo isn’t the only one with a mobile payments solution; the banks have their own competing platform called Zelle.  If you bank with one of the major banks, chances are good that Zelle is already baked into your mobile banking app.  And unlike Venmo, Zelle doesn’t need anyone’s permission but that of its customers to use those data.

You can probably guess the rest.  PNC recently invoked security concerns to largely shut off the data faucet and “poof”, Venmo promptly went dark for PNC customers.  To its aggrieved erstwhile Venmo-loving customers, PNC offered a solution: Zelle.  PNC subtly hinted that its security enhancements were too much for Venmo to handle, the subtext being that PNC customers might be safer using Zelle.

Access to customer data has been up until now a formidable barrier to entry for fintechs and others whose efforts to make the customer payment experience “frictionless” have depended in large measure on others being willing to do the heavy lifting for them.  The author of Venmo article suggests that pressure from customers may force banks to yield any strategic advantage that control of customer data may give them.  So far, however, consumer adoption of mobile payments is still miniscule in the grand scheme of things, so that pressure may not be felt for a very long time, if ever.

In the European Union, the regulators have implemented PSD2 which forces a more open playing field for banking customers. But realistically, it can’t be surprising that the major financial institutions don’t want to open up their customer bases to competitors and get nothing in return – except a potential stampede of customers moving their money. And some of these fintech apps haven’t jumped through the numerous hoops required to be a bank holding company or federally insured – meaning unwitting consumers may have less fraud protection when they move their precious money to a cool-looking fintech app.

A recent study by the Pew Trusts make it clear that consumers are still not fully embracing mobile for any number of reasons.  The prime reason is that current mobile payment options still rely on the same payments ecosystem as credit and debit cards yet mobile payments don’t offer as much consumer protection. As long as that is the case, banks and fintechs and merchants will continue to fight over data and the regulators are likely to weigh in at some point.

It is not unlike the early mobile phone issue when one couldn’t change mobile phone providers without getting a new phone number – that handcuff kept customers with a provider for years but has since gone by the wayside. It is likely we will see some sort of similar solution with banking details.

2020 Foresight: Doing the Vacuuming

Pick your aphorism.  Nature abhors a vacuum.  Markets hate uncertainty. Fools rush in where angels fear to tread.  Small is beautiful.  Whichever one you choose, my prediction for 2020 is the same:  we will see state legislatures acting to protect their citizens (and lure corporate taxpayers) by passing legislation aimed to plug the gaping holes gouged into existing law by tech.  And those efforts will be smaller-bore and more targeted than omnibus privacy bills like the CCPA. (All those who think we will see the federal government pass anything like GDPR here on a bipartisan basis anytime soon, see me after class.) States, it says here, will compete to address specific tech and data-related pain points of concern to their current and prospective taxpayers.   Much like the infamous “race to the bottom” for the most permissive corporation statutes in earlier years, states will attempt to add companies to their tax bases with friendlier tech legislation.

I think Ohio’s safe harbor law for data breach liability litigation was a bellwether.  Heretofore, the only thing we knew about data breach litigation is that whatever a company did to “harden” its defenses against unauthorized intrusions, it would be deemed woefully insufficient by a trier of fact in hindsight.  To give Ohio companies at least a puncher’s chance, Ohio passed a law that allows a company an affirmative defense based on the adoption of recognized security standards.  More on the Ohio safe harbor here.

Illinois gives us another, more recent example of a state setting ground rules for employers for the use of an emerging technology, in this case, AI, in hiring. Its “Artificial Intelligence Video Interview Act”, now in effect, requires notification to job applicants that AI will be used to consider their “fitness” for a position, an explanation of how the AI works, and what “general types of characteristics” the AI considers when evaluating candidates. The law also limits who can view an applicant’s recorded video interview and requires that companies delete any video that an applicant submits within a month of their request. You can learn more about the Act here. (Fairness dictates that I note here that Illinois is also the state that many corporations that use biometric data love to hate because of its private right of action for unconsented to collection of such data.  Read more here.) A foolish consistency is the hobgoblin of little minds.

To be sure, some states will continue their efforts to match or surpass California’s efforts to create a de facto national privacy standard (and we will continue to track those efforts here). Most, however, will think small and follow the money.  Which means more patchwork regulation to keep track of for us all in 2020 and beyond.  And there was much rejoicing.

Social Control App Tests Journalists and Citizens

There are so many intertwining threads in this story about this “re-educational” Chinese app, we could make some very high-quality bedsheets.  The ineffectiveness of “consent”.  Tech as a force-multiplier for the state.  The opacity of the black boxes we increasingly rely on to run our lives.  Big Brother, both Orwell’s and CBS’. Gamification.  The big lie.

Here’s the story.  A German cybersecurity firm, at the direction of the Open Technology Fund, hacked a Chinese android phone app called “Study the Great Nation” and reportedly found a “backdoor” that gives the Chinese Propaganda Department “Superuser” privileges https://www.washingtonpost.com/world/asia_pacific/chinese-app-on-xis-ideology-allows-data-access-to-100-million-users-phones-report-says/2019/10/11/2d53bbae-eb4d-11e9-bafb-da248f8d5734_story.html

These privileges include the power to download any software, modify files and data, or install a program to log key strokes. Although whether to download the app is in theory up to the user, in practice it is close to mandatory.  The Communist Party has directed members to download it as have many workplaces.  It already has over 100 million registered users.

While the backdoor itself is not public knowledge, the terms and conditions themselves are not exactly comforting to those with Western sensibilities.  They disclose that the app will “access and take photos and videos, transmit the user’s location, activate audio recording, dial phone numbers and trawl through the user’s contacts and Internet activity, as well as retrieve information from 960 other applications including shopping, travel and messaging platforms. It even requires the ability to connect to WiFi and turn on the flashlight.”

And, it assigns homework.  The app features quizzes on the app’s content and awards points for interacting with the app, like by reading articles and commenting on them.  Of course, the app tracks all that.  If you read Dave Eggers’ dystopian cautionary tale “The Circle”, you’ll be hearing disturbing echoes about now.

Here’s the really chilling bit:  10,000 Chinese journalists, compelled by their employers to download and use the app, will soon be “tested on their knowledge of Xi Jinping Thought”.  Those who pass get press credentials, required in order to work as a journalist in China.  I suppose the others have to stay after school or receive lovely parting gifts.

I wrote recently about China’s “top level design” approach to governance and social credit.  In this approach to governance, the state sets behavior standards (rather than enacting constitutions or laws), then monitors and reinforces desirable practices by harnessing the power of high-tech surveillance tools.  In that case, we were talking about surveillance tech and AI.  Here, we have the state actively “encouraging” its citizens to report on themselves.  It would be as if the state you live in strongly suggested that you install a tracking app (like Progressive’s “Snapshot) in your car.  Oh, you don’t have to do so, unless, of course you want a drivers’ license.  (Sorry, for using you as a metaphor, Flo.)

There is apparently a saying out in Silicon Valley about the government’s appetite for new technology:  “If you build it, they will come.”  Whether you end up with a Field of Dreams or The Killing Fields is anybody’s guess.