Andreas Weigend, the former Amazon.com Chief Scientist, gave a very compelling presentation on transparency today at Office 2.0. He talked extensively about how companies have a “one way” view of data. What this means is that a company looks at data given to them by their customers as owned by them, and gives customers no insight into the data itself.
An example would be when you sign up for a discount card at a grocery store: they know how many cans of tuna you buy, but you aren’t given access to that data. The company believes that you are exchanging some of your anonymity for discounts. Anyone who knows me would not be surprised to learn that when I check out from my local grocery store, I give them my ex’s phone number, and still get the discount. Why do I do this? Two reasons: I don’t trust Safeway to handle my personal information, and I also don’t want irrelevant coupons (and junk mail).
How much more effective would Safeway’s program be if I could log in, look at my user profile, and make choices about which offers I’d like? How about no junk mail? Also, how much stickier would Safeway be if I could look at my grocery purchases and see that I’m not buying enough nutritionally beneficial foods?
The issue of transparency often comes up in discussions with my clients. There is a profound fear among businesses that providing information to customers may lead to litigation problems. For example, when a host has a cable cut, clients often ask how much information they should give their customers. Should they tell people how much of their network is affected, who might be at fault, and projected time to fix? If they do so, are they giving their customers information they can use in litigation? In general, I feel that more transparency is better.
From a litigation perspective, I don’t think providing that information will damage you. The information exists regardless of whether you disclose it. What does hiding it accomplish from a legal perspective? Practically nothing. A determined litigant is going to find it. Indeed, it may be better from a risk mitigation perspective to disclose the information. For example, one of the best ways to mitigate your risk from downtime is an effective SLA. An effective SLA provides your customers with a remedy for problems with your network. That helps reinforce your limitation of liability clause, by providing a remedy.
Providing information about an outage may do the same. Think about it from a judge, or jury, perspective. If you could show that you provided information to customers to allow them to mitigate their damages, and tools to contact you, you’ve provided a remedy for your customers. Because no one expects businesses to operate perfectly, providing information to customers about problems helps them cope with problems, and mitigates your potential liability. Hiding problems rarely works.
Two anecdotes reinforce this. I have two clients who approached major outages in completely different ways. One immediately established an outside-of-network blog, on which it posted information about the outage, and even included pictures of the backhoe digging a trench to repair the cable cut. The client feared a huge number of claims since their entire network was out. While they had some SLA claims, there were no lawsuits, and even more amazingly, no nasty grams from lawyers.
Contrast this with another client who hid their outage. When customers called in, they were informed that there was a problem, and that it was being worked on. With almost the same facts as the client above, this client was sued by a customer, and received over 10 nasty grams, each of which required several different responses from me.
I believe more transparency is better, at least from a business standpoint. Indeed, giving your customers insight into how you use their information may mitigate liability.
This is my second Office 2.0 conference, but this year I was asked to speak on legal issues that affect application and SaaS companies. The panel was pretty unstructured, without presentations. However, I took my thoughts on legal issues that affect application and SaaS developers and created an interactive presentation.
One of the legal issues that came up, and comes up all the time, is “how discoverable is on-line data?” The answer: completely discoverable. The fact that data is online, or in “the cloud” (a term I hate), has no bearing on its discoverability. Indeed online data is a fatter target for litigators. More than paper, or even email, online data is richer, in terms of information, than other types of evidence.
Let’s look at a Twitter feed. While I don’t know how Twitter’s backend works, it is fair to guess that the data retained by Twitter includes IP address, location, the tweet, visitors to the feed, followers, and marketing profiles of the Twitter member. Then take a business dispute involving one of your employees who uses Twitter. All this information, to the extent it’s relevant, would be very interesting in the litigation, and would contain much richer facts than paper. Indeed, because Tweets are public, a court would likely hold that you have a lower expectation of privacy than other types of information. All this is not to say that Twitter is bad, or some sort of litigation hole that businesses need to plug, but that online information is discoverable – and necessarily so.
Another question that came up is what are the ramifications of applications like Facebook, LinkedIn, and MySpace as used in the workspace? This issue often comes up in the context of employment law. So can you look at someone’s Facebook page, and if you see something that you feel disqualifies them for employment, use that to deny them employment? I’d say a qualified yes. Really, at base, if you could use other public information to legally make hiring decisions, you can use online data.
One of the issues that follows on the Facebook question is how a third party vendor can be liable for the acts of its customers. So, for example, if one of your customers misuses your blogging tool, can you, or might you, be sued? In some cases the answer is yes. While you are not generally liable for the acts of your customers, you may be liable if those acts were reasonably foreseeable, and you did nothing.
One of the ways to mitigate your liability, and actually bring in potential customers, would be to help your customers understand how they might minimize risks themselves. If you know that your blogging tool is often used in a corporate context, it may be helpful to provide your customers with suggested blogging rules. These not only allow you to be proactive, but may in fact facilitate customer retention simply by deepening the connection you have with your customers.
One of the issues that came up in the metrics that matter panel at HostingCon was the Rackspace IPO. Rackspace's Red Herring estimated a $12-$16 price. Lou Honick believed that the IPO would price out in the higher range ($14 to $16), Elliot Noss in the lower range ($12 to $14). Each bet $500 on their position. Based on a final price of $12.50 (and falling), I say that Lou needs to fly up to Toronto and deliver the novelty check in person.
One of the things I really need is personal finance software. A number of industry friends have recommended mint.com. I've looked at it several times and think it would be the right fit. However, I'm skeptical about turning over all my personal financial information to another entity. My major concern is not security, nor privacy (which I figure you just about give up when you sign up for any free service), but whether the company will stand behind its products. To determine this, I looked at mint's Terms of Service. Not surprisingly, it was disappointing.
As many of you who've seen me speak about "web 2.0" matters know, I believe that the Achilles heel of this new technology is how users' information will be used, disseminated and protected among the participants. So in this case, will mint.com, and its sponsors, protect my information once they're done using it, and will they stand behind these promises? In the case of mint.com, it appears that the answer is "no." The mint.com site contains significant information about how information is secured and protected, and how access and use of this information is restricted. Indeed, the CEO points out that even if my credit card information is stolen, my liability is only $50. However, in my view, my liability is much greater than that. For example, let's say that one of mint.com's partners misuses my personal information and somehow damages my credit. How will mint.com make me whole? Looking at their Terms of Service, they won't.
Here's what their contract says:
MINT MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, AS TO THE CONTENT OR OPERATION OF MINT.COM OR OF THE SERVICE. YOU EXPRESSLY AGREE THAT YOUR USE OF THE SERVICE IS AT YOUR SOLE RISK.
Further:
MINT'S LIABILITY TO YOU FOR ANY CAUSE WHATEVER AND REGARDLESS OF THE FORM OF THE ACTION, WILL AT ALL TIMES BE LIMITED TO $500.00 (FIVE HUNDRED UNITED STATES DOLLARS).
So in other words, if something goes wrong, it's my burden to fix – mint.com isn't going to help – no matter what their CEO says on their website. So what's my point? I think that companies need to stand behind their products. That often means thoughtfully considering requests from your customers to change the terms of your contract. In many cases, you can stand behind your product by agreeing to broader indemnification provisions, or listing a major customer as an additional insured on your insurance policy. Considering a carefully crafted warranty might also help. For example in my case, a warranty from mint.com regarding onward data transfer might satisfy my concerns. While in a consumer context it's unrealistic to assume that a company will amend their contract, in a business context, remaining flexible about contract terms may help differentiate you from your competitors, and lead to a deeper relationship with your customers.
Today’s HostingCon keynote was a fitting capstone to a very good conference. Although a bit personal at times, it reinforced for me the high emotion that goes into transactions. For all of the “be objective” talk – deals are emotional. This is true both for buyers and sellers – though particularly true for sellers. I don’t see how it is possible not to get emotionally invested in a deal. From negotiating to money, everything about a deal involves emotional investment. In my mind, not being emotionally invested in a deal is akin to dating and only looking for friendship – a bit of an oxymoron. Like dating, however, there are ways to participate in the process without getting completely heartbroken or frustrated. From my experience the following points may help:
· Don’t put all your eggs in the buy/sell basket. Keep operating your business and innovating.
· Know what your hard stops, or non-negotiables are, and realize that the deal will end if these are reached. Only designate these as non-negotiables if you are willing to walk away.
· Communicate with your advisors constantly. Feel free to vent to us about your frustration – but try not to make it personal unless it really, truly, is deserved.
· Hire people who have participated in deals before.
· Don’t give yourself artificial deadlines. If you want to take a day off to go see your kid’s swim meet, do it. The deal will be there when you get back.
· If the deal falls through, take time to deconstruct what happened, what you can learn, and try to reuse any documents that were created in the process.
The first session I moderated yesterday morning revolved around SPAM and new trends in dealing with this problem. One of the questions I posed to the panelists was whether new ways of dealing with SPAM are simply RBLs that you pay for. I think, however, that that is not the case. Dealing with SPAM and the way it affects your network is one of the key ways of dealing with, and minimizing, risk for your company. Advanced methods of addressing SPAM are a great way of doing this. From a legal perspective, SPAM poses two risks to your company. The primary risk is that a SPAM outbreak cripples your network. Network outages lead to large contract claims, and may affect your ability to get reasonably priced insurance – the linchpin of any risk mitigation strategy. The second is more of a nuisance issue: e-mail outages are the largest source of letters demanding “$100,000 for missed business opportunities” because of a missed e-mail. Assuming you have a decent TOS, these claims are typically easy to deal with. However, they take an inordinate amount of legal time to handle, and, depending on your settlement profile, may actually involve some outlay of cash to address.
In a prior post I opined that web hosts could use a good association to deal with a number of issues. Thanks to the efforts of a dedicated team of core members, the hosting industry has a nascent association: the Association of Internet and Hosting Service Providers or AIHSP. The AIHSP is getting a great send-off here at HostingCon thanks to the efforts of George Roberts and Frank Spaulding, who have given AIHSP space to promote the association, and the opportunity to network with hosts attending the show. As I’ve pointed out in the past, an association is good for many reasons. The first is helping raise the profile of an industry that gets relatively little notice, and, honestly, that has relatively little cohesion. Aside from HostingCon, and a couple of other events, it is rare for hosts to get together and compare notes. Even when hosts do get together, only pressing issues are discussed. There is little time for discussing standards, best practices and other issues that are hallmarks of an industry that has reached a bit of maturity. An association gives companies the breathing room and time necessary to think and talk about these issues in more depth. So what can you do? Stop by the AIHSP’s booth in the HostingCon exhibit hall and see what they’re up to, and what you can do to make the association what you’d like it to be. If you’re unable to make it to HostingCon, just stop by the web site and get active – or at least sign up for news. If none of those work, feel free to drop me an e-mail, or stop me in the hall at the show, and I’ll be happy to point you in the right direction.
As has been widely reported, three of the nation’s largest ISPs have entered into an agreement with New York’s Attorney General Cuomo in which they will begin blocking certain sites alleged to contain child pornography. While it’s unclear why these ISPs agreed to cooperate (although given A.G. Cuomo’s past law enforcement efforts, it’s certainly easy to assume that a certain amount of arm twisting was involved), the way this agreement will be implemented is quite illuminating. The press release issued by the A.G.’s office makes for interesting reading. It appears that the State of New York will begin building a library of objectionable images and assign these images hash values. This will allow the State to identify images across multiple networks without having to re-identify them. The ISPs will also use lists of illegal images compiled by the National Center for Missing and Exploited Children (NCMEC) to administer the program and remove data. In addition, in the release, we learn that the A.G.’s office “uncovered” a “major source” of the content, “known as news groups.” What is missing from the release is how these programs will be administered. Predictably, this minor issue was not included in the press release, nor in reporting by major news outlets. However, reporters from “Mashable” did some digging and found that each of the ISPs was going to approach the issue differently: TimeWarner is blocking all USENET access; Sprint the alt* hierarchy; and Verizon different newsgroups on a case-by-case basis. So what does this mean in a broad context? In general, I believe it reflects a dangerous trend of placing law enforcement tools in the hands of private, or quasi-private, entities. Make no mistake, child pornography is illegal. As I point out in almost every presentation I make, U.S. child pornography laws are “strict liability:” you violate the law when you view the content, no matter how noble your intentions.
However, law enforcement tools exist to combat this material. Agreements such as this reflect the thin wedge of private Internet censorship. When I read this, warning flags shot up all around. Other entities are already trying to implement similar schemes for other types of content. Indeed, the RIAA, MPAA, NAB, and similar organizations are currently lobbying Congress to rewrite Intellectual Property laws to require certain types of content screening. Last year former U.S. Attorney General Alberto Gonzales embarked on a campaign to eradicate all pornography on the Internet. Taken together, these events should alarm hosts and other Internet Infrastructure providers. Hosts sit at a particularly unique point in the Internet Infrastructure. Because such a substantial amount of Internet traffic must ping their servers, it is incredibly easy to use this fact to control content. This fact already results in hosts receiving a significantly higher number of criminal and civil warrants and subpoenas. Hosts simply have the information. Moving the policing of illegal and objectionable content from law enforcement and requiring private entities to assume this task is likely to sharply increase the cost of doing business and significantly raise the risk profile of hosts. While we all take great pains to make it clear that child pornography is objectionable, and its content irredeemable, the simple fact is that this agreement results in two major ISPs blocking access to a part of the Internet that is of great utility for other uses. Similarly, the organizations representing copyright holders have argued that P2P networks should be shut down because they can function as conduits for piracy. It is not a far stretch to speculate about a future in which new methods of content dissemination are studied not for their effectiveness in moving Internet traffic, but for their potential to offend. A chilling development indeed.
Today’s keynote speaker at ISPCON was Elliot Noss of Tucows. His keynote addressed how Internet Infrastructure companies can compete with the likes of Google and Go Daddy. His answer: more customization and real personalization. He used McDonalds to represent Google and Go Daddy, and Starbucks as an example of customization and personalization. In his presentation Rackspace is the Starbucks of the Internet world. In his opinion Rackspace succeeds not because it is the cheapest, but because it provides a much more stable experience than most infrastructure providers. Examples of this include robust mail service with large storage space. As a frequent conference attendee, I hear this keynote often. In other conferences the keynote has been entitled, alternately, “How to compete with 1and1 and Microsoft,” “Withstanding the entry of the giants,” and so on, and so forth. Depending on the audience, the theme always seems to be “specialization and customization.” I wonder, honestly, how specialized and customized companies can get and still make money. Early on in my practice, one of my clients had the idea of creating different brands for different segments of the hosting market. The CEO called this the “supermarket” strategy: he wanted to own the most shelf space in the hosting market. Consequently the company had over 10 brands, each with a different message, back end, support needs, etc. Needless to say, this level of specialization became uneconomical over the long term, and we ended up folding all the brands into two major brands. Similarly, another client sought to compete in various segments of the market. So he targeted lawyers, doctors and chambers of commerce. This specialization required an enormous amount of sales time, and very expensive marketing (getting a lawyer’s attention isn’t cheap).
This marketing effort worked, but the customer market was so specialized, and the product so unscalable to other markets, that it was eventually folded into a standard “unlimited bandwidth, storage, 10 GB e-mail” plan, with resulting churn. What Elliot talked about, that strikes me as true, based on those of my clients who are successful, is that successful Internet businesses are high touch, and that people will pay to have their problems go away. Examples of this, and hosting companies that are taking business from 1and1, etc., include those that focus on customer support, implement complex outsourced solutions like Exchange, and hold the hand of overburdened IT departments. In each of these examples the customization and specialization is applicable across the entire product line, and is not feature based. So instead of creating an e-mail solution that meets the unique needs of lawyers, they have support that teaches the lawyers how to create the e-mail product they need. I see an analogy in my own business: clients pay me to make problems go away. They’re not interested in the most recent regulatory pronouncement about green marketing from the Federal Trade Commission, they just want to be able to market their new “green” data center. Similarly, the nuanced thread that has run through all these keynotes, whatever their title, has been that customers will pay you to make problems go away. Seems to me that’s a great way to succeed.
The Supreme Court of New Jersey joined a small, but growing, number of state courts that have ruled that individuals have an expectation of privacy in the IP addresses assigned to them by their ISPs. The unanimous decision in State v. Reid was based on the New Jersey state Constitution, rather than the U.S. Constitution. At base, the court held that a demand for an IP address must be connected with some sort of judicial proceeding, and not a simple subpoena issued by a court without any kind of review. The court stated that the demand for the IP address must “bear some possible relationship” to an investigation. That relationship can be demonstrated by requiring that the subpoena be issued as part of the grand jury process, rather than through a process in which a subpoena may be issued without any demonstration of relevance. The court refused to go further, and require that a subpoena be issued by a grand jury only upon demonstration of probable cause (the standard necessary to issue a warrant). This decision shows the difference in privacy rights that is developing between state constitutions and the U.S. constitution. Federal courts have routinely held that there is no Constitutionally based expectation of privacy in IP addresses, while state courts are increasingly interpreting their constitutions the opposite way. Like many similar state vs. Federal issues, these different interpretations are ironic since most state constitutions are based on the Federal constitution. However, state courts have a long history of interpreting their constitutions differently than the U.S. constitution. For hosts, this decision reinforces the need to require some sort of service of process prior to disclosing information about your customers. It’s important to note that the ISP in this case, Comcast, was not a party to the suit, and not held to be liable for its response to the defective subpoena.
However, what this case does illustrate is the growing body of law supporting customers’ expectation of privacy in information generated by their use of technology. From a micro perspective, hosts should always require that any request for customer information be part of a judicial proceeding, or otherwise authorized by law. From a macro perspective, it should cause those who are interested in commercializing this information to be careful in how customer information is used. The line between a host’s ownership of information generated by customers’ use of its technology, and a customer’s expectation of privacy, becomes thinner with every decision in this area.