
Have you ever experienced identity theft that forced you into a zero-cash state for an amount of time that feels like forever? Or have you ever wondered how that app knows you so well—your habits, your route to work each week, your interests? The more we shift towards personalization, the more data is collected about your every move.  And that’s borderline cyber stalking, no?

This makes cyber security ever more important. What is it, you ask? According to TechTarget:

“Cyber security is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access” [1].

For any app, website, or technology in this online economy that collects personal data, one may hope that the company does just as much to protect it. However, this is an area that constantly faces challenges. A survey conducted by the ISACA and RSA showed that 76.6% of respondents expected an increase in security attacks in 2014 compared to 2013 [2]. In fact, the top 5 cyber security risks for 2015 as mentioned by CNBC are as follows [3]:

  1. Ransomware: Malware that restricts access to your own data and then requires ransom payments for re-access.
  2. The Internet of Things: Vulnerability of physical devices connected to the internet.
  3. Cyber-espionage: A war between national governments fought on the keyboard.
  4. Cyber theft increases: Stolen financial information, such as credit or debit cards, on the black market.
  5. Insecure Passwords: Passwords that can be cracked effortlessly.

These are no small risks, and they appear to be interrelated to a degree. Moreover, cyber security is a national security issue and a hot topic among presidential candidates – a cyber war against China and Russia [4]. Additionally, according to a report on CNBC, China attacked Apple’s iCloud to steal data related to iMessages, photos, and contacts [5]. Apple has the reputation of ultimate security, yet weak passwords and public access to data make it easier to crack passwords and answer security questions. On the other hand, as technology companies increase privacy and security on apps and devices, the country’s intelligence services will continue to go dark, reducing their capability to prevent such attacks. Perhaps this is why cyber security continues to be a challenge: it is an everlasting, complex battle with a lot of gray area.

Fortunately, VCs are continuing to invest in cyber security startups each year. In 2014, 240 cyber security startup deals collectively amounted to $2.5B in funding, and 2015 is on the same trajectory [6]. As startups continue to mobilize, founders should ensure that an adequate amount of resources is invested in cyber security.



By: Shemeka Neville



With over 1.2 billion reported users and close to $200B in market capitalization, Facebook is undoubtedly the most ubiquitous social network today. For most users, the core value proposition of Facebook is simple – it is a means to stay connected with their friends (and acquaintances) and to share and learn about each other’s lives. And yet, over the years and over countless tweaks to Facebook’s NewsFeed algorithm (popularly known as EdgeRank), more and more users complain that they don’t get to see any updates from a majority of their friends. Indeed, the average user has over 300 ‘friends’ on Facebook, but thanks to Facebook’s determination of what’s relevant, they are likely seeing updates from only 20% (or less) of their network. What’s going on? Why is it that I have over 1200 ‘friends’ on Facebook, yet I never see anything from almost 1000 of those? I used to believe they simply didn’t post as much, until I checked out several people’s profiles and saw major updates I would have liked to see, but never saw, despite logging in several times a day. Why is it that I see some stories over and over for days, and several never appear?

Keep it simple….

Several hours of tweaking Facebook settings, privacy controls and reading Facebook optimization controls told me one thing – it’s complicated by design. There is a lot on Facebook that’s simple and intuitive, but customizing your experience is definitely not. There is an option to sort your feed by ‘Most Recent’ but all it does is sort the pre-selected ‘Top Stories’ into reverse chronological order of any action taken by anyone, thus being not helpful at all as it doesn’t introduce new content and in fact increases repetition. You can unfollow or block users, you can tweak content settings for people and types of content individually, or you can organize your 1200 friends in lists you then follow (like really?). For the average user, it is too much to ask, but I’d venture to say that even for power users, it doesn’t really help much.

They have the edge

EdgeRank works in mysterious ways, and the best one can gather is that Facebook measures and ranks ‘edges’ connecting any one user to another user (or Page, Group, Brand etc.) by the strength, time delay and frequency of their interaction. However, only active interactions count, i.e. liking, commenting, following or sharing. So if you passively enjoy reading someone’s updates but don’t actively ‘like’ them, chances are you’d stop seeing updates from them sooner rather than later. This is true for both your friends as well as pages you may have liked, unless of course they pay Facebook to promote the post. The problem arises when, over time, ‘you see what you like’ becomes ‘you like what you see’, making your Newsfeed populated by the same subset of users and content types and effectively limiting the reach of content. And lest you figure it out, they tweak (and AB test) EdgeRank all the time. So you may not even realize that the reason some of your real world friends don’t comment on your exciting Facebook updates may be that they actually never got to see them, for no lack of intent whatsoever.

“Trust us, we know what you want to see”

Let’s face it, Facebook does know a lot more about us than we think. As long as you’re signed in, Facebook knows not just what you ‘like’ and who you stalk on their website, but also most likely what articles you’re reading and what websites you’re surfing for how long. Besides, information overload is a real problem. Between friends’ updates, activities, engagement content and brands, Facebook estimates they have thousands of news stories to show every user at any point. Surely some stories are better or more important than the other for every user. But by Facebook’s own estimate, only 0.2% of these stories are ever shown to the user. With no easy way to even access the remaining 99.8% and no straightforward explanation of how those 0.2% are determined, it is unsurprising that I see check-ins every time my dorm neighbour gets down to eat and I totally missed the news of the wedding and first child of my high school best friend. And these were happy stories – considering Facebook doesn’t want users to not see many ‘negative’ emotion stories, I wonder what all I’ve missed that would have been relevant to know. Or not.

It’s all about the money, honey

All this brings me to the business of Facebook. It is not so hard to gather that the purpose of ‘optimizing’ your NewsFeed is as much to show you the most relevant updates from your friends as it is to show you ‘relevant’ sponsored stories by those that pay Facebook by creating real estate. Facebook marketing is, after all, a fast growing and rather effective (for now) channel for most brands’ marketing efforts these days. One can argue that, after all, it is a free service that Facebook is providing to the users and they deserve being compensated in some way for it by selling part of the user engagement it creates to the brands who want them. And these are brands the users want too, demonstrated if not explicitly by subscription then implicitly based on their behavior as Facebook understands. Perhaps the users shouldn’t complain so much, after all. Sure, they don’t get a perfect experience and sure, there are a few ethical questions because users don’t really understand how they are being manipulated. But what about the brands themselves?

Thousands of advertisers have spent precious time and money over the years building up reach on Facebook pages, but sometime last year they realized that all of a sudden their messages weren’t being shown to all the users who had ‘Liked’ and previously engaged with their page, never mind to new users. So unless they pay for each posting, or the user is a dedicated follower who actively engages with every piece of content posted since the beginning of the change, Facebook’s reach for most brands is basically a myth and the promise of building an engaged community with two-way communication hollow. I wonder how sustainable this is, in the long run, especially as Wall Street maintains earnings pressure on Facebook and non-advertising revenue on the website continues to slip.

Bottom line, friends are not really friends on Facebook. Fans are not really fans. Don’t like the Likes too much.


 “One cannot improve human beings, but one can certainly improve systems. And the same flawed human beings with a better system will be able to produce better results”

RS Sharma, UIDAI Director

The Indian UID (Unique Identification) is certainly one of the most ambitious governmental projects ever attempted. Under the supervision of the UIDAI (UID Authority of India) created in 2009, it aims at providing a unique 12-digit identification number to the whole Indian population. Started in September 2010 in a few pilot regions, the UID has now been assigned to more than 200 million people. The code is assigned to each individual through one of the several hundred purpose-built offices throughout the country, and is linked to a central database that records official document scans (passport, driver’s license, tax file number, ration card) as well as the biometric information that will later be used for secure identification: iris and fingerprint scans.

The main goal behind the project is to provide a standardized, unique means of identification that will be accepted by public and private institutions, in order to promote efficiency and safety and to fight the widespread corruption and malpractices that hindered India’s significant development in the last few decades. Public offices and private businesses will receive from their customers a UID number combined with an on-the-spot iris and/or fingerprint scan that will be sent to the centralized government database and matched with the files of the resident, thus enabling the companies to access all the client’s necessary information (public and, if permitted, confidential information). As a result, residents would be spared the hassle of repeatedly providing multiple, identity-related, documentary proofs each time they wish to access services. Therefore, the UID number will provide easy identity verification and facilitate the provision of public or private services. It is also easily verifiable in an online, cost-effective way once the required inputs are entered into the specifically designed software and high quality scanners. The most innovative feature of this project, and the basis for its reliability, is the inclusion of biometric parameters that ensure identity authentication. In fact, similar code-based projects have been implemented in many countries (Social Security Number in the US, Medical Card of services in Italy, India’s tax “PAN” card among dozens of others) and have often been successful: however, they always required a secondary means of identification, and this strongly reduced the amount of procedural simplification they managed to achieve.

The UID, instead, will guarantee immediate identification with a scan and a code input. Given that the biometric characteristics recorded, unlike traditional ID documents, are not falsifiable, the probability of identity fraud is almost completely eliminated and the successful identification rate exceeds 99.9%. Additionally, errors that may occur can be checked and processed manually by the system’s employees, further enhancing the efficiency, reliability and security of the project. Nevertheless, several critics have raised doubts over the safety of the system and the critical consequences of a possible misuse of illegally acquired data. These voices of dissent, often coming from regional politicians, are raised in defense of their vested, non-legitimate interests that would be damaged if the UID system were successfully implemented in all governmental agencies. The most recent ruling on the subject by India’s Supreme Court, on October 21st 2013, backed the legitimacy of the project and dismissed all the charges of privacy violation. Following this logic, the many criticisms that the UID project has raised so far are a very good indicator of its enormous potential in fighting bribery and depriving corrupt officials of their illegitimate powers.

The UID system can be the source of important advantages to all the actors involved in its use. In order to better illustrate these advantages and what is required from the system to deliver them, it is convenient to separate the actors into two main categories: final users (Indian citizens) and institutions (the Indian Government and its agencies; private firms). The crucial point is that each member of a group needs a sizable number of users in the other group in order to maximize its own utility. The more people use UID, the more businesses will benefit from offering UID-based services; vice versa, more businesses and government agencies accepting UID as identification directly translates into greater benefits for citizens. This twofold relationship is typical in the field of Information Systems (notable similarities explored in class can be found with the videogame and credit card industries) and is a textbook example of the ‘Network Effect’ model. The most important aspect derived from the application of the model to the UID case is the need for both groups of users to reach a Critical Mass in order for the cross-benefits to outweigh implementation costs. In other words, a sizable number of users in a group (in theory, a precise number of them) must be using the technology to make it convenient for the other group to start using it too. The UID project managers need to acknowledge the importance of this relationship and promote the service to both groups in order to succeed in their ambitious plan. The group-specific benefits are described below, together with an assessment of the network effect externalities and the steps to be taken to reach the critical mass.

Final Users

Indian citizens that choose to apply for a UID will undoubtedly benefit from the technology in many different areas of their life. Firstly, they will obtain easier and legitimate access to welfare programs such as food distribution, direct transfers, fiscal reliefs, medical assistance and so on (recent studies suggest that 2/3 of the allocated aid resources are lost to bribery and illegal appropriation). In fact, even today only a small fraction of the population is able to establish its identity through traditional documentation. According to many Indian officials and researchers, the inability to prove one’s identity is one of the biggest barriers preventing the poor from accessing services and subsidies. Different service providers would require the demander to undergo a full cycle of identity verification, with many forms and documents to be filled out, leading to a high probability of demand rejection in case of noncompliance with the requirements. These situations constantly proved to be a waste of time and resources for both the organizations as well as the individual demanders. Furthermore, India is a country where corruption dominates large areas of government intervention, therefore the UID can significantly improve the effectiveness of the programs by ensuring that the final beneficiaries will receive what they deserve without having to bribe officials or wait too long.

Secondly, those who possess a UID can improve their interactions with private businesses and employers: easier and reliable alternative forms of payment, job applications, contracts, and so on. An interesting development in this direction is the MicroATM: a portable device that can verify one’s identity through UID code input and iris/fingerprint scan, and then wirelessly (thanks to a cellular SIM card) access the bank account of the user in order to perform safe transactions.

Thirdly, the UID can also greatly improve the quality of medical services. If the patient is incapacitated, a simple iris or fingerprint scan would allow the medical staff to directly access all the vital information of the patient (blood type, allergies, medications and so on), therefore limiting errors, increasing the efficiency of the system and potentially providing a database for all medical facilities (including research centers and universities).

Given the importance of these benefits for the average Indian citizen, together with the relative ease of joining the project (UID registration is free), it does not come as a surprise that in just one year more than 200 million people have chosen to request their new high-tech identification. However, these initial figures are likely to over-represent the lower-income classes, since they benefit the most from UID-based food rations. The project now faces the challenge of appealing to mid- and high-income citizens that are less interested in the ease of access to welfare programs: the key to success is to reach the critical mass in the number of private businesses offering UID-based services. As of today this is far from being accomplished, as many firms still find the necessary equipment to be too expensive. The government therefore needs to find new ways to promote UID adoption by private firms.


Private and public institutions in India can benefit from the UID mainly in terms of cost savings, increased efficiency, and accuracy of transactions. Moreover, private firms can use UID-based services as a platform for differentiating their offer: consider, for example, mobile phone providers that could include in their plans SMS-based UID services monitoring; travel agents managing visa applications for their customers thanks to the access to the complete set of their customers’ documents; employers being able to track each worker’s activity thanks to daily fingerprint scanning.

In sharp contrast with the group of end users, however, institutions face important costs when deciding to embrace UID in their business: most obviously, the initial expenses to purchase equipment (fingerprint or retina scanners, terminals to access the central UID database); moreover, firms have to deal with ongoing costs related to the management of the new services, such as extra hiring, maintenance costs, and so on. This explains the initial reluctance expressed by private firms and even local public authorities. However, as stated above, the number of institutions using UID is crucial to the success of the technology among citizens: therefore, the government needs to implement further measures to encourage the adoption by firms and state offices. For instance, financing or tax relief should be granted to innovative businesses developing cheap connection terminals or biometric readers; public employees should be trained on the technology and motivated to use it; private businesses should receive support for early adoption. This phase is crucial in deciding whether the project will be a universal success or remain confined to those who do not have alternatives (lower income classes); the government needs to address the stated issues, possibly pursuing proactive solutions that can help reach the critical mass in the near future.




According to eMarketer, U.S. advertising spend on mobile platforms will reach $7.65 billion in 2013, nearly doubling its 2012 size of $4.36 billion. Smartphones, of course, store all kinds of personal information, ranging from deliberate storage of information like contacts to less intentional storage of information like products purchased and topics searched. However, unlike desktop computers, mobile devices cannot always rely on cookies to assess a user’s behavior. Mobile apps, for example, do not hold cookies. We can thus infer that much of the $7.65 billion spent on mobile advertising has a lot of room left for improvement when it comes to targeting end-users, and thus also significant potential for market growth. Smarter technology to track users’ tastes on mobile phones would likely be worth big bucks in the online retail world.

Drawbridge is one start-up making inroads in this space. As discussed in a recent NYTimes article, “Selling Secrets of Phone Users to Advertisers” (5 Oct. 2013), one of Drawbridge’s main goals is to connect a user across multiple devices. Since cookies gleaned from desktop browsing can reveal highly coveted information to merchants, consider how valuable it would be for a merchant to also know which mobile devices are connected to that desktop. If I search for “Best restaurants in Cambridge, MA” on my desktop, Drawbridge’s technology might allow advertisers from Grafton Street to display a message on my smartphone shortly thereafter because it would know which smartphone was mine.

This type of behavioral tracking and connecting, I am sure, is just the beginning of companies looking to piece together and profit from all of our online usage. Even if current privacy laws allow companies like Drawbridge to collect and share information, where are the users’ rights? The onset of mobile technology has been rapid and convenient for millions of users, but any relevant education of long-term implications has been heavily ignored, if not entirely absent. Is the challenge to make users more aware of the types of information they are making public and profitable for third parties? Or are the conveniences offered so great that users do not really care about the tradeoff? I consider myself a fairly educated consumer when it comes to privacy laws, but any fears I have of creating an entire cyber footprint of my life are outweighed by the benefits that come with using technologies like social media and online shopping.

As we continue to become a world that is less private, my biggest concern is that the monetary rewards of this alleged transparency will fall into the hands of only a few. What if, instead, the mobile revolution could lead to a new era of self-empowerment for users? What if users could sell their buying behavior and personal information directly to interested parties? Though the cost implications would undoubtedly be higher, the quality of the information would inevitably be much richer and more accurate, likely leading to a higher lifetime customer value.



Internet and Information Privacy: The End of Innocence?

As most of us probably still remember, there was a time and age, not so long ago, when we felt that browsing the internet was like walking around while being invisible. Even when we started performing more formal tasks over the web, such as shopping or banking, we felt relatively safe that our data and personal information were secure and private – known only to systems and databases that need to identify users in order to allow access or complete a transaction.

Nowadays, it seems as if everyone is sharing and everyone is watching. Many of us have voluntarily opted to share private information through large scale social networks, allow access to our email accounts by search engines, permit cookies that personalize advertisements and other leads, and so the list continues. One of course can debate how voluntary the shift has been. Can a student at HBS these days not have a Facebook account? Can they really prevent classmates or friends from posting pictures of them even if they themselves don’t have a social media account? Can someone change their Gmail address or stop using YouTube to avoid Google’s ever expanding and ever-growing-in-sophistication data mining attempts? Can a user forego visiting certain websites due to their use of cookies? As cloud computing and cloud storage grow in popularity, will an internet user be able to opt out of using such services? What about when these services start integrating with existing products and/or services such users have accustomed themselves to? Location tracking, contacts and calendar sharing over different platforms, social networks integrated with numerous applications, personalized search, data mining regarding internet usage habits and patterns – these are all ways to gather and process information that constitutes our digital footprint. And as more and more of our daily lives pass through the internet, this digital footprint begins to look alarmingly like our actual, real-life selves.

Regulation on the matter is obviously, as with many online-related issues, ongoing and varies wildly among countries – something of a paradox given that the online world seems to be almost unbound by national borders. And while the debate seems to center, if at all, around consumer protection issues driven primarily by concerns regarding data mining used for purposes of targeted/personal advertising, few seem to be worried about other parties potentially interested in our personal information and data. Numerous governments around the globe can gain access relatively easily, to one degree or another, to such data. And while efforts to prevent terrorism, uphold national security, and protect the public feel like noble causes, who can credibly guarantee that our personal information is not being misused by people, agencies, and organizations that have access to it? Where does one draw the line and how do we ensure that such a line cannot be crossed?

Sadly, no one can guarantee online privacy and personal information protection. Nor do internet users seem to care as much these days. Yet it was a mere 80 years ago when a democratically elected party rose to power in Germany and quite soon after that started using personal data gathered by census and processed by technology available at the time to ultimately commit some of the most appalling crimes in recent human history. And, more recently, while Shi Tao’s predicaments do not feel quite so widespread or disturbing a phenomenon, his story serves as a reminder of how weak private corporations can ultimately become in the face of political / government pressure, such as the one that the Chinese government officials seem to have exerted on Yahoo. Besides, no matter how much trust one is willing to show towards a government, no one can really claim they can protect themselves from the occasional rogue government employee. After all, worse government scandals than that are certainly not unheard of.

For the moment, online users appear to be feeling relatively safe and seem to be riding the wave of apparent convenience as well as perhaps fashion when it comes to sharing information over the web. While this trend seems unstoppable, it takes only a few, if not one, major events to shake people’s faith and peace of mind. If and when such a time comes, when people collectively decide to start pushing towards a reversal of this trend, the online economy will have to radically change in order to re-adapt. Whole products, services, even business models have been built around the processing and use of data that could potentially be deemed inaccessible or become unavailable altogether. This would certainly be a much different world for the online economy and its participants.

Until then, we can all cherish the fact that we now can, on top of sharing our location with GPS-level accuracy and storing our contacts and messages in a cloud, scan our fingerprints on our smartphones to unlock them!

