Delusions of Self

Sometimes you don’t know what you are not … until you meet a real one.

I thought I was a powerful athlete for a brief moment until the 14 year old passed me in the triathlon (ages are often written on the athlete’s calf during such races).

I also thought I was a real CEO until I met John Slitz. There I was running my little 18 person company called Systems Research & Development (SRD) in Las Vegas when I chanced into him over dinner. It took considerably less than five minutes before I realized that he was a real CEO and I was not.

Hmm, I thought, how can I hypnotize him into thinking he should trade in all of his big games for my little game? It was a slow and thoughtful process that took about 90 days.

Once John Slitz came aboard, I demoted myself to chief scientist, was given no employees to manage, no budget, and was told I didn’t have to sell anything. A dream job!

With this new and welcomed adult supervision everything changed … for the better. The company became more prosperous and I was able to spend more time chasing technology, strategy, privacy and policy. A year later we doubled and a year after that IBM bought my little company. Inasmuch as I still report to Slitz I would like to recommend that hiring your boss is a good strategy.  :)

Net net: focus on what you are best at … hire pros to handle everything else.

Have I mentioned the 70 year old dude that actually passed me on the run during the Arizona Ironman.

Some Times "Good Enough" Just Isn’t

When I present these days I often show this photo of an outdoor banner which simply shows a chimpanzee and the words "99.4% human" (I found this advertisement for the Natural History Museum while in London). My notion then being if .6% makes this much difference, no wonder existing information systems are not very intelligent. The more I think about this the more relevant this seems.

Now think Web 2.0 and mashups.

I often hear in this context the term "good enough" being used to describe systems or widgets that while far from perfect are at least useful. Something like the 80/20 test. And while this type of technology and mindset work fine in many contexts and at times is well received in the market place, there are other contexts where this notion of "good enough" just isn’t.

Here is one blatant example. From time-to-time at the airport I notice the flight schedule monitors have crashed – displaying an operating system core dump. My think then goes: I am glad that this "good enough" operating system for the flight schedules is not the platform used for the plane’s flight systems! No debate here … it is just not good enough.

In space travel a few degrees off and you burn up during re-entry or fall outside of the solar system. Oops! No such thing as good enough in this department either.

High performance, high reliability and high accountability systems like those running in the financial services and communications sectors are no place for this emerging fascination with good enough componetry.

Detecting and preempting bad things from happening (e.g., million dollar fraud events, big things that go "boom" in the night) are also not well served by the good enough mindset either.

With respect to intelligent systems that deliver enterprise awareness (e.g., Perpetual Analytics) again this notion of good enough just isn’t. The DNA difference between chimpanzees and humans seems like another example – whereby .6% off the mark is not nearly good enough.

As a consequence of this thinking, I find myself spending time addressing subtle little things like Sequence Neutrality because, in this case, systems without such properties accumulate unacceptable biases. So my aspirations keep me focused on how to squeak as many .6% improvements into these enterprise awareness systems as possible.

[And on a Related Although Out of Place Thought: Since good enough is determined in relation to mission and expectations, maybe something to worry about is a "good enough" component for one mission getting mashed up into some other mission with very different reliability expectations. For example, using a match/merge engine designed to detect duplicates in customer lists for direct marketing (e.g., the consequence being more or less duplicate mail in the mailbox) later being applied in a law enforcement setting where action involves dudes with guns – think "danger Will Robinson."]

The Truth is Out There … Way Out There … and Some Times it Should Be Left There

When thinking about detecting and preempting fraud and evil acts it is often true that the piece of data one needs is not digital or not discoverable. In some cases, an organization should think about acquiring such data. And in other cases, one should not.

Despite the often insatiable appetite for more data, especially in crisis response, some truths are best left out of reach.

While there is an enormous amount of digital data, most of the happenings here on Earth are not being digitized and captured, and when they are, they are not captured in a useful manner.

Just for a sanity check on this point, look out your window at the events of the world. Note that, for the most part, sensors are not recording a multitude of events, including movements (e.g., the cyclist), orientations (e.g., the direction someone is facing), interactions (e.g., gestures between drivers), inflection (e.g., facial expressions), or dialogs (e.g., face to face conversations). [Fortunately, our thoughts, for the time being, are safely tucked away too – although there are emerging technologies that appear to be cracks in this sacred enclave – something I will try to blog on in the future.]

Many recorded events are still captured on "hardcopy" (via pencil and paper) - and if ever converted to a digital form later will be subject to serious data quality challenges. For example, many smaller road-side hotels still capture guest data on paper registration cards. Visitor sign-in sheets for building access are typically collected as paper scribbles. The same for taxi cab receipts, and so on.

Then, of course, there are millions of individual systems of record that are not part of a larger enterprise system. Think of the millions of individual word processing documents and spreadsheets, and think of all of those home grown systems and niche small business systems, many of which are not connected to the world. This data is, for the most part, undiscoverable, because unless you know who to ask, you will never find the data (See The Information Sharing Paradox).

So while it is true that a lot of digital data is available in this world, there is an even larger body of "happenings" that are simply not discoverable.

Yet it is natural to want it all.

What is the consequence of this? When seeking an information advantage over an adversary, organizations contemplate what additional relevant happenings can be sensed, recorded and made discoverable. The challenge then becomes acquiring and leveraging advantageous information, within the bounds of law and policy, in a manner that does not erode privacy and civil liberties, with enough transparency, oversight and accountability to reduce the risk of consumer surprise … and all the while hoping one does not tip off the bad actors resulting in a simple tradecraft change that blinds yours senses … again.

Some sensing and data collection is simply not worth the price. For example, if the country could save 1,000 lives a year if all humans over twelve years old wore little antennae on their heads, (each being geospatially tracked by government systems), would it be wise to opt into this utopia. Or, would we be way down the slippery slope into a dystopia? I think the latter.

[Sidebar: All this being said, I also think organizations have a lot more work to do towards taking advantage of their existing information assets they have already collected. And in many contexts this may be a more fruitful task than continuing to crawl the world for more.]

Related Posts:

Ubiquitous Sensors?  You Have Seen Nothing Yet

More Data is Better, Proceed With Caution

Source Attribution, Don’t Leave Home Without It

I use the word “attribution” to refer to pedigree-related metadata that is associated with a piece of data, e.g., the data source, transaction number, author, timeframe, location, etc.

When dealing with information sharing “source attribution” is essential.  By source attribution I mean the referential metadata that uniquely identifies the original copy of the record e.g., the originating system (“system of record”) and the unique transaction ID. 

Systems containing records without source attribution metadata have some rather unfriendly characteristics, specifically:

Accuracy and currency degradation: Without source attribution, reliable data tethering is not possible.  Records that have been updated or deleted in a system of record cannot then be simultaneously corrected in secondary systems.  Source attribution enables synchronization throughout an information sharing food chain.

Un-auditable: Without source attribution, information sharing systems are not auditable!  One must have source attribution if one wants to ensure that records and values in System A are accurately reflected in System B.  For example, how else can one be sure that watch list records deleted in one system are correctly removed from secondary systems?

Notably, I have seen some talk of anonymization systems whereby it is provable that one does not know the originating system and transaction.  While this might be appropriate in some contexts, when building systems that must be current and auditable, source attribution is a must. 

Anonymization systems without source attribution are provably un-auditable! 

From a privacy perspective, when thinking about information transfers (which for many reasons can and should be minimized), all information transfers should include source attribution (whether it is an anonymized information transfer or not).  Otherwise, organizations cannot audit their systems and cannot ensure a “non-arbitrary” process or outcome … a fundamental human rights “no no”.  This is because if an authority is operating on a “fact” for which they cannot establish its source … how could that not be provably non-arbitrary?  [See: Responsible Innovation: Designing for Human Rights]

Systems with guaranteed source attribution are capable of being accurate, current and auditable, and in the context of anonymization-based systems such pedigree pointers enable “selective revelation” … whereby the original data holder has complete determinism over any revelation (de-cloaking) event based on law and policy.