Monday, December 23, 2013

Big Data: Towards a "data driven audit"

This is the first installment of a multi-part exploration of the audit, assurance, compliance and related concepts brought up in the book, Big Data: A Revolution That Will Transform How We Live, Work, and Think (the book is also available as an audiobook and, hey, while I am at it, here's the link to the e-book). In this installment, I explore why this is a "must read" for those interested in data driven decision making, big data and information. I will also discuss some examples included in the book that make the case for "data driven audits".

Why read this book?
This book is written by journalist Kenneth Cukier (who claims in this video to have used the term "big data" before it was commonly used) and Viktor Mayer-Schönberger (an Internet and Governance professor at the University of Oxford).

Given the background of the authors, it is an easy to digest book that gives the reader a good understanding of how access to large volumes of data and the use of correlations will change the way business is done and how society as a whole functions - without going into the technical detail of how big data is "crunched" at the back end. The authors also discuss the following:

  • Why more is better: Algorithms improve by being exposed to more data - regardless of how messy it is. On the topic of size, it also comments on how statistical sampling is a feature of an era when organizations could not wrap their arms around the data.
  • Consumer and business implications: The book is filled with examples that anyone can relate to, such as predicting whether the price of an airplane ticket will go up or down, as well as how Google uses search queries to predict flu outbreaks.
  • Enter "Datafication": It also distinguishes "datafication" versus "digitization", where the latter is making something into bits and bytes, whereas the former is something that can be analyzed by some sort of analytic engine. 
  • Potential challenges and negative consequences of big data driven decisions: One of the challenges cited by the authors is the "black box" nature of algorithms: how does a common person challenge an algorithm, when it takes a rocket scientist to understand the algorithm itself? The authors also explain the danger of subordinating human decision making to algorithms. For example, they note it would be problematic for governments to round up and quarantine people just because they looked up terms related to the flu.
There are other interesting pieces, but I will bring them up over the next few blog posts. But if you want to get a full understanding, please buy the book - it's worth it!

The case for data driven audits
The book is filled with examples that illustrate the power of big data and how it impacts business and society. However, there are a couple of examples that illustrate how financial audits can benefit from such techniques, given the way non-financial "audits" are already using big data techniques to audit and assess information.

Case 1: New York City and Auditing Illegal Conversions: As discussed in this excerpt of the book, Mike Flowers applied big data techniques to the problem of "illegal conversions" in New York City. As noted in the article, illegal conversion is "the practice of cutting up a dwelling into many smaller units so that it can house as many as 10 times the number of people it was designed for. They are major fire hazards, as well as cauldrons of crime, drugs, disease, and pest infestation. A tangle of extension cords may snake across the walls; hot plates sit perilously on top of bedspreads. People packed this tightly regularly die in blazes". The data scientists working for Flowers took the 900,000 property lots in the city and correlated "five years of fire data ranked by severity" against the following pieces of data:
  • Delinquency in paying property taxes,
  • Foreclosure proceedings,
  • Odd patterns in their usage of utilities, 
  • Non-payment of utilities,
  • Type of building,
  • Date building was built,
  • Ambulance visits,
  • Rodent complaints,
  • External brickwork.
By correlating all this and other information, they were able to improve the effectiveness of their 200-person inspection team from a "hit rate" of 13% to 70%. (Note: hit rate refers to the share of inspected buildings whose conditions were so bad that they warranted a "vacate order".)

This is pretty straightforward evidence for "data driven audits": financial auditors can identify correlations between financial data and non-financial data to determine which financial transactions need more scrutiny than others.

Not convinced?

Well, investors are already doing this. The book gives the example of how an investment firm is using traffic analysis from Inrix to determine the sales that a retailer will make, and then buying or selling the stock of the retailer on that information. In a sense, the investment firm is using this as a proxy for sales. In an audit context, auditors can study the vehicular traffic around stores against the sales recorded for those stores and determine if there are issues worth investigating.

Of course, this endeavor is not merely a matter of copying & pasting data from StatsCan and cobbling together a spreadsheet or two. It is a lot of hard work. However, this is not surprising to anyone who has been performing computer assisted audit techniques for the last decade or so. The challenge has always been in cleaning up the data and making it usable. Some of the challenges that the New York team of statisticians had include:
  • Inconsistent data formats: The team had to bring together data sets from 19 different agencies. Each agency had a different way of describing location. Consequently, this had to be standardized so that each of the 19 data sets could be correlated to the same property.
  • Datafying expert intuition: The article describes how brickwork got added as an element to the correlation model. The data scientists on the team observed how the fire inspector could look at a building and know whether it was okay or not.
  • Understanding the significance of each variable: Each variable must be assessed in its own right to avoid the problem of generalization. For example, rodent infestation is not uniform in its significance across New York City. As noted in the article, "A rat spotted on the posh Upper East Side might generate 30 calls within an hour, but it might take a battalion of rodents before residents in the Bronx felt moved to dial 311".
Although such challenges exist, there's a promise for big data to transform the way audits are done. If you recall my blog post on the Oracle vs Google trial, I made a similar point: "the profession should use this opportunity to re-examine what aspects of technology should be a part of the audit practitioner's skill set - given that it is clear that society's attitude towards technology has clearly changed". Applying this to data driven audits is actually less of a stretch, as auditors already have the skill set of dealing with data - instead of learning to code in Java. As a profession, we need to understand what data is out there and how this data can be correlated with financial data to make a more effective, efficient, and insightful audit.
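To make the New York procedure concrete, here is an added Python example that walks through the steps the post describes: standardise the location key so that records from different agencies join on one property, derive indicators with neighbourhood-relative thresholds (the rodent point above), weight each indicator by how strongly it co-occurs with past severe fires, and rank the inspection queue by the resulting score. This is not code from the book or from the NYC team; the record formats, the indicator names, the weighting rule and the hit-rate comparison are my own assumptions, and every lot below is constructed by a seeded generator rather than drawn from real data. It generalises the case slightly: the same loop works for any audit population once a labelled history and a set of candidate indicators exist.

```python
"""Toy "data driven audit" in the spirit of the NYC illegal-conversion case.
Added example, not the book's or the NYC team's code: record formats,
indicators, weights and all lots are constructed assumptions."""
import random
import re
from collections import defaultdict

# 1. Standardise location descriptions so agency data sets join on one key.
ABBREV = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "EAST": "E", "WEST": "W"}

def normalize_address(raw):
    """Uppercase, strip punctuation, abbreviate common tokens, collapse spaces."""
    tokens = re.sub(r"[^\w\s]", " ", raw.upper()).split()
    return " ".join(ABBREV.get(t, t) for t in tokens)

def merge_agency_records(*sources):
    """Join records from several agencies keyed by (borough, normalised address)."""
    merged = defaultdict(dict)
    for records in sources:
        for rec in records:
            key = (rec["borough"].upper(), normalize_address(rec["address"]))
            merged[key].update({k: v for k, v in rec.items()
                                if k not in ("borough", "address")})
    return dict(merged)

# 2. Derive indicators. Rodent complaints are judged against the borough
#    median, because call volume per rat differs wildly by neighbourhood.
INDICATORS = ("tax_delinquent", "foreclosure", "utility_nonpayment",
              "pre_1930", "rodent_high")

def derive_indicators(props):
    calls = defaultdict(list)
    for (borough, _), p in props.items():
        calls[borough].append(p["rodent_calls"])
    median = {b: sorted(v)[len(v) // 2] for b, v in calls.items()}
    for (borough, _), p in props.items():
        p["pre_1930"] = p["year_built"] < 1930
        p["rodent_high"] = p["rodent_calls"] > median[borough]
    return props

# 3. Learn a weight per indicator from labelled history, then score and rank.
def fit_weights(history):
    """weight = P(severe fire | indicator) - P(severe fire | no indicator)."""
    weights = {}
    for ind in INDICATORS:
        pos = [h["severe_fire"] for h in history if h[ind]]
        neg = [h["severe_fire"] for h in history if not h[ind]]
        if not pos or not neg:          # indicator never varies: no evidence
            weights[ind] = 0.0
            continue
        weights[ind] = sum(pos) / len(pos) - sum(neg) / len(neg)
    return weights

def risk_score(prop, weights):
    return sum(w for ind, w in weights.items() if prop[ind])

def hit_rate(props, keys):
    """Share of inspected lots that actually warranted a vacate order."""
    return sum(1 for k in keys if props[k]["vacate_order"]) / len(keys)

def constructed_lots(rng, n, label):
    """Constructed sample lots (not real data). The hidden rule that bad lots
    carry more indicators stands in for the correlation the NYC team found."""
    props = {}
    for i in range(n):
        borough = rng.choice(["MANHATTAN", "BRONX"])
        p = {"tax_delinquent": rng.random() < 0.3,
             "foreclosure": rng.random() < 0.3,
             "utility_nonpayment": rng.random() < 0.3,
             "year_built": rng.choice([1905, 1925, 1950, 1975, 2000])}
        rats = rng.random() < 0.3
        if borough == "MANHATTAN":      # many 311 calls per rat
            p["rodent_calls"] = rng.randint(20, 40) if rats else rng.randint(0, 10)
        else:                           # few calls even with a real problem
            p["rodent_calls"] = rng.randint(3, 6) if rats else rng.randint(0, 1)
        k = sum([p["tax_delinquent"], p["foreclosure"], p["utility_nonpayment"],
                 p["year_built"] < 1930, rats])
        p[label] = rng.random() < min(1.0, 0.05 + 0.2 * k)
        props[(borough, f"{i} MAIN ST")] = p
    return props

def run_demo(seed=7, n_history=400, n_candidates=300, inspect_share=0.2):
    """Fit weights on past fires, rank this year's lots, compare hit rates."""
    rng = random.Random(seed)
    history = derive_indicators(constructed_lots(rng, n_history, "severe_fire"))
    weights = fit_weights(list(history.values()))
    cands = derive_indicators(constructed_lots(rng, n_candidates, "vacate_order"))
    budget = int(n_candidates * inspect_share)    # the 200-person team's capacity
    unranked = list(cands)[:budget]               # arbitrary order: the baseline
    ranked = sorted(cands, key=lambda k: risk_score(cands[k], weights), reverse=True)
    return {"weights": weights,
            "unranked_hit_rate": hit_rate(cands, unranked),
            "ranked_hit_rate": hit_rate(cands, ranked[:budget])}

if __name__ == "__main__":
    print(run_demo())
```

Running run_demo() returns both hit rates; the ranked figure comes out well above the unranked one, which is the 13%-to-70% effect of the post in miniature (the exact numbers depend on the seed and carry no real-world meaning). The borough-relative rodent threshold is the point from the rat quotation: an absolute call count would flag Manhattan lots and miss Bronx ones. For a financial audit the same skeleton applies with transactions in place of lots, prior findings in place of fire data, and non-financial signals (traffic, utilities, complaints) as the indicators.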

Friday, October 25, 2013

Materially Mistweeted? Tale of the Ticker Symbol

My coworkers informed me of a fascinating story of how one letter and an overactive stock rumour mill can provide us a valuable lesson in defining materiality in the world of a 140 character "tweet". As described in this post on TechCrunch, the stock "TWTRQ" went from less than a penny to a high of $0.15, which works out - I am relying on TechCrunch for the math on this one - to a rise of 1,400%. Wow! Was it the birth of a new valuation model that made Wall Street realize the value of TWTRQ? Did the Federal Reserve grant TWTRQ, or Tweeter Home Entertainment Group, the right to print money out of thin air (as they do with other banks)?

Looks like the free market fundamentalists really got it handed to them on this :)

Apparently, the collective "wisdom" of the markets drove investors into a feeding frenzy over TWTRQ. The reason? Well, investors apparently bought the stock of this company, which has been bankrupt since 2007, thinking it was the initial public offering of Twitter (symbol: TWTR). Who would have thought to assess the materiality of a ticker symbol? Could the investors sue the auditors on this one? Now that would be a court case worth watching.

Of course, on a more serious note, it really illustrates how little checking people do when investing their money in stocks. We are not talking about running the latest financial model pulling XBRL tagged information in real time to determine the value of the company. We're talking about checking financial news sites to see when the stock was released.

And to finish on a lighter note, we can at least chuckle at's take on this

Friday, October 11, 2013

UWCISA 8th Biennial Research Symposium: A Unique Experience

Last weekend UWCISA held its 8th Biennial Research Symposium.

For those who attended, it was a great opportunity to get together and understand what the leading edge is in terms of research in information security, data analytics and assurance issues related to technology. For those that may not be familiar with the conference, it is a truly unique format. The Symposium brings academics together to present papers, but also brings together discussants from academia as well as practitioners from the field (click here for the list of papers presented as well as the list of practitioner/academic discussants). It is this blend of perspectives that makes the symposium a unique experience.

In prior years, the conference was only on the Friday and Saturday. However, this year the conference included a special XBRL session on the Thursday. This portion of the conference was standalone and actually sold out! Gerry Trites, head of XBRL Canada, informed the attendees at the conference that over 250 Canadian companies are working to implement XBRL because they file in US GAAP and are therefore effectively forced to produce XBRL tagged financial statements. He is in the process of pulling together a study that will explore this in greater detail.

On the opening panel, it was interesting to see the different perspectives that were presented about the current state of data and assurance. It really highlighted the challenge of innovation in audit. On the one hand, there is agreement regarding the tremendous potential that exists to automate audit tasks and identify issues through analytic techniques. But on the other hand, due to the regulatory nature of audits, there was a consensus that, given the slow pace at which standards change, it will be a while before auditors can take advantage of such techniques. However, the challenge from the audit firm side (as noted by one of the presenters) is that the cost or quality advantage gained through R&D will be lost if it is scrutinized and thereby shared with the rest of the audit industry. Another panelist pointed out another conundrum: can auditors be truly independent of management? His argument was that a more data-driven audit would make the team more objective, which is a more attainable goal.

All in all, it was a great symposium. Special thanks to Efrim Boritz, Lia Boritz, Jenny Thompson, and the others behind the scenes for getting this mammoth event up and going. Thanks to Bill Swirsky for keeping us on track and going. And thanks, of course, to the presenters and discussants who presented their papers and views.

See you all in 2 years!

Monday, September 30, 2013

Porter's Outage: Dealing with an outsourcer's system failure

A couple of weeks ago, I got caught in the Porter Airlines network outage. I was heading back from a meeting in Ottawa and we had managed to get to the airport on time, only to find that we could not get our flight because the "system was down". Although I was scrambling to figure out how to get back to Toronto, my colleague had it much worse as she had a connecting flight back to Windsor! For me it was one of those "check out" moments. You know when you are at the grocery store and the guy ahead of you is haggling with the attendant, and you think to yourself: "Should I wait for this situation to resolve itself or move to the next line?" As the Porter folks informed us that they would give us a refund, I decided to book the next Air Canada flight back to Pearson (instead of the Billy Bishop airport, where I had parked). Although I was supposed to fly out at 9:20 PM, they managed to put me on the 7:30 flight. A number of us at the back were "refugees" from the Porter flight. It is tempting to get exasperated and complain in these situations, but one of my fellow refugees pointed out how this is essentially a "first world problem": we only ended up waiting about an hour and we had all the amenities (food, water, shelter, etc.) waiting for us when we got back to Toronto!
As reported in the Toronto Star, the outage was due to a failure at Navitaire: the "reservation and flight planning system" that Porter outsourced to. It turns out that other airline companies, such as Air Tran, were also affected by the outage.

Surprisingly, this is not the first time that Navitaire has experienced an outage: the company also had an outage in 2010 that affected Virgin Blue airlines. As would be expected, Virgin sued Navitaire. The case was settled out of court. As noted by The Register (which commented on the 2010 outage):

"It is becoming more and more obvious that Navitaire's business continuance and disaster recovery provisions failed completely in this outage. There should have been standby systems ready to take on the load of any failed system or system component, but there weren't any. That is a blunder of the first magnitude by whoever designed, implemented and ran the system."

Well, it seems that the "blunder of the first magnitude" has repeated itself only 3 years later.

As you know from my previous posts, I have written about the cloud from a CPA perspective, so the logical question is: where is the SysTrust or other third party review of their IT controls to ensure that this type of thing doesn't happen?

Well, I could not find it. The brochure for the services offered by Navitaire does not make mention of a third party audit report. However, it is possible (although unlikely due to the cost) that Navitaire allows its customers to send in their own auditors.

Regardless, the incident illustrates the need for customers who outsource their operations to third parties to get an assurance report (e.g. Trust Services) that confirms that such controls (e.g. disaster recovery) are in place and operating.

To Porter's credit, they gave me a refund and they also gave me a free flight to anywhere they fly. So from their end they did their best to make amends for the fiasco.

Wednesday, September 4, 2013

Verizon Mobile Push into Canada Evaporates: The Data Privacy Angle

Canadians had been anxiously awaiting the entrance of the American telecom giant Verizon into the Canadian mobile market. For years, Canadians have lived under the domination of a few giant players, which has resulted in Canadians paying some of the highest - if not the highest - cell phone rates in the world.

The government of Canada actually dedicated a website to the issue, which illustrates the level of concentration in the market. Apparently, to address the issue, "Ottawa rolled out the red carpet to attract the U.S. mobile giant in the hopes of establishing a fourth mobile competitor in all provinces - not only in Quebec, where Quebecor's Vidéotron is giving the Big Three a run for their money." (See the Globe & Mail article for the full context of the quote.) As this Globe & Mail article suggests, the hope was that Verizon would enter the market and force the incumbents to offer better prices.

However, Verizon has announced that it has cancelled any plans to enter the Canadian market, dashing these hopes.

An interesting point to note, however, is the data security and privacy angle that the incumbents took to bolster their case to the Canadian public. As per the FairForCanada website (which is supported by the Big 3 Telecoms), they claim:
"Who do you want to own your private data?

Across the country, Canadians use their wireless devices to make calls, send text messages and emails, and browse the internet every day. That information should be safe, secure, and private.

Will American companies say no to requests from U.S. government agencies for customers' personal data?

Canadian wireless providers have a solid track record of protecting your data in compliance with Canadian laws. But what will happen with regard to the data of Canadians in the hands of foreign-owned wireless carriers? What laws will regulate the protection of your information? This is not a trivial issue. It is one that should be of concern to all Canadians."

It seems that the advocacy group was riding the fear of Canadians that the US will have access to their data.

It seems they have done their research.

As noted in this ZDNet article, "Since being signed into law in 2001, the Patriot Act has been cited as a viable reason for Canadian companies, government departments and universities to avoid the cloud due to the close proximity to the United States". In other words, fear of US surveillance has led to low demand for US-based cloud services. Applying the same logic, the incumbents were playing on this same fear so that Canadians would stick with them.

However, this is only part of the truth. The reality is that Canadian companies have had to comply with similar legislation that requires them to divulge data to Canadian law enforcement. As noted by the Office of the Privacy Commissioner of Canada:

"In the national security and anti-terrorism context, Canadian organizations are subject to similar types of orders to disclose personal information held in Canada to Canadian authorities. Despite the objections of the Office of the Privacy Commissioner, the Personal Information Protection and Electronic Documents Act has been amended since the events of September 11th, 2001, so as to permit organizations to collect and use personal information without consent for the purpose of disclosing this information to government institutions, if the information relates to national security, the defence of Canada or the conduct of international affairs."

This is on top of the recent CSEC scandal (where the secretive agency is alleged to have illegally spied on Canadians), although one could argue that such surveillance was actually illegal. Ultimately, I had hoped Verizon would have entered the market, but only to push down the rates. I would have ended up sticking with the Canadian mobile carriers, because the data is, one way or another, in one jurisdiction.

However, all is not lost in terms of lower rates in the cell phone market.

It seems the government is hoping to entice voters by tackling a problem which does impact the productivity of Canadians (see this post which compares Canadian mobile access to access in India/China). For example, the CRTC has mandated a number of changes to the cell phone contracts that the wireless industry can legally offer, such as restricting the minimum contract length to two years.

But from a data privacy perspective, it seems the only way to get privacy these days is to live a technology-free lifestyle of yesteryear!

Sunday, September 1, 2013

"Images can't be verified": The limits of social media?

In previous posts, I have illustrated how information integrity concepts, and assurance more broadly, have played a role in media reporting. In that post, I noted the following as a way to act as a check on the media:

"Another probably more plausible approach is to leverage crowd sourcing and organize it to enable people to comment or blow the whistle on information that is produced in a manner that is inaccurate, incomplete or invalid. The Guardian actually did this for the MPs' expenses: they built an app that allowed ordinary users to analyze MPs' expenses (if interested, check out the Google Docs spreadsheet with this info). As noted in the article, there was another attempt to build such an app (see here for the alternative). This is both good and bad. It's good in the sense that no one organization has the ability to monopolize such initiatives. However, it is bad in the sense that the efforts of the crowd are effectively divided. Regardless, it does illustrate the potential for "crowd sourced audits"."

However, the events in Egypt and Syria, and the coverage of the Occupy Wall Street movement, illustrate the limits of social media's ability to act as a check on "official sources". As noted in the following excerpt from the WSJ, there is a significant discrepancy in the death toll in the recent events in Egypt:

"The Associated Press cited the Ministry of Health as saying 525 people were killed across the country, with 3,717 injured. Interior Minister Mohammed Ibrahim said 43 policemen died in the assault, the Associated Press reported.

The Brotherhood placed the number of fatalities far higher—saying 2,200 people had been killed and more than 10,000 wounded."

To put the number of dead into perspective, the number killed (if the Brotherhood numbers are accurate) is the same scale as the number that died in September 11, 2001, which was 2,977.

What is interesting is that the Egyptian military actually targeted cameramen to prevent images of the massacre from leaking out. For example, Mick Deane, a cameraman from Sky News, was shot and killed by the Egyptian army. Also, as you can see in the video below, Ahmed Asem (an Egyptian photojournalist) was killed while filming the Egyptian army killing others:

In Syria, even after horrifying images of chemical attacks were available on YouTube (no link is provided due to the gruesome nature of the attacks; however, they can easily be found by searching "Syria Chemical Attacks" on YouTube), the mainstream media continues to refer to them as "alleged".

With respect to the Occupy movement, almost 8,000 people have been arrested. However, the mainstream media does not cover this, and so a major crackdown on a significant social movement is effectively invisible to mainstream society.

So what does this have to do with information integrity?

I have been fascinated with the portability of information integrity concepts to any information system, including the mass media system. For example, if one reads Manufacturing Consent, it is essentially a book that evaluates how the media applies concepts such as decision-usefulness, completeness, validity, etc. to the way information is published or broadcast.

And this is the link to the social media.

One may think that, with official media being unable to compete with social media, it will be replaced by social media. However, this is only from a business perspective. The real question is whether social media actually alters the ability of the mass media to set the parameters of debate. In other words, can you or I get on a blog, expose the truth about something and create change in society, based on the blog post?

As illustrated by the examples above, when the official media does not corroborate the social media, it effectively prevents social media from having an impact on society. As I had mentioned in one of my earlier posts, the official media is still seen as a source of trust and verification, whereas social media is not. This ultimately prevents social media from ever truly supplanting old media, as people in a society ultimately rely on collective institutions to bind them together into a cohesive whole. So despite social media giving people the ability to contribute to the landscape of ideas, it has not fundamentally altered the essence of power structures in society.

In other words, the "information system" within society still remains where it always has. And when the citizenry make decisions about societal matters, they ultimately rely on this information system for their opinions and beliefs, simply because the other sources can be doctored and faked, i.e. there are no official "information integrity" controls around social media. Consequently, countries - be they dictatorial or democratic - can crack down on their citizens, and social media will not "materially" affect society's opinions or beliefs about the plight of that group or their cause.

Tuesday, July 16, 2013

The Power of Visualized Analytics

In my new role at Deloitte, I have recently come across tools, such as Tableau or Qlikview, that allow users to "visualize data". To be honest, I didn't think they would add much value compared to "rule-based analytic tools", such as IDEA and ACL. However, after using these tools I realized the real power of being able to visualize data, in contrast to producing an exception report. It brings the dashboard concept of the executive management suite to the analyst or other business professional. But as they say, "seeing is believing".

So let's try an experiment.

I recently came across an amazing visualization that really illustrates the power of visualization; it visualizes economic data, specifically the distribution of wealth.

But don't click on it yet!

To get the most out of the experiment, first read this report (which the visualization is based on) to see how the stats hit you in terms of impact.

So here is an excerpt from the Oxfam report which the visualization is based on. (The numbers at the end of each sentence are footnotes; see the original report for the sources.)


So now let's see how this data (plus other sources) hits you when it is visualized:

Is there really any contest?

What I've realized is that visualization really enables the business user to bring together multiple dimensions on a single sheet of paper and to tell the story about the underlying data. Having said that, I do believe that there is a complementary relationship between visualized analytics and rule-based analytics. For example, if you want to quantify the difference between budgets and actuals, produce a list of exceptions, etc., then rule-based analytics are better for such a purpose. Furthermore, visualizations can help explain the results of rule-based analytic procedures.

Tuesday, July 9, 2013

Did McKinsey predict Google Now?

From a business perspective, one of the key publications on the big data phenomenon is the McKinsey report entitled "Big data: The next frontier for innovation, competition, and productivity". Although the report does not specifically mention Google, it predicted that Big Data would enable personal productivity and noted the following example to support its case:

"An example is a mobile phone that has learned its owner’s habits and preferences, that holds applications and data tailored to that particular user’s needs, and that will therefore be more valuable than a new device that is not customized to a user’s needs"

Well, McKinsey was right on the money, as Google introduced "Google Now", which would announce the scores of one's favourite sports team - based on the person's search history. However, where does Big Data fit into this?

One of the applications that really illustrates the power of Google Now is the linking of traffic data to one's calendar to inform the person that they are going to be late for a meeting due to traffic issues. The video here lists other features:

The price for this (of course) is giving up one's personal data.

Regardless, it illustrates how Big Data is becoming a ubiquitous part of life. One other Google product that was released at their recent I/O conference in May is the ability to use speech to search for things.

As you watch the video, you can almost see the wheels churning in the background to process the query. (I was able to replicate the voice search in my Chrome browser, but was not able to get it to do a context search. I am not sure if I had to enable something to do that.)

This ability to process queries by voice, of course, will be quite useful for the upcoming Google Glass (I wrote earlier about it here), which is expected to be released in 2014.

However, it must be repeated that McKinsey was dead on the money with this one. 

Thursday, May 9, 2013

Windows 8: Time to Eat Crow or Wait?

I have been mulling for some time whether it is time to eat crow over my previous post on how Windows 8 could potentially outrun the incumbent iPad as the mobile device of choice. As I had noted in the post, I felt that Microsoft was attempting to ride the consumerization of IT wave and get users up to speed on their "modern user interface" (Microsoft does not like the term "Metro", which tech journalists still use because that was its original code-name). Recent sales figures put Windows 8 at roughly the same level as Windows 7, when comparing the first 6 months of their sales. One may speculate that this was not the runaway hit that Redmond was hoping for - this is based on the fact that they did not release the Windows 8 sales data during the Q3 earnings call. Reuters also points out that the average sales of Windows 8 are actually below Windows 7, and this could be due to the massive incentives that Microsoft was offering for people to upgrade their systems (e.g. for those buying a Windows 7 PC in the months before Windows 8's release, an upgrade cost $15; in the few months after Windows 8's release, one could upgrade to Windows 8 for $40).

As I had noted in my post, there was tremendous room for Microsoft to shoot itself in the foot. My analysis focused on the possibility of Microsoft releasing Office on the iPad and Android mobile operating systems. However, the issue had to do with Microsoft's gamble that, by forcing users to adopt the Metro interface (take that, Microsoft!), they could move users away from the interface that they had grown accustomed to over the years. John C. Dvorak, a veteran journalist in the tech industry, noted in this PC Mag article (and many times on TWIT) that people like the simplicity of the desktop and there is no real compelling reason to leave this behind for the Metro interface. But to be fair, this is a hard call for Microsoft, who did try to give users the best of both worlds by giving them the option to get to the desktop from the Metro interface.

One of the possible issues was Steven Sinofsky's approach to leadership (he was not known to be a nice guy), which may have prevented user feedback from being incorporated. Now that he's gone it appears that the next version of Windows, known as Windows 8.1 or Windows Blue will be bringing some features to "address customer feedback". Examples of such rumoured features include boot to desktop and bringing back the start button.

Although this may be good in terms of corralling the Windows faithful, the hope was that Windows 8 would give the iPad a run for its money.

Although a long shot, there is a possibility that Microsoft could still make this happen: Amazon leaked this on their website: a $380 8.1 inch Windows 8 tablet that runs the full Windows 8 (i.e. not the more tablet oriented Windows RT) operating system. Although it does not come with MS Office 365, if you've bought it for one machine you can share it with this tablet (and three other machines, as noted in this previous post).

Although not likely a large factor in the overall success of Windows 8, the Washington giant did actually release a bizarre set of videos to advertise this OS (the Mashable links go to another YouTuber, but this one actually goes back to the official Windows 8 channel!):

As for me, I just ordered a Windows 7 laptop to replace the machine I am currently using. However, I am in the market for a tablet. If these tablets come in around the $300 to $400 range, then I am definitely thinking of trying these machines out. In other words, I think I will wait before I eat crow.

Monday, April 22, 2013

Facebook Home: Privacy fears or a sign of decline?

As reported across the tech news sites, Facebook Home hit 500,000 downloads in the first five days. However, TechCrunch gave some perspective. It noted that Instagram (which is owned by Facebook) had "over 5 million downloads in six days". So what is holding people back?

One possible issue is privacy. As noted in this previous post, the younger generation is privacy savvy and is opting for apps like SnapChat that don't retain pics and other personal info. So it may be that the not-so-hidden cost of privacy is too high a price to pay, and many commentators have noted this issue with respect to Facebook Home. As noted in this blog post, GigaOm's founder Om Malik fears that Facebook's past privacy issues will be especially problematic if Facebook can capture (and monetize) one's location data. As pointed out, this can be turned off, but how many people are going to give up the map feature of their phones to keep this private?

On the other hand, is Facebook as popular as it used to be? A colleague at work notes that his "tween" son is using... (drum roll please)... Google Plus! Yes, that's right, Google Plus, the social network that people mocked as a possible Facebook competitor, is now being picked up (anecdotally) by the youth. Although this is anecdotal evidence, Facebook's last redesign was viewed by some as an imitation of Google Plus. For Facebook's version of the story check here:

Overall, it's quite fascinating how the social media sites and tech companies wax and wane in popularity. Remember RIM? The company that could do no wrong is now fighting (one could argue valiantly, but that could be the nostalgia in me talking) for spot number 3 in the smartphone wars. Of course the biggest giant to fall from the public's favour is Apple, with its stock sliding from a height of $705 to a current price of just under $400.

However, as pointed out by Horace Dediu on this podcast, Facebook has effectively circumvented Google by making Facebook Home the home screen on Google's real estate. He has a good analysis of the whole supply chain, drawing an analogy between Facebook's strategy and Intel's "Intel Inside" strategy:

Furthermore, GM is back as an advertiser on Facebook. It made an exit last year but has returned "and will take advantage of Facebook's new mobile targeting features". So despite the slow download numbers and the potential privacy issues, Facebook Home is hardly down and out.

Tuesday, April 9, 2013

Big Data, Facial Recognition and Privacy

In October of 2012, the FTC released these guidelines on dealing with the privacy issues of facial recognition. The publication begins with a scene from the movie Minority Report where the protagonist is offered a product based on facial recognition software. When the movie came out, this future seemed decades away. However, now it just seems around the corner. And this is primarily due to advances in data mining capabilities brought to you by the cloud and, more specifically, big data. One of the key characteristics of Big Data (see here for IBM's definition) is being able to include data that is not just massive or fast moving, but that also goes beyond the simple world of flat files, meaning it includes images.

And here comes the interesting part about privacy and big data. Think about the following scenario: you walk into a store, the security cameras take your picture, it's uploaded to Google Images (see below for how this works), a second search is done to find out what you've posted publicly on the various social sites, and then you are approached by a sales associate who has all this information about you and can tailor the store's offerings to you.

Privacy regulations require that users give consent before their information is collected. So could this simply be circumvented by posting a sign that states "By entering these premises, you consent to the store collecting your image and using that information to tailor offerings, services and the like to your online profile"?

I think so.

As I posted last week, TJX was effectively able to stop the Canadian privacy watchdog by agreeing to encrypt the personal information it should not have been collecting in the first place. So it does not take much for companies to persuade users (or the privacy regulators) to get what they want from their customers/users. At the end of the day, companies simply have to repeat the capitalist mantra: "You are free to go somewhere else if you don't like our policies". Never mind that all the companies have the same policies, which means you don't have any choice except to wear a mask when you enter the store. And that is not advisable because it may result in being billy-clubbed or tasered by security guards! Or, to be a little less dramatic, the store will simply refuse you service if you wear a mask.

Friday, April 5, 2013

The Killing of Google Reader: Proof that Privacy Matters at Google?

Google announced last month that it was going to kill off Google Reader. According to the post, the reason given was a decline in the number of subscribers. For the past few years, Google has been consolidating its offerings and reducing the number of properties it has out there. For example, it retired Google Wave, which was seen as a way to revolutionize the way people conversed with one another. The other trend in Google's consolidation is to get its subscribers into its social network, Google Plus. So another theory is that Google killed Reader because it wants to drive more traffic to its social network, as it has done with YouTube, Blogger, etc.

However, AllThingsD reported that another factor that led to Google retiring Reader was privacy compliance. Citing "sources", it reported that the elimination of Reader "[w]asn't just a matter of company culture and bigger priorities...Google is also trying to better orient itself so that it stops getting into trouble with repeated missteps around compliance issues, particularly privacy".

If what the sources are saying is true, factoring privacy costs into its product decisions represents a significant maturation from a privacy perspective. Google got in trouble with the FTC because it failed to honour its privacy commitments with Google Buzz, and as part of the settlement it had to submit to independent privacy audits every two years for 20 years. In other words, Google can probably include the "kill decision" as "audit evidence" that it is complying with its commitment to privacy.

So is this proof that the overall US approach to privacy creates a more privacy-compliant culture than the one used in Canada? Although more research would be required to answer this question, we can contrast the proactive stance of Google with respect to privacy with how TJX reacted to its breach of privacy law in Canada. The Privacy Commissioner of Canada took issue with TJX's (which operates Winners in Canada) use of driver's licences during the returns process. In summary, TJX should not be collecting driver's licence information because it has nothing to do with buying clothes, etc. at its stores! However, instead of stopping the practice, the company merely agreed to stop storing the information in an unencrypted format. In other words, it basically ignored PIPEDA and continued with business as usual.

Sunday, March 17, 2013

Google Glass and Privacy: You've just been Glassed!

Last week at the SXSW conference, Google showed off its latest product, Google Glass. The gadget last made headlines when Sergey Brin claimed, while sporting Google Glass, that mobile phones are "emasculating". In other words, men (and women?) will fork over money to Google to be "real men". Prior to that, the search engine giant invited The Verge's Josh Topolsky and revealed in this interview that the product will be available to the wider public by the end of 2013. The company plans to work with eyeglass manufacturers to make the technology available through such channels as well.

As can be seen in this interview, Google believes that the glasses will help human beings connect better with the world we live in: we can stay in the moment without having to take out our smartphones to capture it. For example, if you attend your kids' sporting or extracurricular events you are probably used to seeing parents viewing the event through their iPads or smartphones instead of actually watching the kids play.

Is this the next big thing?
With Apple's steady stream of innovative products, such as the iPhone and iPad, seeming to have become mainstream, some are questioning whether innovation in technology is becoming stagnant. For example, on this episode of The Agenda, a group of panelists explored this topic based on a survey conducted by TVO that indicated the biggest inventions occurred decades ago.

Enter wearable technology: is Google Glass the next "big thing"?

Some commentators, such as Leo Laporte, have questioned the value of Google Glass and other wearable technology (e.g. it is rumoured that Apple is working on a watch). Does it really solve a problem that we have? Or is it a means to manufacture a want in order to satisfy Wall Street's insatiable appetite for endless growth and profits?

Laporte has humorously judged the soon-to-be-released device a "Segway for your face", referring to the 'people mover' that had low commercial success because it did not look fashionable to ride one. Consequently, it is not clear whether Google Glass will be the next big thing or a commercial failure.

Privacy implications of Wearable Tech
That being said, the privacy implications of this device are hard to ignore. In fact, one business in Seattle, the 5 Point Cafe, has gone so far as to ban the device. The owner of the establishment has admitted that this was partially a PR stunt. However, one could argue that the ploy was successful because it speaks to an underlying concern in society with the increasing encroachment of technology on one's privacy.

In a previous blog post, I discussed how the shift to social media is, from a certain perspective, an adjustment in privacy for people who live in non-rural environments, where individuals are used to the anonymity of the condominium or the suburban subdivision. However, it is not an adjustment for those who live in a more village-oriented setting, where everybody knows everybody and individuals could never count on anonymity.

The issue, however, with Google Glass is that it is integrated into a person's physical body and, unlike a smartphone, a video camera or that ancient camera with the smoke and all, it inherently lacks the social mechanism to communicate that the interaction is being recorded. Even with social media, it is well understood that the communication is occurring in a medium that can be easily shared, so those who engage in such a communication understand there is a possibility that their conversation is not private and may not be kept confidential. In other words, precisely because Google Glass is integrated into the moment, it inherently lacks the ability to provide:
  • "Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed."
  • "Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information."
(This was taken from AICPA-CICA Generally Accepted Privacy Principles, see page 7)

Of course these principles are designed for companies and organizations to manage the privacy of their customers and other stakeholders. However, they are useful because they help break down the problem of "wearable technology" in terms of what the privacy issues exactly are, beyond the "creepy factor". (Jeff Jarvis, professor of journalism at CUNY and open Google fanboy, often talks about how "creepy" is too vague a term to be an obstacle to technological innovations that, in his opinion, increase a person's ability to live life in public.) That is, the problem with Google Glass is that when you lean in to talk to someone you expect them to keep what you are saying confidential. However, if they are wearing technology that can record what you are saying (i.e. without your knowledge), then it effectively violates that expectation of privacy because the person wearing Google Glass has failed to give "notice" and therefore cannot obtain "consent".

Consequently there will need to be some adjustment in terms of wearing Google Glass. For example, one suggestion I have heard from someone on the TWiT network is that Google Glass should have some kind of light that indicates it is taking pictures/video/etc. However, given the nature of things, people can always find a way around such "controls".

Avoiding being Glassed
Inevitably, the privacy issues will go the way of social media. As horror stories of being "Glassed" (i.e. what I define as an embarrassing Glass-recorded personal moment making its way to YouTube or another video sharing site) get around, people will become aware of the privacy risk of being around Google Glass and may simply request: "Can you take those off before we talk? I'd rather not be Glassed. Thanks."

Tuesday, February 26, 2013

Technology and Audit: Rising tide of tech floats all boats

Norman Marks, evangelist at SAP, neatly summarizes in this 5 minute video the implications of recent technologies, such as cloud, analytics and the like, for the auditing profession.

As he notes, "if it's good enough for our clients, it's good enough for us" (i.e. us being the auditing profession). He mentions how individual analysts and other business professionals are using tablets and other devices to perform analytics. He also cautions that we should not make the same mistake we did when analyzing the potential of desktop computing. In the video he narrates an amusing anecdote about the reaction of the accounting firm he worked at to the nascent desktop computer in the 70s.

Although I agree with his comments, I would say that this also extends beyond the corporate IT environment. I have written in the past about cloud and mobile tech, and what I see is that these technologies favour small and medium-sized businesses (SMBs) over large ones. Basically, SMBs can now afford enterprise-class technology, and their people are probably already using this technology within their personal spheres. Hence the term "consumerization of IT": advances in technology are focused on the consumer space, not the corporate IT department. As illustrated by the use of the iPhone within corporate IT, consumers brought in the iPhone or demanded that IT let them use it instead of the standard-issue (e.g. BlackBerry) smartphone. Furthermore, widespread familiarity with these technologies gives SMBs access to employees who know how to use them without specialized training. The sum of it: it is much harder for auditors to justify being low-tech when even the employees of SMBs have gone high-tech.

Sunday, February 17, 2013

NYT vs Tesla: Sustainability, Electric Cars and Data Audits

On February 10th, the New York Times posted a negative review of the Tesla Model S. The article, entitled "Stalled Out on Tesla's Electric Highway", painted a bleak picture of the Tesla's ability to keep its charge and travel long distances. This is obviously a big concern for those who would purchase such a car. The reporter who drove the car noted the following with respect to his experience during the test drive:
  • The charge was dropping faster than anticipated.
  • In order to extend the charge, the reporter reduced the cabin temperature to the point where he was uncomfortable.
  • The reporter barely made it to the next charging station, even though he should have been able to make it (easily) based on the amount of charge indicated at the outset of that leg of the journey.
  • The car did not retain its charge overnight. When the reporter went to sleep the display showed 79 miles, but in the morning it showed only 25 miles remaining.
  • On another leg of the trip the reporter never made it to the next charging station, even though he drove the car at a modest 45 miles per hour. Instead, the car shut down on the road, and the reporter had to wait 45 minutes for the car to be loaded onto a flatbed truck.

Billionaire Elon Musk, the co-founder and CEO of Tesla and a co-founder of PayPal, was not going to take this review lying down. As it turns out, the Model S kept data logs recording the driver's actions. So Musk reviewed the logs and fired back with the following post, disputing the claims of the NY Times article. He noted the following:

  • The temperature was not turned down; instead it was turned up to 74 degrees.
  • Insufficient time was spent charging the car (47 minutes instead of 59 minutes).
  • On the last leg of the trip, where the car died, the reporter actually drove past the recharging station.
  • He drove between 61 and 81 mph, well beyond the 45 mph claimed.
The blog post also links to the following article, highlighting that the reporter had previously written that electric cars were "dismal, the victim of hyped expectations, technological flops, high costs and a hostile political climate", pointing to the writer's bias against electric cars.

Of course, the reporter was not going to take this rebuttal lying down either. And so he fired back with the following "rebuttal of the rebuttal". (I am not going to summarize what he said, but you can read it there.)

The point is: who is correct?

Although Tesla is stating that the reporter has an axe to grind, the same argument can be made against Tesla. That is, they want electric cars to be viewed favourably so that their company succeeds. 

And that's where the importance of data audits and system controls come in.

How do we know the logs that Tesla is relying on were not tampered with? What system controls are in place to ensure data integrity?

The importance of this topic goes beyond a tussle between a media outlet and a company. What's really being discussed here is environmental sustainability. The tussle illustrates the increasing importance of data for society in making critical judgments about sustainability. And this leads to my next question: are assurance practitioners ready to tackle these types of third party reporting challenges?

As I've mentioned in previous posts, auditing information is a skill that goes beyond the particular information being audited. In the case of the Tesla, audit procedures could be performed to see whether controls exist over the data logs to ensure they were not tampered with; the sensors that generate the data could also be tested for completeness, accuracy and validity, etc. For example, Musk claims that the car never ran out of energy, whereas the reporter (in his rebuttal) claims it did. So is the reporter right and the sensors wrong? Or are the sensors right and the reporter wrong? You can only know if someone independent of both the NYT and Tesla tested the controls.
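To make the "were the logs tampered with?" question concrete, here is an added example (my illustration, not Tesla's logging design or anything from the Musk or NYT posts) of the kind of control an auditor would look for: a hash chain over the log records, where each record's hash commits to the record and to every record before it, plus an "anchor" (the head hash) held by someone independent of the log's owner. The vehicle records, their fields and the values are all constructed for the example. Two things it shows: editing a record in place breaks the chain, and silently rebuilding the whole chain after an edit only passes if the party doing the rebuilding also controls the anchor, which is exactly why the anchor has to sit outside the company being audited.

```python
import hashlib
import json

# Constructed sample records (not real vehicle data). Field names are
# assumptions for illustration only.
SAMPLE_LOG = [
    {"t": 0,   "speed_mph": 0,  "cabin_f": 72, "battery_pct": 90},
    {"t": 60,  "speed_mph": 61, "cabin_f": 74, "battery_pct": 88},
    {"t": 120, "speed_mph": 81, "cabin_f": 74, "battery_pct": 85},
    {"t": 180, "speed_mph": 65, "cabin_f": 74, "battery_pct": 83},
]

GENESIS = "0" * 64  # fixed starting value for the first link


def canonical(record):
    # Deterministic serialisation so the same record always hashes the same way
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def link_hash(prev_hash, record):
    # Each link commits to the previous link and to this record
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(record))
    return h.hexdigest()


def build_chain(records):
    """Return one link hash per record; the last one is the chain head."""
    hashes = []
    prev = GENESIS
    for rec in records:
        prev = link_hash(prev, rec)
        hashes.append(prev)
    return hashes


def verify_chain(records, hashes, anchored_head):
    """Recompute the chain and compare it to the stored hashes and to the
    head value that was anchored with an independent party.
    Returns "ok" or a short description of the first problem found."""
    if len(records) != len(hashes):
        return "length mismatch"
    prev = GENESIS
    for i, (rec, stored) in enumerate(zip(records, hashes)):
        prev = link_hash(prev, rec)
        if prev != stored:
            return f"record {i} altered"
    if prev != anchored_head:
        return "chain rebuilt: head does not match anchored value"
    return "ok"


def demo():
    hashes = build_chain(SAMPLE_LOG)
    anchor = hashes[-1]  # imagine this was lodged with an independent auditor at the time
    results = {"untouched": verify_chain(SAMPLE_LOG, hashes, anchor)}

    # Case 1: a record is edited after the fact (81 mph becomes 45 mph)
    edited = [dict(r) for r in SAMPLE_LOG]
    edited[2]["speed_mph"] = 45
    results["edited_in_place"] = verify_chain(edited, hashes, anchor)

    # Case 2: the log owner edits the record AND recomputes every hash.
    # Internally consistent, but the head no longer matches the anchor.
    rebuilt = build_chain(edited)
    results["edited_and_rebuilt"] = verify_chain(edited, rebuilt, anchor)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Note what this does and does not give you. It tells an auditor whether the records are the same ones that existed when the anchor was taken; it says nothing about whether the sensors were reading correctly in the first place, which is the separate completeness/accuracy/validity testing mentioned above.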

As we know from the increased interest in big data (e.g. it was a big part of the last US federal election), these types of disagreements are going to become more commonplace. It illustrates that financial auditors need to become more proficient in technology and be able to port their skills from the arena of financial information to sustainability and the like.

However, the world waits for no one. 

Non-accountants have already started to dabble in the world of assurance. Although not an audit per se, CloudAudit is an attempt by members of the Cloud Security Alliance to allow potential cloud customers to view "audit artifacts" (which I would translate as source documents or audit evidence) maintained by a cloud service provider and gain some comfort over the state of system controls at that provider. Consequently, if audit professionals choose to stay on the sidelines and stick to the traditional financial audit, some other tech-savvy professional group will fill this gap.

Sunday, February 3, 2013

CNET, CES and Crowd-sourced audits: Independence does matter

In a previous post, I looked at how editorial interference from CBS forced CNET to award the Best in Show category to another contestant because CBS was involved in litigation against the company that actually won Best in Show. The perspective I took was more of a "decision usefulness" perspective: could a reader actually figure out who the real winner was, given the disclaimers?

Others were much more outraged over this lack of objectivity. 

Since my post, Greg Sandoval, a reporter at CNET, has resigned over the controversy (click here to see his tweet). More importantly, the Consumer Electronics Association (CEA) itself has taken a firm stand against this move by CBS. As noted in this press release, it has effectively overturned CNET's decision and awarded Best in Show to both the Hopper and the Razer Edge (effectively CNET's second choice). It is also issuing a request for proposal for "a new partner to run the Best of CES awards program".

Looking at the heart of the issue, the question is how does one maintain independence when reporting on a matter? 

We can take a look at what the Canadian Institute of Chartered Accountants (CICA) and the Canadian Public Accountability Board (CPAB) have written about independence in this publication. On page 7, they cite the International Ethics Standards Board for Accountants (IESBA) and break independence down into two categories:
  • "Independence of mind: The state of mind that permits the expression of a conclusion without being affected by influences that compromise professional judgment, thereby allowing an individual to act with integrity and exercise objectivity and professional skepticism.
  • "Independence in appearance: The avoidance of facts and circumstances that are so significant that a reasonable and informed  third party would be likely to conclude, weighing all the specific facts and circumstances, that a firm’s, or a member of the audit team’s, integrity, objectivity or professional skepticism has been compromised."
The publication also lists a number of threats to independence. The two most relevant to the CNET-CES controversy are probably the "self-interest threat" and the "intimidation threat". Effectively, the reporters' objectivity was set aside in favour of CBS's self-interest emanating from its litigation against DISH (which makes the Hopper).

But the more interesting one to explore is the "intimidation threat". This is most felt by reporters and editors who are pressured to abandon their view in favour of what the parent company wants. And it speaks to a fundamental flaw in journalism: the press depends on money from the companies and others they need to write about. The biggest illustration of this is what went down between Fox News and Jane Akre and Steve Wilson when they were forced to stop reporting on the health effects of drinking milk from cows that had been given Monsanto's bovine growth hormone. The reporters were fired when they refused to give in to the "intimidation threat". They initially won their case under Florida's whistleblower law, but lost when Fox appealed. The reason? The media has no obligation to tell the truth.

So the challenge remains: how does one remain independent when one needs to eat and pay the bills in a free market system? Greg took the principled stance, as Jane Akre and Steve Wilson did, but not everyone can afford to pay that price. People have to pay rent and take care of their families. The reality is that if society really cares about having access to information that has integrity, it needs to pay for it.

Is it time to have audit standards for the media, similar to those used for the financial information produced by public companies?

Although not perfect by any stretch of the imagination (the accounting scandals, à la Enron, serve as an important reminder of the lack of perfection in the system), the way financial information is subjected to testing serves at least as a starting point for understanding what needs to be in place to ensure information has integrity.

Another, probably more plausible, approach is to leverage crowdsourcing and organize it to enable people to comment or blow the whistle on information that is produced in a manner that is inaccurate, incomplete or invalid. The Guardian actually did this for the MPs' expenses: they built an app that allowed ordinary users to analyze MPs' expenses (if interested, check out the Google Docs spreadsheet with this info). As noted in the article, there was another attempt to build such an app (see here for the alternative). This is both good and bad. It's good in the sense that no one organization has the ability to monopolize such initiatives. However, it is bad in the sense that the efforts of the crowd are effectively divided. Regardless, it does illustrate the potential for "crowd-sourced audits".

Sunday, January 20, 2013

Unauthorized Access to China? Value of IT Audits and Control Frameworks

Various media sites and blogs, including the BBC, picked up on the story reported by this blog about one enterprising individual who decided to apply what all the major manufacturing and service companies are doing: outsource work to cheap labour pools in China (and also India). According to the Verizon post, the individual would basically show his face at work and surf the Internet while the developers in China did all the hard work. Although many have attacked him as being lazy and "scamming" the system, the reality is that many enterprises, such as Apple, depend on such strategies for their profitability. Regardless of this debate, ultimately the individual violated his agreement with the company. (I am assuming that he had standard terms of employment that required him to do the work assigned to him and not to provide his credentials to unauthorized users.)

From an information security risk and control perspective, this story is a good one for IT audit and security practitioners to use to highlight the importance of IT control frameworks, risk analysis and audits. The company that discovered the issue was reviewing its security logs. As Andrew Valentine notes in the original Verizon security blog post that reported the incident: "In early May 2012, after reading the 2012 DBIR, their IT security department decided that they should start actively monitoring logs being generated at the VPN concentrator. (As illustrated within our DBIR statistics, continual and pro-active log review happens basically never – only about 8% of breaches in 2011 were discovered by internal log review)." Effectively, the DBIR acted as a control framework: it illustrated the importance of best practices to those who read it. And this is ultimately the role of IT control frameworks. COBIT, Trust Services and ISO 27001/2 all identify the need to log access and to review such access. COBIT 4.1, published by the Information Systems Audit and Control Association (ISACA), identifies the following control in its framework:
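Since the control that caught this was plain log review at the VPN concentrator, here is an added example of what that review can look like in practice. This is my illustration, not Verizon's tooling or the victim company's; the log line format, the IP-to-country table and the user names are all constructed for the example (a real deployment would feed the concentrator's own syslog format and a GeoIP database). It flags two things an analyst would want to see in a case like the one described: a login from a country the organization does not expect its staff to connect from, and a second session for the same account overlapping with one already open from a different country, which is what "the employee is at his desk while his credentials are in use abroad" looks like in the logs.

```python
import re
from datetime import datetime

# Constructed sample log lines in an assumed "key=value" syslog style.
SAMPLE_LINES = [
    "2012-05-07T08:02:11Z vpn01 user=bob src=203.0.113.45 action=login",
    "2012-05-07T08:03:00Z vpn01 keepalive",                      # not a session event
    "2012-05-07T08:05:30Z vpn01 user=alice src=198.51.100.7 action=login",
    "2012-05-07T09:00:00Z vpn01 user=bob src=192.0.2.88 action=login",
    "2012-05-07T12:00:00Z vpn01 user=bob src=192.0.2.88 action=logout",
    "2012-05-07T17:30:00Z vpn01 user=bob src=203.0.113.45 action=logout",
    "2012-05-07T17:35:00Z vpn01 user=alice src=198.51.100.7 action=logout",
]

# Constructed stand-in for a GeoIP lookup (documentation-range addresses).
SAMPLE_GEO = {
    "203.0.113.45": "CN",
    "198.51.100.7": "US",
    "192.0.2.88": "US",
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>login|logout)$"
)


def parse_line(line):
    """Return a dict for a session event, or None for lines we do not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["when"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def review_vpn_log(lines, geo, allowed_countries):
    """Walk the log in time order, tracking open sessions per user.
    Returns (alerts, skipped): alerts are (timestamp, user, reason) tuples,
    skipped is the list of lines that did not parse as session events."""
    events, skipped = [], []
    for line in lines:
        ev = parse_line(line)
        (events if ev else skipped).append(ev or line)
    events.sort(key=lambda e: e["when"])  # concentrators do not always write in order

    active = {}  # user -> {src_ip: country}
    alerts = []
    for ev in events:
        country = geo.get(ev["src"], "??")  # unknown address: treat as suspicious
        sessions = active.setdefault(ev["user"], {})
        if ev["action"] == "login":
            if country not in allowed_countries:
                alerts.append((ev["ts"], ev["user"],
                               f"login from unexpected country {country} ({ev['src']})"))
            other = {c for c in sessions.values() if c != country}
            if other:
                alerts.append((ev["ts"], ev["user"],
                               f"concurrent sessions from {country} and {','.join(sorted(other))}"))
            sessions[ev["src"]] = country
        else:
            sessions.pop(ev["src"], None)
    return alerts, skipped


if __name__ == "__main__":
    found, unparsed = review_vpn_log(SAMPLE_LINES, SAMPLE_GEO, {"US"})
    for ts, user, reason in found:
        print(f"{ts} {user}: {reason}")
    print(f"{len(unparsed)} line(s) skipped")
```

Two practical notes. The second rule matters more than the first: a "permitted" country list is easy to get wrong for a travelling workforce, whereas one account holding sessions from two countries at the same time is hard to explain innocently. And none of this helps if nobody reads the output, which is the 8% figure quoted above.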

DS5.5 Security Testing, Surveillance and Monitoring
"Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed."

Trust Services, jointly published by AICPA and the CICA, requires the following (See the Security Principle, 3.2(g) on page 10):
 "The information security team, under the direction of the CIO, maintains access to firewall and other logs, as well as access to any storage media. Any access is logged and reviewed in accordance with the company’s IT policies."

ISO 27001/2 requires "Audit logging" under control 10.10.1. See page 5 of this sales document from Splunk, a big data company that analyzes logs. ISO sells the standard rather than publishing it freely, so no direct link to the control text could be provided.

The other important aspect of this story is that the individuals who read Verizon's DBIR understood how the control related to a specific risk (if you read the report, the information security controls identified are linked to the risks they manage). Consequently, to get buy-in, IS assurance professionals need to link IT controls and frameworks to the risks they address. Presenting controls in isolation fails to illustrate their importance. It would be interesting if ISACA could either team up with Verizon to publish the next report or map the report to its framework.

Finally, Verizon's work illustrates the importance of IT audit. Organizations that want to stay on top of security threats and risks need competent security and risk professionals who can investigate and analyze risks when they are identified.

Sunday, January 13, 2013

Auditing the Media: Was CNET's CES coverage complete?

As noted in the Tech News Today (TNT) report on Friday, CNET's parent CBS banned its staff from giving Dish's "Hopper" an award as part of their coverage of the Consumer Electronics Show, which wrapped up last week. As reported by CNN, the bottom of CNET's 'Best of CES 2013' page notes the following:

"The Dish Hopper with Sling was removed from consideration due to active litigation involving our parent company CBS Corp. We will no longer be reviewing products manufactured by companies with which we are in litigation with respect to such products."

Some may point to this as a legal risk management move: CBS had to stop CNET from giving the award to Dish to avoid it being used against CBS in court. However, Iyaz Akhtar, a non-practicing lawyer and host of TNT, noted in his commentary on the issue that CNET awarding a prize would have little impact on the course of the litigation (but listen to the show for the proper context and for how he worded this; he is careful to avoid any misrepresentation and this is not an exact quote).

The real issue, in my humble opinion, is whether the media can be relied on to report on issues objectively. One could say that CNET's lack of independence on the matter makes its reporting of CES lack objectivity. This is the standard of care a financial auditor is held to when auditing a company. For example, auditors are prevented from holding stock in the companies they audit. Should the media be held to the same standard?

For me this incident illustrates how the concepts of financial information integrity are portable to other arenas, such as understanding news coverage. Financial information produced by companies listed on stock exchanges is subjected to intense scrutiny and regulation. Accountants/auditors were required to develop a framework to analyze how financial information can be provided to investors in a reliable manner that enables them to make effective investment allocation decisions. This financial "information production" process is essentially similar to the "information production" process of the media: data is gathered, summarized and presented to the user/reader to make a decision. That last step is the key. For example, if someone is going to rely on CNET's CES coverage to understand the best products out there, then they could make an erroneous decision because CNET did not cover Dish's product.

The following is a list of audit objectives (i.e. completeness, accuracy, etc.) that financial information must meet in order to be reliable for decision-making purposes.

  • Completeness – is the information presented complete, i.e. is everything that is out there included in the medium
  • Accuracy – is the information congruent with the original event
  • Timeliness – was the information reported in time to be useful to the user
  • Validity – does the information faithfully represent the underlying reality that is presented
Another important concept, especially for media coverage, is "presentation and disclosure": is the presentation of the information impartial? In financial statements, companies may engage in transactions to alter the presentation of items, e.g. bury accounts payable in accounts receivable so the user cannot accurately assess the ratio of current assets to current liabilities. The media have even greater latitude to do this. I don't mean to pick on the CNET people, because they at least tried to inform the reader about their conflict, but the disclosure they included sits at the bottom of the article and not at the top, so some readers may miss it.

Overall, it's hard to say whether the coverage lacked integrity and, more specifically, whether it was "incomplete". On the one hand, one could argue the analysis was incomplete because it excluded Dish's product. On the other hand, CNET did provide full disclosure, even if it is buried at the bottom, and one can easily search for Dish's product on the Internet and see what other reviewers are saying (such as PCMag's review). But the incident does illustrate that media consumers need to be aware of such risks and do their best to understand where corporate conflicts exist and how such coverage can be biased.

Sunday, January 6, 2013

Social Media & Privacy: The Return of the Village

Some of you with connections to the younger folk may have heard of SnapChat. The promise of the application was that it would allow its users to share images that would be deleted within a few seconds of being transmitted. A similar app and function is offered by Facebook under the name Poke. The hope was that such an app would protect the privacy of its users by maintaining the confidentiality of the messages sent. However, CNET uncovered (based on the blog BuzzFeed FWD) that it is quite easy to get around the controls:
"an iPhone user simply has to plug the smartphone into a computer, navigate to the phone's internal storage, and find the folders for Snapchat and Poke where the videos are stored locally. The user can then copy the videos from the phone to the computer to sneak a peek at them. In BuzzFeed's testing, this bug applied only to videos; photos didn't appear to show up."

The workaround, if you will, illustrates something we already know: there is always a way around such controls, so they offer limited privacy protection at best. Once the video has been delivered, it sits on the recipient's device, and the "delete after viewing" promise depends entirely on the recipient's copy of the app doing the deleting; anyone with access to that device's storage can simply copy the file out before the app gets to it. The reality is that once something gets online it's out there forever.

I try to make the next generation of accounting students aware of these risks during the Masters course I teach at the University of Waterloo by getting them to pull articles on how posting on Facebook can undermine one's career and professional prospects (here is a blog that compiles social media faux pas that resulted in someone losing their job). As the then CEO of Sun Microsystems (now owned by Oracle), Scott McNealy, stated back in 1999, "You have zero privacy anyway. Get over it."

Over the summer, I had some time to think about privacy and social media as I was researching the phenomenon. One of the thoughts that struck me was that social media actually represents the "Return of the Village". Being an urbanite myself, I am used to living in the city or the suburbs, where people "mind their own business". However, that's not how life is in the traditional village. In the village, everybody knows everybody and word gets around quickly about people's affairs. There, just as in the online world, if you don't want anyone to know something, don't tell anyone about it. Consequently, privacy has always been limited in a village context. However, as Jeff Jarvis argues in his book Public Parts, there are benefits to living life publicly. In other words, by living in the "online village" we get the benefits of community that were hard to find in the more individualistic urban setting. A couple of examples that illustrate this concept:

When developing a controls strategy around social media, it is important to keep the human element at the centre of the strategy. As illustrated by SnapChat, technology-centric controls can be easily circumvented. Furthermore, when considering the risks of employees contributing online, it is important to remember that it is hard to separate one's professional world in the corporate cubicle from one's personal life. Consequently, governance and controls need to address the people rather than relying solely on technological solutions, such as data loss prevention tools. For example, Microsoft relies essentially on its people to police themselves and to post things that are in line with Microsoft's corporate culture. In other words, techno-centric solutions can supplement governance controls, but they don't supplant them.

Protecting oneself from privacy breaches requires vigilance. Some avoid social networks altogether for just this reason. That being said, such people are in the minority (I poll students annually as to whether they are on Facebook: a handful have given it up because it is a waste of time, and I've found one or two who gave it up for privacy reasons). Others try to mitigate such risks through "social controls". For example, in The Facebook Effect, the author notes how college students hold no-cellphone, no-camera parties to keep illegal activities from finding their way online. It may seem like a weak control, because anyone can sneak a camera into the party. What this misses is that the control is social in nature: people won't take pictures because they want to be invited to the next party!

Ultimately, the real test of social media will be how it is used against people who do not conform to the norm. For example, what would happen if employers discriminated against people who support the Occupy Wall Street movement? If people go along with such discrimination, social media essentially becomes a way to enforce conformity in society. Conversely, if such discrimination is opposed, it would lead to a more open society, as the threat of social sanction (e.g. being unable to find employment) is effectively removed.