Showing posts with label Verizon. Show all posts

Wednesday, July 27, 2016

Reflections on the demise of Yahoo!

By now we've all heard that Yahoo!'s web assets were bought by Verizon. According to the Wall Street Journal, Verizon paid $4.83 billion in cash for the assets. Yahoo itself will continue to hold the remaining assets but will eventually change its name and become an investment company. In total, the company was rumoured to be worth $6 billion.

For us Gen Xers this is an interesting day: we witnessed the end of a company we saw as innovative and fresh just a "few" (read: ~20) years ago.

I was recently explaining to a young lad in his early 20s about life before the Internet: you had to find books at the library and it was almost impossible to connect socially with people beyond your classmates. So to use Yahoo or other search engines to access information or people was a completely new and mind-blowing concept.

As I noted in this post commemorating Google's 17th anniversary:

"It's especially memorable for those of us who were in university in the late 90s because we had access to high speed internet on campus unlike the painfully slow dial-up at home. 

I remember my first job as a co-op student at the UW Federation of Students (I can't believe this quote is still hanging around from that time!) when a co-worker was explaining to me how OpenText was the best search engine (of course using my Netscape browser). Of course back then there were a number of search engines, including Yahoo, Lycos, AltaVista, etc. However, I stuck to OpenText for a while then eventually switched, along with everyone else, to Google... Well, Lycos, OpenText (as a search engine) and AltaVista may be long gone, but it looks like plaid is back!"

So now we can add Yahoo! to the pile of "has-been" search engines.

Beyond nostalgia, I had the following reflections on the Verizon acquisition of Yahoo based on the WSJ article above:
  • Verizon is no longer just pipes: Verizon has a strategy to move beyond just serving mobile and broadband services. Verizon is adding Yahoo to its existing portfolio of content plays, such as AOL. For Verizon, it's an overall strategy to make billions through content and advertising. Net neutrality can potentially limit their ability to use this vertical integration to undermine competition, but regardless it shows how being a "pipes-only" company is not enough. Of course it is a bit ironic that former rivals, Yahoo and AOL, are now sitting in the same tent.  
  • Big Data is monetized at the expense of privacy: The ability of Verizon to combine the data from its various content plays is a great illustration of a point that I have noted before: for big data to achieve value it must water down privacy. Since the value of combining the data is synergistic (i.e. instead of just being additive), it could be argued that it's something that a user should explicitly consent to, because a user may simply not want Verizon to use their Yahoo data this way.
  • Remember the Internet Bubble? Yahoo! had a market capitalization of "more than $125 billion at the height of the dot-com boom in early 2000", which is quite a steep decline to $6 billion. I wonder if it ever produced the cash flows to justify that valuation. 
  • Algorithms win over people: WSJ today published a good read comparing the algorithmic approach of Google with the manual effort otherwise required to index the Internet. This is similar to Amazon, which found that algorithms do better than humans at getting people to buy things: "Amabot replaced the personable, handcrafted sections of the site with automatically generated recommendations in a standardized layout," according to The Everything Store, a new book exploring the history of Amazon. "The system handily won a series of tests and demonstrated it could sell as many products as the human editors."
  • Innovation and exponential thinking: On a separate but related note, Yahoo could have bought Google for $3B in 2002 but it didn't. It's a great example of how Google embraced leading-edge technology to deal with the exponential growth of the Internet, and of how Yahoo's inability to recognize Google's approach as the winning approach led to its demise.

Yahoo! is now literally a shell of its former self - both in structure and the assets it holds. However, it's a good case study of how failing to identify exponential trends - and acting on them - can ultimately lead to disaster.

Wednesday, September 4, 2013

Verizon Mobile Push into Canada Evaporates: The Data Privacy Angle

Canadians had been anxiously awaiting the entrance of an American telecom giant into the Canadian mobile market. For years, Canadians have lived under the domination of a few giant players, which has resulted in Canadians paying some of the highest - if not the highest - cell phone rates in the world.

The government of Canada actually dedicated a website, which illustrates the level of concentration in the market. Apparently, to address the issue, "Ottawa rolled out the red carpet to attract the U.S. mobile giant in the hopes of establishing a fourth mobile competitor in all provinces - not only in Quebec, where Quebecor’s Vidéotron is giving the Big Three a run for their money." (See the Globe & Mail article for the full context of the quote.) As this Globe & Mail article suggests, the hope was that Verizon would enter the market and force the incumbents to offer better prices.

However, Verizon announced that it has cancelled any plans to enter the Canadian market, thus dashing these hopes.

An interesting point to note, however, is the data security and privacy angle that the incumbents took to bolster their case to the Canadian public. As per the FairForCanada website (which is supported by the Big 3 Telecoms), they claim:
"Who do you want to own your private data? 

Across the country, Canadians use their wireless devices to make calls, send text messages and emails, and browse the internet every day. That information should be safe, secure, and private. 

Will American companies say no to requests from U.S. government agencies, for customers’ personal data? 

Canadian wireless providers have a solid track record of protecting your data in compliance with Canadian laws. But what will happen with regard to the data of Canadians in the hands of foreign-owned wireless carriers? What laws will regulate the protection of your information? This is not a trivial issue. It is one that should be of concern to all Canadians."

It seems that the advocacy group was riding the fear of Canadians that the US will have access to their data.

It seems they have done their research.

As noted in this ZDNet article, "Since being signed into law in 2001, the Patriot Act has been cited as a viable reason for Canadian companies, government departments and universities to avoid the cloud due to the close proximity to the United States". In other words, fear of US surveillance has led to low demand for US-based cloud services. Applying the same logic, the incumbents were playing on this same fear so that Canadians would stick with them.

However, this is only part of the truth. The reality is that Canadian companies have had to comply with similar legislation that requires them to divulge data to Canadian law enforcement. As noted by the Office of the Privacy Commissioner of Canada:

"In the national security and anti-terrorism context, Canadian organizations are subject to similar types of orders to disclose personal information held in Canada to Canadian authorities. Despite the objections of the Office of the Privacy Commissioner, the Personal Information Protection and Electronic Documents Act has been amended since the events of September 11th, 2001, so as to permit organizations to collect and use personal information without consent for the purpose of disclosing this information to government institutions, if the information relates to national security, the defence of Canada or the conduct of international affairs."

This is on top of the recent CSEC scandal (where the secretive agency is alleged to have illegally spied on Canadians), but one could argue that such surveillance was actually illegal. Ultimately, I had hoped Verizon would have entered the market, but only to push down the rates. I would have ended up sticking with the Canadian mobile carriers because the data is, one way or another, in one jurisdiction.

However, all is not lost in terms of lower rates in the cell phone market.

It seems the government is hoping to entice voters by tackling a problem, which does impact the productivity of Canadians (see this post which compares Canadian mobile access to access in India/China). For example, the CRTC has mandated a number of changes to the cell phone contracts that the wireless industry can legally offer, such as restricting the minimum contract length to two years.

But from a data privacy perspective, it seems the only way to get privacy these days is to live a technology-free lifestyle of yesteryear!

Sunday, January 20, 2013

Unauthorized Access to China? Value of IT Audits and Control Frameworks

Various media sites and blogs, including the BBC, picked up on the story reported by this blog about one enterprising individual who decided to apply what all the major manufacturing companies and service companies are doing: outsource work to cheap labour pools in China (and also India). According to the Verizon post, the individual would basically show his face at work and surf the Internet, while the developers in China were doing all the hard work. Although many have attacked him as being lazy and "scamming" the system, the reality is that many enterprises, such as Apple, depend on such strategies for their profitability. Regardless of this debate, ultimately the individual violated his agreement with the company. (I am assuming that he had standard terms of employment that required him to do the work assigned to him and not to provide his credentials to unauthorized users.)

From an information security risk and control perspective, this story is a good one for IT audit and security practitioners to highlight the importance of IT control frameworks, risk analysis and audits. The company discovered the issue because it was reviewing its security logs. As Andrew Valentine notes in the original Verizon security blog post that described the incident: "In early May 2012, after reading the 2012 DBIR, their IT security department decided that they should start actively monitoring logs being generated at the VPN concentrator. (As illustrated within our DBIR statistics, continual and pro-active log review happens basically never – only about 8% of breaches in 2011 were discovered by internal log review)." Effectively, the DBIR acted as a control framework. It illustrated the importance of best practices to those that read it. And this is ultimately the role of IT control frameworks. COBIT, Trust Services and ISO 27001/2 all identify the need to log access and review such access. COBIT 4.1, published by the Information Systems Audit and Control Association (ISACA), identifies the following control in its framework:


DS5.5 Security Testing, Surveillance and Monitoring
"Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed."

Trust Services, jointly published by AICPA and the CICA, requires the following (See the Security Principle, 3.2(g) on page 10):
 "The information security team, under the direction of the CIO, maintains access to firewall and other logs, as well as access to any storage media. Any access is logged and reviewed in accordance with the company’s IT policies."

ISO 27001/2 requires "Audit logging" under 10.10.1. See page 5 of this sales document from Splunk, a big data company that analyzes logs. ISO keeps this document confidential and so no direct link to the control could be provided.
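As an added illustration of the VPN log review these controls call for (not code from the Verizon post or any of the frameworks), the sketch below flags VPN connections that come from an unexpected country or that start while the account holder is already on-site. The log format, the network-to-country table, the on-site records and all user names and addresses are constructed assumptions.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample VPN concentrator log: timestamp, user, source IP, event.
# Addresses are from RFC 5737 documentation ranges; none are real.
SAMPLE_VPN_LOG = """\
2012-05-07T08:55:12,alice,198.51.100.23,connect
2012-05-07T09:02:41,bob,203.0.113.77,connect
2012-05-07T17:31:09,bob,203.0.113.77,disconnect
2012-05-07T18:10:00,alice,198.51.100.23,disconnect
2012-05-08T09:01:03,carol,192.0.2.14,connect
"""
# Assumption: a small local table stands in for a real GeoIP database.
NET_COUNTRY = {"198.51.100.0/24": "US", "203.0.113.0/24": "CN", "192.0.2.0/24": "US"}
EXPECTED_COUNTRIES = {"US"}
# Constructed on-site evidence (e.g. desktop logon sessions): user -> intervals.
ONSITE = {"bob": [("2012-05-07T08:50:00", "2012-05-07T17:05:00")]}

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, country in NET_COUNTRY.items():
        if addr in ipaddress.ip_network(net):
            return country
    return "UNKNOWN"  # unmapped sources are treated as unexpected

def onsite_at(user, when):
    return any(datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end)
               for start, end in ONSITE.get(user, []))

def review(log_text):
    """Return (timestamp, user, ip, reasons) for each suspicious VPN connect."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4 or row[3] != "connect":
            continue  # skip malformed lines and non-connect events
        ts, user, ip, _ = row
        reasons = []
        country = country_of(ip)
        if country not in EXPECTED_COUNTRIES:
            reasons.append(f"source country {country} not expected")
        if onsite_at(user, datetime.fromisoformat(ts)):
            reasons.append("VPN connect while user is on-site")
        if reasons:
            findings.append((ts, user, ip, reasons))
    return findings

if __name__ == "__main__":
    print(*review(SAMPLE_VPN_LOG), sep="\n")
```

On the constructed sample, only the `bob` session is reported, and it trips both checks, which is the pattern the story describes: an employee present in the office while his credentials are in use over the VPN from elsewhere.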

The other important aspect of this story is that the individuals who read Verizon's DBIR understood how the control related to a specific risk (if you read the report, the information security controls identified are linked to the risks they manage). Consequently, to get buy-in, IS assurance professionals need to link the IT controls or frameworks to the risks they address. Presenting controls in isolation fails to illustrate the importance of such controls. It would be interesting if ISACA could either team with Verizon to publish the next report or actually map the report to its framework.

Finally, Verizon's work illustrates the importance of IT audit. Organizations that want to keep on top of security threats and risks need to have competent security and risk professionals that can investigate and analyze risks when they are identified.