Beaten Up by Big Data Analytics

Posted by K Krasnow Waterman on Thu, Jan 16, 2014 @ 10:01 AM

Tags: privacy technology, accountability, data mining, big data, b2b customer service technology, privacy, analytics, risk management, forensics

Big data analytics and I have had our first personal run-in.  Last year, I wrote and spoke about the risks of big data analytics errors and the impact on individuals' privacy and their lives.  Recently, I observed it happening in real time... to me!  One of Lexis's identity verification products confused me with someone else and the bank trying to verify me didn't believe I am I.  I was asked three questions, supposedly about myself; the system had confused me with someone else, so I didn't know the answers to any; and the bank concluded I was a fraud impersonating myself!

Here's how it played out.  I was on the phone with a bank, arranging to transfer the last of my mother's funds to her checking account at another bank.  The customer service representative had been very helpful in explaining what needed to be done and how.  I have power of attorney, so have the right to give instructions on my mom's behalf.  However, before executing my instructions, the representative wanted to verify that I am who I claimed to be.  

In the past, companies confirmed identities by asking me to state facts that were in their own records - facts I had provided, like address, date of birth, last four of Social Security Number.  Instead, the representative informed me, he would be verifying my identity by asking me some questions about myself from facts readily available on the internet.

The good: That's a pretty reasonable concept.  The typical personal identifiers have been used so much that it's getting progressively easier for other people - bad guys - to get access to them.  In a 2013 Pew survey, 50% of people asked said their birthdate is available online.  The newer concept is that there are so many random facts about a person online that an imposter couldn't search their way to the answers at the speed of normal questions and answers.

The bad: The implementation doesn't always match the concept.  The customer service representative asked me "What does the address 7735 State Route 40 mean to you?" Nothing. I later Googled to find out where this is; I don't even know the town. 

"Who is Rebecca Grimes to you?" To me, no one, I don't know anyone by that name.  "Which of the following three companies have you worked for?"  I had never worked for any of the three companies with very long names.  I explained that I lead a relatively public life, that he could Google me and see that I'd worked at IBM, JPMorgan, etc. That might have been my savior, because next he patched in someone from security to whom I could give my bona fides.  With my credentials in this arena, a google search, and answering the old fashioned questions, the security staffer told the customer service rep he was authorized to proceed.

The ugly: The rest of the population is not so lucky.  They can't all talk their way past customer service or play one-up with the Information Security staff.  And, big data has some pretty big problems.  In 2005, a small study (looking at 17 reports from data aggregators ChoicePoint and Axciom and less than 300 data elements) found that more than two thirds had at least one error in a biographical fact about the person. In that same year, Adam Shostack, a well regarded information risk professional, pointed out that Choicepoint had defined away it's error rate by only considering errors in the transmission between the collector and Choicepoint, thus asserting an error rate of .0008%.

Fast forward, Choicepoint is gone, acquired by LexisNexis in 2008.  My particular problem, the bank InfoSec guy told me, was coming from a Lexis identity service.  In 2012, Lexis Nexis claimed a 99.8% accuracy rate (0.02% error), but I was skeptical given the ways accuracy and error can be defined.  

The problem, though, is larger.  At the end of 2012, the Federal Trade Commission did a larger study (1,001 people, nearly 3,000 reports) of credit reporting, another form of data aggregation and one that typically feeds into the larger personal data aggregators.  That study found that 26% of the participants found at least one "material" error, a mistake of fact that would affect their credit report or score.  One in four people found a credit-related error. The FTC did not count other factual errors but this provides a sense of the scale of error still being seen today.


In the FTC study, approximately 20% of the participants sought a correction to their report and 80% of those got a report change in response.  About 10% of the overall participants saw a change in their credit score. Appropriate to today's blog topic, the report table above shows that data vendors agreed with more than 50% of the complaints that they'd mixed in someone else's data.

The individual today has the choice between regularly chasing after big data analytics errors or suffering the consequences of mistaken beliefs about themselves.  Some very prominent folks in the Privacy policy sphere have told me this isn't a privacy issue.  I think they're wrong. The Fair Information Practices, which have been in use since the 1970's and form the basis for much of the privacy law and policy around the world, include the requirement that those entitites handling personal information ensure that it is accurate.  How much sense would it make if you have a privacy right to keep people from using accurate data in harmful ways, but no privacy right to keep them from using inaccurate data in the same harmful ways?



Article has 0 Comments. Click here to read/write comments

Pure Democracy & the RoboDialer

Posted by K Krasnow Waterman on Sun, Nov 24, 2013 @ 17:11 PM

Tags: technology innovation, technology implementing law, public policy, legaltech

The ultimate digital townhall has arrived, and with it, have we seen the flicker of opportunity for pure democracy?  A recent experience tells me the time has arrived for a bold politician to consider offering an experiment in such democracy.

A few evenings ago, my home phone rang.  When I answered, a robodialer asked if I'd like to join the Town Hall being conducted my my local Congresswoman, where her team was available to answer questions on the Affordable Care Act and the insurance process.  I pressed the assigned key and was dropped into a conversation in which other constituents were queing up, asking questions, and getting answers, all shared with everyone one the line. 

I want to be clear - I had not signed up or indicated interest in any way.  I have not yet been able to confirm, but it appeared that the robodialer called the home of every voter in the district and the call had no limit on participants.  Kudos to my Congresswoman, Carolyn Maloney, because her assembled team answered a myriad of diverse questions during a call that went on for a long time.

During the course of the call, one of the staffers would occasionally ask a survey question and ask the constituents to enter their vote through their phone keypad.  This is when my enthusiasm really picked up. 

When I first moved to New York City many years ago, before email and the web, I wondered if the sheer proximity of an entire constituency would make it possible to experiment with truly representative government, for an elected official to actually accumulate the opinion of the people on an issue and vote according to the majority. At the time, I envisioned ballots dropped in stacks at buildings, or delivered with the newspaper, or some equivalent.  The logistics of collecting the returns were achievable but labor intensive.

In the mechanics of this digital town hall call, were the mechanisms for achieving such an experiment. The robodialer combined with Q&A for difficult details and a phone survey would make it possible to get meaningful and representative constituent input.  And, this can be done asynchronously, so no need to get all constituents at the same moment.

When I speak about LegalTech innovation, this is the sort of thing I'm envisioning.  With all due respect to those who are offering enhanced document management applications for the legal profession, that's not what I'm seeking.  Technology offers the opportunity to implement the law as we know it in completely new ways, or to create wholly new legal paradigms.  Here is the opportunity for a bold politician to offer to represent his or her constituents in the most pure form of democracy.  Any takers? 




Article has 3 Comments. Click here to read/write comments

Risks in Big Data Predictions

Posted by K Krasnow Waterman on Tue, Jun 11, 2013 @ 09:06 AM

Tags: technology for lawyers, accountability, data mining, big data, technology for business managers, public policy, privacy, knowledge discovery, analytics, risk management

The Centre for Information Policy Leadership is holding its annual membership retreat in Washington this week. The topic is Innovation, Risk, and Big Data.  I'll be kicking off the program with a discussion of the risks of getting big data analysis wrong and some risk management questions responsible managers should ask.  As someone who has often discussed law and policy with other lawyers or technology with other techies, I always enjoy the opportunity to bridge the gap.  I'll be taking a fast walk through the steps in the knowledge discovery process and provide examples and statistics of some of the likely errors in each.  This is in concert with an article I'm co-authoring on the topic and both will be posted here soon.
Article has 0 Comments. Click here to read/write comments

Winners at Disrupt Law!! Spark-athon (InternetWeekNY)

Posted by K Krasnow Waterman on Sat, May 25, 2013 @ 11:05 AM

Tags: software development, legaltech, entrepreneur

In the midst of torrential downpour and flash floods, more than fifty intrepid developers and lawyers turned out for Internet Week NY's Disrupt Law!! Spark-athon.  Soggy and enthusiastic, they networked for new legaltech in a great space provided by WeWork Labs in Soho. 

K & Sparkathon Winnersdescribe the image

Dreamhost prizes were won by Hector and Paul (below left) for their ideas and enthusiasm.  We're not going to spill the beans about those here - LawTechIntersect has promised to host a VC/Angel pitch night if four new ventures were sparked!  The crowd was pin-drop quiet for great talks by Tom Chernaik (CEO, CMP.LY), Steven Cherry (Journalist, @TechWisePodcast), and Matt Hall (Founder, Docracy).  Tom announced CMP.LY's exciting new Command Post product!  Steven taught us we better get working on our kaggle score.  And, we saw a real live Docracy-crush by a very happy user.   

describe the imagedescribe the image

Thanks are due to volunteers Jennifer, Jared, Taier, Matthew, and Lesley, and for the help from Jonathan Askin.  Thanks, too, for support from the members of New York Tech Meetup, New York Legal Hackers, and nyhackers!

Article has 0 Comments. Click here to read/write comments

Disrupt Law!! Spark-athon (InternetWeekNY) - UPDATE

Posted by K Krasnow Waterman on Thu, May 23, 2013 @ 08:05 AM

Tags: technology implementing law, technology for lawyers, Internet Week, legaltech, entrepreneur, startup, IWNY

The Disrupt Law!! Spark-athon is sold out!  I knew it would be exciting to put on an InternetWeekNY event.  We're bringing together Matt Hall (Founder, Docracy), Tom Chernaik (CEO, CMP.LY), and Steven Cherry (Journalist, @TechWisePodcast) to inspire 25 lawyers and 25 hackers brainstorming new legaltech projects and ventures. We added in a happy hour - the space and the beer donated by WeWork Labs in Soho - and prizes - Grand Prize donated by Dreamhost.


But, I had no idea how exciting it would be.  We've got a waiting list! We've received tremendous support from the New York  Legal Hackers and the nyhacker meetups. Jonathan Askin, a noted tech law professor, is going to participate.  Extra thanks to him for pitching in getting the word out and adding volunteers. And, Josh Kubicki, author of the TechCocktail blog I've been quoting, has come in from Cincinnati to participate!






Article has 0 Comments. Click here to read/write comments

Disrupt Law!! Spark-athon (InternetWeekNY)

Posted by K Krasnow Waterman on Mon, May 06, 2013 @ 18:05 PM

Tags: technology implementing law, technology for lawyers, Internet Week, legaltech, entrepreneur, startup, IWNY

I'm a fan of InternetWeekNY - now 45,000+ New Yorkers mingling to teach, pitch, and network all manner of things web.  So, this year, I'm the proud sponsor of an event.  On Thursday, May 23, from 4pm to 6pm, I'll be hosting DISRUPT LAW!! SPARK-ATHON in Soho.  

The event will include speed-networking and collaborative brainstorming among 25 innovation-oriented lawyers and 25 venture-seeking hackers/developers.  The goal is to spark new legaltech ventures in disruptive legal technology.  For those not in the startup scene, that's "disruptive" as in "ground-breaking innovativion" NOT as in "breaking someone else's technology.'" 

Motivating descriptions of successful ventures will be provided by Matt Hall, co-founder of Docracy; Tom Chernaik, CEO of CMP.LY; and one more surprise.  Docracy was the winner of the TechCrunch Disrupt NY Hackathon in 2011; it offers an open collection of legal contracts and a mechanism to negotiate and sign documents online.  CMP.LY provides a full and creative suite of tools for compliance and risk management for social media.  And, of course, there'll be a little something to eat and drink.

I haven't been this excited since I created the LinkedData Lab, which launched new careers and companies.  Can't wait to see what Disrupt Law!! brings!  

Click here to reserve your ticket

Follow this event on twitter - #DisruptLawIWNY

Article has 0 Comments. Click here to read/write comments

A lot of catching up to do...

Posted by K Krasnow Waterman on Sun, May 05, 2013 @ 16:05 PM
This blog has been dormant for quite a while due to a contractual agreement that included a publications clause.  Stay tuned for both new blogs and a few that will cover the past.
Article has 0 Comments. Click here to read/write comments

The Cross-Border eDiscovery Challenge & The Possible Accountable Systems Solution

Posted by K Krasnow Waterman on Thu, Jun 18, 2009 @ 13:06 PM

Tags: access control, technology implementing law, privacy technology, technology for lawyers, accountability, knowledge discovery for litigation, information management, data protection, digital evidence, technology for business managers, global outsourcing, information security, digital rights, privacy, eDiscovery, forensics

Cross-border eDiscovery is a hot topic this year. The decreased cost of storage has resulted in nearly everyone retaining massively greater quantities of information. Email and the Web have driven a shift in data to less formal, less structured records and files. And, globalization of business has caused the relevant information for an increasing number of lawsuits to be spread among multiple countries. Courts have instituted new rules for how parites will engage in discovery related to this digital evidence. And, these new rules are putting some lawyers in the cross-hairs of other governmental digital control activities. Lawyers, by and large, are not technologists and the challenges arising from handling this mass of distributed data are proving daunting. Technology vendors are offering significant assistance but still more is required.

Discovery, at its simplest, is the concept that one party to a lawsuit can learn what the opposing party knows that is relevant to the resolution of the case. In the US, this had long been accomplished through gamesmanship and strategy (think, hide-and-seek meets go-fish) while, for example, the UK had moved on to affirmative disclosure, the idea that each side needs to identify the truly relevant and provide it. In either case, the parties have needed to decide what data to preserve and how to search it. For a variety of reasons, corporations are adding and deleting data all the time -- doing things like updating client or supplier addresses, changing prices, adding sales, marking deliveries. So, typically, one needs to select a moment in time that's relevant to the issues in a lawsuit and look at all data from that time or up until that time. This is no easy task, as the challenges of selecting the moment, deciding how to save the data, and which tools will provide the best search result are all subject to debate.

Handling a case that involves data in multiple countries compounds the challenge. The EU has had detailed and tightly controlling rules about the handling of information about people by commercial entities for nearly thirty years. By comparison, the US historically has had a comparatively limited concern about the privacy of people whose identities appear in commercial files. For example, in many cases EU rules prohibit making the sort of "moment in time" copy of entire systems described in the last paragraph and have rules that as a practical matter prohibit sending data about people out of the country. Recently, these rules have come into head-on conflict with courts in the US requiring that certain information be turned over in discovery. The decision not to violate the EU rules has resulted in some significant financial penalties being imposed by US judges, while the decision to violate the EU rules and provide the data in the US has resulted in some equally significant financial penalties being imposed by European judges, leaving litigators between a rock and a hard place.

Much discussion is ongoing about ways to resolve this problem. For example, governmental, public policy, and commercial bodies are discussing possible changes to their rules. New forms of insurance may be offered to indemnify parties caught in the current situation. At the same time, there is a quiet march forward of new technologies which may resolve some of the issues. For example, systems that track each data transaction at a very granular level and account for their compliance with rules, called "accountable systems", are in development. Such systems would make it possible to understand the data in the system at a particular moment in time without requiring a "copy" to be made. And, they would be able to recognize competing data rules and apply the correct ones, wherever the resolution of a rules conflict is possible.  In theory, this technology might also make it possible to transfer the substantive portions of the information without the personal information, so that the parties could define very small subsets that are relevant and actually required to be disclosed, thus limiting the release of personal information to subsets so small that requirements, like notice to the individuals in the data, could reasonably be met.

While this new type of technology offers promise for resolving some of the cross-border eDiscovery challenges without requiring any jurisdiction to change its rules, it has drawn relatively little attention in this context to date.  Perhaps this is because the technology needs to be refined and then implemented in the day-to-day digital business practices of organizations before it can be capitalized upon to address this issue.  How long it will be before this occurs will be driven by how quickly people recognize the problems this technology can solve.

Article has 0 Comments. Click here to read/write comments

Legal Standards in a Technologically Bifurcated World

Posted by K Krasnow Waterman on Thu, Jan 29, 2009 @ 10:01 AM

Tags: access control, identity management, technology implementing law, privacy technology, technology for business managers, law about technology, public policy, technology b2b customer service, information security

It's not news that our society is divided into technological haves and have-nots.  Much has been written about the advantages lost or gained - education, professional, and social - based upon the primacy and recency of one's technology.  Recently, I've become increasingly attuned to another place where technological caste matters -- legal standards. 

It's been clear to me for quite some time that the lawyer who resonates with technology can do more successful and faster legal research; propound vastly superior discovery requests; and produce substantially more incisive disclosures.  It's now becoming increasingly clear to me that the law itself is being skewed by those of us who live to keep up with the next big thing in technology.  Debates among lawyers rage in my email inbox about the differences in things like encryption technologies and metadata standards, with lots of cool techie references to things like ISO, NIST, Diffie, OASIS, and XACML.  

In the meantime, I was on the the Social Security Administration website the other day and they wanted me to use an eight digit alphanumeric password (case insensitive, no special characters) to upload W2 and other sensitive tax information.  My bank's brokerage affiliate is using the same outdated and readily hackable password technology  I still see commercial and bar association websites seeking personal and financial information without indicating that they're using SSL or some other baseline method of securing the information.  I still get requests from security professionals to email my Social Security Number.  If you're not particularly technical, trust me, none of these are good things.

The distance between these two realities has got me thinking about all the places that these two technological castes will be competing to set legal standards.  For example, does a "time is of the essence clause" apply the perception of time of a blackberry owner or a person without a laptop?   

As the new administration provides the first coordinated national focus on technology, I'd like to add this to the list.  Perhaps the new national CTO (yet to be appointed) could work with the American Bar Association and other leaders to identify a rational strategy for standards setting in such a technologically bifurcated society.




Article has 0 Comments. Click here to read/write comments

Campaign Hacking a Reminder for Email Security

Posted by K Krasnow Waterman on Fri, Nov 07, 2008 @ 12:11 PM

Tags: access control, technology for lawyers, data protection, technology for business managers, information security, technology management, forensics, cyber-security

Computer hacks were the topic of tech news on the day after Senator Obama's historic election. On Wednesday, Newsweek reported that the Obama and McCain campaigns were the subject of computer hacks during the campaign.  The Obama campaign reported a possible email phishing attack this past summer.  They were ultimately told by federal authorities that both the Obama and McCain campaign computers had been compromised. Reports are circulating that the attacks came from a "foreign entity" and lifted significant amounts of data from both campaigns.

Also on Wednesday, malware creators took advantage of the tremendous interest in the election and began sending emails with "Obama" somewhere in the subject line.  The most common subject lines promised video of a speech, additional election coverage, or new interviews.  One security company alone reported that it had filtered more than 10 million emails in less than 6 hours on Wednesday morning.  Apparently, hundreds of thousands of people sought to open them and were instead infecting their computers with malware.

These two events highlight the importance of email security.  This is the first major election heavily conducted, financed, covered, and influenced on the web.  It reflects the transition to technology for ever-increasing numbers of the population.  And, it reflects our ready acceptance of the transition.

Too many people assume that their spam filter, anti-virus software, etc will protect them.  Yet, any technology professional will tell you that firewalls and software alone are not enough to protect a computer from data theft or destruction.   They'll also tell you that emails are the easiest means of attacking computers because people still act before they think. A huge percentage of hacks rely on "social engineering" - convincing a person to do something that works to the hacker's benefit.  

Education is still a significant tool in the computer security arsenal.  Users must learn to stop and ask themselves whether the email is likely to be what it seems.  First the easy questions: How likely is it that some stranger will really send you millions of dollars?  Is your US bank really going to send you any request from an email address that doesn't contain the company name?  And, if your friend really did lose a wallet on a spur-of-the-moment vacation how likely is it that she'd email you for a credit card number instead of calling her husband, the consulate, or American Express for help?

Is it possible to go the next step and teach users a little technology?  They should always check to see if the attachment they're about to open like a present on Christmas morning ends with ".exe" (a file that will execute some program).  If it does, they should beware and seek tech support.  Or can we teach them to look at the "properties"  of the link they're about to click, see the web address ("URL") and recognize that the source is the wrong country?  A quick look at the domain registry will make it pretty obvious that something that purports to come from around the corner has a two letter code that means it's really coming from a country around the the world.

With so much hacking going on, the problem is no longer just a technical one. More laws are creating responsibility to take reasonable care to protect other people's information and liability for failing to do so. It is important to remember that with these changes, the standard of care is expected to improve, and what was reasonable yesterday may be unreasonable today.

Article has 0 Comments. Click here to read/write comments