Month: October 2015

User, Customer, Client

In our connected lives we all consume lots of digital services, not to mention other services with a digital component. Think of your cellular service, or your cable TV provider — which may also be your ISP.

To obtain every one of these services, we execute some kind of contract.  It might be a stack of paper dropped in front of you to sign (here… and here… and please initial here) when you rent that shiny new iPhone.  Or maybe it’s a tombstone of mind-numbing text that we click past as fast as we can while setting up yet another Twitter handle.  But they are all binding contracts until proven otherwise in a court of law.  And at the consumer level, few of us are willing to test them there.

I would like you to come away from reading this note with one important question stuck in your head like a bad rock and roll song from a couple of decades ago (you can read my Google+ profile if you want one of those).  That is: “Am I a user, a customer or a client?”

A User, in this framework, is a person who simply walks up and begins using the service.  The canonical example would be Facebook.  Unless you buy a bunch of ads there, or developed one of the big apps, your Facebook account was probably free for the taking.  So too, we users of most Google services, Twitter, Instagram, etc.  I think an important thing to remember about these services is, you have no leverage.  The service is provided as-is and unless you agree to the contract they present you as written, you will simply not be allowed to use it.  What Facebook gets out of the deal is not really the topic here, but suffice to say that the contract’s implications make it pretty clear that your personal data and your privacy are the “price” you’re paying for the opportunity to allow that weird kid from high school to stalk you quietly all these years later.

Being a Customer differs very little from being a User, except that you give the service provider money.  In some jurisdictions this may give you a few non-waivable rights (which means that you still have them even if the contract says otherwise).  But you are also in a take-it-or-leave-it situation as to the terms of that contract.  You have a bit of leverage, in that you can terminate the relationship, which means they stop getting your money.  It’s up to you to assess whether they care about this at all, and if so, how much.  It makes a big difference to a company whether the customer it loses represents 1.5% of its annual gross revenue or 0.0015%.  For smaller customers, there’s really no way a company can afford a process where it negotiates a distinct version of its contract for each customer.

At some point you may find your business matters enough to the provider that losing you would be a real problem for them.  You may find yourself trading drafts of the contract with them until you mutually arrive at a version that everyone is just about the same amount unhappy with.  Congratulations, you have become a Client. Obviously this is not something that happens with social media providers or even cloud providers like Amazon Web Services at the level of individuals.  You probably have to be a reasonably large corporation to get to this point, and be spending significant amounts of money.

It’s not necessarily bad or dangerous to be a Customer or even a User.  But I think it’s important to maintain an open-eyed understanding of where you are in any given relationship, and let this inform your expectations of the provider.


Seriously. Seriously?

How many breach notices have you received this year?  I would guess that, for anyone with enough online life to read my blog, the answer is between eight and twenty.

Does a single one of those notices fail to say that they “take your security very* seriously”?  Don’t we think that’s pretty tough talk from the entity who just informed you that it took them seventeen months to realize they’ve leaked all your information to Russian criminals or the People’s Liberation Army or some script kiddie from Albania or… well, they really have no idea.

* – “very” is optional and depends on the mood of the PR person who was composing the letter, and/or the CxO who signed off on it.

via SecMeme 


Proud to be a Hacker

I was talking with some people this morning at the Rochester Security Summit, and one person said, “I have a problem with the Certified Ethical Hacker – it’s a contradiction in terms!”  This really pushed my button.  Clearly the fellow equates “hacker” with “criminal.”  This is fallacious.

A hacker is a person who investigates how things work, at least in part for the joy of simply discovering how things work.  That is all.

The equation of “hacker” with “criminal” grew out of hysterical media reporting of early crimes and mishaps regarding computer networks.  The Morris Worm, one of the first “cyber security” incidents, grew out of experimentation that, admittedly, went awry.  But there was no hostile intent.

I was a “hacker” in college and I remain proudly a “hacker” today!  I still experiment with things to see how they work, see if I can break them, and see what I learn from how they break.

Hacking is only criminal if one takes criminal actions with it.  So too is, for example, driving a car.  And just as “driver” does not mean “criminal,” neither should “hacker.”