Thursday, March 31, 2016

The right to delete your own data

After I left higher ed in December to work in government, I suddenly became aware of all my online accounts that were tied to my University email address. While I am an alumnus of the University of Minnesota, so my email won't go away until I stop using it, I realized I should delete some of my accounts that only relate to working in higher ed.

So I have been going through my list of accounts, every week logging into the old account and finding the "Delete my account" function. I'm pleased to report that most websites allow you to remove your own account when you are done using it. Even if there isn't a self-service method to delete your account, most websites will remove your account upon request if you ask via their "Contact Us" form.

However, not all websites let you leave their network, or even to delete your account data. It's like an online Hotel California where "You can check out any time you like / But you can never leave."

It's disturbing to me that some websites make it impossible to remove my account. While I can understand that some systems are just not set up to accommodate deleted accounts (Wikia tracks edits by account, for example) at least most websites don't actually store personal information.

But some websites do keep personal information about you, and they don't let you delete your account or remove (or edit) your own personal data after it's in the system. This should be a large concern for anyone these days. Data breaches are (unfortunately) too common.

Data breaches have become such an issue that you can find other websites such as Have I Been Pwned? to discover if you have an account that has been compromised in a data breach. Enter your email address (like you'd use to login to a website) and haveibeenpwned will tell you when and where your data was accessed by hackers.

Do you want your personal data out there if that website is breached? If you can delete your own account when you stop using it, then you can minimize your risk if the website is attacked. If you can't delete your own data, you can only hope the website doesn't get breached.

The website that's causing me the biggest headache is Educational Testing Service (ETS), the people who run the Graduate Record Examination (GRE) when you apply to graduate school. They also manage other exams. I took the GRE in late 2011 before I entered my Master's program in Spring 2012. As far as I know, I haven't accessed my account since then—until now, anyway. After finding no option to remove my own account, I contacted ETS last week (March 2016) to request they delete my account for me. I received this reply:
Thanks for your message! Unfortunately the MY GRE Account can not be deleted. Please note, it will drop out of the system as long as there is no access with the account.
It's unsettling to have an account out there that I cannot remove. Especially one like ETS, which by its nature needs to know several personally identifying details about you so they can verify your identity for any exams you take through them. If the ETS website is ever hacked, my personal information is out there. As will be thousands of other users who have taken the GRE or other exams.

We need to have the right to delete your own data. If it's your data, you should have the right to have it removed from a website's systems after you stop using their service.

I know some this is technically impossible, for some websites and for specific types of data. For example, Facebook stores some of your data (such as photos) on BluRay discs. And BluRay is a write-only medium. But there's a middle ground, a best-case scenario. Sure, maybe Facebook can't delete the data on the BluRays, but if I stop using their service, they should be able to delete my account and all my metadata that refers to data on BluRay.

I consider the right to delete your own data an emerging issue. The right to delete your online accounts reduces our risks to data breaches.

I also see this benefiting future generations. When I was growing up, the Internet didn't exist. We didn't have Facebook or Twitter or Instagram or the plethora of social media websites we enjoys today. When we took a photo of ourselves doing something stupid (as all teens do) the record of that act didn't proliferate. The only photos might get tossed out, and the negatives eventually lost. By the time we got our first jobs, employers couldn't see the embarrassing things we did in our wonder years of middle school, high school, and college.

But today's generation takes photos of everything they do. And they post those photos online. And if you cannot delete your own account, those photos continue to be available for others to see.

We need the right to manage and protect our personal information. We need the right to delete our own data when we stop using a website.

I'm planning to reach out to US Senator Franken (my Senator) on this issue. I think it's something worth fighting for. I hope you'll support me!
If you live in Minnesota, please contact Senator Franken's office (phone or email) and ask him to support the right to delete your own data. You can also tweet to him via @alfranken.

If you live elsewhere, I encourage you to reach out to your own Senator and ask that they support the right to delete your own data. Feel free to use the reasons I've shared here.
image: Sammynetbook (cc-by)

Sunday, March 27, 2016

Happy bunny day!

Just wanted to wish you all a happy bunny day! Here's a nice Easter egg for you:
At my house, we're celebrating with a nice dinner tonight, and butter pats shaped like Han Solo in carbonite. Because that's how we roll.

Friday, March 25, 2016

Running a 30 minute meeting

How many meetings seem to just drag on forever? I can't tell you how many meetings I've attended that could have just been an email. Please just send me your updates. Only get us together if it requires discussion towards a decision.

The art of a good meeting is keeping everything on topic, with a productive discussion. It's all about maintaining focus. And that's the point of this February article from, about six steps to running the perfect 30 minute meeting. Although I would condense this list down to five elements, combining their "referee" item with their "remember why you're there" item.

Here's my simplified list, based on the article:

1. Test any technology items beforehand
Are you planning to use a smartboard in your meeting? Or are you going to bring a laptop to connect to the projector? I recommend you test the setup well before the meeting to make sure you know how to use it, and to ensure that you can leverage it in the meeting the way you hope to. Your meeting time shouldn't be spent debugging the technology, or getting your wireless connection to work in an unfamiliar space.
2. Limit the meeting to just those who need to be there
Start with this question: What is your meeting topic? Based on that, take a careful look at the attendee list. Who really needs to be there, and who are you inviting just to keep them in the loop? You aren't doing anyone any favors by burning their time in a meeting. Consider trimming the invite list to just those people who have a stake in the discussion and decision. Everyone else can get an email afterwards to let them know of the outcome.
3. Be clear on meeting outcomes
What is the purpose of the meeting? Do you want to build understanding around a difficult topic? Or are you looking for a decision at the end of a discussion? When building your agenda, I find it helps to clearly state the intended outcome of each topic.
4. Avoid presentations
The first rule of using Powerpoint is don't use Powerpoint. If you must use Powerpoint, at least don't make your slides distracting, or you risk losing your audience. You may one day need to give a presentation for others. Remember the general rules to give a truly outstanding presentation: Avoid distractions. Use slides that are visual, not wordy. Share your enthusiasm. Leave room to talk around the bullet points.
5. Keep the topics moving along
As the convener of the meeting, it's your job to keep the meeting focused on the agenda topics. Be cautious if the meeting discussion goes astray, exploring tangents to topics, then tangents to those tangents. If you aren't careful, a meeting can quickly devolve to a discussion about esoteric topics. It's okay to explore an issue to move depth, but be ready to pull back the discussion to the topic at hand. Side topics can wait for another day, taken "off line," or perhaps shared as an email update.
image: PortoBay Hotels & Resorts/Flickr (cc-by)

Friday, March 18, 2016

The Facebook challenge

A few years ago, I realized I spent too much time on Facebook. At work, I was always opening Facebook to share some little thing I was doing, or to see what others had written in the last hour or so. Facebook began to drive my day, rather than the other way around.

I intended to use Facebook as a way to stay connected with friends, especially those who I don't see all the time. Instead, I found Facebook generated too much noise. And in return, I created too much babble of my own.

So I created my own Facebook challenge: only post to Facebook once a day. It is an interesting limitation. Is this article I want to share really important enough to make my one-a-day quota? Is this cute photo really worth it? Or the funny video? Every time I think about sharing an item to Facebook, I consider if this really rises to my one-a-day self-limit.

My cat Fanir (orange) and Zoƫ (grey). I still share cat photos on Facebook, but now I do so less often.

Since taking on this challenge, I have become more thoughtful of what I share on social media. Looking back on my Facebook timeline, I don't post inane items, and rarely do I write about the news of the day. Instead, I choose to share significant life events, accomplishments, and other things that are important to me.

My other cat Nyssa. Even though she is very cute, I don't post photos of her on Facebook all the time.

I also noticed another, more subtle change in my social media behavior. While I post only one item a day (sometimes two updates, if it's a very interesting day) I still comment on others' posts. But since taking on the one-a-day quota for myself, I find my comments on my friends posts have become more mindful. I reflect on what they share with me, and I try to comment positively and constructively on their life events. But when my Facebook usage was "me posting about me," I think I rarely did this.

Today, I extend this Facebook challenge to you. Think about what you share to social media, and try to limit your Facebook posts to one or two items a day. Posting a photo? That's one item. Sharing a news article? That's one item. Writing about a life event? That's one item. Find that one item that you think merits your one-a-day limitation, and avoid the senseless noise that most people broadcast on their Facebook walls.

Wednesday, March 16, 2016

SQL Server on Linux?

Last week, Microsoft made an amazing announcement: they are bringing SQL Server to Linux. I find this interesting because of Microsoft's history.

Consider Microsoft's history and their approach towards open source software. There was a time not so very long ago that Microsoft feared open source software. Former CEO Steve Ballmer referred to open source as a "cancer" that would taint everything it touched. (The original interview at the Chicago Sun-Times is now missing, so I've linked to a referencing article at The Register.)

Ballmer's message was clear: He didn't want companies to use open source software. Ballmer's statement was aimed squarely at CEOs and other C-level executives who didn't fully understand how open source software worked, and wanted them to think by using open source software (Linux) you would need to open source your own internal development. And by saying that, to set fear in implementing open source software in corporate environments.

Of course, that's not how open source software works. Open source software is just like any other software, except you can view the source code. Most open source software is distributed under a "copyleft" license that keeps the source code available to anyone who uses the software. In fact, the copyleft requires that if you distribute open source software, you need to make available the open source code. That term can be somewhat confusing to people new to open source software, and it's that confusion that Ballmer wanted to build on.

Maybe you already know about open source software, and are confused by statements like this. But this was all part of Microsoft's anti-open source playbook. And yes, there really is a playbook of sorts. Starting with a 1998 Microsoft memo for then-CEO Bill Gates, leaked on Halloween 1998 and thus dubbed the "Halloween Documents," Microsoft has long viewed open source software a threat to the Microsoft business model.

Since 1998, Microsoft's strategy has been to "Embrace and Extend" open source software, by adopting standards that open source software adheres to and depends upon, then extending those protocols to integrate proprietary Microsoft technologies. For example, extend DNS by integrating Microsoft Active Directory functionality to "add value." The theory is that open source software will be unable to follow the proprietary path due to licensing and other restrictions. From the 1998 Halloween Document:
OSS projects have been able to gain a foothold in many server applications because of the wide utility of highly commoditized, simple protocols. By extending these protocols and developing new protocols, we can deny OSS projects entry into the market.
Over time, Microsoft advanced their strategy to instill "Fear, Uncertainty, and Doubt" when talking about open source software. The goal here was to raise unanswered questions that cause C-level executives to fear open source software. For example, "Look at the copyleft. If you use open source software in your enterprise, you'll need to give away your proprietary source code to anyone who asks." (No, you don't.) This led to Ballmer's famous "cancer" statement.

But under CEO Satya Nadella, Microsoft seems to have genuinely changed its tune. Rather than only develop applications for the Windows platform (and maybe a little MacOS) Microsoft now provides versions of its products for iOS, Android, and now Linux. Several years ago, Microsoft entered the Cloud application market, providing a version of Office ("Office 365") that you can use via a web browser, similar to Google Docs.

And now, we find Microsoft plans to release a version of SQL Server for Linux. I'm excited by this news. I don't have any Linux systems at my new organization (the culture of government seems to be Windows-only) but I want our IT organization to remain open to other options, including Linux. SQL Server for Linux opens up new possibilities for us. And for that, I welcome this news.
image: Wikimedia (public domain)

Friday, March 11, 2016

The future of technology

The road to the future can be difficult to predict. Even Jedi Master Yoda could not always see the path ahead; you may remember his famous quote, "Always in motion is the future."

Sometimes, rather than building a complete picture of technology to come, we need to describe the broad shapes that it will contain. I use this analogy: My mother likes to do quilting. When she starts a new quilt project, I may not be able to tell you what the quilt will look like exactly, but I can tell you about the colors that will be in the quilt.

Apply that to your forward thinking. Maybe you can't provide great detail about the state of technology in five years' time, but you can describe the future landscape in broad themes.

What will technology look like in the next year? That may be easy to figure out; next year's technology may only be an iterative improvement from today's technology. But what about five years from now? Ten years? How will technology inherit the future? What technology will we use at that time? What is the shape of that technology landscape?

Technology will become increasingly mobile
Certainly next year's technology will continue to leverage wireless and mobile devices. Mobile bandwidth will become increasingly important.

The convergence of mobile, portable, and desktop devices seems increasingly likely. Some vendors have already experimented in this space with mixed success. Apple's iPad Pro and Microsoft's Surface are gaining traction in office spaces; these are platforms to watch.

It is a matter of time before mobile merges with the desktop and this new hybrid device becomes the next "must have" technology. In five years, our phone may become our new laptop, available for traditional "desktop" computing when connected to a display and keyboard, and as a mobile device when on the go.
Computing will meet you where you are
The promise of the Cloud is that your work will always be available to you, no matter where you are. All you need is a web browser. Today, Millennials look to the Web as their primary computing platform. They look for technology to come to them, not for them to go to technology.

Web-based systems such as Google Apps and Microsoft Office 365 provide greater work flexibility. If you have a web browser, you can access your work wherever you go. The future of technology will not be on the desktop, but on the Web.

That doesn't mean the traditional desktop is going away. Far from it. If the future includes a hybrid of mobile and desktop, we will retain some desktop applications for some time. That means computing needs to meet you where you are, on your platform of choice. Microsoft seems to have figured this out with Office 365. They provide a Web version for those who prefer the Cloud model, apps for those who prefer mobile computing, and desktop applications for those who still use the desktop.

The key to the future will be the seamless integration of storage on the back-end to unify the platforms. It shouldn't matter what platform you use; if you need to edit a file, it should be immediately available.
Technology will become more personal
Social networking such as Instagram and Twitter provide outlets where users can engage with others, without the perceived "filter" of overhead. For example, Millennials often use Twitter to reach out to vendors and service provides. A friend of mine uses Twitter to ask her vet questions about her dog, and she expects the vet's office to reply.

If your organization has a social media presence, you need to be active with it. Engage your audience. Respond to questions. Find ways to remove barriers to communication.

In addition to social, computers will increasingly respond to you and your preferences. We can see this already with voice search. Today, I rarely type a query into my phone; I just tap the microphone icon and speak aloud. "What's the weather today?" and my phone tells me the weather forecast.

In the future, we will expect our devices to become more interactive. It's more than just voice search, but any query we make should respect our previous activity. The query I made a minute ago probably relates closely to the query I'm making now. My search history can indicate a preference for certain topics. Our tools will respond to us and become a true digital assistant.
image: openDemocracy/"cyberspace" cc by-sa

Tuesday, March 8, 2016

How to share an update

I don't think my colleague will mind me sharing this story, if I leave out a few details.

Last week, I asked one of my managers to share her project status at an enterprise review meeting. As she prepared for the meeting over the next week, I quickly realized she didn't know what to include in the update.

So I took advantage of a coaching moment—a coaching button—and asked a few questions. Where is the project right now? (Requirements gathering.) Who was involved in reviewing the requirements? (A short list of stakeholders.) What did you share in the last update? (Not much.) I asked her to start there, and build her update to answer those questions.

We met a few days later for our regular one-on-one meeting. Her presentation was in much better shape. She summarized the project status in four slides, without a lot of text. The project status was neatly summarized in those four pages, But, she asked me, why do I have to share all this information when most of the people there already know about it? She had previously shared an email update with most of the people in the meeting, so wouldn't they already know about the project if they read their emails?

My answer was simple, and I'll share it here.

You can't assume others know everything about your project. And you can't assume everyone groks everything in the emails you write. Sometimes, you need to share these updates in person.

The reason for a project update is to tell other people about the project and how it's going. We are all in this together, and we want to know if the project is on track or if it's falling behind, if the right people are involved, and if it's going to do what we need it to do. Shoot for what you think everyone probably know, plus about ten percent more.

That afternoon, the manager shared her project status at the enterprise review meeting. I was prepared to step in to back her up, if needed. But I didn't need to worry. I think she took to heart my advice, because her presentation was very smooth. She opened with a brief background for the project, then described the goals of the project, enumerated who has been involved and described their input and feedback into the project, and shared a rough timeline with next steps.

Afterwards, several of the enterprise team met with me to share their thoughts. They were very concerned about this project update, going into the meeting. Apparently, previous project updates weren't well received; the manager only shared brief verbal reports, no slides, and didn't provide much in the way of status. But in this meeting, the enterprise team was very pleased to hear such a complete, professional update on the project. One team member recognized the coaching I had done with this manager, and commented that the coaching made all the difference.
image: Highways England/Flickr cc-by

Friday, March 4, 2016

If you aren't paying attention to HIPAA, you should be

We live in a world where data is ever-present. Many of us working in IT store data about our users. There are different types of data, each with its own rules and best practices for how to protect that data—whether it's simple login data or more personal information.

One area that gets a lot of security attention is HIPAA data. Sometimes generically referred to as "electronic private health information (ePHI)," the data that is covered by HIPAA is the most personal information about ourselves: data about our health. And so it is correct that this health information should be protected very carefully. If HIPAA data isn't on your IT radar, you need to talk to your IT security officer.

HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, and is United States legislation that provides data privacy and security provisions for safeguarding medical information. The Compliance and Ethics Blog has a great article about HIPAA compliance: What you need to know for 2016. A few highlights are below:

This affects everyone.
Everyone needs to take data privacy seriously. Everyone. And if you don't think that you're affected by HIPAA rules, check again. In my experience from higher ed, institutions sometimes collect health data without realizing it. Are you tracking sports injuries per player? That's health data.

So it's a good idea to treat all data as though it were under HIPAA rules. Set the bar high for everything, so everything is protected well. That means encrypting all devices on your network, not just laptops. Although laptops are still a high loss target. Examples from the article include: A 13-physician practice entered a $750,000 settlement after a laptop and unencrypted backup media containing ePHI were stolen from an employee’s car. A nonprofit teaching hospital entered a $850,000 settlement after an unencrypted laptop containing ePHI for 599 patients was stolen from an unlocked treatment room.
Risk assessments save money.
When was your last risk assessment? When I worked in higher ed, my group was part of an internal risk assessment (audit) about once a year. That didn't mean my group was the subject of the assessment, but when the auditors examine, say, the Financials system, eventually they'll want to talk to the group that manages the Financials infrastructure. And that was my group. I quickly learned to value the risk assessment; the audit results were feedback that I could use to improve my team's operations.

Risk assessments also save you money over the long run. More specifically, failing to conduct a risk assessment may be penalized. From the article: "an insurance holding company entered a $3.5 million settlement after it experienced multiple breaches. The OCR found that the company failed to conduct a security risk assessment and failed to implement security safeguards. The good news is that the government provides a free security risk assessment tool, making it easy for providers to complete the assessment themselves."
It comes down to your staff.
What do your staff know about protecting private data, including HIPAA data? Make sure that everyone who touches private data understands how to manage the data safely. And don't just worry about the IT staff, think about everyone who uses or manages HIPAA data.

Good computing practices will get you most of the way. Teach your users not to trust attachments in emails, even from people they work with. Spear phishing attacks have become quite sophisticated, so if you didn't expect someone to send you a financial report that requires macros to view it, then you shouldn't open it. Even "drive by" attacks can get you, such as ads on websites, so be sure to keep up with antivirus and other protections. A few examples from the article include: A hospital entered a $218,400 settlement after employees used an internet document sharing program to store documents containing ePHI. A university teaching hospital settled for $750,000 after an employee downloaded an email attachment with malicious software, which compromised the ePHI of 90,000 patients.
image: Cory Doctorow/Flickr cc by-sa