Tag: Fred Wilson

No steadfast rules for storing/sharing financial data and its offspring online

In a user-generated online society, who owns the data and how it can be used have been persistent questions. The debate continues, particularly as data stores grow with more complex (and more personal) information.

Fred Wilson’s Union Square Ventures has invested in a company called Wesabe, which like several others aims to sort through and make sense of your personal financial information. Financial data is probably the most sensitive of all with regard to online conveyance, and individual concern as to how that data is handled is an obvious barrier to acceptance of services like Wesabe. The company has answered the call in part by publishing a “Data Bill of Rights,” the purpose of which is to alleviate anxieties regarding housing personal financial information with them. Mr. Wilson caveats the “press” by stating it’s a good start, and calls out for additional opinion. Mine are as follows (with the disclaimer that said opinions are by no means steadfast rules, nor are they necessarily cost-effectively operationally feasible)…

The Q&A

Who owns the metadata you and others create about the transactions that come into the system?

In the world according to credit card processors and credit reporting agencies, they do, and despite your requests to block its use there is probably a lot of metadata being gathered that doesn’t fall within the two-point type guidelines your creditors periodically send you. They’re likely using it – and you should get used to it. But with regard to opt-in services such as Wesabe, I think there’s a happy medium to be had. Clearly, these types of online services see value in said metadata, and allowing you to remove your viewable information shouldn’t necessarily be accompanied by complete removal of the offspring (particularly if the service was offered for free). I believe if personally identifiable and proprietary data elements (meaning data uploaded, imported, or otherwise entered by the user) are stripped away from the metadata, then the result (or what’s left, if anything) should be available to the service provider.

Is it better to let the service do the tagging or is it better to let the community do the tagging of the transactions?

Both. The services themselves are the machine, and the community is the blood and guts. Algorithms versus psyche, or the two working in harmony and learning from each other. I believe there is a lot of value to be gained from allowing the machine to suggest helpful tag elements to the users, and I believe the users should be ready, willing and able to reciprocate.

Should the tags be shared and if so, when and with whom?

This should depend on the data elements or transactions being tagged and who is doing the tagging. If the machine “suggests” a tag for a personally identifiable element, then the end user should have the option to reject that metadata. But that doesn’t mean the service shouldn’t be allowed to use that metadata in conjunction with non-personally identifiable information to improve itself for the benefit of others in the community. By the same token, user generated tags should be sharable within the community while directly related to said user (or their data) only with their permission, but the “transaction” which resulted in that choice should be something the machine is allowed to learn from.

Where should your login and passwords be stored?

Probably a personal choice issue – there are a lot of folks working on various solutions which include third-party authentication, token exchange, etc., and there is not enough information to make a blanket judgment call on the matter either. I will likely never input my bank, securities, or credit related login information into a third party service, regardless of the level of security assurance the service provides. That is my choice, and the logic is this: a centralized repository of such data will attract threats in direct proportion to the service’s popularity, particularly given the potentially profitable nature of that data. My accounts are spread across numerous vendors, and while the possibility of having my data stolen through phishing attempts and the like increases with each transaction, I personally don’t engage in large numbers of them. I assume the risk is lesser than that presumed in a “large target” stored environment.

The bottom line is that the storage of login identifiers and passwords should be a choice based on convenience versus comfort. If the user wants to store their various account login information in a system for quick and easy retrieval, let them, but the service provider should be prepared to accept the burden of responsibility. If the user values the comfort more than the convenience, give them that option. Unfortunately, we live in a world where the easy out is to blame the other guy, and proceed to court. There is simply no easy answer here (yet).

Can these services be hacked?

Of course! The moment someone says something is unhackable is most often immediately followed by a moment of apology over a breach. It is the value of the information housed within that service provider that they and their users need to be cognizant of, as the usefulness of the data within the store for a hacker to garner profit from is directly proportional to the amount of effort they (the hackers) are willing to pursue to break in. If the data is segmented by account type, unbranded, and non-personally identifiable, its usefulness goes down tremendously.

Is personally identifiable information (PII) being stored with the data?

This is a tough issue to explain to the end user, particularly if said end user didn’t complete their “Introduction to Relational Databases” and “Networks and Information Systems Management” courses. Consumer end-users assume that if they can see their financial data, the data must somehow be tied to them. To the layman, that IS personally identifiable information – the numbers are money. But “PII” really means data elements such as name, address, phone number, and most importantly social security or tax identification number – elements that tie the numbers (the money) to the person itself. If a system asks me for such information, I generally stop what I am doing and read their privacy policy carefully before I continue. If that information is being stored for later use, I am somewhere between 99% and 100% likely to put the service in the “potentially more trouble than it’s worth” file. If it’s not, I see the risks as no greater than disclosing the same information to a customer service representative over the phone.

The End Note

Again, these are just my opinions, and offering every nuance of this self-prescribed “perfect world” is impossible and likely unprofitable (or at the minimum, a major pain in the ass for some engineers). There is no way to please every user, and there probably never will be. Nonetheless, we’re talking user inputs, service outputs, and wants and needs which are either presently being breached or are yet unfulfilled. And there are a growing number of solution providers jockeying for position, hoping to provide enough answers to get up front.

A Side Note

I’m presently working on some research related to the login/password storage issue, and am looking for some data. In particular, I’m trying to find statistics on internet usage stratified by user type (i.e. core, casual, convenience only, what-have-you), including the number of sites visited daily, login counts, and time spent on sites thereafter. Site types (including blogs, bookmarking, social networking, and financial) would also be helpful. If anyone can point me to something useful in this regard, I’d greatly appreciate it.

Picking a startup CFO

To be filed under “Fred Wilson’s Words of Wisdom”…

Look for someone who is a roll up your sleeves person who likes to engage with the other parts of the business. Look for someone who has been in a startup with growing pains before. Look for someone who can work nights and weekends. And be willing to pay them well. Because they’ll save you way more than they’ll cost you if they are good.

Quite possibly one of the most overlooked parts of building the C-level team (especially in tech, where CEOs and CTOs rule). And, that last sentence is one that most people can’t quite ever get their heads around.

“If you don’t like it, leave” is not a good answer

I’m obviously not fishing this morning, and I’m still blaming a Friday afternoon meeting…

RSS’s daddy, Dave Winer, voiced some concerns with Google’s FeedBurner acquisition. Fred Wilson responded by noting how easy FeedBurner makes it to leave. What Wilson is talking about is FeedBurner’s redirect service – you can delete a feed and FeedBurner will redirect requests back to the original RSS source. In a perfect world, your subscribers continue to get the crappy content you create, and by the time the FeedBurner feed dies they’ve hopefully changed their subscribed URL back to the base feed. We don’t live in a perfect world, and the “if you don’t like it, leave” argument has some holes…

  • If Google were willing to toy with feeds as Winer suggests, what’s to prevent them from making it more difficult to get out? If you can imagine someone tinkering with feeds to favor a certain reader, why can’t you imagine them “accidentally” redirecting your feed into a black hole (except for Google Reader users, of course)?
  • Switching costs are generally inversely proportional to the number of competitors offering a product or service. And when it comes to distribution channels, logistics make those costs inherently high. FeedBurner is a distribution channel – a heavily used distribution channel which some content producers rely heavily upon. And I don’t see a bunch of strong competitors to FeedBurner waiting in the wings.
  • I agree – services that make it easy to leave are often an attraction, but that’s not the main reason I use the service; FeedBurner sold me on their great attitude. Google bought the company, and they can do as they please with it.

I just hope that pigeon-holing folks into a single point of consumption isn’t one of them.

A side note: There are probably some neat things that could be done with FeedBurner and Google Reader…things that might entice me to OPML-up my subscriptions and move there. In particular, I rarely bother looking at stats, tinkering with FeedFlares, etc., but if I could do this all within Google Reader I might pay more attention. Claim my feeds within and do the manipulation from there – I’d be combining my feed management and feed consumption – one less stop. Allowing me to compile a list of FeedFlares that would be available for all Google Reader users to play with, without me having to embed them in the feeds themselves, would also be nice. And last but not least…I have no intention of putting any ads in my feeds because I believe feed ads are aggravating and discourage both consumption and re-distribution. But I’d consider putting ads (linked to a proprietary Adsense or FeedBurner account) in feeds if they were only available to Google Reader users (since Google users in general are so used to seeing ads on just about everything Google anyway).

UPDATE: Day 2 – “The most common rebuttal was the user’s ability to opt out. If you don’t like it you don’t have to use Feedburner. But that’s not any kind of a rebuttal.”

UPDATE 2: “One of the things I’ve heard over and over from non-technical users who have the same concerns now that Feedburner is owned by Google, is where do we go if we want to switch? Ahh. There is no place to go.” Where have I heard that before?

Being an “A-list” blogger isn’t any fun

The raging controversy over Federated Media affiliates plugging Microsoft slogans into their blogs won’t end soon (at least until the next “scandal” breaks, that is).

I say everyone should grab a scotch, read the top ten blogger lies, and remind themselves that the average human being will never know “the conversation” even happened.

UPDATE: Dan Blank says have a popsicle instead.

I’m quitting, since I’m over 30

Fred Wilson of Union Square Ventures touched a nerve when he cranked out this post debating the prime age for being an internet entrepreneur.

Dave Winer, the creator of RSS, was ticked off. Steven Hodson had this to say – “kiss my ass.” And Fred wound up having to defend his position.

A good ol’ fashioned pissing contest. Fortunately, Fred pointedly qualified the discussion right up front:

  • Now don’t get me wrong. We’ve only funded one of these net natives out of close to fifteen portfolio companies. We’ll certainly fund more. There’s a lot more we look for in an investment than a 23 year old design whiz.

And even more fortunately, some folks did get him wrong – the ensuing “debate” would have never happened otherwise. Scattered amongst this interaction were some points I found interesting – I’ve grouped them together as a way of scalping away the noise:

On VC intent and business models…

  • I really don’t want to be the guy who made it harder for anyone older than 30 to get funded in the web services market. – Fred Wilson
  • The thing is that VC’s don’t want to deal with experience and knowledge because it is too expensive. It is cheaper to latch onto the 15 year olds, the 20 something’s because they don’t truly understand the value of knowledge. VC’s don’t want paradigm shifts because in the end it might threaten their business models. – Steven Hodson

Pretty self-explanatory, and Fred was certainly cognizant of the potential repercussions. I’m just curious as to what others think about this.

Where’s the “paradigm” shift…?

  • The Internet is their medium and they are showing us how it needs to be used. – Fred Wilson
  • Paradigm shifts come from knowledge of the past, the vision of the future and the ability to bring them together. Twenty something’s might be hot to trot and they might be able to JavaScript into the wee hours of the morning but they haven’t produced any paradigm shifts. – Steven Hodson

I’m going to chime in here. Creating a web full of widgets tied to other services tied to other widgets tied to Google Adsense isn’t exactly a paradigm shift, and this will become extremely clear the moment the money runs out.

If launching a blog and filling it up with tons of widgets is the path to embracing this groundbreaking new web, I guess I’m missing something.

The only option I see is to quit now (right after I turn off my browser’s Javascript). But I won’t be blaming Fred Wilson for the decision.

UPDATE: Wilson concurs that the discussion was “the beginning of something”, although what “that” constitutes is still undecided.

UPDATE 2: The money isn’t even there for some.