Wednesday, July 8 2020

Experts hate being proven right about avoidable disasters - after the fact

We live yet again in an age of unreason - where cross-competence complexity is so big that special-interest groups (in both private sector and public bureaucracy) easily manipulate decision making. As an expert in the field of #Trustworthy Computing, it is heartbreaking to witness how bad decision-making in the institutional systems again and again, despite sustainable alternatives, leads to - predictable and predicted - damaging action that undermines both democracy and markets.


Friday, June 19 2020

Announcing CitizenKey

CitizenKey is the first solution to solve the multi-dimensional identity problem


Identity is a particularly wicked problem that has been haunting everyone ever since the start of digitization.

At one end we have identity anarchy and massive crime, and at the other end we find authoritarian regimes amassing around a single national id and surveillance capitalism. These combine into digital feudalism, where government power is abused to drive profit and surveillance, which in turn provide taxes and more surveillance power to government, while identity theft, economic crimes and all sorts of data crimes are accelerating.

The solution to this is not simple.

When you start with the principle of one identity per purpose, you create the mechanism to contain context and share data within and for a particular purpose without enabling secondary data crimes.

This is what blinding using the open source library U-Prove can achieve and why CitizenKey is so evolutionary in its achievement of simultaneously enabling:

  • Trustworthy data sharing for services and research,
  • Empowering citizens with contextual control to ensure rights and restore markets
  • and countering the massive crime problems escalating in all directions.

The rest is then "only" about enabling and customizing identity for the multitude of secondary or compliance requirements.

But there are a lot of aspects when you get into the details.

Covering all the dimensions requires a very carefully designed framework:

  • From UN Global Goal 16.9 ("Global Identity") over National Id 2.0 to Contextual Identity
  • From IOT over infrastructure contextualization to supporting complex application requirements
  • Handling all the complex stack issues from usability in one end to semantic integration in the other while retaining non-linkability
  • Overcoming the myriad of bad technical standards designed to centralize control
  • Enabling asymmetric upgrade, gradual change and support for continuous change

What is clear is what CitizenKey is NOT:

  • CitizenKey is P2P and not a "trust-me" model where some man-in-the-middle accumulates control and profit
  • CitizenKey uses blinding-at-issuance to avoid key reuse and long-lived keys that require revocation and data retention
  • CitizenKey makes no use of blockchain and other cloud-based lock-in mechanisms
  • CitizenKey only applies revocable biometrics such as privacy biometrics (on-card) and biometric encryption (mixing biometric data with one-time keys in zero-knowledge proofs of contextual existence). There is no collection of non-revocable biometrics, as it would create a genocide database linking biometrics to identity, opening for all the worst sinister abuses.

Tuesday, April 25 2017

ePrivacy debate is missing the basics - ends up helping criminals and anti-trust operations

ePrivacy is part of GDPR

ePrivacy is addressing the low-level aspect of GDPR - can and are citizens and devices identified and thereby trackable in the first place?

Where GDPR addresses data as such, ePrivacy is focused on the technology and telecommunications when parties other than the citizens access or collect data from basic devices and entities. People are also devices, as they communicate and have sensitive "identifiers" (biometrics are sensitive data which cannot be collected according to GDPR article 9).

The ePrivacy debate is missing the core issue

Much of the debate on ePrivacy is somehow mistaken as a repeat discussion on GDPR (which is fixed), as commercial providers focus on access to track and collect sensitive data without consent or with merely the illusion of consent.

On one hand, this is understandable as consent is hard and in some instances almost impossible.

Informed Consent is increasingly meaningless in a digital world, where data are (ab)used for a myriad of purposes that grow almost exponentially. In addition, expressing consent PRIOR to collection is literally meaningless when data collection has already happened when the question is asked. Internet of Things represents scenarios where this problem scales into the extreme, with the constant tracking of devices based on their leakage of identifiers (MAC or other device identifiers or addresses).

On the other hand, this is the EXACT reason and justification of ePrivacy, as it addresses the question of HOW basic telecommunication occurs.

The KEY question and raison d'etre of ePrivacy is to require sustainable telco standards.

The existing ePrivacy regulation has been effectively sabotaged by commercial interests reducing the issue to a statement, "Here we track you and you consent simply by using our site", which is essentially a tracking wall mocking informed consent.

But we also saw the existing ePrivacy beginning to work as standards are changing - Bluetooth, RFID and WIFI have all seen modification in the direction of eliminating persistent identifiers, whereby basic communication does not involve collecting device and personal data if neither can be recognized from session to session. In such a technical setup, Informed Consent can PRECEDE collection, i.e. the citizen can CHOOSE to release a Customer # or other identifier known to the site without releasing persistent identifiers linking the citizen/device across purposes.

If the citizen - for some strange or peculiar reason - actually wants surveillance, she can always release a persistent identifier such as a Device MAC or reused communication address (equivalent to or easily linkable to a social security number etc.). But, at least in principle, with the proper technologies applying Privacy by Design, she can also avoid doing so and maintain the integrity of purpose-specification and control of data.

5G represents the test of ePrivacy reform

The ePrivacy reform faces an easy upfront test. 5G is entering the final stage of standardization.

Presently the standard works with the principle of enforced Data Retention in the sense of "Mandatory Endpoint Identification", meaning that all communication according to 5G will involve the network spying on devices and thus citizens.

If this happens, the EU faces a cartel-enforced data-retention regime until the next major change of standards, which is assumed to be VERY far off (at least decades). In that case, not only will the collapse of both ePrivacy and GDPR be almost ensured, but there will also be a MASSIVE negative impact on the value creation of otherwise impressive technologies able to provide huge improvements in wireless communication.

The win-win alternative which ePrivacy MUST enforce

The sustainable alternative would be security and identity established as contextual-only, i.e. mechanisms where basic infrastructure maintains unlinkability unless explicitly desired otherwise BY the citizen.

It is clear that the telecommunications industry is still controlled by gatekeeper thinking, even long after this has proven a massive failure. Bad wireless standards are feeding control to the horizontal OTT infrastructure, where profit streams originate from systemic profiling of citizens and companies across non-related sessions: a Data Retention problem that has been judged clearly illegal and incompatible with the EU Charter by courts. As such, the 5G standardization process (such as e.g. @5GPPP and the 5G cartel) has both ignored and not invested in security beyond systemic surveillance. In other words, taxpayers' money has essentially - through the EU - been feeding illegal data retention activities.

But even though the actual security alternatives have clearly been suppressed in investments, this does NOT mean that standards should not assume these solutions can, will and must emerge. By deliberately preventing alternatives ("mandatory"), the 5G standard functions as an illegal antitrust cartel that prevents innovation in a direction that would prevent systemic tracking of citizens and devices, which would call for large fines as obvious violations of both EU anti-competition regulation and GDPR/ePrivacy.

You can now say that we should just wait and let Margrethe Vestager issue the predictable fines. But this misses the point, as we will still be caught in decades of MASSIVE BAD INVESTMENTS in insecure surveillance-by-design 5G technologies, which in the best case will cause massive damage to the European economy and trust in an already precarious situation.

My point - and the sole reason for this article - is that the ePrivacy discussion and reform need to get back to focusing on the core point and raison d'etre: to require telco standards to ensure basic communication can be established WITHOUT transfer of control from citizens to surrounding infrastructure or passive wiretapping.

5G standards as-is are ENABLING terrorism

Where I would claim 5G should be considered critical infrastructure and thus particular attention to security should be emphasized, we instead see standards DELIBERATELY undermining security even though we already know that e.g. US drones use the lack of security to direct missiles. The use of e.g. leaking wireless identifiers is rapidly becoming normal in commercial tracking and targeting.

The point is that it is only a matter of time until even terrorists do the same, as this represents a certain, cheap and effective targeting system to attack particular targets including VIPs.

I informed the EU about and demonstrated this more than 10 years ago, but they continued to make the same basic security mistakes. I even published it as a commercial business case, "Bombs for Hire" (slide 8), as part of the EU's 50-year anniversary: Bombs for hire (no security without privacy)

Thursday, November 19 2015

EU Commission DSM strategy will lead to economic & democratic collapse

Ideological blindness is a deterministic road to failure

In the 1960s, China's Mao pushed forward the "Great Leap" to industrialization. The rhetoric was grand and the promises even bigger. The only problem was that the means lacked linkage to the claimed consequences, leading to economic disaster, famine and millions of dead Chinese while destroying enormous wealth and historic artifacts in a mad race to industrialize through manufacturing steel.

The claims of the EU's DG Connect and the EU Commission of a "data-driven" economy are even worse. Systemic dis-empowerment of citizens with eIDAS and ICT standards with built-in lock-in/surveillance, free flow of unsecure data in both public and private sector, as well as systemic profiling and abuse of personal data, provide a straight route to market and democratic collapse. The strategy is fundamentally a plan for digital feudalization of Europe.

In this, it hardly matters much whether the source of failure originates in institutional defenselessness against bigtech lobbyism, in yet another European authoritarian ideology (a destructive feudalist combination of BigGov bureaucracy and BigCorp market controls), in paranoid fear of terrorism leading the system to self-destruct, or in some fourth source of institutional failure.

What is important is the way unscrutinized claims and numbers fabricated in "consultancy reports" on BigData, Identification and OnceOnly get transformed into "political truths" stripped of any linkage to reality and causality.

What is important is the near-total absence of consideration of alternatives or reflection on the impact of means that will systemically dis-empower citizens, both in terms of democratic rights and in terms of the consumer power to enforce choice on value chains.

Problem is not ends, but means

The claim here is not that we e.g. do not want knowledge from research, but that we want better knowledge in smarter ways that do not a priori distort the market processes and reduce citizens to analyzed and managed objects.

The claim here is not that we do not want growth, but that growth is caused by SMARTER use of resources to produce more individual value. The present means will do the opposite - sacrifice value for the illusion of growth as power gets concentrated and monopoly effects benefit the few at the expense of the many and society overall.

The claim here is not that we do not want protection against criminals and terrorists, but that trying to do so by surveillance of everybody always only makes security worse by making targets defenseless and providing the means and vectors of scalable attacks, i.e. that "security" thinking in terms of identification is worsening - instead of improving - security.

So what is wrong?

(Image: Digital Agenda 2012 - Linking Security with Economics)

Three core aspects are wrong with DSM.

1) Digitalization is not designed for change and adaptation to choice, but to create single-size-fits-all and centralize controls. Especially infrastructure is designed more to prevent competition and innovation than to facilitate it. The solution is to create standards that remain open for change in parallel, i.e. open interfaces for better solutions to outperform lesser models and value chains.

2) Security is not designed to isolate in order to prevent interdependence as well as targeted or scaling attacks.

3) ICT and processes are not designed for choice to work as the ONLY way to signal best value of alternative use of resources. Both OnceOnly, commercial profiling and infrastructure are designed to manage and control citizens instead of empowering them to enforce choices on processes.

But EU will reform Data protection regulation?

So what?

If the technology fundamentals are designed to reverse the value chains and reduce citizens to analyzed objects to be managed and traded, soft regulation might do a bit to reduce the damage, but cannot compensate or enable processes and markets to adapt and improve.

Data Protection regulation may REQUIRE good empowering security by design or it will inevitably fail, reducing "consent" to a mere excuse for abuse without any real choice possible.

What will work is regulation that requires the right to enter into digital transactions WITHOUT identification and enables means to do so. What will work is regulation that actively rejects secondary use of personal data and enables means for citizens themselves to respond to requests by collecting data from non-linkable sources and anonymizing/contextually isolating the results for knowledge-creating processes or services.

But EU Commission is enabling the Single Market?

Won't competition and innovation solve the problem?

It would if markets are allowed to work and citizens empowered to enforce choice.

But the fact is that the EU is NOT enabling markets with the present DSM strategy. By accepting and even investing in bad technology design, the EU is preventing markets from working, systemically dis-empowering citizens and legitimizing the reversal of value chains.

So, to summarize, claiming to do good is no good if the means are counter-productive to the intended goals.

DG Connect, EU Commission, Andrus Ansip and Günther Oettinger - you are basically spreading misinformation and wasting taxpayers' money on bad investments - you urgently need a change of perspective or you will be the instrument of European decline for decades to come.

Wednesday, April 29 2015

Privacy By Design – legal compliance or getting markets to work again?

Two approaches

Generally we can talk about two views on privacy - either the legal or soft policy view, where rights are assumed maintained because some regulation, policy or agreement says so - or the "By Design" approach, where principles are unconditionally forced or designed into the technical design.

The legal or soft policy way

Often in the privacy discussion, we meet the argument that companies can build trust if they “respect” consumer privacy, or the assumption that the discussion is about accepting some short-term loss (in not getting or using some personal data as an “asset”) in exchange for better “brand”-likeness attracting more business or having fewer security breaches.

Variants of this argument are in the area of “legal compliance”, i.e. deletion, non-collection, non-sharing, “settings” or more complex attempts at “compliance” in the form of sticky-policies trying to improve agreement negotiation using mechanisms such as P3P or to embed internal restrictions in “Digital Rights Management”-like rules.

A simple example of this “compliance” thinking is when surveillance feeds from networked cameras are obscured post-collection in some way to reduce damage from means such as automatic face recognition and constant networked surveillance. This is a mechanism that in the EU would violate the ePrivacy Directive (not enforced, but citizens are in themselves “devices” requiring prior consent), but it represents an attempt to circumvent Data Protection Regulation post-collection through claims of “proportionality” or even exemptions due to non-substantiated claims of “national security”, not considering alternative means.

In these compliance models, Data control is NOT with the citizens, as they at best have some influence and have to trust some internal security mechanisms despite data flowing in external systems and through insecure infrastructure. These include cloud and internet-of-things, where rules enforcement is close to theoretically impossible.

The market or security way - "by Design"

In contrast, Privacy By Design is the market/security approach, empowering the demand side to enforce choice on value chains to drive progress and competition.

When technology is designed so citizens never lose control over the ability to link data outside context, the supply side is forced to adapt to customer needs and e.g. the customer retains the power to say STOP – simply by discontinuing the process/relation and taking the business elsewhere.

We often hear claims of inconvenience or loss of value from real or legal restrictions for misuse of data out of context, but these are comparing apples and bananas as they fail to incorporate how citizens themselves reuse their data as part of market processes. There is no reason to assume that citizens are not as effective in applying the data management themselves – on the contrary, when considering issues such as interoperability, actuality and expression of needs, citizen self-management of data can be far superior to any “Citizen-centric” system control of data.

Companies and bureaucracies don't like that unless they understand the necessity or their interest – and honestly, no company dislikes having “market power” and few bureaucrats don't assume society is better off with them in control. The rhetorical games to claim exemptions or “proportionality” are creative and widely abused to circumvent rights and security – healthcare research, tax and anti-crime are some obvious examples.

However, companies do understand that e.g. Google, Facebook, Amazon and (mainly US-based) payment/telco providers are selling their customers to competitors based on targeting information leaking in transactions (e.g. Google Analytics/Facebook Like and payments as probably the main problems today). The consequence is customer defection or churn, which is the biggest drain on their profit, as acquiring customers is costly and profits rely heavily on customer loyalty (increased profit over time and amortization of customer acquisition over many transactions).

When applying Privacy by Design, companies can significantly protect their customer relations from commercial 3rd party attacks as they stop providing targeting information. Customers may still choose other providers if your product/service offerings are not competitive, but at least the company stops the main drain on profits. In short, Privacy By Design the market way is by far the best investment any company can make – provided it is within their sphere of control to do so.

Just to exemplify in the Camera example above. In a Privacy or rather Security by Design approach, you would issue identity devices to Citizens making it possible to e.g. document non-wanted status, local authorization and even specific accountability without ever making the citizens identifiable in the transaction, i.e. no PII is created.

A local alarm can then be triggered either by law enforcement due to some specific incident/threat or by a refusal by the citizen in question to provide the needed digital proofs. When the alarm goes, a SPECIFIC and LOCAL change of priority and rights is established digitally, justifying that the PHYSICAL, visible curtains blocking cameras from collecting images can move away and evidence collection as well as incident management can commence.

Any such removal of physical blinds would be subject to accountability, whether of persons or system providers, for the trigger causing it, under scrutiny by a judge.

Conclusion - By Design works where Soft policies fail

On a society level, blocking the abuse of personal data is by far the most urgent problem for getting markets to work again.

The winner-takes-all structure in commercial infrastructure is collapsing fundamental market processes based on price/offering, driving control towards local or global monopolists. These profit from steering markets and filtering offers/messages or applying more powerful mechanisms to restrict behavior, such as smartphone device lock-in where some players charge a 30% transaction tax or more on all transactions through their “ecosystem”.

In my view, mere compliance is in the area of legal dreaming – like believing that alcoholic organizations can resist a data-drink on the table in front of them when it feels good short-term to abuse data even though it “may” hurt long-term. Never going to happen.

From a security and market power perspective, Privacy by Design is far superior to soft policy compliance, as the consumer power is unconditional, enforced by design and trustworthy without any loss of legitimate value. Demand choice is enforced on the market, furthering best value for money and stopping the bad ones, including from abusing data to prevent or control market processes.

I suggest that Privacy or rather Security by Design is the critical enabler of sustainable growth in our age. Something that mere soft policy compliance cannot provide.

Friday, April 17 2015

EU eGov Once Only - a failure by design. Suggest better ways

EU Commission indicates they will raise the "Once Only" principle to strategy without pursuing sustainable solutions.

A bigger mistake can hardly be conceived, as it is a certain way to fail - economically, on security and legally. It is also in unresolvable conflict with both the EU Charter and numerous regulations and principles.

I would suggest a Pareto better approach is to provide citizens with tools to respond to requests for data or answers that know what data has been provided and are able to reuse data (from all sources) and provide answers that do not add linkability. I suggested this 10 years ago: Nobel Week - eGov Trust

"Once Only" is the principle that citizens should only provide data to authorities once - and it is then the task of authorities to organize reuse of data to all purposes internally.

From a first reading "Once Only" may seem like good governance as citizens and companies hate being bothered with the same question and it creates double work.

The assumption of “Once Only” being good governance is, however, an illusion ignoring the obvious disaster created by choice and by design while hiding the real question.

The EU choice is based on reports like this (Characteristic for this report is that it has no reality checks or alternative considerations. The economics is cherry-picking not standing to even the lightest scrutiny)

But why is "Once Only" wrong?

Because it implies 3 mistakes at the same time:

1) Incompatible with security in public sector. The only way government can take responsibility for using data for non-related purposes is if there is inherently no data security and thus citizens are stripped of all controls. Instead of providing data to the specific purpose, data is fed to general purpose public sector profiling. The choice thereby is not about citizen convenience, but a strategic choice to abandon all possibility of security in public sector - a mistake that can hardly be underestimated.

2) Reverse value chains. The inherent danger when providing data for statistics, research and administration is that such data will revert back into operational systems, thereby creating seriously negative Command & Control damage to the value system. If government officials assume they already know, they don't ask and thus create structures that do NOT adapt to real actual needs and choice but force citizens to adapt to system assumptions, however wrong they may be. This creates legacy on a grand scale, making eGovernment increasingly ineffective at providing value for money.

This is not only the lesson of former Eastern European regimes. This report is essentially based on scaling numbers fabricated by Danish authorities to claim success, but the overall numbers don't lie. As indication see e.g. Danish Statistics on productivity changes dropping steadily since IT-based centralized bureaucracy was introduced.

3) "Once Only" creates unsustainable power structures. The assumption that public authorities are trustworthy and only want to do what is good and legal fails all historic tests and understanding of how systems operate. Such power structures become self-preserving and self-expanding, always scanning for new "excuses" to act and justify their own existence. Without checks and balances bureaucracy will scale out of control, and "Once Only" prevents such Checks and Balances based on citizens' choice.

Everything gets linked the back-door way while the structure prevents needs-driven innovation. "Once Only" is an inherently destabilizing structure. Instead of becoming better at serving society, the structures will scale mistakes and failures until it cracks.

I claim that "Once Only" is not only a strategic governance mistake of epic proportions, but ignorant of better alternatives based on Citizen Empowerment.

Wednesday, September 3 2014

We need a Second Renaissance

The first Renaissance

was about freeing the world from religious superstition where some Bible, Koran or Priest is assumed to tell people what is right and what is law. The religious dictatorships of the pre-Renaissance are best exemplified by the Holy Inquisition and the conquering and enslavement of colonies with military and priests side-by-side. Various alliances between the Church and dictatorships brought suffering on everyone on an enormous scale.

Through science, experiments and rationality, citizens were empowered to think for themselves, revolt and act for the betterment of mankind. This brought forth a revolution of democracy and free markets that can be said to culminate with the Internet, where all mankind can have access to all knowledge almost instantly. It peaked with Francis Fukuyama's claim in 1989 of "The End of History", calling for the ultimate victory of democracy and market over dictatorship.

It did, however, not eliminate religious superstition. Worse - and here Fukuyama was wrong - it did not free humanity from the rapidly increasing abuse of pseudo-science for ultimately the same purposes that the first Renaissance was trying to free mankind from.

The second Renaissance

is also about empowerment. It is about freeing the world from scientific superstition where some model or formula is able to or should tell the citizen what is right and how to behave. The dark side of the Internet and natural sciences turned out to be the ultimate of totalitarian regimes, whether built on Command & Control bureaucracy and economics, technically enforced cartels or Google style behavioral winner-takes-all market controls.

There are no pure democracies, and most of the former "free societies" are far down the grey-scale as the systems have grown unstable - intoxicated with the power of the Internet, making it possible to enforce non-legitimate interests on citizens and organizations while technically also ensuring they abide by dictates.

  • Authoritarian regimes can profile each citizen, ensuring that they act and think according to a defined ideal - whatever that may be. The divergent citizens and employees will get detected early and their re-education to the "right path" automatically controlled and constantly supervised. In such a society, there is no democratic debate except what the state deems beneficial to maintain the illusion and pseudo-legitimacy of power. The involved will have no problem convincing themselves that this is necessary for stability, national security, anti-crime and other anti-social behavior. They will even create an atmosphere of constant fear to ensure compliance.
  • Bureaucratic regimes can through technology dictate processes according to their design. Alternatives cannot exist and they will ensure all sub-systems feed their monitoring and plans for a "better life for everyone". And they will have an endless demand for intimate profiling of citizens to feed their "Research" and Command & Control models. Alternatives and UN-planned innovation will not be possible as technology structures will not permit these. The involved have no problems convincing themselves of their own superiority, neutrality, the effectiveness of centralized control and how irrational citizens need supervision to do what is right for themselves. They will create an atmosphere of spin claiming everything they do is good and blasting every case into proof of the incompetence of citizens.
  • Commercial cartel structures can through technology and pseudo-science dictate markets according to their design. Alternatives cannot exist as they cannot be interoperable, and new innovative competitors and better solutions are effectively prevented. Especially the role as gatekeeper to the digital networks is enforced through technology standards that strip citizens of control through identification and dictate a choice of Lord between cartel members.
  • A few commercial winner-takes-all structures will operate structures where every transaction increases their power in the next transaction, as they own the ability to link and apply controls. When these structures pass a certain threshold, power shifts from market participants to the infrastructure market makers, as participation will become a license to operate - if you don't comply, you cannot get access to the market. These structures will ensure all are accomplices and get a small fraction of the power profit. They will do their best to keep up the illusions of competition and choice even though there is none and markets are turning into gardened monopolies where the infrastructure players dictate their profits and all of society suffers. These structures force commoditization in products and services as they feed on the illusion of competition but almost eradicate innovation. As a result, almost all providers will see their profits disappear in cut-throat price competition with little chance of innovating themselves out of problems, as all novelties are rapidly copied and cartel standardization structures prevent major innovations.
  • Large-scale criminal organizations prosper in this world of destabilizing power concentration. They will not only be tolerated but created as the source of fear to justify the centralized powers and to take the blame for more covert actions. But even without the acceptance of the powerful, the near-total lack of security of dis-empowered citizens, commoditized companies and single-point state organizations makes them easy targets and - through identity theft - useful to hide behind.
  • These destabilizing power structures are worst when they feed from each other, e.g. when NSA and its counterparts in China and Russia create and feed from Commercial cartel structures such as GSM, EMV etc., requiring these to strip citizen security through standards. Or when the Bureaucratic regimes and pseudo-democracies rig elections through winner-takes-all entities engaged in political profiling and vote selling through systemic behavior manipulation.

These mechanisms are far from showing their worst as we see smart-phones, biometrics, elimination of cash, cloud and Internet of Things turning into systemic surveillance and control of citizens by both the direct commercial providers and indirectly state structures utilizing the commercial controls for bureaucratic and authoritarian purposes.

Characteristic is that the neo-classical economic models are almost blind to these structures and the subsequent damages. The assumption of markets has become their illusion, as they do not see or model how power is exercised and how value is destroyed and growth prevented as people are adapted to systems instead of resources and processes adapted to real needs.

We are not heading for trouble, we are already deep in trouble as the destabilization process continues to escalate in many ways already exploding into social unrest, conflicts and crisis even if political institutions try to create illusions to maintain some order and structure. The events of 2001 and subsequent military actions, the Financial crisis of 2008, the Snowden revelations and the emergent geopolitical conflicts are far from over - they are going to get a lot worse and how we act will have a profound impact on future generations. Problems such as over-population, pollution and resource depletion are simple and easily solvable in comparison to social power and market structures gone destabilizing.

What is essential to understand is that all these problems are really caused by the first renaissance focus on rationalizing the world without ensuring that the social sciences evolved to say what we need to remain within the realm of personal space and choice and to dictate these principles on technical design and standards. Naive political ideologies

The second Renaissance is about a return to Empowerment

Through evolving social sciences we need to understand the problems and provide us with the education, scientific, technological and technical means to detect and prevent the problems.

In reality most of the problems can be condensed into one single problem and related solution. Both the cause and solutions are closely related to HOW we digitize society.

  • Most of the power emerges from identification of Citizens when entering the digital networks and participating in society processes. This is both the main source of destructive power and the main source of abuse of power.
  • Solutions simply have to eradicate digital identification - or in technical terms the ability to link unrelated transactions with the same citizen - as that will re-empower citizens relative to the destabilizing power structures and provide means for gradual recovery, as historic data cannot be abused to control the future and citizens, while society processes and value chains will - once again - be forced to adapt to individual needs and the best providers rewarded with the profit of serving real needs instead of non-legitimate interests in private or public infrastructure.

I remain a defeatist optimist. Meaning that in the short term, I fear that our institutional structures are more a part of the problem and knowing very well from history that each age has a tendency to live up to its most sinister potential. But also that - in the longer term - humanity has a tendency to rise to the occasion when it is most needed - yet often only out of great suffering trying to prevent this from happening again.

We will measure success on the time from the emergence of Internet to when citizens can enter into even the most complex public sector services without ever becoming identifiable towards a server and power structure. And hoping that the suffering in the meantime can be kept to a minimum.

Stephan Engberg, September 2014

Tuesday, August 12 2014

Stop leaking your Digital Assets

Leaking customer data is bleeding profits

Most companies are very aware of the two traditional elements of Customer Loyalty focusing on sales (get and grow), but underestimating the third increasingly more vital aspect of customers leaving (keep).

  1. Get - Customer Acquisition
  2. Grow - Customer up-selling or cross-selling
  3. Keep - Customer Retention

The reason is very simple. The cost of customer acquisition is in the accounts but excused by the sales value, whereas the cost of customers leaving is a loss of revenue not recorded in the accounts as either cost or lost revenue. Sales are therefore constantly repeating the same mistake: overspending on marketing and outbound selling while massively underspending on protecting customer relationships.

Are you feeding your customers to your competitors?

Google, Facebook and the other profiling engines make their money from making your customers defect.

Whenever you leak data on your prospects or customer interactions with you, you are not only helping your competitors target your best customers, you are also telling the marketing profilers how best to make your customers defect.

For instance, when marketing uses Google Analytics to collect data on who visits your website and what they look at - that information goes straight to competitors targeting your customers - every bit of information is automatically qualifying the targets and how to convert these - for the sake of Google Earnings.

Similarly, when marketing mistakes the number of "Likes" on Facebook for loyalty and strength of customer relations, they are forgetting that Likes are resold by Facebook to competitors and you increasingly have to pay Facebook to promote you to your own customers, as "Like" does not mean they see what you try to communicate.

The outcome is a negative spiral of growing marketing costs, market distortion and resources diverted from value creation to moving, trading and shouting to customers.

Do you have a strategy and means to prevent leaking customer data from happening?

Notice that this is pure strategy and mission critical analysis. That is even before we address other aspects of customer data leakage such as the lack of legality (e.g. EU Data Regulation), threats created towards customers (Identity theft etc.) and the accumulating consumer distrust from providing you with data.

Try making this simple check: Whenever your customer loads a page from your website, does YOUR website trigger a connection to Google, Facebook or other customer profilers? I am not only talking about Google Analytics, but any of the many ways the profilers try to get you to link to them and feed their profiling whether we talk "Like".

If so - you have just discovered the biggest drain on your bottom-line profit and need to act urgently on this! You are pushing marketing resources to get or grow customers while they are pouring out at the other end. You need to plug the hole!
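One way to run the check described above is a static scan of a page's HTML for resources the browser would fetch from hosts other than your own. This is an added example, not from the original post. The sample page, the `.test` domain names and the function names are constructed for illustration, and a static scan does not see requests that scripts inject at runtime, so the browser's network panel remains the fuller check.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make a browser fetch a resource while the page loads.
FETCHING_ATTRS = {
    "script": ("src",), "img": ("src", "srcset"), "iframe": ("src",),
    "link": ("href",), "embed": ("src",), "object": ("data",),
    "source": ("src", "srcset"), "video": ("src", "poster"), "audio": ("src",),
}
# <link> only causes network traffic for these rel values (canonical does not).
FETCHING_RELS = {"stylesheet", "preload", "prefetch", "preconnect",
                 "dns-prefetch", "modulepreload", "icon"}


class ResourceCollector(HTMLParser):
    """Collects (tag, absolute URL) for every resource the markup references."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.base_url = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = {k: v for k, v in attrs if v}
        if tag == "base" and "href" in a:
            # <base href> changes how later relative URLs resolve.
            self.base_url = urljoin(self.page_url, a["href"])
            return
        if tag == "link":
            rels = set(a.get("rel", "").lower().split())
            if not rels & FETCHING_RELS:
                return
        for attr in FETCHING_ATTRS.get(tag, ()):
            if attr not in a:
                continue
            values = [a[attr]]
            if attr == "srcset":
                # srcset is a comma-separated list of "url descriptor" pairs.
                values = [c.split()[0] for c in a[attr].split(",") if c.strip()]
            for value in values:
                self.found.append((tag, urljoin(self.base_url, value.strip())))


def is_first_party(host, first_party):
    """True if host is one of your domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    # Match on a label boundary so "evil-example-shop.test" does not pass.
    return any(host == d or host.endswith("." + d) for d in first_party)


def third_party_hosts(html, page_url, first_party):
    """Map each third-party host to the tags that make the browser contact it."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    report = {}
    for tag, url in collector.found:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # data: and similar URLs cause no network connection
        if is_first_party(parts.hostname, first_party):
            continue
        report.setdefault(parts.hostname, []).append(tag)
    return report


# Constructed sample page; all hosts are placeholders under the reserved .test TLD.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="canonical" href="https://www.example-shop.test/">
<link rel="stylesheet" href="/css/site.css">
<link rel="preconnect" href="https://fonts.profiler-a.test">
<script src="//analytics.profiler-a.test/collect.js"></script>
<script src="https://static.example-shop.test/app.js"></script>
</head><body>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="">
<img src="https://pixel.social-b.test/tr?id=0" width="1" height="1">
<iframe src="https://widgets.social-b.test/like-button"></iframe>
</body></html>"""

if __name__ == "__main__":
    result = third_party_hosts(
        SAMPLE_PAGE, "https://www.example-shop.test/products", {"example-shop.test"}
    )
    for host, tags in sorted(result.items()):
        print(f"{host}: contacted via <{', '.join(tags)}>")
```

Every host in the report is a party that learns of the visit the moment the page loads, whether or not the visitor clicks anything.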

Are you feeding your future competitors through your choice of service providers?

All are suffering from the problem of leaking customers pushing price competition.

But huge industries are suffering even worse - consider media, telcos, payments, digital service etc. They all suffer from virtual infrastructure trying to take control of their customers and pushing themselves in front of the value chains.

What starts as a problem of growing marketing costs, customer churn (fast turnover) and over-communicating pressuring the bottom line in an industry turns into something much worse in terms of bleeding profits - commoditization where you lose the connection and direct relation to individualize services and the possibility of differentiation - as the winner-takes-all engines are growing and getting more and more aggressive as they turn into virtual supermarkets owning the customers, with you providing the product and service while they take the profits.

Consider your service providers - id, payments, communication, search, supply chain etc. - what are their business models? Are they in the business of leveraged network effects, i.e. to put themselves in the center of a spider's web where everybody else is feeding them data while they increasingly profit from controlling market making or creating lock-in effects based on the control of your customer data?

Are you doing something as simple as letting them control your security (log-in), communications channels or unsecured data? Do you depend on them for communicating with existing or potential customers?

If so - you have just discovered your biggest strategic problem and future drain on your bottom-line profit!

Your business model is unsustainable as you are being intermediated and are yourself training your future competitors on how to reduce you to a commodity player with a rapidly growing pressure on profit margins.

Do you have a strategy and means to maintain control of your connections with customers?

Any other problem is secondary to dealing with the two above problems.

If you do not understand and have a clear strategy on dealing with these two aspects, your business is under attack due to your own neglect.

You can design new products, you can pour marketing costs into the operations, you can create great technology - but if you are not able to protect your customers, your business model is leaking and your future profit is under serious attack.

If you

  1. do not understand the problems, get help - because you are most likely suffering from these.
  2. do not know whether you suffer from these problems, buy the analysis - as you are working in the blind.
  3. know you suffer but don't know what to do, get help for the workshops and training - as your strategy is omitting the key components.
  4. know what to do, but lack the skills to do it, get the expertise - as the devil is in the detail.
  5. are suffering from unfair competition, get the help to document and inform government authorities - as the lobby of the winner-takes-all players are extremely powerful and politicians and bureaucrats have no idea of the kind of problems, you are facing.

Protect your customer data from leaking, control your connection with customers and do not let unfair competition from winner-takes-all virtual infrastructure erode your market.

The Author - Stephan J. Engberg

Stephan Jürgensen Engberg

I started out specializing in Digital Business Architect & Strategy to build Customer Loyalty and sustainable competitive advantage in both a specific corporate and national cluster dimension. Never before was the from increasing competition bigger and opportunities from new technological means and business models as available. I worked more than 10 years with this focus both theoretical and practical in both large organizations and as an entrepreneur getting to the point where I was teaching and doing executive consulting on Strategy and solutions.

However in this process, I realized a fundamental problem. That markets have become unstable as consumers are made into assets of the few super-large winner-takes-it-all entities. This means that EVERYBODY loses - consumers, society and companies - as all are reduced to providers to highly centralized power structures that do not provide value, but feed from everybody else at their expense. As such, in the late 1990s I expanded my focus to the often overlooked security design aspects of how to redesign power structures to empower citizens and protect companies from these power structures. I rapidly became part of a small global group of privacy/security by design specialists aiming at restructuring identity to actually secure processes. In this process, I quickly became a member of a small group of specialists advising and participating in EU research or pre-policy processes.

During the years I have analyzed almost all aspects of security and digital infrastructure and - standing on the shoulders of giants - created numerous inventions to solve fundamental problems - some of which have been transformed into business models and solutions in production (e.g. RFID), but most still on the drawing board suffering from market imperfections such as bad regulation or technical standards that prevent security - whatever the reason.

Having an Innovation Strategy perspective on security brings a disruption to the thinking, as almost everybody else are technicians (focusing on either anonymity or simple access control/surveillance), soft activists focusing on abstract human rights or merely entities seeing security as a barrier to their interest. Understanding the WHY to drive understanding of requirements and the impetus to go beyond easy assumptions is a very powerful driver to new understanding and solutions.

It does, however, also put you in opposition to the purists - legal or technical - balancing multi-stakeholder issues is not for amateurs as you have to address the really tough questions without resorting to primitive and naive assumptions. Anonymity of a stakeholder rarely can provide the basis of healthy society processes, but identification and dis-empowering citizens is even worse as it represents the biggest source of failures.


  1. Innovation strategist focusing on value creation and Customer loyalty
  2. Specialist on Identity, Trust Socio-Economics and Security/Privacy by Design
  3. Independent Consultant
  4. Serial Entrepreneur
  5. Frequent speaker at research, pre-policy or technology assessment conferences & workshops
  • Computer Scientist and Economist from Copenhagen Business School (M.Sc.)
    • Specializing in innovation strategy and competitiveness
  • London Business School.
    • International strategy and entrepreneurship

Work Experience
  • Unibank/Privatbanken (Nordea), 1986-1995
  • IBSEN Micro Structures, 1995-1998
  • TietoEnator, 1998-1999
  • Open Business Innovation, 1999- (founder)
    • Priway, 2004-2012
    • RFIDsec, 2004-2010
    • Numerous projects for government, digital infrastructure, companies


  • Privacy / Direct Marketing Copenhagen Business School, 2002-
  • Security in mobile environments, Danish Technical University
  • eBusiness Strategy & Security, Copenhagen It University


Sunday, August 10 2014

Security is a multi-stakeholder issue

Security is the main problem of the digital age

When we integrate everything we create

  1. Interdependence if your security depends on security elsewhere
  2. Exponentially growing vulnerabilities as everything becomes easier to track and attack
  3. Built-in mechanisms to accumulate and exercise power on a large scale

The consequence is rapidly decaying security: the benefits only grow logarithmically while the threats and security failures grow exponentially, as described here.

This is unsustainable and calls for a radical departure from present security thinking. What we need is a Security Renaissance.

Surveillance is the problem, not the solution

Surveillance creates interdependence and weakens the defense, as every single entity is getting more, not less, exposed.

The problem here is that few - trying to solve security problems - are aware that the root cause of most of the growing security problems is identification itself. The flawed logic is that more digital identification (i.e. surveillance) improves security - it is WRONG and can never work, as it creates more interdependence and vulnerabilities, i.e. unmanageable risks.

Sustainable security is about verification WITHOUT identification

Understanding that identification is the problem does NOT lead to the understanding that anonymity (defined as non-accountability and unlinkability) is the solution to security. That is a false dichotomy - instead we need to think contextual security resolution or verifying security without identification.

From this radical departure from present thinking and its normative target follow the natural questions of why, how, who etc. This is further elaborated.

For now - realize

a) That accountability does NOT require identification in the transaction. It is enough that some means for a judge to identify the party responsible for an action violating rights or agreements is established as part of the transaction.

b) Verifying legitimate security requirements of one stakeholder without undermining the security of other stakeholders is the key to security in a digital world, as this prevents interdependence and avoids making some entities vulnerable to secure the interests of other stakeholders.

What this is doing is as logical as reversing the Security Death Spiral above - moving upstream to and eliminating the source of security problems instead of creating more of what created the security problem.

Notice that even massive problems such as privacy concerns and identity theft are practically eliminated. You cannot abuse data that you cannot refer to a physical person. And you cannot steal the identity of a person if the transaction neither tries to identify the person nor accepts claims of identification as a valid security proof establishing any kind of responsibility on behalf of a citizen.

Friday, August 8 2014

Public Sector is lacking a sustainable vision - need a third way

The Public Sector is falling for the "easy" central solutions trap

Governments everywhere are working hard to get the benefits of the Digital revolution - driven by the "easy" solution of giving citizens direct access to transactions systems both to save administrative costs and to give better service. The intentions are good and tempting.

However, the easy Central Approach paradigm fails to understand and incorporate the dangers and damage of simply plugging identified citizens onto centralized IT systems like we have been doing with employees. Consequences are devastating for all critical evaluation dimensions - economics, security, rights and usability.

Countries are pursuing approaches with minor differences, but when you analyse the approaches they are all based on Single National Id and massive centralization of power and control while failing to build sustainable structures that can adapt to individual needs and choice. Not a single version of a citizen- and needs-centric approach without even the potential of creating Citizen Profit seems presently under implementation.

The problems are much worse than simply a lack of citizen involvement in the development phase - the root problem of the massive centralized approach pursued almost everywhere is that we lose flexibility and adaptiveness while risks are rapidly scaling out of control and systemic misuse and economic distortions at the expense of society are growing exponentially.

The alternative is not decentralized lack of structure or manual structures, as that would lose the potential benefits from digitalization. It is an often-seen political spin to use this as a strawman for worse centralized approaches.

Making this a question of plague or cholera is failing to understand the real problems and questions in how to utilize the benefits of digital networking without massive concentration of power and risk leading to an increasingly ineffective and unstable society. We need a third way.

What we need is a Public Sector Renaissance driven by better understanding of the economics and digital requirements. A public sector where processes adapt to individual needs instead of adapting citizens to the implicit behavioral control and interests involved in the provisioning structures.

But this also requires the nuance to respect that a public sector is not - and should not be considered - a homogeneous unit. There are vastly different problems, ranging from creating and maintaining a framework for society such as emergency response and critical infrastructure at one end, over sustainable legal and court justice, to effective Public Sector services such as e.g. healthcare and education at the other end.

To understand the core of a Digital Renaissance, we need to start by assuring we are asking the right questions and defining sustainable principles while also exposing the rapidly escalating problems of the centralized approach.

Monday, August 4 2014

Citizen profit

Neo-classical economics and Gross Domestic Products (GDP) focus on trade values instead of the actual value to the citizen.

This systemically underestimates the value of production and skews the political focus towards what generates profits instead of what generates value to citizens and society. The consequence is Fool's Growth, where the models are claiming "growth" in GDP while the actual output value to citizens drops. This especially occurs in the public sector and when something reduces or prevents competition in the private sector.

The first phase of the Digital Economy is to a large degree characterized by Fool's Growth where a few cartels and monopolies accumulated power through digital infrastructure to control market processes for their short-term profits at the expense of overall growth in Citizen Profit and society progress.

Continue reading...

Wednesday, July 30 2014

The increasing failure of neo-classical economic models

Neo-classical economics focuses on what we can measure. Reasonable to a large extent, as we of course want to do our best to understand progress and predict consequences of actions in order to be able to respond in time to prevent unpleasant developments. This has always been so, but the Financial collapse of 2008 has significantly increased the focus and attention on trying to predict and prevent economic problems.

However, the desire to be able to quantify and predict makes the econometric models heavily biased and misleading. They and GDP (Gross Domestic Product) do NOT measure value produced and are thus extremely dangerous to guide policies. What happens is that the models adapt policies to the flawed model assumptions. This facilitates a serious bias towards system preservation and away from policies facilitating true progress and growth.

However unsatisfactory from a position of Economic Management, we truly need to focus more on the complex causality and less on the numbers emerging from biased and increasingly misleading econometric models.

  • The main problem - they do not measure value

Economic models that assume GDP express value created in society are utterly wrong.

Not only because some processes are omitted (e.g. voluntary such as friends helping each other, social such as household or black market selling e.g. homemade products or even shady services such as prostitution or even criminal activities) or economic elements included wrongly (e.g. the cost of externalities in case of pollution or non-recycling of non-renewable resources).

The real problem is that the very outcome of value chains is grossly, and increasingly, misrepresented by the market price. They simply ignore the Citizen Profit even though this is the fastest growing and accumulating proportion of the economy.

When you work with models that do not understand value, how can you say anything meaningful about quality of investments and Public Choice?

  • The Innovation problem

Beyond the value problem is an even bigger problem when talking about predictions.

Innovation and growth is about CHANGE - we only improve by more rational processes, better sustainable resources and better adaption to individual needs. But this means that growth is essentially about change and doing things in new ways!

How can you predict this without simply modelling the assumptions of the claims turning the process of answering and calculating consequences of questions into assuming themselves without anything that resemble science and testable prediction?

  • Finally - both these problems are growing in the digitalization phase where change is biggest and individual value (should be) exploding.

The Digital transformation represents a radical departure from previous market processes in many ways.

First and foremost the individual part of any product or service is rapidly increasing and thus so does Consumer Profit. The fight to control individuals through Digital Infrastructure at the expense of Citizen Profit is key to the problems of our time.

Second is that change occurs on a much faster and continuous basis in many directions at the same time. Digital Value chains reorient and reconfigure themselves in much faster, more dynamic and more complex ways compared to earlier. This means that not only prices, but the actual structure and dynamics of a market change constantly, making models assuming Status Quo increasingly useless to describe and especially predict economic change. Worse, the models are often the source of problems.

As a simple example - the financial crisis of 2008 was the result of a massive increase in lending that fueled unsustainable "growth" according to the models. This was the consequence of a double failure - first a political one, as governments globally pushed for growth and pumped liquidity and relaxed restrictions on lending everywhere. Second in the private sector where short-term profit without due consideration as to the massive bubble effects created accumulated a snowball that did with devastating effect.

But the fact is that neither governments nor markets seem to have learned from the mistake. Bubbles are back and e.g. US government debt is exploding. Again model economists try to create "confidence" that this time they have it under control - they haven't, as they simply do not understand what is happening.

We need a Digital Renaissance on economics

The models simply don't work for their usage, and assuming they work is one of our biggest problems, creating mistakes from doing more of what created the problems in the first place. Because the models claim that growth is just spending instead of focusing on sustainable value creation.

The root problem is the desire to control. Just like the safe of a Bible defining the World made the Vatican Priests fight so hard with the Inquisition to maintain order in the Universe, so do model economists and bureaucrats fight to force society into their models, however flawed and damaging this process may be.

The outcome is not much different from Communist China's Big Leap ending up in hunger and disaster, as they simply had no idea as to the complexity of what they were trying to control. Just like China didn't blossom until the Bureaucrats released control and the European economy grew rapidly after the Reformation, the world today is calling for a release of assumed economic control based on flawed and biased models. (But in all honesty, China also represents the best example against anarchistic laissez-faire, e.g. on environment issues, as markets suffer from serious negative externalities unless careful attention to frameworks is politically ensured.)

We shouldn't stop trying to understand and model, but we need to understand that adapting policies to what we know is flawed is worse than releasing controls and focusing on the frameworks of empowered citizens directing value chains to produce Citizen Profit.

In some ways the second Digital Renaissance is a revolt against the first Natural Sciences Renaissance, as it has created an environment in which social processes are assumed to be run like a Scientific model - the very failure that former Eastern Europe and many others taught us is very dangerous.

We need to question what we can/cannot model while in parallel focus on the digital frameworks.

Right to be forgotten - when you get core principles wrong

The EU and member states need to act timely and augment the "Right to be forgotten".

The principle of a "Right to be forgotten" is fundamentally human and critical to maintain society stability in a networked age.

But the European "Right to be forgotten" is perhaps the most obvious example of legal failure as vital principles are not transformed into operational solutions.

The principle cannot be implemented as a legal-only structure. To become operational, it has to be enforceable, and by the nature of the problem this requires law to dictate technical design principles from a preventive approach, as technology design will otherwise override the legal principle, making it void and "unworkable" - and as such easy to ignore by commercial or shady (read in reality non-democratic) government institutions.

The main technical design principle has to change so as to enable non-identification or contextual identity in legitimate society transactions including eCommerce and public health-care. This is both possible and critical for markets and democracy - and it is the only way to protect society against the likes of Google acquiring destabilizing and self-reinforcing power over citizens and society processes.

Continue reading...