Category Archives: Security

Evolution and Management of Security

A giant glaring flaw in an otherwise excellent article (The Evolution of Security) by Daniel E. Geer is how he measures success. He might poke fun at trying to reduce the cost of management, but I think his expectations for a defined environment might be a bit unrealistic:

We reproduce our computing tissue asexually by cloning some gold master somewhere, even though a pond full of identical blue-green algae can be thought of as success only when evolution is very young.

A true gold master can be defined, measured and hopefully repeated. Repeating something that is not well defined or measured does not really mean it deserves the title of “gold”. People are all too willing to throw the term around, without common criteria for what it means.

Maybe it’s a minor point, but it seems odd to me to compare the standard of evolution for products based in a heavily-skewed American consumer market to millions of years of life/death-based natural evolution.

I would say that the American industry is often dominated by who has the best story to sell and who will believe it, while success in the wild raises stakes to another level — true survival. Geer suggested some of this himself, earlier in his article:

We have risks, costs, and benefits from the all-alike alternative, and we have risks, costs, and benefits from the all-different alternative. Where’s the tradeoff? What is cost effective? Is this a new problem never before seen? Is there an answer? The answer is staring us in the face; the answer is in nature.

Unless of course you are a creationist, and then you might say that success is best defined and measured by someone, somewhere, who is elected or ordained to decide fate. The tradeoffs are not always as obvious as we might hope, and the systems are often too complex for us to emulate, which opens the door for people who prefer to give up and adopt a construct of faith.

Do you believe Vista is safe, or will you let nature decide?

Google gets “worst” privacy rating

Disclaimer: I worked at Yahoo! and a large part of my responsibilities as a member of the security group included protecting privacy for consumers.

The news from the BBC on search engine company privacy practices should not be underestimated:

Google has the worst privacy policy of popular net firms, says a report.

Rights group Privacy International rated the search giant as “hostile” to privacy in a report ranking web firms by how they handle personal data.

Google naturally put their legal team forward to fight back, rather than a senior executive or a founder. Personally, I have been inside Google several times, have met with senior Google security staff, and I would not trust my data to their systems. Then again, that’s just me and I might be a Paranoid, if you know what I mean.

Privacy International placed Google at the bottom of its ranking because of the sheer amount of data it gathers about users and their activities; because its privacy policies are incomplete and for its poor record of responding to complaints.

“While a number of companies share some of these negative elements, none comes close to achieving status as an endemic threat to privacy,” read the report.

Responding to the report Nicole Wong, general counsel for Google, said in a statement: “We are disappointed with Privacy International’s report which is based on numerous inaccuracies and misunderstandings about our services.”

Endemic threat to privacy? I guess it’s not just me.

Ironically, Google is extremely private about its services. They might argue that this is a defensive tactic to ward off corporate espionage, protect their IP, etc., but the bottom line remains that consumer privacy is threatened and their love for opaqueness simply adds to the danger, as evidenced by the rippling results of disclosure laws like California’s Shine the Light, AB1950 and SB1386.

Why do I mention the legal versus founder difference in the public message? Because I worry that this is a leadership issue more than one of legal wrangling. Remember when Yahoo! originally tried to make a statement that they had no choice but to abide by local laws of a country they operate in? It had to do with a critical decision moment when they were involved in the conviction of a Chinese reporter. Yeah, the “we’re just interpreting the law” went over like a lead balloon and today they have a new message:

“Yahoo is dismayed that citizens in China have been imprisoned for expressing their political views on the Internet,” the company said in the statement faxed to The Associated Press, which asked Yahoo to comment on Shi’s lawsuit.

The Internet company, based in Sunnyvale, California, also said it has told China that it condemns “punishment of any activity internationally recognized as free expression.”

However, Yahoo added that companies operating in China must comply with Chinese law or risk having their employees face civil or criminal penalties.

Naturally, it gets confusing when a company tries to comply with a foreign law and gets sued domestically as a result. I do not think the problem is easy, nor do I propose that I have the answers. More importantly, I think it shameful that we have to wonder about the moral fiber of companies, especially wildly successful global companies with armies of lawyers at their disposal, who refuse to stand up for freedoms and the people who fight for them.

Yahoo! is doing the right thing now both economically and philosophically speaking, albeit maybe not politically, by trying to influence and disrupt consumer constraints in the market in which it wants to operate (e.g. more freedom of speech = more/better flow of information online). Perhaps Google will follow their lead…again.

The Rape of Europa

I just saw this, on the recommendation of a friend, and I have to say it was an excellent film.

The Rape of Europa tells the epic story of the systematic theft, deliberate destruction and miraculous survival of Europe’s art treasures during the Third Reich and World War II.

On the one hand it’s a fascinating modern tale of tragedy. The movie does a fine job working within a narrow band of time. However, I couldn’t help but wonder on the other hand about the larger picture (pun not intended) of conquest throughout the ages. For example, many of the items in modern galleries around the world, such as the British archives, were looted from foreign lands during times of conquest and conflict. But I guess the point is that if we limit our scope to the 1930s and 1940s, the Germans (and maybe the Russians) turned out to be the undisputed bad guys of the (art) world.

Needless to say, the movie also focused in on physical objects of treasure but not the ideas of art or the intellectual capital. Countless brilliant poets and their poems were destroyed, but the film made no mention of their fate…

Carbon Footprint Calculator

The World Resources Institute has put a calculator online that promises fun for all ages:

The average American is responsible for about 20 tons of carbon dioxide emissions each year, a far greater per capita number than that of any other industrialized country. In fact, the US accounts for more than 20% of the world’s total greenhouse gas emissions. You can reduce your carbon footprint by driving a more efficient car, or driving less. You can also plant trees or help preserve forests to offset your emissions, since trees are a sink for carbon.

I guess it is targeted for Americans.

I have often wondered how people calculate their carbon footprint when they talk about offsetting it. I mean the political mudslinging lately seems to have been linked to who has the bigger footprint and what can be done individually to compensate. For example, what is President Bush’s carbon footprint? Is it higher or lower than prior Presidents? Is testing Bush on compliance going to end up down the same road as the “Click It or Ticket” campaign where he promised to support a crackdown on drivers who disobey the law, while he paraded around in disregard?

Bush did not violate Texas law. “On private property, you’re not required to wear your seat belt,” said Tela Mange, a spokeswoman for the Texas Department of Public Safety. She said “it’s fairly common” in the ranchlands of Texas.

Will Bush try to come up with a similar justification for carbon emissions exemptions? Should the calculator have an option “click here if you are a member of the Bush family”?

After all, isn’t the reason for the seatbelt law to prevent some people from causing harm to themselves that others ultimately have to pay for (through the externalities of the insurance and emergency response system)? Or perhaps the Department of Safety is simply saying they have no jurisdiction on private roads, which raises a whole other discussion (libertarians, start your engines) about the “corporal” right to pollute on personal property.

Anyway, it would be nice if politicians could publish their carbon footprint data as a matter of public record, including the impact from private spaces.

In case anyone is interested, the calculator says my footprint is apparently far less than the national average. I suppose that has something to do with driving a biodiesel car that gets almost 40mpg and walking to work on most days.

Seems to me that the calculator should end with “and this is what you can do to offset your footprint: plant x trees…”. And it should perhaps also offer a range, or some measure of certainty, since the calculations are really just estimates.