Friday, March 29, 2013

Do not track me

Amendments to the Personal Data (Privacy) Ordinance will be effective on 1 April 2013. Companies are required to notify their customers about using their personal data for direct marketing. Citizens of Hong Kong received notification of this use from many companies in March. They will be presumed to have given consent to such use if no objection is raised in writing. The Privacy Commissioner advised citizens to object, sending the wrong message that all such uses are evil.

We live in a society where everyone depends on others for goods and services. Information on goods and services is therefore essential for us to make a considered choice. All companies provide such information, which we call advertising. But there is so much of it, and much of it concerns goods and services we do not need. So it is a better arrangement for the information to target customers who need it instead of flooding the world with all of it. To do so, companies may need to know who their customers are and what they want. This is where personal data come into play.

The dichotomy between the workings of the commercial world and personal privacy is hard to resolve. A similar case is the tracking of web surfing data. Companies track such data to improve the placement of advertisements, but citizens do not want to be tracked. In order to devise legislation regulating such activities, the US Federal Trade Commission brought privacy advocates and the online advertising industry together to work out a compromise. The discussion has been going on for over a year but there is no sign of any agreement. IT World recently published an article on the situation which you may like to read in full.

Despite the wish to work out a compromise, any agreement reached would be less favourable for the companies than the present unregulated scenario.  The disagreement comes down to the basic definition of some common terms.  The article points out some essential points where there could be mistrust on both sides.

1. Redefining track

When we think of web tracking, we probably think of someone or something recording what we do as we browse a website. When the online advertising industry says "track", they really mean "target advertising based on your web surfing history." So when a network says you can opt out of tracking, they actually mean "you can elect to not see targeted advertising". Information about you will still be collected and added to your profile. Some data would be collected for the purpose of assessing the advertisements placed, but some may be collected for other reasons.

2. Redefining anonymity

Advertising companies claim that tracking data is collected anonymously.  Therefore the network cannot identify a person or match the web history to a real identity.  But that is not entirely true.  Anonymous tracking is not always anonymous.  A Stanford researcher who is a member of the do-not-track working group demonstrated on a few occasions that this is not so.  Another programmer who attempts to provide transparency into the world of web tracking acknowledged that "in certain cases, data may be combined with other sources to produce more detailed profiles."

3. Redefining choice

When adding the Do-not-track option to Internet browsers, companies claim that they are enabling a choice for consumers. The offer is only half-hearted, presuming that web users will not readily choose this option. When Microsoft turned the Do-not-track option on by default in Internet Explorer 10, many web designers simply ignored that setting. And when Mozilla announced that it was thinking about blocking third-party cookies in Firefox, the advertising industry reacted fiercely, claiming it would be counterproductive for consumers and business.

4. Redefining free

A key argument for why tracking is necessary comes down to the advertising money which keeps some web companies going. Without tracking, advertisers argue, the "free" web will cease to exist. Some even claim that Do-not-track will ultimately kill free speech by putting web sites out of business. This is certainly not the business model many websites are pursuing. A free (free-of-charge) web is different from a free-speech web.
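The gap between points 1 and 3 above can be shown in code. The following is an added example, not taken from the IT World article or from any advertising network; the policy names, visitor IDs and URLs are constructed for illustration. It handles the same DNT request header under three behaviours: the header ignored, targeting switched off while collection continues, and collection itself switched off.

```javascript
// Added illustration. Policy names, visitor IDs and URLs are hypothetical.

// Constructed sample traffic: request headers as a web server would see them.
const SAMPLE_REQUESTS = [
  { visitor: "v-1001", url: "/shoes/running",  headers: { DNT: "1" } },
  { visitor: "v-1001", url: "/shoes/trail",    headers: { DNT: "1" } },
  { visitor: "v-2002", url: "/travel/japan",   headers: {} },
  { visitor: "v-3003", url: "/loans/personal", headers: { dnt: "0" } },
];

// DNT request header: "1" = user asks not to be tracked, "0" = user consents,
// absent or any other value = no preference expressed.
function dntPreference(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== "dnt") continue; // header names are case-insensitive
    const v = String(value).trim();
    if (v === "1") return "opt-out";
    if (v === "0") return "opt-in";
  }
  return "unset";
}

// Three ways a site can treat the same preference.
//   ignore-header   : the setting is disregarded (point 3).
//   no-targeted-ads : the industry reading of "opt out of tracking" (point 1):
//                     the profile still grows, only the ad changes.
//   no-collection   : what most users assume "do not track" means.
const POLICIES = {
  "ignore-header":   { collect: () => true,             target: () => true },
  "no-targeted-ads": { collect: () => true,             target: (p) => p !== "opt-out" },
  "no-collection":   { collect: (p) => p !== "opt-out", target: (p) => p !== "opt-out" },
};

// Process one request: optionally append the URL to the visitor's profile,
// then decide which kind of ad is served.
function handleRequest(req, policyName, profiles) {
  const policy = POLICIES[policyName];
  if (!policy) throw new Error("unknown policy: " + policyName);
  const preference = dntPreference(req.headers);
  const stored = policy.collect(preference);
  if (stored) {
    const history = profiles.get(req.visitor) || [];
    history.push(req.url);
    profiles.set(req.visitor, history);
  }
  const ad = policy.target(preference) ? "targeted" : "generic";
  return { visitor: req.visitor, preference, ad, stored };
}

// Run all sample requests under one policy and return what the site
// served and what it ended up holding about each visitor.
function simulate(policyName, requests = SAMPLE_REQUESTS) {
  const profiles = new Map();
  const responses = requests.map((r) => handleRequest(r, policyName, profiles));
  return { responses, profiles: Object.fromEntries(profiles) };
}

for (const policyName of Object.keys(POLICIES)) {
  const { responses, profiles } = simulate(policyName);
  console.log(
    policyName,
    "| ad shown to v-1001:", responses[0].ad,
    "| history held on v-1001:", JSON.stringify(profiles["v-1001"] || [])
  );
}
```

Under "no-targeted-ads" the visitor who sent DNT: 1 sees a generic ad, yet both page visits are still in the stored profile; only "no-collection" leaves the profile empty.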

I think all this double talk may just be an illusion. If you have a good understanding of how Internet browsing works, you will know that data exchange between the user and the website is a basic technical requirement. For the two parties to interact, an information request needs to be sent to the website, and the website needs to know where the information should be forwarded to. Data exchange is a stream of bits of 1 and 0 moving at high speed. Both ends need to capture the data, store them in cache, and then process them and display them in the proper format. Information stays in the cache, working area and temporary files for quite some time in order to speed up processing should the information be required again. That means all sorts of data, including personal data, browsing history, and preferred information, are tracked and stored by default. The Do-not-track option may simply mean that the users are not alerted of their data being used. What the privacy advocates should be concerned with is how the companies make use of the personal data.

Sunday, March 24, 2013

Beethoven's Late String Quartets - Sublime Madness?

I wonder if Daniel Chua has written a book on all of Beethoven's late string quartets, or is going to. But he was invited to speak on them at CU's Book Club on 22 March, and the material could constitute a book. Daniel Chua is the Head of the School of Humanities, HKU, and is a music professor. I would say a talk about music to a general audience would likely be on music appreciation and its philosophy. But Daniel Chua's talk was heavily dotted with technical aspects of the art, and would require some music knowledge to understand. This may not suit the regular book talk attendees. Luckily, among the audience, there were many Daniel Chua fans, including music scholars and his music students. Also, Daniel Chua gave a lively talk with energy and humour. The floor was generally enlightened and satisfied. I think the CU Book Club website will have a video recording of the talk later on. Those who are interested may revisit the talk in full. However, there are a few issues on the topic which allow me to wander further.

Beethoven concentrated on writing these string quartets during the last three years of his life. The style and emotion expressed were different from his previous work. All music critics pretended to be a worm in his belly and drew up various theories on the change, most of which were subjective and speculative. Some said he was deaf by then and the music was for the eyes on the score instead of the ears; some said he was disillusioned after his heroic period and turned pessimistic; some said these were his death songs. But none was true. Though with hearing impairment, the sound effect of music was still in his mind. Many musicians could hear music by reading the score. It was true that the heroic period in Europe as a whole had diminished by then, but the late string quartets were not sad music. They were experimental and many passages were full of spirit. On the last part, Daniel Chua cleverly pointed out that Beethoven did not know he would die in three years. Instead, he had just recovered from illness and was happy about it.

Beethoven was well known for his creativity and innovation. It would be a natural process for his music style to evolve. On appreciation of music, there are some standard approaches. One is to follow your natural instinct and reaction to melody and rhythm. Anyone would feel romantic or sad in slow passages, and be excited by loud and fast tunes. The other is to distinguish musical instruments in an orchestra and appreciate tone colour. A deeper appreciation is on form, to be able to understand how the music developed following some composing methods. These are the perspectives of the audience. However, the mind of the composers may be different. While they still do all these normal things, at the same time they will try to break away from tradition.

After listening to Beethoven's glorious symphonies for a few decades, the audience suddenly found that Beethoven had abandoned the orchestra and only composed string quartets, a simple form without other instruments. The familiar construction of sonata form was also changed. Movements were arranged differently and expectation was broken. Even the basic melodic and rhythmic progressions were changed. There were mimics of conversation and recitative in the music which were theatrical. Beethoven had gone mad. This was the assessment in the 19th century. Nowadays, we find that all composers were doing the same. This was just not accepted as normal practice at that time.

A well-known work of the late string quartets I admire is the "Heiliger Dankgesang" or holy song of thanksgiving. It is the third movement of the string quartet in A minor, op. 132, composed after Beethoven recovered from a serious illness. The main theme is peaceful, slow, steady, long and with perfect harmony; only white notes are used. Critics at that time called it a thanksgiving song to god. However, there is a middle section which is a dance, showing smooth bodily movement and is not suitable for use in worship. Modern critics considered that this movement was a record of the state of mind of Beethoven recovering from his illness. The slow and solemn section is a representation of him in convalescence in bed; and the dance section, marked "Neue Kraft fühlend" (with renewed strength), simply reflects his becoming energetic again. The slow passage in this movement contains many deep thoughts, which can only be discovered more and more as it is listened to time and again.

Another prominent and controversial work of the quartets is the Grande Fugue, the last movement of the string quartet in B flat major, op. 130, or not. It was originally written as the last movement of the quartet. The audience did not like it, finding it too difficult and awkward. Beethoven was furious, but he was persuaded by the publisher and friends to write a replacement movement, which was a dance with much simplicity. The Grande Fugue was published separately as op. 133, a standalone piece. Two centuries later, Stravinsky the modern composer still found the Grande Fugue fresh and revealing; and he considered Beethoven had written something well ahead of his time. The fugue is a standard composing method in the form of a canon highlighting intertwining melodies developed from a theme. It was popular a generation before Beethoven, but had then become archaic, to be composed as homework by music students. Beethoven chose this simple form but did it in the most complex manner. Instead of the good harmony and well balanced counterpoint of a fugue, this piece is full of dissonance. Each instrument seems to have a mind of its own. The melodies seem to contradict rather than complement each other, creating great chaos. I took it as a challenge and listened for a week. It is a double fugue with two themes, each with a development of its own. Out of the confusing counterpoint, there emerges a scenery of chaos and pain before settling down. To put it in context with the quartet in B flat major, some critics noticed that the slow movement before it was the cavatina, a beautiful song with a very sad middle section, like someone weeping while singing with the lyrics broken. Some critics called it the Gethsemane scene which was the night of the capture of Jesus. Thus it followed that the next movement, the Grande Fugue, was about crucifixion. However, I find it too far-fetched.
To really put it in context, one has to consider the whole string quartet, where the first three movements are not religious as such.

Wednesday, March 6, 2013

Cloud computing security

There are many horror stories concerning IT security, which I think are overrated. All systems have security risks. Even the most basic method of double locking valuable documents in an expensive safe is not absolutely safe. Safes could be breached; locked offices could be broken into; documents could be lost in transit; officers could be careless. When information is digitized and stored on computers, the security risks just change emphasis. They are neither more vulnerable nor safer. But paperless documents present a different perception. Some say you cannot steal when there is nothing to hold; but some say you do not even know it is stolen because there is nothing to hold. The bottom line is, major corporations, financial institutions and government agencies now all store their valuable information on computers. We could believe that reasonable and adequate protection is in place to avoid foreseeable security risks.

When valuable data are in the cloud, security considerations go one step further. The fact that the data are stored outside the office in the cloud, and accessed through an external connection, does raise concern. News of IT security breaches is often seen in the media, thus giving an impression that it is less safe. The truth is that online business transactions, especially financial transactions, are now very common. All banks are pushing very hard for online account management by users. Online purchasing and bill settlement is a booming business. Thus among the billions of transactions, the rate of security breaches is very low, much lower than road accidents and other crimes.

There are three main sources of IT security breaches.  The first is a deliberate attack by criminals or hackers, like breaking in.  The second is erroneous setting of IT procedures leading to data loss, like forgetting to lock the door.   The third is information leakage by workers, either through carelessness or malicious actions.  All these are still valid with cloud computing.

I would say that cloud computing could simplify much work for managers on hardware and software. However, it presents additional security risks on which the managers should focus their attention. For outside attacks, managers could rely on the security of the cloud as the first line of defense. The security of the servers is the responsibility of the cloud operators. Managers could assume that state-of-the-art defense is deployed. There has been talk that security measures by the cloud operators alone are not sufficient. Additional security could be obtained by restricting access to the cloud through another cloud to prevent skillful intruders. I think this level of defense is for the top secret data, and may not be feasible for every system. Just rest assured the cloud could do its job properly.

Additional risks are in data transmission and reception. Security measures such as virtual private networks and data encryption could be implemented according to the sensitivity of information. These may have to be specifically ordered. At the user end, computers are vulnerable to attack by hackers, or by malicious software rampant on the Internet. The standard protection is the IT security protection programs widely available in the market. Make sure that they are completely and actively installed, with instantaneous automatic updating. On user accounts, there is the issue of identity verification and local storage security. The standard gateway is the user name plus a password. Additional verification could be implemented through multi-factor authentication. In the past, security cards and digital tokens were used to identify an officer. These are now thought of as presenting only a false sense of security as they are easily lost or stolen. Furthermore, they present an additional headache for managers in their issuing, replacing and maintaining. Recently, more popular methods are an additional password with random digits and security secret questions and answers. The OCGIO Government Public Cloud Service GPCS bulk purchasing contract includes all these additional security services. They could be purchased as SaaS.

On the personal level, managers are required to nurture the mindset and behaviour of officers on the vigilance of IT risks. On the technical side, software is available for monitoring staff behaviour on the Internet, such as browsing habits, and for restricting file downloads. On the human side, it is more a human resource management subject than an IT management subject. IT security awareness and conscience could be promoted through training, staff management and staff relations.

Monday, March 4, 2013

Cloud computing - Software as a service SaaS

With the IT infrastructure in place in the cloud, managers need to make use of its functions for the delivery of IT services. Besides computer hardware in the cloud, computer software could also be put and operated in the cloud. Computer software is usually described at two levels. One is the basic operating system and utility programs generally called the platform. Upon the platform, computer applications are developed and implemented for the delivery of specific services.

The cloud could offer both as a service: PaaS (Platform as a service) and SaaS (Software as a service). PaaS could be viewed as a part of the IaaS, that is, the software part of the infrastructure. As such, the platform is provided as a common service in the cloud. Managers could take the platform in the cloud for granted and freely make use of its functions for the implementation of departmental applications.

Besides the technical platform for operating the hardware, OCGIO announced that she will make use of a common platform for supporting common e-government applications across departments.  They include a new user directory service for unified identity management, communications and collaboration that complements the government electronic messaging system.   Managers may be glad to hear that the tedious work of managing user log-in accounts, user identification, email accounts may all be replaced by a government-wide common system operating from the cloud.  Departments may need to follow strictly the procedures set by OCGIO in the common system.  This is a great step forward in the integration of communication in the government and a great relief for managers.

OCGIO also announced that she will develop shared services for a portfolio of applications, including software to support electronic information management, human resource management, electronic procurement and support for paper-less meetings. Operating from the cloud, this software will be common to all departments, but with specific emphasis on individual data and circumstances. Managers have been working on such systems for a long time. OCGIO attempted in the past to develop such common applications for all departments, but failed. Each department seems to have her own special requirement. A common cloud application could be a way to force departments to adopt and change. I would raise a word of warning. Beware of the impact of the change when adjusting the age-old manual system to fit into the new cloud-based system. The problem is not the technology but the requirement to change human working habits. But EO are expert change agents. We could bravely face the issue.

Then there are the most important departmental IT applications to be implemented in the cloud. Each case is unique and the usual steps of system analysis and design are required. Managers are the user side. The technical part is contracted out. In this connection, OCGIO has shortlisted a number of qualified service providers for the supply of SaaS common commercial software as a service. Initially, these providers will provide cloud services under four categories: Productivity Applications, Business Applications, Cloud IT Services, and Social Media Applications. Managers would have to negotiate with the providers, or refer departmental officers to them for the development of specific applications.

One remark on financial management; managers would be required to budget for the expenses of engaging contractors for the provision of cloud computing services.  From the scale of the applications on the list of selected services, the cost would likely need to be absorbed in Departmental Expenses.


Sunday, March 3, 2013

Cloud computing - Infrastructure as a service IaaS

When things are in the cloud, the ground is clear.

An IT infrastructure is the backbone of IT applications and IT services. Managers who are responsible for departmental IT matters would know all the issues associated with setting up and maintaining IT infrastructure in the department. Work would start from the basic requirement of accommodating the infrastructure, that is, special accommodation requirements. Usually, a secure room with uninterrupted power supply and temperature control is needed for the central servers and hubs. Then a series of servers is required for various functions. The servers are connected to individual terminals through a messy network of wires which could turn the office upside down. This beast requires constant feeding and care-taking. The manpower, attention and energy required for its upkeep are enormous and continuous, not to mention the worry of interruption of service and its safety.

To get the infrastructure off the ground, managers first need to perform much work on procurement and installation.   IT hardware needs to be constantly maintained and upgraded.  The cycle of maintenance, system update, replacement and addition is never-ending.

What if someone else could do all these for the managers?  Cloud computing offers such an opportunity.  All those mentioned above could be put in the cloud.  Then all that the managers need to do is to dream about it.  IaaS Infrastructure as a service comes into play.

IaaS could be provided in private cloud, outsourced private cloud and public cloud. Managers could expect the Government private cloud to be almighty. OCGIO has tried her utmost to bring the capability of her data centres to a high level which should be capable of meeting all the needs of departmental applications. A public cloud run by major IT service providers is even mightier. They do that for a living. For outsourced private cloud, the contractor would be happy to make the data centre for the department as versatile as possible. When the infrastructure is in the cloud, all the associated daily chores of operation, backup and maintenance are taken care of as a package. Managers only need to choose how to use the infrastructure. They could safely assume all that is required is already in the cloud. Procurement and installation of equipment for the cloud will be the task of the cloud keeper. Managers could just pick what function they want from the cloud. The rest is taken care of by the service charge, or by OCGIO data centres.

Besides saving a lot of effort for the departmental users, IaaS offers many benefits in cost saving through economy of scale and resource sharing. With centralized procurement and system implementation, the infrastructure could be shared by many different applications. A strong and ready cloud support is scalable and could meet service change on demand.

Nevertheless, managers making use of IaaS should first know how to ask the right questions.  Up-to-date common knowledge of the IT infrastructure is still required, just like a government human resource manager who would need to know the Civil Service Regulations well.  Most importantly, managers need to know and understand what the cloud could do.  The technical details could be left to the technicians.

In a perfect scenario, which may not be feasible for all offices at present at least, we could foresee all back-office IT services being carried out in the cloud. The office could be linked to the cloud through one or a few leased broadband connections. Users are then connected through wireless routers. Officers are each assigned a notebook computer or tablet computer so that they could be mobile in the office when using IT services. No network wiring is then required. All that the managers need to do is to stock a few spare computers for replacement.

Friday, March 1, 2013

Cloud computing in the government

Cloud computing is the order of the day. The market is now flooded with cloud services. All major IT service providers are competing to offer the best, fastest, most versatile and most secure cloud services. They are now in great demand. There is much talk about the mystery of cloud computing. Simply put, it is just a wider use of the TCP/IP protocol, or in layman's terms, the Internet - the cloud.

The Internet has been here for more than twenty years.  In the past, it was not extensively used by serious businesses.  First, connection to the Internet was not reliable; and second, security over leased line was a major concern.  These problems have largely been overcome. Many large corporations, financial institutions and governments are now comfortable in using the cloud as a standard platform for IT services.

The HKSAR Government announced that she would adopt the Cloud Computing model to meet rising public demands and community expectations on e-government services and reap the benefits of emerging technologies.  Actually, the issue has been on the agenda for a long time when the OCGIO set up her own data centres years ago for the storage of data for departments and for acting as central servers for many departmental applications.  The time is now ripe and a full scale introduction of cloud computing is being promoted.

EO as government resource and system managers are required to manage IT projects both for the delivery of departmental services and support services within the department. Cloud computing represents a new approach to such services. Thus managers would be impacted first hand by this modern trend. Luckily, the cloud computing model is a way forward and a much easier way from a management point of view. The major difference between cloud computing and traditional computing is that the majority of equipment and applications are not located on site.

Government announced that she plans to re-provision the central IT facilities and build the Government Cloud environment comprising three service layers: an in-house private Cloud owned and operated by the Government, an outsourced private Cloud with facilities dedicated to the Government in secure data centres operated by contractors, and public Cloud for generic services.  They are used to host applications and data based on the level of sensitivity and confidentiality of the data and information involved.

Managers could look at the change from the organizational perspective.  They have been tasked with the management of IT services, which may entail IT personnel, IT equipment and applications as well as IT security.  OCGIO or the previous ITSD used to undertake the technical work in the past.  Many years ago, OCGIO withdrew from the frontline, leaving departments to handle the technical work themselves.  Instead, IT Management Units were set up in departments.  These units, staffed by OCGIO seconded staff, acted as consultants on IT projects. Actual work was carried out in the departments by contractors.  Departments were required to manage both the IT Management Units and the contractors.  The government consultants, rather than hired consultants who took requests from clients, could dictate projects from the technical rather than the management angle.

The Cloud computing model may change the scenario in our favour. For private cloud, it could be the data centres operated by OCGIO. Operation personnel together with the daily chores with the servers will then be the responsibility of the centres. Some large departments may wish to set up their own private cloud in an out-sourced private data centre at an off-site location. This would be a dedicated technical task usually with strong operational content and run by technicians. For the public cloud, an IT service provider offering general cloud services to the public may be engaged. This will be for non-sensitive public information distribution. In short, if handled well, cloud computing could mean less work but stronger control for departmental managers.