Source Code: Your daily look at what matters in tech.
To give you the best possible experience, this site uses cookies. If you continue browsing. you accept our use of cookies. You can review our privacy policy to find out more about the cookies we use.
yesAdam JanofskyNone
Subscribe to
Want to better understand the $150 billion gaming industry? Get Shakeel Hashim's newsletter every Tuesday.
Are you keeping up with the latest cloud developments? Get Tom Krazit and Joe Williams' newsletter every Monday and Thursday.
David Wertime and our data-obsessed China team analyze China tech for you. Every Wednesday, with alerts on key stories and research.
Want your finger on the pulse of everything that's happening in tech? Sign up to get David Pierce's daily newsletter.
Do you know what's going on in the venture capital and startup world? Get the Pipeline newsletter every Saturday.
Do you know what's coming next up in the world of tech and entertainment? Get Janko Roettgers' newsletter every Thursday.
Hear from Protocol's experts on the biggest questions in tech. Get Braintrust in your inbox every Thursday.
Get access to the Protocol | Fintech newsletter, research, news alerts and events.
February 20, 2020
Ransomware victims often find themselves in what feels like an impossible position: There are endless decisions to be made, but it's a race against the clock to save computer systems and data.
That's what New Orleans city officials learned firsthand in the early morning hours on a Friday in December. At 6 a.m., there was a blip of suspicious activity on the city's cybersecurity alert system — not a definite sign of attack, but an early warning of what would come, the city's chief information officer Kim Walker LaGrue recounted in an interview with Protocol. At about 9 a.m., when many city employees started arriving to work, there was an uptick in reports of unusual behavior on their computers.
Get what matters in tech, in your inbox every morning. Sign up for Source Code.
By 11 a.m., the diagnosis was clear: Ransomware was spreading through the network. The malicious code was encrypting devices and information, rendering them inaccessible unless city officials decided to contact the attackers. Presumably, they would then get instructions about paying a ransom.
City officials had a game plan in place to guide them through some of the toughest decisions ransomware victims face — the biggest being whether or not to pay the demand. The Louisiana state government and three of its school districts were hit by two separate ransomware attacks in 2019, so New Orleans officials had prepared and rehearsed an incident response plan.
The first step LaGrue took — before she even consulted with the mayor — was to disconnect all city systems from the internet. More than 3,000 computers and 400 servers were shut down to prevent the malicious code from spreading, she said.
"We sounded every type of alarm we could," LaGrue said. The city declared a state of emergency within about 30 minutes of identifying the attack, she added. Within an hour, the FBI and other state and federal agencies were on the ground to help respond to the attack. Normal lines of communication — including the city's email system — were inaccessible, and a war room was set up to help relay information.
City officials knew early on that they would not engage with the attackers and that no ransom would be paid. The U.S. Conference of Mayors, of which New Orleans Mayor LaToya Cantrell is a member, last year adopted a resolution opposing such payments after cities including Baltimore and Atlanta were hit by ransomware attacks. Additionally, the FBI discourages organizations from paying ransomware demands, arguing that it incentivizes crime, emboldens attackers and is sometimes futile — attackers on occasion don't decrypt the data after a payment is made.
Because it didn't pay the attackers, New Orleans is still recovering; LaGrue estimates that it will take another four months to make a full recovery. So far, her staff has focused on restoring key priorities. The first step was inspecting and cleaning thousands of government computers, and removing ones that were too old to run up-to-date software, she said. Over the last month, the city has focused on restoring data from backups, as well as services including email and printing. Over the last few weeks, the city's IT staff has been particularly focused on assisting the city's infrastructure and public safety agencies in their preparations for Mardi Gras on Tuesday.
The financial impact of the attack is still uncertain. A city spokesperson said that the current estimated cost of the attack is $7.2 million, adding that he "wouldn't be shocked if it got higher." The city has a $3 million cyber insurance policy that will help cover some of the costs, which include replacing between 500 and 800 computers as a result of the incident, LaGrue said. The city is planning to add three cybersecurity specialists to its IT staff, which currently includes 65 workers, she said.
Ransomware has been a rapidly growing problem for all types of organizations, including Fortune 500 firms and small nonprofits. The antimalware firm Malwarebytes said in August that it observed a roughly 365% spike in ransomware detections between 2018 and 2019. Municipalities, educational institutions and health care organizations are prime targets for ransomware attacks due to their lack of spending on security and outdated hardware and software, according to the report.
Because ransomware affects a range of organizations, the decision to pay can't be one-size-fits-all, according to Chris Hallenbeck, CISO for the Americas at cybersecurity firm Tanium.
"In an ideal world, no one pays the ransom," he said. "It's feeding the beast and creating an ecosystem that encourages criminals. But the reality of many organizations is that every day they're down there's massive impacts to the services they provide."
Overall, about a third of companies pay the ransom, according to security firm Emisisoft.
Which brings us to Maastricht University in the Netherlands, a recent example of an organization that decided to pay a demand after falling victim to ransomware. On Dec. 30, the university decided to pay 30 bitcoin, or about $305,000, to regain access to its systems and data.
Several factors made the attack particularly disruptive, and increased the university's incentives to pay the demand, according to a forensic report from FOX-IT, the security firm that assisted with the incident. A key factor was that attackers were able to encrypt backups for some of the university's critical systems. That meant that, without obtaining a decryption key from the attackers, the university would have to rebuild its infected systems from scratch — a process that would stall the work of students and researchers for many months. Additionally, unlike New Orleans, Maastricht University did not carry cyber insurance to help cover the costs of lengthy disruptions.
The attacker had access to the university's infrastructure for months and studied it to figure out how to maximize damage. They first gained access through a phishing email on Oct. 15 that instructed someone in the university community to sign an attached document and scan it back to the sender. Upon clicking the attachment, malware was installed that gave the attacker administrative access to the device.
On Nov. 21, while scanning the university's network, the attacker found a server with missing security updates and used it to obtain full access to the organization's infrastructure. On Dec. 23, the attacker deployed the Clop ransomware variant on 267 servers. The timing was particularly challenging for the university: Most faculty, students and support staff were away for the holiday break. Employees from IT, facilities, communications and a range of other departments had to skip part of their holiday to respond to the emergency, according to a spokesperson. One week after the ransomware was installed, the university decided to pay the ransom.
Nick Bos, vice president of the university's executive board, said in the report that the decision to pay the demand was a "devil's bargain": The university would have to live with the ethical issues that come from paying criminals in order to resume operations, research and studies.
At a symposium this month attended by students and faculty, Bos said the risks of losing the data were so great that the university did not attempt to negotiate with the attackers; administrators wanted the process to be as calm as possible, he said.
Bos said he was confident that paying the demand was the right choice. About five weeks after paying the demand, students and faculty were able to access almost all of the university's technologies, as well as attend classes and take exams.
"We felt, in consultation with our management and our supervisory bodies, that we could not make any other responsible choice when considering the interests of our students and staff," Bos said in the report.
Adam Janofsky
Adam Janofsky (@adamjanofsky) is the former cybersecurity and privacy reporter at Protocol. Prior to that, he was a reporter at The Wall Street Journal, where he covered cybersecurity, AI and other emerging technology. Prior to that, he worked at Inc. magazine and edited The Wall Street Journal's blog about startups and entrepreneurship.
Protocol | Fintech
Plaid’s COO is riding fintech’s choppy waves
He's a striking presence on the beach. If he navigates Plaid's data challenges, Eric Sager will loom large in the financial world as well.
Plaid COO Eric Sager is an avid surfer.
Photo: Plaid
March 4, 2021
Benjamin Pimentel ( @benpimentel) covers fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at bpimentel@protocol.com or via Signal at (510)731-8429.
March 4, 2021
Eric Sager is an avid surfer. It's a fitting passion for the No. 2 executive at Plaid, a startup that's riding fintech's rough waters — including a rogue wave on the horizon that could cause a wipeout.
As Plaid's chief operating officer, Sager has been helping the startup navigate that choppiness, from an abandoned merger with Visa to a harsh critique by the CEO of a top Wall Street bank.
<p>But things have been breaking nicely for Plaid during the COVID-19 crisis, which has let the company really charge. </p><p>Plaid, which is based in San Francisco and has more than 600 employees, charges financial apps for a service that helps consumers verify and connect their bank accounts, a key step for moving and managing their money. It also, controversially, pulls transaction data from those newly connected accounts and sells insights based on that information.</p><h3>Surfer-in-chief</h3><p>Plaid's surfer-in-chief describes the customer base as a series of waves.</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="1">
</div>
</div></p><p>"The first wave is the core fintech companies — the Robinhoods, the Venmos, the Squares, the Chimes," he said, noting how these "early fintechs are getting more and more successful."</p><p>"The second wave [composed of] banks and financial institutions are rapidly moving to digitize. … The third wave are the Googles, the Apples, the Lyfts, the Teslas. Everybody is moving towards building digital financial services."</p><p>"We're riding all three of those," he added. "If anything keeps me up at night it's making sure that we continue to kind of scale the business."</p><p>Sager admits that, as a surfer bro, he can be an intimidating presence at the beach.</p><p><br></p><p class="shortcode-media shortcode-media-rebelmouse-image">
<a href="https://assets.rebelmouse.io/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbWFnZSI6Imh0dHBzOi8vYXNzZXRzLnJibC5tcy8yNTcxMzc4NC9vcmlnaW4uanBnIiwiZXhwaXJlc19hdCI6MTY1ODQ1Mjc4NX0.2-3V-Md9VtATd0QhCvcc6VFQNXuu7_reFyIPjdEVuAA/img.jpg?width=980" target="_blank"><img type="lazy-image" data-runner-src="https://assets.rebelmouse.io/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbWFnZSI6Imh0dHBzOi8vYXNzZXRzLnJibC5tcy8yNTcxMzc4NC9vcmlnaW4uanBnIiwiZXhwaXJlc19hdCI6MTY1ODQ1Mjc4NX0.2-3V-Md9VtATd0QhCvcc6VFQNXuu7_reFyIPjdEVuAA/img.jpg?width=980" id="3c170" class="rm-shortcode" data-rm-shortcode-id="4978fb31443a663192df9fc1643a9eb4" data-rm-shortcode-name="rebelmouse-image"></a>
<small class="image-media media-caption" placeholder="Add Photo Caption...">Sager with wife Melissa Miao.</small>
<small class="image-media media-photo-credit" placeholder="add photo credit...">Photo: Plaid</small>
</p><p><br></p><p>"I'm 6'8", I have a 10-foot-board and my family has a history of skin cancer, so I go out there with a hat," he told Protocol. "So all the little kids that are surfing always make fun of me. But once I'm on the wave, all the short boarders get out of the way."</p><p>Plaid's latest charge is toward payroll data. On Thursday, the company unveiled a new product that would make it easier to verify employee income for different financing needs, including securing a loan, applying for a mortgage or leasing a car. </p><p>Plaid is supporting real-time payroll authentication for more than 250,000 of the largest employers in the U.S., which the company estimates makes up to 60% of the total working population. </p><p>"It was something we heard a lot from customers who were being asked to verify income and so forth," Sager said. "Every single lending customer we have would love to have this information for the exact same reason that it makes the onboarding flow easier."</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="2">
</div>
</div></p><p>Melody Brue, analyst with Moor Insights & Strategy, said the new offering could "open up so many possibilities for employers, lenders, neobanks — pretty much everyone in the fintech ecosystem." </p><p>"Access to payroll data can change the way lenders look at underwriting and servicing loans and significantly cut costs and time spent on verification," she told Protocol. </p><h3>'A blessing in disguise'</h3><p>It's Plaid's first major product rollout since the collapse of merger talks with Visa. Brue called <a href="https://www.protocol.com/plaid-visa-deal" target="_self">the scuttling of the deal</a> "a blessing in disguise" after Plaid saw stronger demand for its infrastructure in the COVID-19 crisis. The company, which has raised $310 million in funding from investors that include Goldman Sachs, Citi Ventures and Visa, was last valued at $5.3 billion. That has <a href="https://www.theinformation.com/articles/plaid-shareholders-field-offers-at-15-billion-after-merger-collapse" rel="noopener noreferrer" target="_blank">reportedly jumped to $15 billion</a> following the collapse of the Visa deal.</p><p>But Plaid's latest product offering, she said, will also likely make it more of a target: "This will likely be seen as a threat to financial institutions, as they already fear security issues from open banking and now may fear losing customers."</p><p>Plaid emerged as a powerhouse by providing banks and financial startups real-time access to consumer financial data, such as bank and investment accounts. Plaid, whose services integrate with 11,000 financial institutions, has more than 4,000 customers, including Square, PayPal, Robinhood, SoFi and Affirm.</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="3">
</div>
</div></p><p>But Plaid has taken fire for the way it manages financial data. "Plaid has irritated a lot of the banks," Logan Allin, managing general partner and founder of Fin Venture Capital, told Protocol. "You heard Jamie Dimon saying Plaid's playing dirty, right?"</p><p>He was referring to the <a href="https://www.cnbc.com/2021/01/15/jamie-dimon-says-jpmorgan-chase-should-absolutely-be-scared-s-less-about-fintech-threat.html" rel="noopener noreferrer" target="_blank">JPMorgan Chase CEO's remark</a> on a call with analysts calling out "people who improperly use data that's been given to them, like Plaid." Dimon's remarks came despite a 2018 agreement the companies signed that they said would "protect customer data."</p><p>Plaid also faces a class action lawsuit filed by a consumer, accusing the company of using deceptive and misleading data practices.</p><p>"Imagine there is a company that knows every dollar you deposit or withdraw, every dollar you charge or pay to your credit card and every dollar you put away for retirement, within hours after you make the transaction," <a href="https://www.courtlistener.com/recap/gov.uscourts.cand.361471/gov.uscourts.cand.361471.1.0.pdf" rel="noopener noreferrer" target="_blank">the lawsuit filed on behalf of California resident</a> Logan Mitchell began. "Imagine that, as far as you know, you never provided your username and password to this company or otherwise authorized it to access your online accounts."</p><p>The lawsuit argued that Plaid "acquired its mountain of consumer data by deceiving consumers into giving Plaid the key to their financial lives: their bank usernames and passwords." It accused the startup of committing "fraud by erecting a sophisticated edifice of deceit to trick users into thinking that they are logging into their financial institutions, when in fact they are turning over their credentials to Plaid."</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="4">
</div>
</div></p><p>Sager declined to comment on the lawsuit or Dimon's remarks. But he said Plaid has built features meant to give consumers control over their data. "If you're a consumer, you can log on to a dashboard, you can see every single connection you've ever made, you can permission and un-permission that information."</p><h3>Debate over data access</h3><p>However, critics, including some fintechs, argue that Plaid does not offer enough clear and convenient opportunities for consumers to opt out of having their data accessed. Yves-Gabriel Leboeuf, CEO and cofounder of Flinks, a Plaid rival based in Montreal — it's been called the "Canadian Plaid" — would not comment directly about Plaid, but he said consumer consent in fintech data aggregation is a serious issue. </p><p>"The bad data practices that we've seen in the market are practices where there will be an ongoing aggregation of the data on a daily basis, without having expressly giving the consent to do so," he told Protocol. "Our thesis is that that's not Flinks' data, that's the consumers' data. And we have no right to use that data, unless it's clear that they are giving us that right."</p><p>Steve Smith, CEO of Finicity, another Plaid rival which was recently acquired by Mastercard, also emphasized the need for "full transparency" in the way consumer financial data is accessed. He stressed the importance of "bringing down the walled garden of data, but doing it in a very responsible way."</p><p>"I can't speak to Plaid's specific data governance policy or Yodlee's specific data governance policy," Smith told Protocol, referring to another major data aggregator which has <a href="https://www.reuters.com/article/dataprivacy-envestnet-yodlee/envestnet-yodlee-seek-dismissal-of-privacy-lawsuit-over-financial-data-collection-idUSL1N2HR39K" rel="noopener noreferrer" target="_blank">also been sued for its data collection practices</a>. "Clearly, I think you'll find differences between the three organizations and the way they view data or the way they approach this conversation."</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="5">
</div>
</div></p><p>Sager stressed that making all that data accessible to banks and fintechs has been a game changer for many consumers. "A lot of the innovation fintech is helping address is suddenly people are getting products that they previously weren't able to get," he said.</p><p>His views were shaped by an unusual career. Born and raised in Germany, he moved to the U.S. as a high school exchange student. He had hoped to go to California or Hawaii, for the surfing spots, but the program sent him instead to Mississippi where he also went to college.</p><p>His first job after graduation was with Capital One. He was part of a team at the credit-card issuer that ran tests to evaluate the effectiveness of direct mail campaigns. "What's the difference in response rate if the letter is blue versus pink versus white?" he said. "What's the difference in response rate if the font on the APR is 10 points versus 12 points? There's just nothing we didn't test."</p><p>That included the unorthodox, and legally dubious idea, of putting a dollar bill inside promotional mailers. That didn't sit well with Capital One's management, who promptly told them to shut it down.</p><p>"Well, I didn't put it in there myself," Sager said of the dollar bill scheme, laughing. "The results were good, but it's obviously not the kind of thing you want to be doing at scale so we shut that down. It was my first job. I was 22 and it was probably not the best judgment call."</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="6">
</div>
</div></p><p>He subsequently got an MBA from Harvard before working at Bain. He then plunged into the fintech world, first as head of sales at Square, then as chief revenue officer at BlueVine, a small business-financing startup. <em>[Disclosure: This reporter worked with Sager at BlueVine.]</em></p><p>When he joined Plaid as COO in 2019, it was a challenging transition. Plaid was six years old, and still growing quickly. He was the new guy, and he didn't want to screw things up.</p><p>For the first time in his executive career, Sager said, he was leading a team that he didn't help build from the ground up. He was used to being one of the most experienced people in the room.</p><p>"I was used to saying, 'Hey, I built this. I actually was there when we built it from zero to one or from one to two,'" he said. "Suddenly, you're in a world where it's already at 10. It was already a big, successful company. Suddenly, you're in a situation where you're going literally all day long talking to somebody else and they know way more, but they're still looking to you as if you should have some unique insight. It will make you feel dumb very quickly."</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="7">
</div>
</div></p><p>Charley Ma, who was a growth manager at Plaid when Sager joined the startup and is now a general manager at Alloy, remembered him as an effective leader. "He's very German, very direct, which I like," he told Protocol. </p><h3>Democratizing finance</h3><p>Brue of Moor Insights & Strategy said Sager has become instrumental in "driving the company" in the direction of "actually democratizing finance. The company is giving people access to financial services they've previously been excluded from."</p><p>That approach was influenced by Sager's early years in the U.S.. His first credit card after moving to the U.S. from Germany had an APR of roughly 30%, he said. "I just didn't have a good credit score because I just had never been part of the U.S. system," he said. "Don't get me wrong. Nobody should feel sorry for me. I had a good job and I could find other ways of doing it."</p><p>"But think about how many people in the U.S. aren't in that position — they don't have the history, they can't get loans or they have to get really really expensive loans. You're in a bad cycle. You're trying to take care of your family. You're forced to take high-interest loans. Now you have to work to pay off the high-interest loans and before you know it, you end up in a very negative spiral."</p><p>Fintech is helping fix this, he said. Broader data access is making it possible to offer better financing to more consumers, including those who may not have what's traditionally considered stellar credit. "At the end of the day right, better data means better underwriting," Sager said.</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="8">
</div>
</div></p><p>In fact, having more data could have improved the work he did at Capital One, he said: "If we just had some of the data that we now have, we would have been able to make much better decisions. We would have been able to offer people much lower rates."</p><p>"It's not impossible" for a consumer to provide more data then or now, he said. "The other version 10 years ago would have been you asked for all the bank statements, I go print them out, I put them in the mail or I go go to the office and drop them off and you work through all that. It's not like it couldn't be done, but it's about removing the friction."</p><p>Sager acknowledged that data access has become a "flashpoint" in financial services. Banks and other traditional financial institutions have been <a href="https://www.protocol.com/fintech/cfpb-banks-financial-data" target="_self">resisting calls to make consumer data</a> they collect and hold more accessible to new financial players. </p><p>Leboeuf, the Flinks CEO, said it's a debate in which his company and others are aligned with Plaid: "I do think that the best approach is driven by Plaid and Flinks because ultimately we are working for the best interests of the applications and the consumers."</p><p>Sager echoed that view, saying: "At the end of the day, it's the consumer's data. Whoever you've been banking with, it's your data and you should have the same rights to that data digitally as you would if you were to print out your bank statement, if you wanted to use that to get a car loan, if you wanted to use that to input that information manually into an Excel spreadsheet so you could do your budgeting — whatever it is, it's the consumers' data."</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="9">
</div>
</div></p><p>It's the view Sager hopes will prevail as Plaid gears up for that swell on the horizon. Will Sager get a clean ride — or will Plaid find itself locked in?</p>
Keep Reading
Show less
Benjamin Pimentel ( @benpimentel) covers fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at bpimentel@protocol.com or via Signal at (510)731-8429.
Sponsored Content
The future of computing at the edge: an interview with Intel’s Tom Lantzsch
An interview with Tom Lantzsch, SVP and GM, Internet of Things Group at Intel
February 28, 2021
Saul Hudson has a deep knowledge of creating brand voice identity, especially in understanding and targeting messages in cutting-edge technologies. He enjoys commissioning, editing, writing, and business development, in helping companies to build passionate audiences and accelerate their growth. Hudson has reported from more than 30 countries, from war zones to boardrooms to presidential palaces. He has led multinational, multi-lingual teams and managed operations for hundreds of journalists. Hudson is a Managing Partner at Angle42, a strategic communications consultancy.
February 27, 2021
An interview with Tom Lantzsch
Senior Vice President and General Manager of the Internet of Things Group (IoT) at Intel Corporation
Edge computing had been on the rise in the last 18 months – and accelerated amid the need for new applications to solve challenges created by the Covid-19 pandemic. Tom Lantzsch, Senior Vice President and General Manager of the Internet of Things Group (IoT) at Intel Corp., thinks there are more innovations to come – and wants technology leaders to think equally about data and the algorithms as critical differentiators.
In his role at Intel, Lantzsch leads the worldwide group of solutions architects across IoT market segments, including retail, banking, hospitality, education, industrial, transportation, smart cities and healthcare. And he's seen first-hand how artificial intelligence run at the edge can have a big impact on customers' success.
Protocol sat down with Lantzsch to talk about the challenges faced by companies seeking to move from the cloud to the edge; some of the surprising ways that Intel has found to help customers and the next big breakthrough in this space.
What are the biggest trends you are seeing with edge computing and IoT?
A few years ago, there was a notion that the edge was going to be a simplistic model, where we were going to have everything connected up into the cloud and all the compute was going to happen in the cloud. At Intel, we had a bit of a contrarian view. We thought much of the interesting compute was going to happen closer to where data was created. And we believed, at that time, that camera technology was going to be the driving force – that just the sheer amount of content that was created would be overwhelming to ship to the cloud – so we'd have to do compute at the edge. A few years later – that hypothesis is in action and we're seeing edge compute happen in a big way.
<p>The last 18 months have been a wild time to be in technology. We've seen edge compute come to life to help businesses adapt during the pandemic. At the same time, we are also seeing how 5G is going to drive up interest, especially from a networking perspective, rather than a use-case perspective. We also see lot of people that are focused on their data, but the <em>algorithms</em> that companies train with the data are going to be their critical assets. It doesn't matter what company or what industry; <em>this</em> will really become the differentiator for many companies.</p><p>And particularly amid the backdrop of the pandemic, we've seen how companies are using technology to either bring workers back in safely or <a href="https://www.intel.com/content/www/us/en/corporate-responsibility/covid-19-response-sensormatic-article.html" target="_blank">serve their customers in new ways</a>, <a href="https://www.intel.com/content/www/us/en/customer-spotlight/stories/brentwood-academy-customer-spotlight.html" rel="noopener noreferrer" target="_blank">educate children in new ways</a> -- all things that have accelerated the digital transformation that had been underway. I recently read a <a href="https://www.mckinsey.com/business-functions/strategy-and-corporate-finance/our-insights/how-covid-19-has-pushed-companies-over-the-technology-tipping-point-and-transformed-business-forever" rel="noopener noreferrer" target="_blank">McKinsey survey</a> that reported on the "speedup in creating digital or digitally enhanced offerings. Across regions, the results suggest a seven-year increase, on average, in the rate at which companies are developing these products and services."</p><p>And based on what we're seeing at Intel, those are lifesaving and industry saving investments happening today – completely re-designing the way that <a href="https://www.intel.com/content/www/us/en/corporate-responsibility/covid-19-response-mic-article.html" rel="noopener noreferrer" target="_blank">patients are treated</a>, and businesses operate.</p><h4>What are you particularly expecting to see this year?</h4><p>What I find most interesting is the work that combines IoT with networking capabilities – and I think this is going to be a year of expansive exploration and working with our customers to put these two things together to solve real business challenges.</p><p>When we first started the integration of networking technology and operational technology capabilities and layered that across the industry verticals, we could count the amount of interested customers and opportunities on one hand. Last year, it was five times that many and this year we see that number increasing significantly already. So, we're excited to see the industry continue to build excitement to scale those types of deployments.</p><h4>What role does AI play at the edge and in what way is Intel involved?</h4><p>An AI use case recently grabbed my attention: employees in a restaurant being screened by a device that checks temperature while the employees are washing their hands – and provides a determination on whether they'd done it adequately before they report to work. I have seen other applications using similar technology in the <a href="https://marketplace.intel.com/s/offering/a5b3b000000TiMSAA0/using-ai-to-make-construction-site-safer?language=en_US" rel="noopener noreferrer" target="_blank">construction industry</a>, where an AI algorithm scans to see if employees have their helmet, goggles, vest and other safety equipment on properly to determine if they are ready to work. And the best part is – that the employer can see aggregate data on these interactions to determine if more training on handwashing or helmet wearing is needed.</p><p>At Intel, in addition to providing the fundamental base technology to enable these applications, we work with a lot of third-party developers to create these applications. And we help the developers scale them across multiple industries with our salesforce. So, we may not make the scan technology that determines if you have the right gear on, but we orchestrate that coordination across our ecosystem with all of our partners to effectively put it into a <a href="https://marketplace.intel.com/s/?language=en_US" rel="noopener noreferrer" target="_blank">catalog</a> so that if customers are interested in that sort of application, we can provide them with different parties to make that happen.</p><h4>Is there a problem with fragmentation in the market and how can that be solved?</h4><p>It's very fragmented. I gave just two examples of totally different workers coming to work in different industries and I can give you five more that are different again. Although the base technology that Intel creates to enable this type of innovation is very horizontal in nature, the reality is that bringing those to life must be very "vertically-centered" and very "use-case centered" – and must take into account, geography. The two employee use cases I cited look very different if you are talking about employees in North America, India or Germany. So, all in all, this is a holistic ecosystem challenge – and an ecosystem solution.</p><p>At Intel, we're in a unique situation to orchestrate these solutions. </p><p><cite class="pull-quote">People tend to think of Intel as providing the technical footprint that enables edge computing – but we also have the developer reach – and we can use our ecosystem and scale to help our end customers get access to the best solutions.</cite></p><h4>What sort of challenges do customers face when they're attempting to adopt edge computing?</h4><p>There are two common challenges. One is the technical question of 'Who can I work with?' A customer may have a chip focus but actually, it's a more complex question than a chip. We like that complexity, because we can be an adviser to them and <a href="https://marketplace.intel.com/s/partners-by-industry?language=en_US" rel="noopener noreferrer" target="_blank">bring to the table partners</a> that they can work with to solve that complexity leveraging our technical knowledge and ecosystem network. </p><p>The second thing that companies struggle with is the challenge of how to fund getting into this space – even if the business case warrants the investment. The world has changed. Companies don't want to write a big capital check for these types of investments – they want a pay-as-you-go model, like you see with the cloud. We've been working with customers to find a way to make that happen – and I think that is going to be a bigger part of the conversation moving forward.</p><p>You can see it across almost every aspect of technology now. We rent compute more than we buy compute. Evidenced by the success of AWS, companies can rent compute from Amazon instead of building their own data center – and there are many benefits to that approach. In the old world, even for this video conference that we're having today we would have installed capital to do this. Now it's just a service. And I think that edge as a service is right around the corner.</p><h4>Do you have an example of that?</h4><p>A customer in Mexico wanted to deploy outdoor WiFi and add security features into it. So, it was an edge-based computing issue that was part connectivity. But there was actually way more to it than just installing it. We not only helped to solved the technological challenge creatively and coordinated the <a href="https://marketplace.intel.com/s/partners-by-industry?language=en_US" rel="noopener noreferrer" target="_blank">ecosystem of providers</a> to solve this, but we also found a way so that the customer could get into this market with a service-based model without needing to outlay a lot of capital.</p><p>Other semiconductor companies would have a difficult time partnering on both sides of that challenge, but Intel can do it because we have the scale.</p><h4>How do businesses identify which functions they do want to perform at the edge versus in the cloud?</h4><p>It really comes down to a question of what you're trying to do and how you do it at the lowest cost, highest quality and standard in computability.</p><p>If you have an application and it can perform what you need it to do in the cloud, you'll probably run it there. The cloud is a great thing - there's infinite compute and lots of choice in a well-understood developer environment.</p><p>But there are many things you can't or shouldn't do in the cloud for certain reasons. Take the camera example from earlier. Say you have eight high-density cameras, and you want an action on them immediately. You may not be able to afford the latency that comes with going up into the cloud. Or it may be a financial challenge – that its actually more expensive to send that data to the cloud over and over again, and it makes sense to invest in compute at the edge. There are nuances in the decision-making. It really comes down to what you want the application to do, how quickly and how much it should cost.</p><h4>How does Intel help developers to learn, to build and then test their solutions at the edge?</h4><p>To enable what we know to be interesting and challenging use cases at the edge, required us to change our focus on who these developers are and what they care about. We learned that they <em>really</em> don't care about what hardware they're running on. The modern developers are fairly well extracted from the hardware – they just assume the compute is going to be available for them to do their work.</p><p>To make sure we can deliver on that, we typically target developers by specific capability. The most advanced case that we've been studying on the edge recently is focused video and specifically, video inferencing and AI inferencing. We created a tool called <a href="https://software.intel.com/content/www/us/en/develop/tools/openvino-toolkit.html" rel="noopener noreferrer" target="_blank">OpenVINO</a>, which was developed in a way that developers didn't have to care about the hardware it runs on. It's a model optimization technology that enables them to easily scale out to different hardware platforms. That's proven to be an interesting value proposition to these developers.</p><p>Our goal with <a href="https://software.intel.com/content/www/us/en/develop/tools/openvino-toolkit.html" rel="noopener noreferrer" target="_blank">OpenVINO</a> is democratize AI activity and inference at the edge. We want to make it simple -- to put these tools in the hands of non-data scientists and make it work. As a part of that process, we're also creating an environment where they can develop anyplace, anytime, anywhere they want to be. We're so proud of our <a href="https://software.intel.com/content/www/us/en/develop/tools/openvino-toolkit.html" rel="noopener noreferrer" target="_blank">OpenVINO</a> community and are constantly working to grow the community and release new features and capabilities to edge developers.</p><h4>What's the possible next breakthrough that you see for Intel in edge computing and the IoT space?</h4><p>I'm looking forward to the big breakthrough when we show integrated 5G, Virtual Private Network and the edge workloads all in one unit. More to come.</p>
Keep Reading
Show less
Saul Hudson has a deep knowledge of creating brand voice identity, especially in understanding and targeting messages in cutting-edge technologies. He enjoys commissioning, editing, writing, and business development, in helping companies to build passionate audiences and accelerate their growth. Hudson has reported from more than 30 countries, from war zones to boardrooms to presidential palaces. He has led multinational, multi-lingual teams and managed operations for hundreds of journalists. Hudson is a Managing Partner at Angle42, a strategic communications consultancy.
Protocol | China
Here’s who has the ear of China’s most active cyber regulator
Alibaba and Huawei are dominating — while other big companies like ByteDance are sitting on the sidelines.
TC260's proposed standards have influence throughout Chinese government.
Image: Yuichiro Chino/Getty Images
January 27, 2021
Clara Wang is a Researcher - Data Scientist for Protocol | China. Previously, she worked as a data scientist for the Biden campaign and at Civis Analytics, and she spent a summer working for the John L. Thornton China Center at the Brookings Institution. She has conducted research on data privacy, misinformation, and information control in the digital age, and she is completing her Master's in Economics at the Yenching Academy program at Peking University.
January 27, 2021
Protocol | China tracks major Chinese standards and regulations with the power to affect your business.
China's economy is projected to be the world's largest by 2028, and Beijing is betting heavily on the power of technology to get it there. But China needs to build and sustain public trust in tech platforms if it wants a future with smart cities that run on the cloud, wide adoption of digital currency and increasing reliance on electronic devices that collect vast amounts of personal data. So it's hastily assembling a regulatory framework, and the organization doing much of this building is the National Information Security Standardization Technical Committee (also known as Technical Committee 260 or TC260). Despite its wonky name, it wields extraordinary power over Chinese cyberspace; as of December, it has issued more than 300 standards related to information security and cybersecurity, and it has about 700 more in the works.
<p><div class="ad-tag"><div class="ad-place-holder" data-pos="1">
</div>
</div></p><p>TC260 isn't an enforcement body, but its influence is visible throughout Chinese government. For example, in October 2020, it released an updated <a href="https://www.tc260.org.cn/upload/2020-09-18/1600432872689070371.pdf" rel="noopener noreferrer" target="_blank">personal information security</a> standard with recommended practices for data governance and security. About three weeks later, the government released a draft of its updated <a href="https://www.newamerica.org/cybersecurity-initiative/digichina/blog/chinas-draft-personal-information-protection-law-full-translation/" rel="noopener noreferrer" target="_blank">Personal Information Protection Law</a> for public consultation, and two days after that <a href="http://www.cverc.org.cn/" rel="noopener noreferrer" target="_blank">China's National Computer Virus Emergency Response Center</a> published a <a href="https://baijiahao.baidu.com/s?id=1681330813286436015&wfr=spider&for=pc" rel="noopener noreferrer" target="_blank">list</a> of over 20 mobile applications in violation of existing personal information protection laws and urged users to be wary of downloading these apps. The list mostly includes Chinese apps, but also named <a href="https://www.amazon.cn/" rel="noopener noreferrer" target="_blank">Amazon</a>, a sign that foreign companies operating in China could also be swept up in coming regulatory crackdowns. <br></p><p>Multinationals have to ensure their technologies align with standards to pass regulatory checks if they want to maintain their operations in China.</p><p>This is surely one reason why dozens of foreign companies sit on TC260's working groups, as do hundreds of Chinese ones; these companies nervously await each new release, and often task their lawyers or outside firms with quick guidance. </p><p>TC260 is also more transparent than a typical Chinese government entity. The identities of its 81 committee members and corporate participants in its working groups are all public, as are the names of the companies and individuals credited with input on each of TC260's regulations. Protocol has collected and analyzed all information released by TC260 to unpack which companies have the regulator's ear.</p><h3>Chinese tech giants: Who's primus inter pares?</h3><p>China's largest technology companies have a large footprint. Among 81 committee members, Baidu, Alibaba, Tencent and Huawei (the "BATH") are all represented, as are Lenovo, ZTE and JD. Committee membership on TC260 is valuable, as committee members get the final say on standards coming out of various working groups, and they can vote to send standards back to a working group for revision. The committee member from Huawei also wields influence as the team lead for the working group looking at communication security standards, meaning that they can impact that group's standard setting deliberations. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="2">
</div>
</div></p><p>But even though all these large technology companies have representation on TC260's committee or one or more of TC260's working groups, not all of them play an active role in drafting TC260 standards and regulations. Instead, Huawei and Alibaba are preeminent among them. Both have their fingerprints on more than 20 released national standards.<br></p><p><img src="https://lh5.googleusercontent.com/CFpu8Uv-fjBPB8ML89ue6q8ZGyAm0U0-RtcqQmjpZ43HbbhofJNVhzjEVz-DC41ea8VNZw_5yrQncPARaxoJ_H6cmoANypmZnszdb3OuYMgFkeZDrvZ4GUFPGU09T6N7iPMkfnLC"> </p><p>China's big tech companies seem to have the greatest involvement in the Internet of Things. Of the 16 regulations that have been released or are currently in progress that relate to IoT, almost 50% of them have one or more BATH companies involved in drafting the regulation. As "smart" devices scale up into "smart" cities, IoT technology will play an even greater role in people's daily lives — from traffic congestion to water usage metrics — meaning that China's tech giants are helping to define standards that reach far beyond phone screens. </p><p>It's clearly an unequal bunch. Xiaomi and ByteDance sit on multiple working groups but are not credited with helping to draft a single standard or regulation. In fact, their peers may be using TC260 to undercut them. For example, a <a href="http://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=4568F276E0F8346EB0FBA097AA0CE05E" target="_blank">personal information security specification</a> that formally went into effect in October 2020 requires users be given a clear opt-out mechanism from their news filter bubbles so they can view generic, rather than tailored, content. While the specification impacts all the big technology companies that work with data, this new addition seems like it could be targeted at ByteDance's Toutiao product, which has dominated the personalized news space due to its <a href="https://www.ycombinator.com/library/3x-hidden-forces-behind-toutiao-china-s-content-king" target="_blank">novel, algorithmic recommendation system</a> that's juiced user engagement. Two contributors to that new regulation? Tencent and Alibaba, both ByteDance competitors. ByteDance itself is notably absent.</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="3">
</div>
</div></p><p>Huawei's prevalence in TC260 may give the company a greater say in the country's future technology infrastructure. Huawei has been involved with TC260 regulations and standards related to telecommunications, data security and cloud computing, which fundamentally impact many organizations that work with or transfer data. The telecommunications giant has also been involved with standards such as <a href="http://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=F665694F939CE7DF87D50741E39E6BDA" rel="noopener noreferrer" target="_blank">the "Framework of smart city security system"</a> which sets foundational standards for China's smart city ambitions. Huawei's 5G technology is likely to form part of the key infrastructure for China's smart cities, as it enables faster and more reliable data transfers. </p><p>Meanwhile, many of the policies Alibaba and its subsidiaries, such as Taobao and Ant Financial, have helped draft generally involve safety standards and regulations for big data, cloud computing and cloud security. While Alibaba is currently involved in 40 of the projects in progress (about 6% of the total), it's unclear whether Ant's recent regulatory troubles could threaten its future involvement in certain regulations. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="4">
</div>
</div></p><h3>Enter the foreigners ... sort of</h3><p>While the standards that TC260 sets are unlikely to have the global impact of Europe's GDPR — which has <a href="https://www.crowelldatalaw.com/2019/06/at-the-gdprs-first-anniversary-the-impact-on-us-companies-grows/" rel="noopener noreferrer" target="_blank">compelled American companies</a> to change their cybersecurity practices and pushed tech giants like Twitter and Facebook to look <a href="https://www.protocol.com/big-tech-policy-priorities-2021" target="_self">beyond America's borders to</a> identify important compliance hurdles — Chinese standards will immediately impact foreign companies operating in China. They may also indirectly shape the regulatory standards in regions where China has invested heavily, particularly Africa and South America, which have young populations and are ripe for technological and economic growth.</p><p>TC260's regulations may also help China further wall itself off from the international community. As China sets more stringent cybersecurity standards, many of which fail to align with international standards, companies may just choose to build operations around two incompatible systems — China's and the rest of the world.</p><p>TC260 started allowing foreign companies to join the ranks of its working groups in 2016. But unlike some big Chinese tech companies, the foreigners are mostly window dressing. Protocol took a deep dive into the composition of TC260's committee and working groups, as well as all of the regulations currently being researched, revised or already released by TC260. Foreign companies make up just 6% of the working group members for which data are available.</p><p>Foreign companies are most prevalent in three working groups: information security evaluation, information security management and big data security. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="5">
</div>
</div></p><p> <img src="https://lh5.googleusercontent.com/NzJjSDQ1Nf9FArVRzM5cvDxipjp2sLwOXVLeTIH2_OkC3scpHy4owGyElZa_8bNYTJxDI4K-SrRjbZzpD0kMj_laQ6si3_5w6yyIiS3n40DSQYupGZuHpouYq-JZC9cc2MV_TbMy"></p><p>Qualcomm stands out as the only foreign member in every single one of the working groups that allows public participation. Other big players in the technology space such as Intel, IBM, Siemens, Dell, Oracle, Apple and even Google — many of whose services are blocked in China — are repeat members. Many of these companies are the same ones <a href="https://www.wsj.com/articles/chinas-cybersecurity-regulations-rattle-u-s-businesses-11564409177" target="_blank">most likely to be hurt</a> by tough cybersecurity regulations.</p><p>But as shown by China's big technology companies, representation in a working group doesn't equal influence. When we look at the standards and guidelines currently being researched, developed and revised by TC260, and who's credited for them, the involvement of foreign companies barely registers. Just four regulations have been released with acknowledged input from foreign companies. Foreign companies can contribute to TC260 regulations by submitting comments when TC260 solicits public suggestions, but it's unclear whether TC260 members give much consideration to external submissions.</p><h3>Reading the tea leaves</h3><p>TC260 currently has more than 700 projects "in progress." In many of these, TC260 is continuing work related to topics it has repeatedly emphasized, particularly security standards for cloud computing, passwords and verification, and trusted computing systems. To read the tea leaves of what TC260's new areas of focus might be for future standards and regulations, we looked at the terms and phrases that appear in the titles of projects in progress, but not in the titles of regulations that have already been released. This allows us to isolate new topics or technologies that future TC260 standards may cover. Here's what comes up: </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="6">
</div>
</div></p><p><img src="https://lh3.googleusercontent.com/uRNEZvLb8Wki0Noa42VwrXuuEa6HBRtWls6AENoOktwc1AdVi7C_igLnHivPl93pFla42yWagwoRqjKB8gS7bUtZDC_KAXOD_zBe0iQkXP0s1u8Tkfr1wilvwSDi6uoZ0CL1GMV1"></p><p>Many new projects revolve around TC260 tracking its current standards, streamlining its complex maze of rules and evaluating its standards against international ones. Currently, only about 15% of the standards released by TC260 align with global standards, creating a tangle of regulations for multinational companies that operate in both China's market and external markets. It looks like TC260 is trying to solve for that by adjusting its own standards, as well as proposing some of its standards for international adoption by the <a href="https://www.iso.org/standards.html" target="_blank">ISO</a>.</p><p>Some of the most prevalent new terms of note are "critical information infrastructure," "broadband," "metropolitan area network" and "malware," which suggest that TC260 is focusing its efforts on securing China's vast wireless network. As China's government shifts more critical functions to the digital sphere — from banking to education — the need to secure its digital space becomes increasingly pressing.</p><p>Some terms reflect new trends in China's tech space — "digital currency," "blockchain," "ecommerce system," "shopping" and "payments" — which all relate to China's digital economy and the country's efforts to develop a new <a href="https://www.reuters.com/article/us-china-currency-digital-explainer/explainer-how-does-chinas-digital-yuan-work-idUSKBN27411T" target="_blank">digital currency</a> backed by the central bank. </p><p>Other new terms of note are "finger veins," "gait" and "face," all of which relate to technologies for personal identification. These may be used for surveillance purposes, for which China is <a href="https://www.chinafile.com/state-surveillance-china" rel="noopener noreferrer" target="_blank">notorious</a>, but they are also critical for fintech. After all, citizens may only be comfortable using a digital currency if highly accurate identification technologies can ensure that their money is securely tied to their identity. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="7">
</div>
</div></p><p><em>This is the first in a series of Protocol | China analyses introducing our proprietary research methods. The methodologies above are also available for bespoke research.</em></p>
From Your Site Articles
Keep Reading
Show less
Clara Wang is a Researcher - Data Scientist for Protocol | China. Previously, she worked as a data scientist for the Biden campaign and at Civis Analytics, and she spent a summer working for the John L. Thornton China Center at the Brookings Institution. She has conducted research on data privacy, misinformation, and information control in the digital age, and she is completing her Master's in Economics at the Yenching Academy program at Peking University.
Transforming 2021
Blockchain, QR codes and your phone: the race to build vaccine passports
Digital verification systems could give people the freedom to work and travel. Here's how they could actually happen.
One day, you might not need to carry that physical passport around, either.
Photo: CommonPass
February 23, 2021
Mike Murphy ( @mcwm) is the director of special projects at Protocol, focusing on the industries being rapidly upended by technology and the companies disrupting incumbents. Previously, Mike was the technology editor at Quartz, where he frequently wrote on robotics, artificial intelligence, and consumer electronics.
February 23, 2021
There will come a time, hopefully in the near future, when you'll feel comfortable getting on a plane again. You might even stop at the lounge at the airport, head to the regional office when you land and maybe even see a concert that evening. This seemingly distant reality will depend upon vaccine rollouts continuing on schedule, an open-sourced digital verification system and, amazingly, the blockchain.
Several countries around the world have begun to prepare for what comes after vaccinations. Swaths of the population will be vaccinated before others, but that hasn't stopped industries decimated by the pandemic from pioneering ways to get some people back to work and play. One of the most promising efforts is the idea of a "vaccine passport," which would allow individuals to show proof that they've been vaccinated against COVID-19 in a way that could be verified by businesses to allow them to travel, work or relax in public without a great fear of spreading the virus.
<p><div class="ad-tag"><div class="ad-place-holder" data-pos="1">
</div>
</div></p><p>But building a system that everyone agrees with — and can access — is no small task. There are several companies working on competing projects to verify vaccinations. But beyond that, there are more than a few hurdles that could prevent vaccine passports from succeeding, from antiquated medical records systems to interoperability issues and privacy concerns. Here's how they could actually succeed. </p><h3>Competing projects, similar standards</h3><p>Pretty much since the first blockchain white paper, people have been looking for perfect examples of where a distributed, immutable ledger could be valuable. There's obviously the push to use it for currencies, and companies have tried to use it for things like tracking <a href="https://www.protocol.com/ibm-blockchain-supply-produce-coffee" target="_self">food production</a> and <a href="https://www.govtech.com/products/Blockchain-Voting-Debate-Heats-Up-After-Historic-Election.html" rel="noopener noreferrer" target="_blank">voting</a>, but there are few use cases that have truly taken off, at least so far. "We've been working on this since 2014; we never thought that health care would be the kind of the use case that we take this mainstream," Jamie Smith, the senior director of business development at Evernym, a company focused on using the blockchain as a basis for verifying identities, told Protocol. </p><p>Smith said Evernym had been discussing its concepts with automakers, retailers, telcos, governments, loyalty companies and banks prior to the pandemic. One of those companies was IAG, the airline group that owns British Airways, which had been interested in the idea of contactless travel based on a single identity credential that follows you from the airport check-in to your gate. With the pandemic, that morphed into thinking about ways to verify that passengers have had negative COVID tests, and eventually, that they've received a vaccine. "From our perspective, it was a really easy lift to see," Smith said. "We're doing contactless travel, and we just added verifiable credentials for test results."</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="2">
</div>
</div></p><p>It's a similar genesis for IBM's Digital Health Pass initiative, which leader Eric Piscini said started about two years ago as a way to store people's entire health records in a safe, accessible platform. It also relies on the blockchain for its immutable record of proof, and both Evernym and IBM are part of an open-standards group called the Good Health Pass Collaborative, which aims to bring private credentialed vaccine records to business and people around the world. Companies are working on their own implementations of the standards, but Evernym's Smith said the data is meant to be portable from one passport to another. </p><p>Most of the companies working on passports say their systems are private by design, especially given that they're mainly working off the same open standards. In most cases, the health information only ever remains on a user's phone, but where it asks to verify that the user's information meets a system's standards — such as whether this person has had two COVID vaccines and should be allowed into an office — that information is recorded on a blockchain. "You can, using blockchain technologies, verify that someone has been tested recently, without having access to the underlying data," Piscini said. "I don't know any other technology where you can do that."</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="3">
</div>
</div></p><p>Similarly, the nonprofit Commons Project's CommonPass, backed by the likes of Oracle, Microsoft and Salesforce, started out as a project to bring an analog to Apple Health for Android. JP Pollak, a senior researcher at Cornell and founder of the Commons Project, first launched CommonHealth to bring the sort of data and insights that Apple Health offers to iPhone owners to Android users. Last summer, the group started building an app that could take health data and privately share it with others — in that case, it was to help truckers stuck at the borders in <a href="https://www.newtimes.co.rw/opinions/digital-technology-re-opening-africa" rel="noopener noreferrer" target="_blank">East African countries</a> who couldn't easily prove they'd taken COVID tests. This morphed into vaccine credentialing, with the group now working to pull together the various data streams needed to get a project like this off the ground. </p><p>"Health care institutions, EMR vendors, retail pharmacies, state vaccine registries, all issuing people a digital verifiable credential of their vaccination record that they could then use in the app of their choice, to be able to get access to various kinds of services," Pollak said. CommonPass is also working with the Mayo Clinic, as well as Epic Systems and Cerner, two of the largest EMR vendors. </p><h3>Something for everyone </h3><p>With so many competing efforts to become the world's digital vaccine passport, it might seem that the country is heading for some sort of VHS versus Betamax format war for proving everyone has had COVID vaccines. But given that so many of the efforts are using the same standards, and in many cases, looking to embed their tech in someone else's app rather than their own, the race might be less about the best tech winning, and more about various approaches working in different situations. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="4">
</div>
</div></p><p>"The intent is not to be the only company; we don't want to be the proprietary platform that everybody has to use because they have no choice," IBM's Piscini said. "That's not who we are right now: That's the IBM from 30 years ago, not the IBM of today."</p><p>For IBM, though, the selling point is that the company already works with so many other massive companies. Why look elsewhere for a vaccine passport solution if your airline booking system is already powered by IBM? "We believe our network is going to be more valuable than any other because of our scale and our ability to integrate the platform with CRM systems, building systems or stadium systems — we can do that every day," Piscini said.</p><p class="shortcode-media shortcode-media-rebelmouse-image">
<img type="lazy-image" data-runner-src="https://assets.rebelmouse.io/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbWFnZSI6Imh0dHBzOi8vYXNzZXRzLnJibC5tcy8yNTY2NTc3NS9vcmlnaW4uanBnIiwiZXhwaXJlc19hdCI6MTYyMTM1MjYyM30._ykxxCyx3_wDbZrYgCcmK0QT2Ue1tZFdP5pf60kOmPU/img.jpg?width=980" id="c81c9" class="rm-shortcode" data-rm-shortcode-id="3967636652192acfdaad341861263bc8" data-rm-shortcode-name="rebelmouse-image">
<small class="image-media media-caption" placeholder="Add Photo Caption...">IATA's digital passport app.</small><small class="image-media media-photo-credit" placeholder="Add Photo Credit...">Photo: IATA</small></p><p>For other companies, it's about securing new partnerships with major players in the hopes of finding that scale. Evernym, for example, is working with International Air Transport Association, the airline industry's trade association, on an air travel-specific app called Travel Pass. IATA is working with airlines and local governments to ensure it has the latest requirements to feed the app's rules engine. "It will say, 'Hey, you're flying JFK to Heathrow, you need a PCR test 48 hours in advance before you can land,'" Evernym's Smith said. "And of course, those policy changes are changing every day." Qatar, Emirates and Etihad Airways are all <a href="https://simpleflying.com/qatar-iata-travel-pass-launch/" rel="noopener noreferrer" target="_blank">expected</a> to start trialing the app in the next few weeks.<br></p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="5">
</div>
</div></p><p>In other instances, the technology will live inside other companies' existing apps; why make someone download yet another app and add another hurdle to compliance? Instead, the experience will be rather like adding a loyalty account or TSA PreCheck number when booking a flight. Airlines and other venues restricting access will require uploading negative test results or vaccine records using one of these services. "You're going to be using the United or the Delta app, and they'll be using our solution or somebody else's, but you will do it via their app," IATA's Travel Pass lead, Alan Murray Hayden, told Protocol.</p><p>The World Health Organization is also working on its own offering, and recently convened the <a href="https://www.who.int/groups/smart-vaccination-certificate-working-group" rel="noopener noreferrer" target="_blank">Smart Vaccination Certificate Working Group</a>. It's built upon the WHO's nearly century-old notion of the "yellow card" vaccination record, which first was used to document that travelers had been inoculated against diseases such as cholera and yellow fever. Evernym Chief Trust Officer Drummond Reed is part of the working group; he said there should be more to share in the coming months. </p><h3>What could go wrong?</h3><p>It's entirely possible that as more people start to get vaccinated, vaccine passports start to become the norm. You walk to work — still masked, of course — scan a QR code reader in the lobby, and are let in. You go out for lunch, and your loyalty card app has a discount for in-store shoppers verifying they're vaccinated. Your concert ticket is also tied to health pass information that you shared earlier in the day with Ticketmaster. But there are more than a few hurdles ahead of the companies rushing to turn these concepts into realities. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="6">
</div>
</div></p><p>First off, there's the … reality … of the real world that any digital system has to contend with. For anyone without access to the internet, digital vaccine credentials will prove difficult to acquire, though all the companies Protocol spoke with said they would offer a paper-based QR code for people who don't have smartphones. But there's also the issue of having to corral so many different stakeholders into one system, especially when some health care providers are still reliant on antiquated database systems or <a href="https://www.protocol.com/manuals/health-care-revolution/electronic-health-records-after-coronavirus" target="_self">even paper records</a>. "The amount of inefficiency in the system is tremendous," IBM's Piscini said. </p><p>But in the U.S. at least, all vaccinators are required to report COVID-19 vaccines to their state. Piscini said that even for people who just received a paper copy of their vaccine records, systems like IBM's can likely link up to the state's immunization registry and allow people to import records to a vaccine passport.</p><p class="shortcode-media shortcode-media-rebelmouse-image">
<img type="lazy-image" data-runner-src="https://assets.rebelmouse.io/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbWFnZSI6Imh0dHBzOi8vYXNzZXRzLnJibC5tcy8yNTY2NTc4My9vcmlnaW4ucG5nIiwiZXhwaXJlc19hdCI6MTYzNzg3MTM2M30.RZtqR7F_FuXK1S24V6jVaqUZ0xOSG-gCwj00xU3fxcM/img.png?width=980" id="b0bd3" class="rm-shortcode" data-rm-shortcode-id="11d8002d92c0cd6ef39b12fc7b8dccf8" data-rm-shortcode-name="rebelmouse-image">
<small class="image-media media-caption" placeholder="Add Photo Caption...">How CommonPass's app shows your records. </small><small class="image-media media-photo-credit" placeholder="Add Photo Credit...">Image: CommonPass</small></p><p>And states are willing to help out, Pollak said, adding that CommonPass has started working with Hawaii to roll out its offering for would-be tourists. "We're seeing a lot of state governments stepping up and doing a really good job with this," Pollak said. "It would be surprising if there wasn't a coordinated federal effort very soon." That being said, while <a href="https://www.cbc.ca/news/canada/north/iceland-covid-passports-canada-1.5904828" rel="noopener noreferrer" target="_blank">many countries around</a> the world are committing to working on vaccine passports, getting a straight answer out of the U.S. government on what it's doing has proven difficult. The State Department, which maintains America's traditional, analogue passports, referred me to Homeland Security, which referred me to the White House. The acting director and chief of staff of the White House's Office of Science and Technology Policy, Kei Koizumi, told Protocol that "OSTP can't discuss projects we are working on before they are publicly announced."</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="7">
</div>
</div></p><p>But even with systems in place at a federal level, there's still a fair amount of education that needs to happen before people will trust systems like these. "There's a substantial gap in understanding and knowledge of how these systems work, and people's views, in terms of who should get access to which data," Pollak said. </p><p>"We assume there's a Facebook Borg in the sky, monitoring every interaction," Smith said. "The emergence of verifiable credentials breaks down that mental model, where actually it becomes more like decentralized bits of paper that I can carry around, and no one's to know that I've been sharing this information."</p><p>"Our belief is that if you do the right thing, from a platform point of view, protecting your privacy, and giving you control and access to the platform to everybody who wants to use it," Piscini said. "I think those are very basic things that allow the core of the platform that we build to generate adoption by the individuals."</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="8">
</div>
</div></p><p>Even with a system that works, there may still be holdouts to this potential new normal. "Some people are saying, 'I will never get vaccinated,'" Piscini said, "and I don't know if the airlines are going to say, 'Well, maybe you will never fly again.'"</p>
Keep Reading
Show less
Mike Murphy ( @mcwm) is the director of special projects at Protocol, focusing on the industries being rapidly upended by technology and the companies disrupting incumbents. Previously, Mike was the technology editor at Quartz, where he frequently wrote on robotics, artificial intelligence, and consumer electronics.
Protocol | Enterprise
Don’t worry about the cybersecurity fallout of the Capitol breach
Members of Congress can't access classified information on their work computers, and the chances that Wednesday's mob contained a few moonlighting cyberspies are slim.
Any lasting cybersecurity damage from the breach is likely to be limited.
Photo: Louis Velazquez/Unsplash
January 11, 2021
Tom Krazit ( @tomkrazit) is a senior reporter at Protocol, covering cloud computing and enterprise technology out of the Pacific Northwest. He has written and edited stories about the technology industry for almost two decades for publications such as IDG, CNET, paidContent, and GeekWire. He has written and edited stories about the technology industry for almost two decades for publications such as IDG, CNET and paidContent, and served as executive editor of Gigaom and Structure.
January 7, 2021
Among the disasters that visited Capitol Hill on Wednesday, the fact that the people who infiltrated Congressional offices had unfettered access to IT assets for several hours ranks rather low.
One of the most iconic images of Wednesday's events was a picture of the home screen of Speaker Nancy Pelosi's office computer, abandoned in haste after a mob broke into the Capitol building, forcing Congress and staffers to retreat to safer locations. By design, nothing on Pelosi's computer was classified: Members of Congress have to enter a protected area room in the building to view secret documents, as you'll recall from last year's impeachment proceedings when several House Republicans stormed into such a room in protest because they were denied access to documents their leaders could access.
<p>There could have been plenty of unclassified information that would still be considered sensitive, such as Pelosi's contacts and email correspondence. And it's fair to say that congressional IT practices are somewhat haphazard; some computers might have been encrypted, while some might not have even had password protection, according to security experts.</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="1">
</div>
</div></p><p>As Katie Moussouris, CEO and founder of Luta Security, <a href="https://www.washingtonpost.com/politics/2021/01/07/cybersecurity-202-riot-capitol-is-nightmare-scenario-cybersecurity-professionals/" rel="noopener noreferrer" target="_blank">told The Washington Post</a>: "There's an old saying, if an attacker has physical access to your computer, it's not your computer anymore."</p><p>Still, any lasting cybersecurity damage from the breach is likely to be quite limited.</p><p>A <a href="https://www.reuters.com/article/us-usa-election-cyber/u-s-senator-says-capitol-building-rioters-made-off-with-laptop-idUSKBN29C2GA" rel="noopener noreferrer" target="_blank">laptop from Sen. Jeff Merkley's office was taken</a>, but there were no other reports of missing computers. Representatives from Merkley's office did not respond to an inquiry as to whether or not that laptop was encrypted; computers purchased for Senate offices after October 2018 were <a href="https://www.zdnet.com/article/us-senate-computers-will-use-disk-encryption/" rel="noopener noreferrer" target="_blank">required to have encryption technology turned on</a> at the urging of Merkley's fellow Oregon senator, Ron Wyden, but it's not clear when the laptop in question was purchased.</p><p>There's a far greater threat to information security in the Capitol Building, and it doesn't require access to the building itself. As we've seen with the SolarWinds hack that infiltrated several executive branch agencies last year, the biggest threats to government information security aren't wearing red hats and breaking windows; they're coming from overseas through the internet to steal sensitive data.</p><p>And in any event, the Capitol Building is not exactly the most secure facility controlled by the government, as Wednesday's events show. Any foreign intelligence agent bent on figuring out what the House Committee on Ways and Means is up to would probably have better luck accessing computers by infiltrating the cleaning staff or mingling with visitors on a post-pandemic tour of the building.</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="2">
</div>
</div></p><p>The incident does shine a light on congressional cybersecurity practices, which are far less robust than the requirements of the executive branch.</p><p>In the House, members of Congress are responsible for procuring their own IT assets just like any of us, whereas in the Senate, technology purchases are made through the office of the <a href="https://www.senate.gov/reference/office/sergeant_at_arms.htm" rel="noopener noreferrer" target="_blank">Sergeant at Arms</a>. Email and file servers in the House are managed by the chief administrative officer, a non-partisan position. In the Senate, that duty falls to the Sergeant at Arms, who serves at the pleasure of the party in power.</p><p>"Images on social media and in the press of vigilantes accessing congressional computers are worrying," said Rep. Anna Eshoo, a Democrat from California, in a statement. "I asked the Chief Administrative Officer of the House to conduct a full assessment of threats based on what transpired yesterday, and the CAO has already taken important steps to that end. I have confidence that House and Senate IT and cybersecurity professionals are taking the matter seriously."</p><p>On Thursday afternoon, the <a href="https://twitter.com/ericgeller/status/1347303258180751364/photo/1" rel="noopener noreferrer" target="_blank">CAO updated members of the House</a> saying that administrators took "efforts including issuing commands to lock computers and laptops and shutting down wired network access to prevent inappropriate access to House data." It's not clear what, if any, action was taken on the Senate side.</p><p>Executive branch staff are almost universally required to use two-factor authentication to log into their work computers, but such a requirement does not exist in the legislative branch. Congresspeople are essentially small-business owners who can require their staff to follow whatever cybersecurity practices they deem necessarily, including, well, nothing.</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="3">
</div>
</div></p><p>There's certainly a chance that a few individuals among the mob that breached the Capitol Building could have read less-than-flattering emails sent by or to members of Congress, and could use those emails to damage a few reputations.</p><p>But the most likely outcome of Wednesday's breach is that a lot of passwords have already been changed, or will be changed in the next few days.</p><p><em><strong>Update: </strong>This article was updated at 4:07 p.m. PT to include a statement from Rep. Anna Eshoo, and corrected at 5:17 p.m. PT to fix the spelling of her first name.</em><br></p>
From Your Site Articles
- The other reason Facebook silenced Trump? Republicans just lost ... ›
- Pressure mounts on social media giants to suspend Trump as rioters ... ›
- Social networks didn't create a coup. But they helped. - Protocol ›
- How Biden’s cyber policy could differ from Obama’s - Protocol — The people, power and politics of tech ›
Keep Reading
Show less
Tom Krazit ( @tomkrazit) is a senior reporter at Protocol, covering cloud computing and enterprise technology out of the Pacific Northwest. He has written and edited stories about the technology industry for almost two decades for publications such as IDG, CNET, paidContent, and GeekWire. He has written and edited stories about the technology industry for almost two decades for publications such as IDG, CNET and paidContent, and served as executive editor of Gigaom and Structure.
Latest Stories
See more
Most Popular
Bulletins
Get Source Code in your inbox
David Pierce's daily analysis of the tech news that matters.