The announcement that GuideStar, Charity Navigator and others would be moving away from the 990 form as their primary source for assessing nonprofit performance raised a lot of interesting questions, such as "How will assessments of outcomes be standardized in a way that is not too subjective?" and "What will be required of nonprofits in order to make those assessments?" We'll have a chance to get some preliminary answers to those questions on February 4th, when NTEN will sponsor a phone-in panel discussion with representatives of GuideStar and Charity Navigator, as well as members of the nonprofit community. The panel will be hosted by Sean Stannard-Stockton of Tactical Philanthropy, and will include:
As my colleague Steve Backman fully explains here, here's been some fallout from this story for Microsoft. First, like Google and Yahoo!, Microsoft operates a search engine in China and submits to the Chinese governments censoring filters. They've kept mum on their feelings about the cyber-attack. Google's analysis of that attack reveals that GMail accounts were hacked and other breaches occurred via security holes in Internet Explorer, versions six and up, that allow a hacker to upload programs and take control of a user's PC. As this information came to light, France and Germany both issued advisories to their citizens that switching to a browser other than Internet Explorer would be prudent. In response, Microsoft has issued a statement recommending that everyone upgrade from Internet Explorer version 6 to version 8, the current release. What Microsoft doesn't mention is that the security flaw exists in versions seven and eight as well as six, so upgrading won't protect you from the threat, although they just released a patch that hopefully will.
So, while their reasoning is suspect, it's nice to see that Microsoft has finally joined the campaign to remove this old, insecure and incompatible with web standards browser.
I have kept Google Wave open in a tab in my browser since the day my account was opened, subscribed to about 15 waves, some of them quite well populated. I haven't seen an update to any of these waves since January 12th, and it was really only one wave that's gotten any updates at all in the past month. I can't give away the invites I have to offer. The conclusion I'm drawing is that, if Google doesn't do something to make the Wave experience more compelling, it's going to go the way of a Simply Red B-Side and fade from memory. As I've said, there is real potential here for something that puts telecommunication, document creation and data mining on a converged platform, and that would be new. But, in it's current state, it's a difficult to use substitute for a sophisticated Wiki. And, while Google was hyping this, Confluence released a new version of their excellent (free for nonprofits) enterprise Wiki that can incorporate (like Wave) Google gadgets. That makes me want to pack up my surfboard.
Last week, we talked about domain registrar services and what to look for. In today's followup, we'll focus on how to transfer a domain and the accompanying security concerns, then talk a bit about registrars vis a vis hosting services.
Domain Transfers
Transferring domains is a somewhat complex process that has been designed to minimize the risk of domain hijacking. In order to insure that transfers are performed by the actual owner of the domain, a few important measures are in place:
Every domain has an authorization (a.k.a. EPP) code associated with it. Transfers can not occur without this code being submitted. If you don’t have this information, your current registrar does. Some registrars have automated functions that will deliver that information to the domain contact; others require that you ask for them via email to the registrar or their support ticket application. Registrars are required to provide you with these codes within five calendar days of your request. If they don’t, your best recourse is to determine who they get their domain authority from (there are only a handful of companies that resell registration services) and appeal to them for assistance.
Communication is strictly through the registered “whois” email address of the domain owner. You can determine what that is by doing a whois lookup on your domain.
Tip: While most domains can be looked up at http://whois.net. However, whois.net has some trouble with .org domains, so the alternative http://www.pir.org/whois is a more reliable source for most non-profit domains.
If the address that your domain is registered with is either non-functional or owned by someone other than you, then you need to update it, via your current registrar’s web interface, before you can successfully transfer the domain.
Domains can (and should) be locked to prohibit transfers before and after you switch registrars. Locking and unlocking your domains is usually done by you, from your registrar’s web site. If you don’t have options to do that when you log on to the web site, your registrar should do it for you upon request.
Transfer Procedures
To initiate the transfer, go to the web site of the registrar that you want to switch to and follow their instructions. They will have you submit a request and, upon receipt of your domain fees, issue an email to the email address associated with the domain containing a link to a form where you can confirm the request. That form will also ask for the authorization code. Subsequently - and this can take up to seven days - you’ll receive an email from your current registrar asking you to confirm the transfer request. Once that is submitted, the transfer should go through. Detailed rules about how domains are transferred, as well as what the responsibilities of the registrars are in handling the transfers, are listed at http://www.icann.org/en/transfers/policy-en.htm.
Choosing Registrars
Registrars charge anywhere from $5.00 to $50 dollars for a year’s domain service. The two best known registrars are Network Solutions and GoDaddy. Many people go with Network Solutions because they're the longest standing of the registrars (for many years, they were the only registrar). GoDaddy has become very popular by dramatically undercutting the cost. Note, though, that both of these registrars have been accused of questionable business practices:
Network Solutions has engaged in "Front Running", a questionable practice of locking domains that a potential customer might search for in order to block competitors from making the sale. They will also use subdomains of your domain to advertise, a practice called subdomain hijacking. A decent registrar will not seek to make profits based on your intellectual property.
GoDaddy famously suspends accounts based on corporate requests. In 2007, they suspended seclists.org, a website that archives internet security mailing lists, per the request of MySpace, with no court order or valid complaint. MySpace was upset that content posted to one of the lists that Seclists archived was inappropriate. But, instead of contacting Seclists to deal with the content in question, GoDaddy closed the site and wouldn't respond to desperate emails or phone calls regarding the sudden closure. Worse, after the fiasco was resolved, they were unrepentant, and reserve the right to shut down any site for any spurious reason. If your NPO does work that is in the least bit controversial, keep this in mind when considering GoDaddy.
Web Hosting and Registrars
Many registrars supplement their business by providing web hosting services as well. Some will even offered discounted or free domain registration with a hosting plan. While this simplifies things, it can also be a bit risky in the “eggs in one basket” sense. Having a separate registrar and control over your DNS service allows you to be more flexible with switching hosts, should your current host prove themselves unreliable or go out of business. And the web hosting industry is pretty volatile, with companies coming and going pretty quickly. I would suggest a best practice is to keep your host and registrar separate.
Domain Name Management: not a very sexy topic. This will be a rare post for me that won't mention popular search engines, the latest "superphone", content management or rumored tablets. But I hope I can provide a good glossary on a geeky subject that anyone with a web site sporting their organization's name has to deal with.
You have a web site and you have a domain, and as long as the web site is up and running, everything is fine. But what happens if your domain is hijacked? What if you need to make changes to your domain registration, or register a new one, and your registrar is simply disinterested? What if they go out of business? Your domain name is a valuable property, and you should keep it in pro-active and trustworthy hands.
How Domain Registration Works
Domain registrars provide the service of keeping your domain name mapped with current information so that it can be found on the web. Domain names are meaningful aliases for numeric IP addresses, and aren’t technically required in order to host a web site. But, the internet would be hard to navigate if we could only find things by their numeric addresses.
The primary thing that a registrar does is to keep your contact (whois) data maintained; point your domain to the appropriate name servers; and allow you to move your domain to another registrar if you choose to.
Domain Services
In addition to domain registration, most registrars offer additional services, such as:
DNS Management (address mapping) for subdomains (which allows you to host your main domain on one server, but, perhaps, an online store called “store.yourdomain.com” on another server),
Aliasing of Addresses (so that both http://yourdomain.com and http://www.yourdomain.com go to the same place),
Backup Mail Handling, so, should your primary mail server go down, messages sent to you will be stored until they come back around;
Web Forwarding, so you can, say, register yourdomain.org, yourdomain,.com and yourdomain.net, but forward all visitors to the .com and .net sites to your website at yourdomain.org.
SSL (Secure Socket Layer) Certificates, to encrypt sensitive data, like online donation forms.
Things to Look For in a New Registrar
Are they accredited? ICANN, the organization that oversees domain management , accredits registrars. If they aren’t on ICANN’s list, they aren’t trustworthy.
Do they add a year to the existing expiration date, or charge you for a full year as of engagement? They should do the former.
Do they offer automated access to all functions (via web forms), including locking/unlocking domains, retrieval of authorization (EPP) codes, and modification of all whois records? (Some registrars prefer to list themselves as the technical contact. It should be up to you whether they can have an official name on your domain, not them).
Do they list a telephone number, and is it promptly answered during business hours?
Do they respond promptly to emails and support requests? The ability to communicate with your registrar is rarely needed, but, when it is, it’s critical - you don’t want them out of the loop if your domain is subject to an attempted hijack.
Do they offer the ability to manage DNS for mail servers and subdomains? While this is an added feature, it’s common enough to be worth expecting.
Do they have any additional services (examples above)? While these supplemental services are far from critical, they are convenient. More to the point, a company that is engaging in a robust suite of services is more likely to be focused on their business. The truth is that anyone can be a domain registrar, if they make the proper investment, but whether it’s a going concern or a neglected piece of extra income for them is a question you’ll want to ask.
Next week: Safely transferring domains and a word on web hosting completes the topic.
To break down that tweet a bit, @kanter is the well-known Beth Kanter of Beth's blog. @pearlbear is former Idealware blogger and current contributor Michelle Murrain, and Beth asked us, in the referenced blog post, to dive a bit into internet security and how it contrasts with internet privacy concerns. Michelle's response, offers excellent and concise definitions of security and privacy as they apply to the web, and then sums up with a key distinction: security is a set of tools for protecting systems and information. The sensitivity of that data (and need for privacy) is a matter of policy. So the next question is, once you have your security systems and policies in place, what happens when the the policies are breached?
Craft a Policy that Minimizes Violations
Social media is casual media. The Web 2.0 approach is to present a true face to the world, one that interacts with the public and allows for individuals, with individual tastes and opinions, to share organizational information online. So a strict rule book and mandated wording for your talking points are not going to work.
Your online constituents expect your staff to have a shared understanding of your organization's mission and objectives. But they also expect the CEO, the Marketing Assistant and the volunteer Receptionists to have real names (and real pictures on their profiles); their own online voices; and interests they share that go beyond the corporate script. It's not a matter of venturing too far out of the water -- in fact, that could be as much of a problem as staying too close to the prepared scripts. But the tone that works is the one of a human being sharing their commitment and excitement about the work that they (and you) do.
Expect that the message will reflect individual interpretations and biases. Manage the messaging to the key points, and make clear the areas that shouldn't be discussed in public. Monitor the discussion, and proactively mentor (as opposed to chastising) staff who stray in ways that violate the policy, or seem capable of doing so.
The Case for Transparency
Transparency assumes that multiple voices are being heard; that honest opinions are being shared, and that organizations aren't sweeping the negative issues under the virtual rug. Admittedly, it's a scary idea that your staff, your constituents, and your clients should all be free to represent you. The best practice of corporate communications, for many years, was to run all messaging through Marketing/Communications experts and tightly control what was said. I see two big reasons for doing otherwise:
We no longer have a controlled media.
Controlled messaging worked when opening your own TV or Radio Station was prohibitively expensive. Today, YouTube, Yelp and Video Blogs are TV Stations. Twitter and Facebook Status are radio stations. The investment cost to speak your mind to a public audience has just about vanished.
We make more mistakes by under-communicating than we do by over-communicating.
Is the importance of hiding something worth the cost of looking like you have something to hide? At the peak of the dot com boom, I hired someone onto my staff at about $10k more (annually) than current staff in similar roles were making. An HR clerk accidentally sent the offer letter to my entire staff. The fallout was that I had meaningful talks about compensation with each of my staff; made them aware that they were getting market (or better) in a rapidly changing market, and that we were keeping pace on anniversary dates. Prior to the breach, a few of my staff had been wrongly convinced that they were underpaid in their positions. The incident only strengthened the trust between us.
The Good, the Bad, and the Messenger
Your blog should allow comments, and -- short of spam, personal attacks and incivility -- shouldn't be censored. A few years ago, a former employee of my (former) org managed to register the .com extension of our domain name and put up a web site criticizing us. While the site didn't get a lot of hits, he did manage to find other departed staff with axes to grind, and his online forum was about a 50-50 mix of people trashing us and others defending. After about a month, he went in and deleted the 50% of forum messages that spoke up for our organization, leaving the now one-sided, negative conversation intact. And that was the end of his forum; nobody ever posted there again.
There were some interesting lessons here for us. He had a lot of inside knowledge that he shared, with no concern or allegiance to our policy. And he was motivated and well-resourced to use the web to attack us, But, in the end, we didn't see any negative impact on our organization. The truth was, it was easy to separate his bias from his "inside scoops", and hard to paint us in a very negative light, because the skeletons that he let out of our closet were a lot like anybody else's.
What this proves is that message delivery accounts for the messenger. Good and bad tweets and blog posts about your organization will be weighed by the position and credibility of the tweeter or blogger.
Transparency and Constituent Data Breaches
Two years ago, a number of nonprofits were faced with a difficult decision when a popular hosted eCRM service was compromised, and account information for donors was stolen by one or more hackers. Thankfully, this wasn't credit card information, but it included login details, and I'm sure that we all know people who use the same password for their online giving as they do for other web sites, such as, perhaps, their online banking. This was a serious breach, and there was a certain amount of disclosure from the nonprofits to their constituents that was mandated.
Strident voices in the community called for full disclosure, urging affected nonprofits to put a warning on the home page of their web sites. Many of the organizations settled for alerting every donor that was potentially compromised via phone and/or email, determining that their unaffected constituents might not be clear on how the breach happened or what the risks were, and would simply take the home page warning as a suggestion to not donate online.
To frame this as a black and white issue, demanding that it be treated with no discretion, is extreme. The seriousness and threat that resulted from this particular breach was not a simple thing to quantify or explain. So it boils down to a number of factors:
Scope: If all or most of your supporters are at risk, or the number at risk is in the six figure range, it's probably more responsible, in the name of protecting them, to broadcast the alert widely. If, as in the case above, those impacted are the ones donate online, then that's probably not close to the amount that would fully warrant broad disclosure, as even the strident voice pointed out.
Risk: Will your constituents understand that the notice is informational, and not an admission of guilt or irresponsibility in handling their sensitive data? Alternatively, if this becomes public knowledge, would your lack of transparency look like an admission of guilt? You should be comfortable with your decision, and able to explain it.
Consistency: Some nonprofits have more responsibility to model transparency than others. If the Sunlight Foundation was one of the organizations impacted, it's a no-brainer. Salvation Army? Transparency isn't referenced on their "Positions" page.
Courtesy: Some constituencies are more savvy about this type of thing than others. If the affected constituents have all been notified, and they represent a small portion of the donor base, it's questionable whether scaring your supporters in the name of openness is really warranted.
Since alternate exposure, in the press or community, is likely to occur, the priority is to have a consistent policy about how and when you broadcast information about security breaches. Denying that something has had happened in any public forum would be irresponsible and unethical, and most likely come right back at you. Not being able to explain why you chose not to publicize it on your website could also have damaging consequences. Erring on the side of alerting and protecting those impacted by security breaches is the better way to go, but the final choice has to weigh in all of the risks and factors.
Conclusion
All of my examples assume you're doing the right things. You have justifiable reasons for doing things that might be considered provocative. Your overall efforts are mission-focused. And the reasons for privacy regarding certain information are that it needs to be private (client medical records, for example); it supports your mission-based objectives by being private, and/or it respects the privacy of people close to the information.
No matter how well we protect our data, the walls are much thinner than they used to be. Any unfortunate tweet can "go viral". We can't put a lock on our information that will truly secure it. So it's important to manage communications with an understanding that information will be shared. Protect your overall reputation, and don't sweat the minor slips that reveal, mostly, that you're not a paragon of perfection, maybe, but a group of human beings, struggling to make a difference under the usual conditions.
Last week, I shared my impressions of Google Wave, which takes current web 2.0/Internet staple technologies like email, messaging, document collaboration, widgets/gadgets and extranets and mashes them up into an open communications standard that, if it lives up to Google's aspirations, will supersede email. There is little doubt in my mind that this is how the web will evolve. We've gone from:
The Yahoo! Directory model - a bunch of static web sites that can be catalogued and explored like chapters in a book, to
The Google needle/haystack approach - the web as a repository of data that can be mined with a proper query, to
Web 2.0, a referral-based model that mixes human opinion and interaction into the navigation system.
For many of us, we no longer browse, and we search less than we used to, because the data that we're looking for is either coming to us through readers and portals where we subscribe to it, or it's being referred to us by our friends and co-workers on social networks. Much of what we refer to eachother is content that we have created. The web is as much an application as it is a library now.
Google Wave might well be "Web 3.0", the step that breaks down the location-based structure of web data and replaces it completely with a social structure. Data isn't stored as much as it is shared. You don't browse to sites; you share, enhance, append, create and communicate about web content in individual waves. Servers are sources, not destinations in the new paradigm.
Looking at Wave in light of Google's mission and strategy supports this idea. Google wants to catalog, and make accessible, all of the world's information. Wave has a data mining and reporting feature called "robots". Robots are database agents that lurk in a wave, monitoring all activity, and then pop in as warranted when certain terms or actions trigger their response. The example I saw was of a nurse reporting in the wave that they're going to give patient "John Doe" a peanut butter sandwich. The robot has access to Doe's medical record, is aware of a peanut allergy, and pops in with a warning. Powerful stuff! But the underlying data source for Joe's medical record was Google Health. For many, health information is too valuable and easily abused to be trusted to Google, Yahoo!, or any online provider. The Wave security module that I saw hid some data from Wave participants, but was based upon the time that the person joined the Wave, not ongoing record level permissions.
This doesn't invalidate the use of Wave, by any means -- a wave that is housed on the Doctor's office server, and restricted to Doctor, Nurse and patient could enable those benefits securely. But as the easily recognizable lines between cloud computing and private applications; email and online community; shared documents and public records continue to blur, we need to be careful, and make sure that the learning curve that accompanies these web evolutions is tended to. After all, the worst public/private mistakes on the internet have generally involved someone "replying to all" when they didn't mean to. If it's that easy to forget who you're talking to in an email, how are we going to consciously track what we're revealing to whom in a wave, particularly when that wave has automatons popping data into the conversation as well?
The Wave as internet evolution idea supports a favored notion: data wants to be free. Open data advocates (like myself) are looking for interfaces that enable that access, and Wave's combination of creation and communication, facilitated by simple, but powerful data mining agents, is a powerful frontend. If it truly winds up as easy as email, which is, after all, the application that enticed our grandparents to use the net, then it has culture-changing potential. It will need to bring the users along for that ride, though, and it will be interesting to see how that goes.
--------
A few more interesting Google Wave stories popped up while I was drafting this one. Mashable's Google Wave: 5 Ways It Could Change the Web gives some concrete examples to some of the ideas I floated last week; and, for those of you lucky enough to have access to Wave, here's a tutorial on how to build a robot.
The credit card industry is doing the right thing by consumers and enforcing proper security measures regarding the handling of credit card information. You might have heard about this - a number of the popular vendors of donor databases are recommending upgrades based on their compliance with these regulations. The "Payment Card Industry Data Security Standard", commonly known as PCIDSS, is a set of guidelines for securely handling credit card information. The standard has been around for about four years, but early enforcement efforts focused on companies with a high volume of credit card transactions. Now that they're all in compliance, they've set their sites on smaller businesses and nonprofits. So, what does this mean? Here's the simplest F.A.Q. that you're likely to find on the topic:
Do you ever process online, phoned in, or mailed-in credit card donations in-house? e.g., do you maintain the credit card number, expiration date and name of a donor?
If no, you don't have to worry about this.
If yes, do you have more than 20,000 such transactions annually?
Well, if you do, congratulations! Most nonprofits don't, so they qualify for level 4 of the PCI Compliance scale. That results in a Self Assessment Questionnaire (SAQ) Validation type of "4". Higher validation types are subject to stricter security standards.
The Self-Assessment Questionnaire will ask you all sorts of technical questions about your network and security procedures. Do you have a firewall? Are all of your transactions encrypted? Do you use anti-virus software? Is credit card information properly restricted to authorized staff?
Depending on your network, you might already comply with a lot of the requirements. If you don't, then it might require a significant investment to get there.
What will happen if I ignore this?
This isn't government regulation (although your state might have laws in place that do mandate some similar response). participation is mandatory. But, should your security be breached, two things will happen:
1. The compliance requirements for your organization will be reassessed to level one or two, and they'll be much more costly and complicated to meet. The credit card companies might decline to do business with you if you don't comply. Can you afford to not take Visa?
2. You will likely be indirectly fined for non-compliance. The credit card companies will hold your bank liable for losses due to credit card theft in situations where your security was substandard. Your bank will likely pass that fine on to you.
So what's the easiest way to deal with this?
Simple: don't handle credit cards. There are a number of services that, for a price, will do this for you, from Paypal and Google Checkout to CharityWeb and Blackbaud's BBNow. Outsourced ECRM software (NetCommunity, Convio, Democracy in Action, etc.) will also handle it. The cost is likely not as significant as that of maintaining compliance or suffering the consequences of a non-compliant breach.
I'll share that, at the Goodwill where I used to work, outsourcing wasn't an option, because we were both a charity and a retailer. Our frustration was not that we didn't have good security in place. It was that there were differences in how we had set up our security and the PCIDSS requirements. So, while we had done a lot of work and made significant investments, we still had to reconfigure things and spend more in order to be compliant. In addition to making our internal IT changes, we had to switch software programs in order to avoid storing credit cards unencrypted in our database, a typical problem. We also engaged a consultant. Once you are reasonably sure that you comply, then you must pay a security service to verify your efforts, another non-trivial expense.
Blackbaud has put together some good further reading on this topic (and they are one of the vendor's whose latest software is compliant; ask your eCRM vendor!).
In 2000, after spending 15 years at corporate law firms, I made a personal choice to start working for organizations that promote social good by reducing poverty and protecting our planet. I understood that this career move would put some serious brakes on what was a fairly spiraling rise in compensation - my salary tripled from 1993 to 2000. And that was fine, because, as I see it, the privilege of being compensated for doing meaningful work is compensation in it's own right.
We all know that we make less in this industry than we might in the commercial world, and we're all pretty okay with that. But how much, or how little, the discrepancy between "real world" and nonprofit salaries should be is a metric with little established thought behind it. We don't base our pay scales on any rationale other than what we determine others are paying and what we can afford. My concern is that, by not taking a strategic, reasoned approach to compensation, nonprofits are incurring far more unnecessary expense than they might, particularly when it comes to technology support, although these thoughts apply across the org chart.
The problem is that, when it comes to determining the market value of a nonprofit employee, we often go to nonprofit salary surveys, such as the one put out by NTEN and the Nonprofit times. But job seekers don't read those surveys. In San Francisco or New York, a good System Administrator can make $70-80k a year at a for-profit. Even if they come in to your org understanding that they aren't going to be offered the market pay ($75k), they have an expectation that they'll either be on the low end of it ($70k), or within 10% of it ($67.5k). The recent NTEN Staffing Survey puts the average nonprofit Sysadmin salary at $52k, which is about 75% of that market. So, given this scenario, here are my questions:
How many excellent candidates are eliminated from consideration because they can't afford to take a 25% pay cut?
Of the ones who can afford that pay, how many can afford it because they aren't qualified for the work required?
How many can afford it because they have other primary income sources, and therefore can take a low paying job and not feel very committed to it?
If a good Sysadmin takes a job at that rate, how long will it be before they decide that they need more money and leave?
What is the impact of having a heavy rotation among the staff that maintain and upgrade your technology?
What is the impact of having of having often empty critical IT positions?
But, let's get really into this. Unless the IT people that are hired at the 75% rate are extremely mature, then they might have some of the common failings of immature Sysadmins:
Many are often controlling and secretive. I've been in multiple situations where I've come into an organization and learned that the prior IT staff left with the key system passwords. I've also seen numerous situations where the IT staff left en masse.
Most Sysadmins are lousy about writing things down. What is the ramp-up time for your new staff when they have to research and guess how everything works on arrival?
The general instinct of a new IT person is to rip everything out and install their favorite things. Got Windows? They like Linux. Got Word? They like Google Docs. They don't necessarily understand that one platform is much like another, but imposing massive change on an organization can be dangerously disruptive.
Technology candidates need to be assessed not only for their technical skills, but also for their attitude and maturity. A very sharp tech, who can answer all of your Outlook questions, might have little patience for documenting his or her work or sharing knowledge with other technical staff. And those skills are the ones that will allow you to transition more smoothly when the tech leaves.
Mission is a motivator, and it has value that can be factored in to overall compensation, but not to the point where it's so unattractive that it knocks the pool of candidates down to a pool of uncommitted or desperate ones. The impact of paying poorly isn't isolated to the salary bucket on the balance sheet. In many cases, particularly with technology, it's tied directly to the ability to operate.
As you probably know, the U.S. Congress has been having a big debate about what went on behind closed door briefings on the treatment of detainees in the war on terrorism. At issue is whether House Leader Nancy Pelosi was told about the use of harsh interrogation tactics, which many of us define as torture, in 2002 and 2003 briefings, when the tactics were actually in use. Rep. Pelosi maintains that they weren't discussed; The CIA, responsible for the briefings, maintains that they were, but neither of them has yet provided documentation that might settle the matter. Meanwhile, Rep. Pelosi's Democratic colleague, Rep. Bob Graham, who, as head of the Senate Intelligence Committee, was also to be briefed on such actions, reports that the CIA's assertions are in error. Dates that they claim he was in briefings on the subject are wrong. His his meticulous notes, which he has traditionally been kidded about keeping, establish that only one of four CIA-alleged meetings actually occurred, and, in it, the harsh interrogation tactics weren't discussed.
At this point, you might well be asking why I'm bringing this up on the Idealware blog. And the answer is, because it's about data, or, more to the point, the integrity of data and data keeping systems, and that's a topic close to our hearts here at Idealware. This example was inspired by some great reporting by the frivously-named, but thought-provoking blog BoingBoing, and a post of theirs on May 21st titled "Bob Graham's much-scoffed-at little notebooks are more reliable than the CIA's records". They quote Gary Wolf's post (which I highly recommend reading) about the intriguing fact that the CIA backed off of their record keeping claims rather quickly upon learning that they didn't jibe with Graham's personal notes. Consider this for a minute: Bob Graham's personal note-taking has more authority than the record keeping of the Central Intelligence Agency. The killer line from Wolf's post is:
"Personal data, kept by a dedicated and interested party, even using yesterday's technology, will trump large scale collection systems managed by bureaucrats."
You can find some really excellent advice here at Idealware on what to buy and how to implement the software that will manage the critical information that your organization lives and dies by. You can spend hundreds of thousands of dollars deploying it. But it, too, might be outclassed by the scribbling of a person who's scribble-keeping habits are far less impeachable (to keep the political allegory going) than the data integrity securing processes that you build around your system.
When you deploy that software, one thing to consider is "who owns this data? Who has the most respect for it?". Distribute the data entry duties in ways that insure that the people who first put that data into the system care about it, and are invested in seeing that it goes in correctly. Then, integrate your systems in ways that eliminate duplicate entry of that data. Set up triggers that push data from the authoritative systems of record (the ones that the people who care enter the data into) to the auxiliary systems, insuring that no donor or client's name is misspelled one place, but correct in another; and that a $50 donation via the web site isn't recorded as a $500 entry in your donor database.
Doing this will insure that your data-keeping systems have the upstanding reputations that your organization depends on.
The technology trend that defines this decade is the movement towards open, pervasive computing. The Internet is at our jobs, in our homes, on our phones, TVs, gaming devices. We email and message everyone from our partners to our clients to our vendors to our kids. For technology managers, the real challenges are less in deploying the systems and software than they are in managing the overlap, be it the security issues all of this openness engenders, or the limitations of our legacy systems that don't interact well enough. But the toughest integration is not one between software or hardware systems, but, instead, the intersection of strategic computing and organizational culture.
There are two types of silos that I want to discuss: organizational silos, and siloed organizations.
An organizational silo, to be clear, is a group within an organization that acts independently of the rest of the organization, making their own decisions with little or no input from those outside of the group. This is not necessarily a bad thing; there are (although I can't think of any) cases where giving a group that level of autonomy might serve a useful purpose. But, when the silo acts in an environment where their decisions impact others, they can create long-lived problems and rifts in critical relationships.
We all know that external decisions can disrupt our planning, be it a funders decision to revoke a grant that we anticipated or a legislature dropping funding for a critical program. So it's all the more frustrating to have the rug pulled out from under us by people who are supposed to be on the same team. If you have an initiative underway to deploy a new email system, and HR lays off the organizational trainer, you've been victimized by a silo-ed decision. On the flip side, a fundraiser might undertake a big campaign, unaware that it will collide with a web site redesign that disables the functionality that they need to broadcast their appeal.
Silos thrive in organizations where the leadership is not good at management. Without a strong CEO and leadership team, departmental managers don't naturally concern themselves with the needs of their peers. The expediency and simplicity of just calling the shots themselves is too appealing, particularly in environments where resources are thin and making overtures to others can result in those resources being gladly taken and never returned. In nonprofits, leaders are often more valued for their relationships and fundraising skills than their business management skills, making our sector more susceptible to this type of problem.
The most damaging result of operating in this environment is that, if you can't successfully manage the silos in your organization, then you won't be anything but a silo in the world at large.
We've witnessed a number of industries, from entertainment and newspapers to telephones and automobiles, as they allowed their culture to dictate their obsolescence. Instead of adapting their models to the changing needs of their constituents, they've clung to older models that aren't relevant in the digital age, or appropriate for a global economy on a planet threatened by climate change. Since my focus is technology, I pay particular attention to the impacts that technological advancement, and the accompanying change in extra-organizational culture (e.g., the country, our constituents, the world) have on the work my organization does. Just in the past few years, we've seen some significant cultural changes that should be impacting nonprofit assumptions about how we use technology:
Increased regulation on the handling of data. We're wrestling with the HIPAA laws governing handling of medical data and PCI standards for financial data. If we have not prioritized firewalls, encryption, and the proper data handling procedures, we're more and more likely to be out of step with new laws. Even the 990 form we fill out now asks if we have a document retention plan.
Our donors are now quite used to telephone auto attendants, email, and the web. How many are now questioning why we use the dollars they donate to us to staff reception, hand write thank you notes, and send out paper newsletters and annual reports?
Our funders are seeing more available data on the things that interest them everywhere, so they expect more data from us. The days of putting out the success stories without any numbers to quantify them are over.
Are we making changes in response to these continually evolving expectations? Or are we still struggling with our internal expectations, while the world keeps on turning outside of our walls? We, as a sector, need to learn what these industrial giants refused to, before we, too, are having massive layoffs and closing our doors due to an inability to adapt our strategies to a rapidly evolving cultural climate. And getting there means paying more attention to how we manage our people and operations; showing the leadership to head into this millennia by mastering our internal culture and rolling with the external changes. Look inward, look outward, lead and adapt.
John Palfrey would probably call himself a “digital settler,” someone comfortable enough with technology to help open up the new realms of pervasive digital media and online social networking. I just heard him speak about the emerging population of “digital natives,” those among the 1 to 3 Billion people born after 1980 with access to the new web and/or mobile technology and who have been exposed to the ways and means of its merger with daily life. ("Digital immigrants" make up Palfrey's third and largest clump of the human population--those of us slowly struggling to make their way in the post-email new world.)
To see what it’s all about, before mentioning any websites, I think I’ll just pass on this youtube link.
For anyone working with youth in schools or youth-serving community organizations, Palfrey’s Born Digital, Understanding the First Generation of Digital Natives, is essential reading. Since reading it last winter, I have found myself referring to it repeatedly in planning meetings about on-line privacy and security on our sites, the constructions of line identities, how advocacy and services can mesh with everyday social networking as experienced by young people today.
Most anyone who went to this year’s nten.org Nonprofit Technology Conference will have returned reporting the emerging mainstream sensibility of integrating facebook, youtube, twitter and more into organizational strategy. I would not call Palfrey’s perspective an antitode to this exhilaration. It’s more that he is balancing the long term risks and opportunities, particularly for young people. And he is trying to explain their perspective to the extent he can interpret it.
An academic (including at Harvard’s Berkman Center for Internet and Socieity), Palfrey had something to say on these matters. So being of a certain age and cultural background, naturally, he wrote a book. Likewise, I found it and read it in the traditional fashion. And I truly do recommend it.
As fits his cautiously enthusiastic embrace of our digital era, Palfrey's talk took a somewhat defensive and apologetic tone about publishing a old fashioned book. He explained that in addition to the traditional book, you can read the Kindle edition. You can also visit the Born Digital wiki at http://www.digitalnative.org/wiki/Main_Page and immerse your personal self in a constantly community-updated version of the work. You can take part in the blog at http://blogs.law.harvard.edu/digitalnatives/.
And with even more enthusiasm, he recommended absorbing the videos produced by some of his students that are bringing sections of the book to life. According to John, the one linked above was made by a 17 year old with no prior videography experience. Watch the video and I won’t say skip that chapter of the book, but you’ll have the idea. Look for others tagged digitalnative or find the links on http://www.digitalnative.org (including to the book).
His point about the video was that participating in the emerging world of digital social media carries risks, but those native to it and are mastering it, are as literate and as fully contributory to social discourse as other population segments. There is much positive to be gained from the emerging digital world, and those born to it will make the most of it.
Second, more to the point of the privacy and other risks, Palfrey also said that over time, young people born to this world will likewise natively come to weigh and take hold of privacy and security issues attendant to on-line profiles and sharing. The media may focus on teenagers coming to regret underage drinking pictures on facebook, flickr and such. To generalize from Palfrey a bit, their calculations about what to put on facebook may collectively mature faster than older generations’ thoughts about Linked In.
Likewise, thinking about a recent project here, in wrestling the pluses and minuses of whether an on-line database should store such information as “sought pregnancy or family counseling,”it made sense to get closer to the needs and thinking of the participating youth themselves. Sure educate them about what lies ahead for those “born digital,” but put ourselves in their position as well.
The presentation I heard by John Palfrey was sponsored by Boston’s Jewish Alliance for Law and Social Action (jalsa.org). In the discussion, I commented how voluntary self-exposure online has to be put in the context of massive involuntary collection of school, medical, business and credit, justice system and other governmental record-keeping. Many of the participants were thoughtful, experienced civil liberties attorneys and as the discussion progressed, there were many comments about national policy under Bush, recent litigation and such. I love hearing attorneys tie our everyday experiences back to what is going behind the scenes. I listened, and watched John Palfrey hang back and let that thread run its course rather than specifically connect it to his book.
Palfrey’s message is not that we should take data gathering lightly, but that we should pay special attention to what the generation of digital natives themselves do about it. When he showed Kanupriya Tewari’s video mentioned earlier, it struck me that she wove the voluntary and involuntary data collection together in a more accessible way than the book itself. Exactly his point!
I’ll end with an image that kept coming back to me: the kid in the opening credits of The Wire who throws a rock through the surveillance camera lens. One might speculate whether that, that kid, when he settles down a bit, will have a more balanced grasp of the balance between sharing and keeping private than many of us digital settler experts.
My esteemed colleague Michelle Murrain lobbed the first volley in our debate over whether tis safer to host all of your data at home, or to trust a third party with it. The debate is focused on Software as a Service (SaaS) as a computing option for small to mid-sized nonprofits with little internal IT expertise. This would be a lot more fun if Michelle was dead-on against the SaaS concept, and if I was telling you to damn the torpedos and go full speed ahead with it. But we're all about the rational analysis here at Idealware, so, while I'm a SaaS advocate and Michelle urges caution, there's plenty of give and take on both sides.
Michelle makes a lot of sound points, focusing on the very apt one that a lack of organizational technology expertise will be just as risky a thing in an outsourced arrangement as it is in-house. But I only partially agree.
Security: Certainly, bad security procedures are bad security procedures, and that risk exists in both environments. But beyond the things that could be addressed by IT-informed policies, there are also the security precautions that require money to invest in and staff to support, like encryption and firewalls. I reject the argument that the data is safer on an unsecured, internal network than it is in a properly secured, PCI-Compliant, hosted environment. You're not just paying the SaaS provider to manage the servers that you manage today; you're paying them to do a more thorough and compliant job at it.
Backups: Many tiny nonprofits don't have reliable backup in place; a suitable SaaS provider will have that covered. While you will also want them to provide local backups (either via scheduled download or regular shipment of DVDs), even without that, it's conceivable that the hosted situation will provide you with better redundancy than your own efforts.
Data Access: Finally, data access is key, but I've seen many cases where vendor licensing restricts users from working with their own data on a locally installed server. Being able to access your data, report on it, back it up, and, if you choose, globally update it is the ground floor that you negotiate to for any data management system, be it hosted or not. To counter Michelle, resource-strapped orgs might be better off with a hosted system that comes with data management services than an internal one that requires advanced SQL training to work with.
Where we might really not see eye to eye on this is in our perception of how 'at risk" these small nonprofits are, and I look at things like increasing governmental and industry regulation of internal security around credit cards and donor information as a time bomb for many small orgs, who might soon find themselves facing exorbitant fines or criminal charges for being your typical nonprofit, managing their infrastructure on a shoestring and, by necessity, skimping on some of the best practices. It's simple - the more we invest in administration, the worse we look in our Guidestar ratings. In that scenario, outsourcing this expertise is a more affordable and reliable option than trying to staff to it, or, worse, hope we don't get caught.
But one point of Michelle's that I absolutely agree with is that IT-starved nonprofits lack the internal expertise to properly assess hosting environments. In any outsourcing arrangement, the vendors have to be thoroughly vetted, with complete assurances about your access to data, their ability to protect it, and their plans for your data if their business goes under. Just as you wouldn't delegate your credit card processing needs to some kid in a basement, you can trust your critical systems to some startup with no assurance of next year's funding. So this is where you make the right investments, avail yourself of the type of information that Idealware provides, and hire a consultant.
To me, there are two types of risk: The type you take, and the type you foster by assuming that your current practices will suffice in an ever-changing world (more on this next week). Make no mistake, SaaS is a risky enterprise. But managing your own technology without tech-savvy staff on hand is something worse than taking a risk - it's setting yourself up for disaster. While there are numerous ways to mitigate that, none of them are dollar or risk free, and SaaS could prove to be a real bang for your buck alternative, in the right circumstances.
Peter Campbell and I have had an ongoing conversation/argument about whether or not Software-as-a-Service (hereby known as SaaS) is more secure than in-house facilities in a small, IT resource-poor organization. So we decided to "have it out" so to speak, on the Idealware blog.
First - we are talking here about small or medium-sized nonprofit organizations with no dedicated IT staff. And the question is, basically, "is it more secure for that organization to house their data and services 'in the cloud', instead of in-house?" My answer is "no." Don't get me wrong, I think SaaS is a great thing - my company implements it, and I've been thinking a lot about SaaS using open source tools. And it's not less secure, at all, either. But it is not a security panacea, and it shouldn't be thought of that way.
Why is this? I want to start by asking the questions "what is security?" and "what are they risking?" Security is, in my mind, is their data safe from getting in the wrong hands? And the risks are not only stolen data, but also corrupted and lost data.
People who spend a lot of time thinking about security do get lost in the depths of encryption, blocking ports, protections against attacks, and virus/worm protection and the like. And I think it gets easy to imagine that if someone (a SaaS vendor) does security "right" and a nonprofit, who has little or no access to good IT expertise, will inevitably do it "wrong", then SaaS will be more secure for them.
But lack of access to good IT expertise means a few things:
Yes, it does mean that their in-house network is likely insecure
It also means that they might not know how to understand or choose SaaS products that are known to be stable and secure, with solid business models.
It means they likely won't know how to get their data out when they need to, for whatever reason
It means there is a lack of understanding of the risks of SaaS, especially in organizations, like human rights or activist organizations, with sensitive data.
And the human factor in security doesn't pay attention to where the data lives.
What do I mean by the "human factor?" I mean using "password" for passwords. I mean sharing passwords among staff, some of whom eventually leave the organization. I mean not doing backups (yes, having backups are important for SaaS, too.)
So my opinion is that we can't say definitively which is more "secure," because there are too many factors at play. And the most important thing is education of organizations around security and risk.
Non Profit social media maven Beth Kanter blogged recently about starting up a residency at a large foundation, and finding herself in a stark transition from a consultant's home office to a corporate network. This sounds like a great opportunity for corporate culture shock. When your job is to download many of the latest tools and try new things on the web that might inform your strategy or make a good topic for your blog, encountering locked-down desktops and web filtering can be, well, annoying is probably way to soft a word. Beth reports that the IT Team was ready for her, guessing that they'd be installing at least 72 things for her during her nine month stay. My question to Beth was, "That's great - but are they just as accommodating to their full-time staff, or is flexibility reserved for visiting nptech dignitaries?"
The typical corporate desktop computer is restricted by group policies and filtering software. Management, along with the techs, justify these restrictions in all sorts of ways:
Standardized systems are easier, more cost-effective to manage.
Restricted systems are more secure.
Web filtering maximizes available bandwidth.
This is all correct. In fact, without standardization, automation, group policies that control what can and can't be done on a PC, and some protection from malicious web sites, any company with 15 to 20 desktops or more is really unmanageable. The question is, why do so many companies take this ability to manage by controlling functionality to extremes?
Because, in many/most cases, the restrictions put in place are far broader than is necessary to keep things manageable. Web filtering not only blocks pornography and spyware, but continues on to sports, entertainment, politics, and social networking. Group policies restrict users from changing their desktop colors or setting the system time. And the end result of using the standardization tools to intensively control computer usage results, most often, in IT working just as hard or harder to manage the exceptions to the rules (like Beth's 72, above) than they would dealing with the tasks that the automation simplifies in the first place.
Restricting computer/internet use is driven by a management and/or IT assumption that the diverse, dynamic nature of computing is either a distraction or a problem. The opportunity to try something new is an opportunity to waste time or resources. By locking down the web; eliminating a user's ability to install applications or even access settings, PC's can be engineered back down to the limited functionality of the office equipment that they replaced, such as typewriters, calculators and mimeograph machines.
In this environment, technology is much more of a controlled, predictable tool. But what's the cost of this predictability?
Technology is not fully appreciated, and computer literacy is limited in an environment where users can't experiment.
Strategic opportunities that arise on the web are not noticed and factored into planning.
IT is placed in the role of organizational nanny, responsible for curtailing computer use, as opposed to enabling it.
Cash and resource-strapped, mission-focused organizations only need look around to see the strategic opportunities inherent in the web. There are an astounding number of free, innovative tools for activism and research. Opportunities to monitor discussion of your organization and issues, and meaningfully engage your constituents are huge. And all of this is fairly useless if your staff are locked out of the web and discouraged from exploring it. Pioneers like Beth Kanter understand this. They seek out the new things and ask, how can this tool, this web site, this online community serve our sector's goals to ease suffering and promote justice? More specifically, can you end hunger in a community with a widget? Or bring water to a parched village via Twitter? If our computing environment is geared to stifle innovation at the cost of security, are we truly supporting technology?
As the lead technologist at my organization, I want to be an enabler. I want to see our attorneys use the power of the web to balance the scales when we go to court against far better resourced corporate and government counsel. In this era of internet Davids taking down Goliaths from the RIAA the the mainstream media, I don't want my co-workers to miss out on any opportunities to be effective. So I need the flexibility and perspective to understand that security is not something that you maintain with a really big mallet, lest you stamp out innovation and strategy along with the latest malware. And, frankly, cleaning a case of the conflickr worm off of the desktop of an attorney that just took down a set of high-paid corporate attorneys with data grabbed from some innovative mapping application that our web-filtering software would have mistakenly identified as a gaming site is well worth the effort.
Flexibility has it's own Return on Investment (ROI), particularly at nonprofits, where we generally have a lot more innovative thinking and opportunistic attitude than available budget. IT has to be an enabler, and every nonprofit CIO or IT Director has to understand that security comes at a cost, and that cost could be the mission-effectiveness of our organizations.
Google often figures in discussion about use of free or low cost software as well as of what are the boundaries of corporate commitments to Open Source. The uniformity and simplicity of Google applications give them a seductive appeal. Yet in my own use of them and in discussions with clients, they also carry with them a sense of unease.
How much can we count on Gmail, Google Docs, Calendar and the rest when their free or low cost availability depends almost entirely on Google’s continued domination of web search? “Do no evil” notwithstanding, how much can we count on Google’s commitment to privacy and security? While providing many Open Source tools, how much can we count on software whose core remains entirely closed and proprietary? Is migration of software to the cloud inevitable and a Good Thing?
These questions come up about other corporate leaders that figure large in software selection and strategy these days. Google fascinates us because it has become ubiquitous and the issues easier to grasp.
The report assesses internal weaknesses, as well as legal, strategic, and other threats. The strategic threats category caught my eye. Google faces challenges from both its large, global competitors as combined with possibilities at the other end of “disruptive technologies” from new companies. Things in software will keep changing. Time frames that you can expect a given software strategy to last continues to shrink.
Likewise, though the authors did not give it high priority, they noted that competition from Open Source alternatives could have a high impact. This in combination with the reports assessment of privacy concerns make for a large potential threat. This is likely true for most all corporate software systems, including others straddling the Open Source/proprietary fence.
Last, the report notes recent interruptions in Gmail and problems with other Google services, which many of us experienced. Yet the authors do not connect this with the difficulty or impossibility most Google users have in getting customer service. As I mentioned in this space some time ago about using free Gmail without a backup plan, this falls into the category of “no free lunch.”
Many idealware blog readers would benefit from viewing these slides, both to ponder Google as well as a framework for considering where we all stand with other corporate software providers.
Back in 2007, popular retail chain T.J. Maxx suffered a credit card and data breach estimated in the billions of dollars. Companies within the TJX parent company chain also affected include Marshalls and Homegoods. (Read an Information Week article from the time.)
Many of us have either directly suffered from losses like these and if not, perhaps felt the chill or worry about data security for systems we have worked on or have responsibility for. When a development director says, why shouldn’t we set up our own credit card processing and cut down on processing fees, you have to ask, uh, do you really want the responsibility of storing someone’s credit card numbers? When a manager says, but we have always appreciated the flexibility of using social security numbers as a secondary way of looking people up, you have to ask, is that ease worth the responsibility? When a youth services program has reporting requirements to a foundation asking for correlation with court involvement, pregnancy counseling, abuse at home, you have to ask, how much of that information do you want collected in one easy place? Maybe we have become more cautious about these matters, maybe not yet.
As it happens, TJX has its corporate headquarters here in Massachusetts where I live and work, so the human impact and new coverage inspired a political response. The Commonwealth adopted what became 201CMR17, “Standards for the Protection of Personal information of Residents of the Commonwealth.” Explaining the law, The Office of Consumer Affairs reported that upwards of 700,000 Mass residents had suffered from stolen or lost personal information just in the last two years. This law, and others like it around the country, will be the response.
This type of legislation could have a positive benefit. It also carries an implementation cost, applying even to small businesses and nonprofits, yet it has no funding. We call this an unfunded mandate. You have to do it, and you can be sued if not doing it results in someone suffering a loss, yet the Legislature has not provided funding for publicizing the law, educating technology folks on how to implement it, or for investing in the improvements the law will require. And as we know, this is not a time for nonessential technology investments. Originally, the law would have taken effect in May 2009. Recognizing reality, the state has now pushed it back to Jan 2010.
Whether its onerous or not, and whether it applies to you around the country or not, it could inspire useful improvements. The law firm Morrison-Foerster provided a useful summary of the type of policies needed to meet the requirements. How many of them do you already follow?
A friend and colleague, Adam Frost, has created a useful web site collecting policy suggestions and technology links around internal data security. Adam has spoken out passionately yet quite pragmatically on these issues for years, including in workshops we co-led at the Grassroots Use of Technology conferences. Check out http://www.201cmr17.com/, which is just beginning, and its associated blog
There is also a Linked-in group specifically on these regulations.
And a great discussion list on technology security issues generally is at http://www.naisg.org/.
I wonder how much time all of us give to these matters.
I’m back to using two computers regularly. My trusty laptop now frequently just sits on my desk. While traveling around, my shiny new, lightweight Ubuntu netbook (a Dell mini 12) connects to the Internet, has Open Office, Remote Desktop, and enough other stuff that I am fine. I’m not here to sing the virtues of Ubuntu; I want to talk about the challenges of having data on more than one computer.
In times gone by, when many of us had a big desktop computer at work or home office, and a laptop on the road, synchronizing data was a daily chore. You emailed stuff to yourself, put it on a flash drive or other portable device, copied stuff remotely to a file server, or used early somewhat clunky web services. As laptops gained, many folks, including myself, transitioned to just the laptop in large part to avoid the sync nuisance.
Netbooks as well as mobile smart phones have brought back the challenging of syncing two or more computers. Steve Jobs said last fall, "We don't know how to make a $500 computer that's not a piece of junk, and our DNA will not let us ship that." Now even Apple will likely have one soon. And if your two computers don’t share the same operating system (Mac and Windows, or in my case Mac and Linux), the challenge grows.
I want to pass on two services which have significantly closed the gap for me.
First Dropbox for files. Like many of us, a lot of the documents I need get stored out on the web. Enough things remain in two places to make document synchronization an issue. www.getdropbox.com provides up to 2 GB of free web-assessable storage. You then install a Windows, Mac or Linux client on your computer that will automatically, quickly, securely and transparently sync your designated dropbox folder to the web. It happens so fast, I generally don’t have to double check that something I worked on in Word on Windows will be there when I open it up later in Open Office on Ubuntu. It also handily tracks versions, provides an RSS feed of your updates, and allows you to share with other folks.
I like dropbox. I have no material relationship to them, but I will shamelessly say that if you try it out using this link, I will get a tad more free storage!
Second, LastPass.com. LastPass does for passwords what dropbox does for files. Even with services like Dropbox, more and more work keeps moving entirely to the web. And this means more passwords. Hopefully, you have graduated from one easily guessed password to many unique ones. I have happily used RoboForm for years to keep my gazillion passwords safe and more usable within IE or Firefox than their own password savers. Unfortunately, Roboform only swings the Microsoft way. I have been experimenting with lastpass. Lastpass does have Mac, Linux and Windows versions. And to get started, it imports from Roboform or other popular traditional password managers you may be using.
(Roboform, LastPass and other such tools make password management easy enough that you really should make sure to generate random secure passwords.)
How secure is dropbox or lastpass? That is a deep question about the state of the Internet and cloud computing generally. I take the popularity of these two services to mean that they are not crooks and scammers. What we can’t know is how much to trust for how long and to what degree their storage of my stuff. Is it more or less secure than Basecamp or Salesforce or other services we use?
For those who want some measure of convenience without having this much faith, you can set up to use a flashdrive instead of the Cloud. Just take your drive with you and plug it in to each new computer you use—and hope you don’t lose that drive and that its encryption can be trusted.
As these and other such services also embrace smartphones and other devices, as well as bridging Mac-Windows-Linux, I suspect they will become another basic part of web life. Other things, like IM, have even easier multiple-machine, cross-platform solutions. The less straightforward challenge is secure remote control of my Windows computer from Linux. I will save that for another time. And I didn't intend this as a "few good tools" comparison, so I'm interested in what else is out there that helps ease multiple computer, multiple operating system life.
Those of us who actively create internet content -- which includes many nonprofits, at this point - were fairly blindsided by a small, subsequently revoked change in Facebook's terms of service this month. The earlier terms allowed Facebook to use any content that a user publishes to the site in a variety of ways, as long as the user kept the content on the site. The change extended Facebook's rights to use beyond it's time on their system. They could keep using it after the user removed it, and they could even keep using it after the user cancelled their account. Facebook's defense of this action, in a blog post by Mark Zuckerberg, the CEO, was that the intention was to insure that people whom you shared information with, such as emails, links or notes, didn't lose access to that information if/when you removed it. But, since the policy didn't isolate that use example from the broader uses, such as Facebook advertising their services with your content, or providing it to third parties, the reassurance left a lot of us cold. A use policy on a social networking site should establish, clearly, what will and won't happen with the content that you post to it, not leave it open ended to this extreme.
This incident prompted a fascinating post by Dr. Amanda French, comparing the license agreements of a variety of popular social networks. This is an important read, but the upshot is: Google services and MySpace have pretty clear terms; Facebook and LinkedIn claim a broad range of rights to content that we publish on their systems.
To me this is a bit like the separation of church and state. I expect that a social networking site, like an ISP, is a medium that I can use to communicate and share things, including things that i create and hold copyright to; not a magazine that licenses and retains ownership of works that I submit. If that's not the case, then I want to know that and be very careful about what I'm putting up there. In my case, I'm trying to protect my works and personal reputation; a nonprofit should be just as concerned about how a business like Facebook might portray them as they repurpose their content.
There is media -- content, that we create -- and there are mediums, and in the print world the issues of content ownership are very clearly outlined in contracts. Facebook and their ilk should be applying the same standards, maybe even more so, since they are publishers on a much more massive scale than, say Ms. Magazine or Popular Mechanics.
If your nonprofit has 40 or more people on staff, it's a likely bet that you use Microsoft Exchange as your email server. There are, of course, many nonprofits that will use the email services that come with your web hosting, and there are some using legacy products like Novell's Groupwise or Lotus Notes/Domino. But the market share for email and groupware has gone to Microsoft, and, at this point, the only compelling up and coming competition comes from Google.
There are reasons why Microsoft has dominated the market. Exchange is a mature and powerful product, that does absolutely everything that an email system has to do, and offers powerful calendaring, contact management and information sharing features on top of it. A quick comparison to Google's GMail offering might look a bit like "Bambi vs. Godzilla". And, as Michelle pointed out the other day, GMail might be a risky proposition, despite it being more affordable, because it puts your entire mail store "in the cloud". But Gmail's approach is so radically different from Microsoft's that I think it deserves a more detailed pro/con comparison.
Before we start, it's important to acknowledge that the major difference is the hosted/cloud versus local installation, and there's a middle ground - services that host Exchange for you - Microsoft even has their own cloud service. If you are evaluating email platforms and including GMail and Exchange, hosted Exchange should be weighed as an additional option. But my goal here is to contrast the new versus the traditional, and traditional Exchange installations are in your server room, not someone else's.
Server Platform
Installing Exchange is not a simple task. Smaller organizations can get away with cheaper hardware, but the instructions say that you'll need a large server for mail storage; a secondary server for web and internet functions, and, most likely, a third server to house your third party anti-spam and anti-virus solutions. Plus, Exchange won't work in a Linux or Novell network - there has to be an additional server running Microsoft's Active Directory in place before you can even install it. It can be a very stable product if you get the installation right, but getting it right means doing a lot of prep and research, because the slim documents that come in the box don't prepare you for the complexity. Once you have it running, you have to run regular maintenance and keep a close watch - along with mailbox limits - to insure that the message bases don't fill up or corrupt.
GMail, on the other hand, is only available as a hosted solution. Setup is a matter of mapping your domain to Google's services (can be tricky, but child's play compared to Exchange) and adding your users.
Win - GMail. It saves you a lot of expense, when you factor in the required IT time and expertise with the hardware and software costs for multiple servers.
EMail Clients
Outlookhas it's weaknesses - slow and obtuse search, poor spam handling, and a tendency toward unexplained crashes and slowdowns on a regular basis. But, as a traditional mail client, it has a feast of features. There isn't much that you can't do with it. One of the most compelling reasons to stick with Outlook is it's extensibility. Via add-ons and integrations, Outlook can serve as a portal to applications, databases, web sites and communications. In a business environment, you might be sacrificing some key functionality without it, much as you often have to use Internet explorer in order to access business-focused web sites.
But where Outlook is a very hefty application, with tons of features and settings buried in it's cavernous array of menus and dialog boxes, Gmail is deceptively uncluttered. The truth is that the web-based GMail client can do a lot of sophisticated tricks, including a few that Outlook can't -- like allowing you to decide that you'd rather "Reply to All" mid-message -- and some that you can only do with Outlook by enabling obscure features and clicking around a lot, like threading conversations and applying multiple "tags" to a single message. Gmail is the first mail client to burst out of the file cabinet metaphor. Once you get used to this, it's liberating. Messages don't get archived to drawers, they get tagged with one or more labels. You can add stars to the important ones. It's not that you can't emulate this workflow in Outlook, it's that it's fast and smooth in GMail, and supported by a very intelligent and blazingly fast search function. Of course, if that doesn't float your boat, you can always use Outlook - or any other standard POP3 or IMAP client - to access GMail.
Win - GMail. It's more innovative and flexible, and I didn't even dig deep.
Availability
Exchange, of course, is not subject to the vagaries of internet availability when you're at the office. Mind you, much of the mail that you're waiting to receive is. And Outlook - if you run in "Cached mode" - has had offline access down for ages. GMail just started experimenting with that this week. If you're not in the office, Exchange supports a variety of ways to get to the mail. Outlook Web Access (OWA) is a sophisticated web-based client that, with Exchange 2007 and IE as the browser, almost replicates the desktop Outlook experience. OMA is a mobile-friendly web interface. And ActiveSync, which is supported on many phones (including the iPhone) is the most powerful, stable and feature-rich synchronization platform available. Exchange can do POP and IMAP as well, and also supports a VPN-like mode called Outlook Anywhere (or HTTPS over RPC).
GMail only supports web, pop and IMAP. There's a mobile GMAIL app which is available on more phones than Activesync is, but it isn't as robust or full featured as Microsoft's offering.
So, oddly, the Win for remote access goes to Microsoft over Google, because Microsoft's offerings are plentiful and mature.
Business Continuity
So, not to belabor this, Exchange is well supported by many powerful backup products. In cached mode, it mirrors your server mailbox to your dektop, which is additional redundancy.
GMail is in the cloud, so backup isn't quite as straightforward. Offline mode does some synchronization, like Exchange's cached mode, but it's not 100% or, at this point, configurable. Prudent GMail users will, even if they don't read mail in it, set up a POP email program to regularly download their mail in order to have a local copy.
Win - Microsoft
Microsoft also Wins the security comparison - Google can, and has, cut off user's email accounts. There seem to have been good reasons, such as chasing out hackers who had commandeered accounts. But keeping your email on your backed-up server behind your firewall will always be more secure than the cloud.
But I'd hedge that award with the consideration that Exchange's complexity is a risk in itself. It's all well and safe if it is running optimally and it's being backed up. But most nonprofits are strapped when it comes to the staffing and cost to support this kind of solution. If you can't provide the proper care and feeding that a system like Exchange requires, you might well be at more risk with an in-house solution. The competence of a vendor like Google managing your servers is a plus.
Finally, cost. GMail wins hands down. The supported Google Apps platform is free for nonprofits. Microsoft offers us deep discounts with their charity pricing, but Dell and HP don't match on the hardware, and certified Microsoft Administrators come in the $60-120k annual range.
So, in terms of ease of management and cost, GMail easily wins. There are some big trade-offs between Microsoft's kitchen sink approach to features and Google's intelligent, progressive functionality, and, in well-resourced environments, Microsoft is the secure choice, but in tightly resourced ones - like nonprofits - GMail is a stable and supported option. The warnings about trusting Google -- or any other Software as a Service vendor -- are prudent, but there are a lot of factors to weigh. And it's going to come down to a lot of give and take, with considerations particular to your environment, to determine what the effective choice is. In a lot of cases, the cloud will weigh heavier on the scale than the colossus.
Last week, we talked about 
Photo: 
Subscribe through Feedburner