Up until now, one of the larger reasons why I haven’t been too keen on Apple’s iPhone is that it’s locked to AT&T Wireless service, and in general, I’m a believer in the argument that AT&T is one of the more loathsome companies out there — the company has cooperated with the NSA, the RIAA and the MPAA to invade the privacy of its customers, it continues to charge iPhone users a $175 early-termination fee for canceling their contracts despite the fact that those users paid full-price for their phones (and thus, no argument about repaying them for a subsidized phone exists), and despite clear rulings that say it has to offer $10 DSL in certain markets, AT&T is doing everything it can to mislead consumers, bury the existence of the option, and generally obstruct people from signing up for the plan. Thus, when reasonable alternatives exist, I generally like to take them, and for that reason (and a few others), Shannon and I have remained Verizon Wireless customers. (Note that I’m not saying VZW is the paragon of greatness — but up until now, I’ve been pretty satisfied that the company’s efforts to screw me aren’t above the norm that we’ve come to expect in the cellphone industry.)

However, over the past week or two, bits of info have come out that might force me to rethink things a bit. First, I got a notice in the mail two weeks ago to let me know that Verizon wanted to share my personal info and calling habits with “authorized companies”, and that if I wished to prevent this, I had to call them and opt out of their plans. That was a little annoying. (Consumerist mentioned the notice in mid-September.) Then today, the Washington Post reported that Verizon has been turning over calling records to federal authorities without warrants for years, claiming that it doesn’t investigate the “legality or necessity” of the requests, because “to do so would slow efforts to save lives in criminal investigations.” While I understand the sentiment, I’m somewhat aghast at this — if Verizon really claims that it sees no need to evaluate whether a request to share their customers’ information is valid and legal, then I’m not sure I have a need to give them my money.

Unfortunately, though, with every day’s news it becomes clearer that all of the various telecom companies are both doing everything they can to screw their customers and getting as cozy with federal law enforcement officials as they can. Thus, I’m not sure that privacy concerns constitute a reason to rethink a telecom choice anymore… food for thought, indeed.

I received the oddest phone call yesterday, a robocall from DirecTV (from whom we currently receive our television service). It went more or less exactly like this:

Hello, my name is Diane, and I’m with DirecTV. From time to time, we like to call our customers with information about our latest promotions and specials, but we cannot call you with these, as you’re on our do-not-call list. We’d like to offer you the opportunity to update your status with us; press 1 if you want to remove your listing on our do-not-call list, or press 3 if you want to stay on the list.

Does anyone else find this the slightest bit weird — receiving a call from a company which acknowledges that they shouldn’t be allowed to call you, and asking if you still want that to be the case? In any event, the phone call is in explicit violation of DirecTV’s own “Do Not Call Policy”, which in part reads:

DIRECTV’s Outbound Telesales Department is a department within DIRECTV that engages in telemarketing to existing DIRECTV customers. The Outbound Telesales Department will not call any DIRECTV customer who has communicated his or her desire not to be called.

Given that DirecTV was fined $5.35 million back in 2005 for violating the federal do-not-call registry, you’d think that the company would be exquisitely sensitive to the ways in which it decides to make marketing telephone calls. After receiving the call yesterday, I thought that perhaps DirecTV was being clever — regardless of whether I want calls from them or not, by calling me they couldn’t be violating the do-not-call law because I’m an established customer of theirs. Turns out that I was wrong, though — according to the FTC (see question #9), they must adhere to the wishes of any established customers who don’t want to receive marketing calls, or they face an $11,000 fine per call. Looks like it’s time to file a complaint.

Two updates: first, it looks like I wasn’t the only one to get the phone call; pity for them they stirred the Consumerist beast. Second, it looks like there’s a bug with the FTC do-not-call registry complaint form; if you, like pretty much every American, have a phone number that’ll expire off the registry soon and you update your listing, you’ll be unable to file any complaints for 31 days because the FTC system thinks yours is a totally new listing. That’s stupid.

So, I guess that the dozens of times I’ve been at my local Home Depot and seen a “saw not working” sign on the panel saw, there’s an even-odds chance that the employees just didn’t want to be bothered to help their customers… fabulous.

Now that pop-under ads have made a resurgence on the web — and nefarious webheads have managed to figure out how to make them happen even with Firefox or IE locked down pretty tightly — I have an idea that I’d love to see implemented. It’s rooted in the basic problem that by the time a user closes a web browser window and sees all the accumulated pop-under ads, he or she has no clue which website was the cause, and as a result, no idea which website should be the target of unabashed loathing. Simply put, the idea is that any web browser window should have a feature which shows the user the exact website address being viewed in the window that spawned the popup. That way, it would be clear as a bell which website was responsible for accepting ad content (or worse, purposely programming content) which behaves this egregiously, and it’d be much easier for users to then avoid those websites — voting with our pageviews, as it were.

Who’s with me?

Ah, the iPhoners now get to see what the difference is between a product Apple controls in every way and a product for which it relies on AT&T to provide some level of service. I can’t fathom why a company with as reasonably great a record as Apple wanted to jump into bed with a company as awful as AT&T… it’s just weird.

Update: Gizmodo gets on the bandwagon and describes the amazingly wide gap between the iPhone-buying experience at an AT&T store and at an Apple store. Guess which store’s staff sucked awfully, treated customers like intruders, and did everything to not give information or assistance to the people who wanted to give them money?

I generally like his writing and his viewpoints, but I can’t help but wonder whether John Gruber’s missive against the enterprise’s wariness about iPhones is based more in his overt Apple lurve or in a lack of understanding of the things an enterprise has to manage on the wireless front. Far from his laser-like focus on email, when a large business thinks about services that need to be extended seamlessly to wireless devices, useful email access shares equal space with the ability to use a global address book, the need to access services on an intranet, ties into enterprise calendaring services, centrally-managed security policies, encryption (both of the contents of the device and communications between the device and other services), and the ability for the enterprise to control access on a device-by-device basis. And again, despite Gruber pointing out that some of the email issues can be solved using IMAP, there are few or no ways to solve the other issues, especially not in as unified a way as BlackBerry has done with the BlackBerry Enterprise Server (BES).

Let’s look at a few example issues, and think of how the iPhone would compare to what BlackBerry has in place.

1. A wireless user needs to be able to send an email to a few enterprise users, none of which are in his contact list. How does that user do this?

BlackBerry: in the email app, the user creates a new email, and in the “To:” line, types in the name of the recipient and chooses the “Lookup” option. The BlackBerry queries the global address list, returns a list of matches, and the user chooses the correct one, which is then added to the recipient list.

iPhone: according to articles like this, the iPhone doesn’t understand global address lists to the point where a developer had to write a raw LDAP client for the device (which we have to assume is a web-based app, given that there’s no native API for the iPhone). So the user has to open Safari, navigate to the web page which provides an LDAP lookup of the global address list, look up the user, and either click a mailto: link to start a new email to the user or cut-and-paste the address into the email client. (And while mailto: certainly is easier, it won’t work for multiple addressees without a really slick web app that allows multiple lookups to all be appended to a single link which will then launch the email app and start a new message. And none of this takes into account the fact that a company will have to write the LDAP lookup app in the first place.)

2. A wireless user needs access to an online database that only exists on a company’s intranet. How does the user get to it?

BlackBerry: given that the BES provides web connectivity that can be routed through the intranet, the user only has to open the BlackBerry Browser application and enter the URL, and will be taken to the web page hosting the database.

iPhone: there’s no similar way for iPhone users to route their web requests through an intranet server; iPhones get their connectivity to the internet through Cingular, and as such, are outside the enterprise firewall, meaning that they can’t get to intranet-only web applications. There’s no info on whether Safari on the iPhone will support the use of web proxies, but even then, use of the proxy will have to be open to the entire Cingular network, opening up a whole other host of security questions and problems. So to achieve this challenge, a company has to either (a) choose to host the web app on a server accessible to the internet at large and implement web-based authentication, (b) implement a public-facing webserver which has authentication and proxies requests for the application to the intranet server, or (c) set up an HTTP proxy server facing the internet and figure out how to secure it such that only authorized iPhone users can get access.

3. A company mandates that all wireless devices need to encrypt all information they store in memory, need to auto-lock after 15 minutes, and need to auto-erase the contents of the device after a given number of incorrect password attempts. In addition, the company wants to be able to wipe a device remotely that’s reported as lost.

BlackBerry: the system administrators create a new security policy with those three rules, push the policy out to all the BlackBerry devices registered on the BES, and then restrict access to the network to only those devices which have the new policy in place. All the devices receive the new policy and implement it; any devices which have more lax security settings are barred from accessing the enterprise. When a user reports their BlackBerry as lost, the sysadmins push a command to the device to wipe its memory.

iPhone: the system administrators recognize that (as of current information) there’s no way to encrypt all the information on the device, and no way to force the device to initialize itself after a given number of incorrect password attempts, so they give up on those two. They then send an email to all known iPhone users pleading with them to set their auto-lock times appropriately, and they hope that the users read the email and follow the directions. And given that it’s unclear whether there are any mechanisms of access control for specific iPhones, they continue to hope that the rules are being followed. As for lost iPhones giving up their data, there’s nothing that would allow for remote erasing, so the company also hopes that there’s nothing sensitive on the device.

4. Finally, given that I’m a physician, something that’s relevant to my world: an organization exists in a world which mandates that all electronic communications about patient care are encrypted from end to end, and system administrators are tasked with making sure their wireless devices comply with this requirement.

BlackBerry: the system administrators install the S/MIME add-on and the enterprise security certificate chain on all enterprise BlackBerries. They then have the users install their personal secure email certificate in their chains, as well, and then users can query the enterprise directory for other users’ secure certs and can choose encryption as an option on the email composition screen.

iPhone: from the bits of news coverage and reviews I’ve found, there doesn’t seem to be any encrypted email support on the iPhone, so there’s nothing the organization can do. It’s unclear whether the phone’s mail client can require — or even support — users’ connections to an IMAP server over SSL, so in addition to the actual email, the communications channel over which that email travels might be totally unencrypted.

There are oodles more issues that could be brought up, but the gist of the matter is that no matter how much people in the enterprise crave being able to replace their BlackBerries with iPhones, the support for the devices working at the enterprise level isn’t there. And given Apple’s pretty awful track record when it comes to integrating their other products into the corporate environment, you’d be naive to think that a seamless iPhone experience in the enterprise is coming anytime soon.

Jeff Atwood has a post worth reading about what he views as the failure of Amazon’s Mechanical Turk service, a service that’s baffled me ever since I saw it spring up. (For those who haven’t heard of it, Mechanical Turk is a clearinghouse set up by Amazon for organizations to solicit assistance in completing rote tasks, paying people a certain amount per task. For more background and info, Wikipedia has a reasonably good article about the service.) To be clear, I understand the idea behind the service — there are certainly a bunch of things that pop up in everyday work life that are worth hiring someone (in effect, a short-term contractor) to help you finish — but every time I browse Turk, it seems that there’s a vast disconnect between the available tasks and the amount people are willing to pay to get them completed.

For example, as of this morning, the Missouri Department of Purchasing and Materials Management has a Mechanical Turk post requesting assistance extracting details from around 250 state purchasing contracts. To complete each of the 250 tasks, the user has to:

  • search a web-based Missouri contracts database for a specific contract number;
  • visually locate a few fields on the detail page for the contract and cut-and-paste the information into a Turk form;
  • download and open up the actual contract (sometimes a Word document, sometimes a PDF) using a link on the contract detail page;
  • manually search through the dozen-plus pages of the contract for a bunch of other details, and cut-and-paste them into the Turk form;
  • cut-and-paste all the various document links from the contract detail page over to the Turk form;
  • and finally, submit all the extracted data back to someone in Missouri.

Once all that is done, someone (ostensibly from the Missouri Department of Purchasing and Materials Management) then evaluates the submitted information before agreeing to pay the Turk user the piecework fee — which is a whopping ten cents. And the funny thing is, this isn’t some isolated case; browsing the available tasks page, most are asking for someone to do something reasonably time-consuming, and are willing to pay reasonably little… and the fact remains that payment of the worker is still at the sole discretion of the person requesting the work. It’s hard for me to understand who’d be willing to participate in the service, and I’d love to see someone take a more longitudinal view of the posted tasks and provide real stats on such things as how many tasks get completed, how many users end up getting paid, and what kind of money ends up moving through the service over a given increment of time.

The Washington Post reported today on a DC-area general contractor which has filed a $6 million lawsuit against two homeowners for posting their bad experiences with the company on Angie’s List. (Both also posted their opinions in the Mount Pleasant neighborhood forum, and apparently, this posting is also cited as a basis for the lawsuit.) It’s hard for me to see the contractor coming out on top here, being that I’d imagine neither homeowner will have a problem describing their own experiences with the contractor, documenting how their renovations went poorly, and how those experiences led to them forming negative opinions of the company, but now both will have to spend time and money fighting for their right to have and share an opinion.

It bears mentioning that it’s precisely because of personal opinions like these that Shannon and I belong to the DC chapter of Angie’s List — I value the opinions of a company’s customers far more than I do the company’s own claims, and I’m not sure I’d ever hire someone to do $30,000 worth of work on my house without finding out how other people feel about the work the company has performed in the past. And because of this, I hate hearing about lawsuits like these, because if consumers become so worried about being sued that the utility of services like Angie’s List or Consumers’ Checkbook is diluted, it’ll be that much harder to figure out which companies are worth trusting with what can be incredibly large investments of money. (It’s sort of like the world of job references these days, where companies more or less refuse to accurately talk about bad experiences they’ve had with ex-employees for fear of being sued.) I guess for the time being, another way that DC-area homeowners can vet potential contractors is by searching the publicly-available building permit database to find other jobs the company has done, and then tracking down and asking those people what they think of the work… it sure as hell beats trusting the few hand-picked references the contractor passes on when asked.

As part of a project at work, I’ve been running specs on a bunch of different barcode scanners and label printers, mostly so I can make sure that they’re able to handle the requirements for the app I’m developing. Out of my research comes a tale of two companies, Symbol (when the hell did they get bought by Motorola?) and Zebra, and the stark difference between the service each provides to people like me ready to spend money and interested in getting the right products.

First, start with Symbol — and more specifically, start with the godawful website for their line of barcode scanners. A VAR made a recommendation of a specific scanner to me, but Symbol’s page for the scanner provides exactly two sentences of specification information, and a closer look reveals that the page isn’t actually specific to that scanner model (but rather covers two related models). Having bought Symbol scanners for a project back when I worked in New York City, I also remember that you have to make sure to get the right cables to connect the scanners to your computer — but there’s also not one single page on the Symbol site that provides information about any cables.

Confused, I decided to call Symbol’s pre-sales support. After automatically being transferred to two different phone systems, I was connected to a genial-enough man, and when I asked for clarification about the cabling I’d need, I was told that I’d have to call the parts department to get that information. I then asked for the specs on the scanner that was recommended to me, and was told I’d need to call the tech support line. Finally, I asked what services the pre-sales support line did provide, and was told that they were available to take my name and phone number and make sure a salesperson called me back. Stunning. After a ten-minute call to the parts department (where I was given a part number that doesn’t exist at a single reseller I can find), and another ten-minute call to tech support (where I was literally read the same two vague sentences from their website, and then referred to a third-party reseller for more information!), I gave up.

Now, move on to Zebra. I had my eye on a specific printer, but it had a few issues that I’d need to figure out how to work around, so I gave Zebra’s pre-sales support a call. I was quickly connected to a woman who literally knew the answer to every single question I asked. She agreed with the printer recommendation, provided me with the part numbers for the add-ons we’d need to get our setup working, warned me about a few gotchas we’d likely experience getting everything working just right, and provided me with her name and direct number for any further questions. In just about five minutes, I knew exactly what I’d need to buy, and knew that the setup was highly likely to work for us.

There are times when I wonder if my standards for good business practice are a lot more exacting than others’, and then there are times when I’m sure a company is flirting with the thin line between doing the bare minimum to keep its customers and ceasing to give a shit altogether. Either way you look at it, though, Zebra’s performance far exceeded what I’d expect, and Symbol’s was so awful that I can’t imagine even the most tolerant consumer would accept it. It’s too bad Symbol has such a huge segment of the barcode market — or more likely, that’s the very reason the company can get away with such laziness. Too bad the market tends to correct behavior like this over the long run…

What a smart idea! If you live within WiFi range of any Starbucks, the folks at FON want to give you a free wireless router so that you can share your connection with the customers at Starbucks. The bonus feature of the offer is that while the coffee chain’s own WiFi service costs $10 a day to use, using the FON connection would only cost people $2 a day, half of which goes to the user providing the wireless connection. Seems like a great way for FON to increase the reach of their social WiFi network, and for Starbucks customers to get access to the net for a hell of a lot cheaper — a win-win any way you look at it.

If you don’t live near a Starbucks but still want in on the free FON router action, don’t fear; it also looks like every registered FON user has three invitations to send which entitle the recipient to a freebie. So go find yourself a Fonero and ask for an invite!

(One caveat: while I have a FON router which works fine, I’ve heard a few horror stories about setting the routers up, killing them dead with things as simple as a firmware upgrade, and wanting to throw them out of windows. The configuration interface also leaves quite a bit to be desired — it’s this totally weird mix where part of the config is done via a local interface to the router, and the other half is done via FON’s reasonably slow website which then sends it back to your router. I’m hopeful that it’s this sort of stuff that’s more indicative of them being new to the business and growing quickly…)

For those of you who are salivating over Apple’s newly-announced iPhone, you might want to do a little research on Cingular, the other company you’ll be getting into bed with if you run out and get an iPhone in June. As an example, did you know that Cingular now forces you to waive all rights to trials by jury or participation in class-action lawsuits in order to become customers of its services? Or that its number of complaints per million customers is nearly double that of the next large market player (T-Mobile)?

In all honesty, the most amazing thing to me about Apple’s iPhone announcement is the exclusive multi-year pairing with Cingular, which locks Apple fans into an agreement with what might be one of the most customer-hostile companies ever. And what’s worse, can you imagine how awful it will be if the expectation is that customers go to Cingular for all technical support of the iPhone?

I guess this’ll all play out in the coming months, but my first reaction to the whole thing is that this might be the time that Apple learns what it’s like to release what looks by all accounts to be an amazing device into a world in which the company doesn’t exert 90-plus percent control of the entire end-to-end user experience. Hopefully, it’s planning on some clever strategies to deal with this… but I can’t see the Cingular side of this going well at all.

Wow — any respect or relationship I had with Brian Ball and the macZOT enterprise just flew out the window. The basics of the story, for those who don’t have the time or energy to click through, are that Brian signed a contract to buy the application xPad from Garrett Murray for a hair over $5,500, and one month into the ten months of scheduled payments, stopped replying to invoices or emails and eventually proclaimed that it was overvalued and that he couldn’t justify continuing to meet his payment obligations. What an incredibly dirty way to do business; I figure now’s as good a time as any to cancel my macZOT account.

I got an email from one of the people who hosts a website on my server today letting me know that she couldn’t get to her site, and investigating the problem, I tracked it down to the fact that the company providing DNS services for her domain, ZoneEdit, is having issues today with a few machines, two of which are her primary and secondary nameservers. I can’t get too irritated with this — there are a ton of reasons nameservers can be causing problems, many of which (like denial of service attacks) are no fault of the company which runs them — but I can get irritated by ZoneEdit’s response, reprinted here:

If reliable DNS service is critical for your site, we recommend logging into your account, clicking on “Nameservers” and purchasing a “tertiary” nameserver. 3 nameservers are exponentially more reliable than 2 nameservers.

Are you shitting me? Let’s start with “if reliable DNS service is critical for your site” — are there any websites for which reliable DNS service is not critical? (Put another way: how many times a day do you access a website using an IP address rather than a hostname?) Then, I find the attempt to use the problem to upsell customers to a different tier of service to be pretty sleazy — what would be even more reliable is if ZoneEdit could just provide an automatic switch to alternate nameservers when machines of theirs were having problems.

All in all, I’m not too surprised that “ZoneEdit is a Dotster, Inc. owned company”; my experiences with Dotster have been pretty awful, the same awfulness that’s reflected here.

Jeff Gates made a good pickup in the DC Metro system, where he noticed an oddity in all the Blue Cross/Blue Shield ads on the train platforms: the pupils of all the people’s eyes in the ads have been Photoshopped to reflect the BC/BS logo. Now that I know what to look for, it seems that the same thing was done to the ad at the top of this page, the info about the new federal vision benefits program; I can’t find similar ads on any other BC/BS websites, so Jeff is probably right that the ads are related to the new vision offerings. It’s a bit freaky, and despite the fact that I go through Metro Center twice a day, I never caught this. Weird!

Does anyone know what’s up with Amazon’s new “your item is in stock but it’ll take us nearly a week to process your order” feature?

We'll get it to you when we damn well feel like getting it to you!

(Note that this is specifically on an item that Amazon itself fulfills; it appeared on four or five such items on a few of my search result pages tonight.) I’ve been using Amazon enough over the past week or two to feel pretty secure that this is a newly-introduced thing from the past day or two, but I can’t really figure it out. If the item is in stock, and Amazon is the one handling the order from soup to nuts, why does it take so long for them to get it out the door?

There’s been a bit of press given lately to Amazon Unbox, the internet behemoth’s move into the video download business, and I’d imagine that between it and Apple, the online video market is going to explode over the coming months. It’s for that reason that I’m grateful to people like Cory Doctorow, who put quite a bit of effort in Friday explaining how godawful the terms of service are for Amazon Unbox, and why people should treat the new service as they would an ebola-infected colony of monkeys. Summarizing any of the salient points of Cory’s analysis doesn’t do the whole thing justice; suffice it to say that the terms of service dictate when and where you’re allowed to watch any downloaded videos, prevent you from deciding how and when Amazon’s software runs on your computer and updates itself, and prevent you from recourse if and when Amazon decides that you’re no longer allowed to watch the things you’ve paid for and downloaded. If you had to find a single pullquote from the piece, this is it:

So this is just like renting a movie from Blockbuster, except that while you can give your Blockbuster movies to your boyfriend to watch after you’re done with them, these movies are only for you. Oh, and they cost more. Oh, and you have to pay for the bandwidth to transfer them to your home. Oh, and you have to wait for them to download. Oh, and you have to let them invade your privacy.

Given that Amazon has precious little independent interest in enforcing most of the restrictions placed on users by the terms of service, it becomes clear that what’s being enforced are the desires of content producers like the MPAA, and by using a service agreement, the whole setup avoids the need for an actual legal basis for the demands placed on Unbox users. Most of my tens of readers know that I’m not one to tilt towards tin-foil-hat conspiracy land — the terms of service for Amazon Unbox are purely awful, and I couldn’t recommend more strongly that people find another way to spend their entertainment money.

Today, Shannon and I got a bill from RCN for cable and phone service — which struck me as odd, being that our account with RCN was for the services we received in Brookline, Massachusetts, and we cancelled that account as of June 30th. In investigating why we got the bill, I learned that RCN has “a backlog of discontinuation requests,” and as a result, a tech isn’t even scheduled to turn off our services until this coming weekend — more than five weeks after the date we cancelled them and moved out of the house. And RCN’s practice is to continue billing for services until they’re actually turned off, even though they know that you don’t still live there, and that you aren’t receiving the benefits of the services. (Hell, they’re billing us for phone service — local, regional, and long-distance service, call waiting, and caller ID — even though our old phone number is now answered with a forwarding announcement.) Better still, RCN owes us a balance, but says that their policy is to pay that balance only after the service is actually disconnected, even if the delay in disconnection is their fault, and even then “within one to two billing cycles.” And if I want to question this policy, I have to speak to someone in the billing department, coincidentally the only part of RCN that maintains 9-to-5 hours and thus wasn’t there when I got home after work and got the bill.

It’s amazing to me how most service providers these days don’t try to maintain even the thinnest veneer of being ethical or reasonable in their business practices. I’m not much of a conspiracy theorist, but there’s little doubt in my mind that problems like this aren’t unforeseen consequences of tangentially-related business decisions, but rather are conscious choices made with the explicit knowledge that a certain percentage of customers will continue to pay the illegitimate bills (either mistakenly or as a result of not having the energy or time to fight them). In this instance, I’m fortunate (or RCN is unfortunate) that Brookline has an ombudsman who’s specifically tasked with monitoring the city’s contracts with cable companies and solving the problems experienced by residents. I guess I’ll be wasting a bit more time on this tomorrow…

Holy crap: Amazon is now doing groceries! It’s (obviously) limited to non-perishable items, but everything’s eligible for Amazon Prime (and Super Saver) shipping, and they seem to have a pretty good selection. Shannon and I have been devout Peapod users here in Boston, but we’ll have to change with our move to DC, so it’s a nice option for us. Key will be for Amazon to get the interface right — Peapod allows you to assemble an order using prior orders as templates, has a nice interface for adding things to your cart, and does a good job of showing you options when you’re just browsing. Right now, Amazon’s using its standard ordering interface, which probably will get in the way if we become regular users, but we’ll see.

Wow — Vonage raised $531 million in its IPO today, and then promptly lost 13% of its value. That’s a far cry from the tech IPO days of yore, especially given that Vonage has a service it’s offering, and a business plan that involves collecting actual money from customers in exchange for that service. Then again, TiVo’s perennial profitability issues demonstrate that that’s not all you need; hell, TiVo has an outright droolworthy service (one that most cable companies haven’t come close to replicating in their own DVRs), and it has problems getting enough subscribers to stay afloat.

Shannon and I are switching to Vonage for our phone service when we move down to DC, so I’ve been watching the company’s IPO as a way to see how the market feels about the whole voice-over-IP thing, and about Vonage’s offering in particular. I’ll be posting my thoughts on our service as we get it running and start using it; I’m also going to be penning a review of the Vonage setup process as soon as I iron out the last remaining kinks in a new weblog I’m going to be starting up (hint hint).

Hmmmm — I wonder how many of these credit card holders are going to call their card issuers to find out whether their accounts have been compromised. “Hi, I’ve made a bunch of online porn purchases over the past few years, but I just heard that the company which billed me went and released information about millions of credit cards onto the internet… am I affected?”

A group of online scammers managed to set up a website, pretending to be part of Mountain America Credit Union, that collected the credit card information of MACU users who were tricked into visiting the site. This, by itself, isn’t all that frightening — there are probably hundreds of sites out there that try to do the same thing. In this case, though, the scammers managed to get a secure certificate for the site (the component that then puts the little locked icon in a user’s browser interface), something they did by tricking Geotrust, one of the companies that provides those certificates. (The process of granting those certificates is supposed to involve due diligence on the part of the company, wherein they make sure that the people asking are who they say they are, and that they represent the entity they claim to represent.) Similarly, the scammers managed to convince ChoicePoint that they were legitimate, lending more evidence to unsuspecting consumers that they were actually giving their financial information to their bank. (Of course, we’re talking about the same ChoicePoint that gave the personal information of hundreds of thousands of people to criminals, and had both an enormous fine levied against it and serial future audits imposed on its continued business practices.) The remarkably-adept internet security organization SANS has a detailed review of the incident, something that’s worth a read.

The mechanisms of trust that exist on today’s internet are all based on private actors — companies like Verisign, Geotrust, and ChoicePoint — which are supposed to go through strict processes to make sure that people are who they say they are. (For example, when I got a security certificate for a webserver I run on my domain, queso.com, I had to fax my business articles to the company granting the certificate, and provide them with financial information that they could then use to link me back to my company.) We’re learning more and more, though, that we can’t even trust those private actors, something that undermines everything we think of as transactional security on the web.

Does anyone remember ChoicePoint, the data warehousing company that gave criminals access to the personal data of over 150,000 U.S. consumers back in 2004? When the story broke about a year ago, I made note of how ChoicePoint itself actually had been part and parcel of the problem, and lamented the way in which the media was portraying ChoicePoint as a victim rather than as a participant in the destruction of privacy. In light of that, I’m superbly happy to see that the Federal Trade Commission agreed with me today, fining ChoicePoint $10 million and noting that the firm had failed to tighten its internal security despite specific federal warnings going back as far as 2001. The firm also has to pay $5 million into a consumer redress fund, establish comprehensive information security programs, and submit to biennial security audits through the year 2026. (Of course, ChoicePoint netted $147 million in 2004, so part of me would have loved to see even steeper fines; that would have been as clear a message as possible that putting American consumers’ personal data at risk is a corporate practice that will effectively lead to the end of your corporation.)

Am I the only one who has been getting more and more frustrated with the inability to tell what Amazon itself sells (and conversely, what one of their partners sells) until you’re way too far into your search? Over the past two or three weeks, I’ve spent quite a bit of time on Amazon, and I have yet to find a way to perform a search for something (say, iPod accessories) and see, in the resulting list, which products will actually be sold and shipped by Amazon. For example, follow this link to the CD player category and tell me how you know which products are being sold by Amazon — you can’t, at least without clicking on each and every one of them and hunting for the “Availability” section.

To me, the difference between buying stuff from Amazon and from one of their partners is pretty big. For one, my Amazon Prime membership only entitles me to free two-day shipping on products sold and shipped by Amazon itself, so by enticing me into a Prime membership, Amazon has given me a tangible interest in preferring them over their partners. In addition, Amazon’s own listings have reasonably reliable in-stock information, and if I have any problems, I’d be dealing directly with Amazon for the replacement or return. Contrast that with my experience with a few of Amazon’s partners over the past year, partners who couldn’t care less about my Prime membership, who have generally unreliable in-stock information, and who make it variably difficult to contact them when there’s a problem with my order.

In the end, I’ve found myself visiting other online retailers a bit more this year than I did last year; the free shipping promotions most ecommerce stores are offering during the holiday season take some of the value out of my Amazon Prime membership, and the difficulty of figuring out who’ll be fulfilling my order takes a bit more value out of a visit to Amazon. Maybe they’ll figure this out over the next year, and Christmas 2006 will be a different story.

I’m so freaking sick of today’s headlines claiming that “hackers” somehow broke into ChoicePoint’s (obscenely comprehensive) consumer databases and obtained information which allowed them to then steal people’s identities. This is a story that’s been discussed on Dave Farber’s Interesting People mailing list since yesterday, and the truth of the matter — reported correctly only by MSNBC thus far — is that a group of criminals managed to create fake businesses and then set up entirely valid accounts with ChoicePoint in the name of those businesses, and then obtained the information about consumers via those accounts.

Notice the difference? If it’s reported that nefarious hackers broke into ChoicePoint and stole the data, then ChoicePoint comes out looking like a victim. On the other hand, if it’s reported that the failure was in ChoicePoint’s internal mechanisms for verifying the validity of an account application, the existence of the company behind that application, and the right of that company to obtain credit information, then ChoicePoint is revealed as a remarkably large part of the problem. Add to that the fact that ChoicePoint is only notifying consumers in the one state that requires them to (hell, there isn’t even a note about it on the company’s news release page), and doing so four months after they sold consumer data to criminals, and the story truly does take on a different character.

Am I the only one who doesn’t see a Gold Box link on Amazon anymore?

Did anyone else know that FedEx doesn’t hold themselves to the same guarantees of service during the two weeks before Christmas? It looks like the only thing the company’s willing to stick to is that within five days of Christmas, something shipped via First Overnight, Priority Overnight, or 1-Day Freight will get there within 90 minutes of the guaranteed delivery time (cheating on their regular policy by 89 minutes). If you use any other FedEx shipment method, there are no guarantees during that two-week window.

Now that most of my holiday shopping is done online, that’s a good thing to know.

I don’t think I’ve ever seen the Amazon website as screwed up as it is this morning. I’ve spent the last twenty minutes patiently trying to order a few items and check out; only about one in five clicks actually proceeds to the page it’s intended to, and the rest land on pages saying that there are errors processing the request, and to try back later. And since the one step that completely refuses to work is signing in, I can’t save my cart and come back later to complete my purchases.

Somewhat disappointing… and a terrible time of year (for Amazon) to have website problems.

Given how quickly the trend has taken off, I guess it was just a matter of time before counterfeit Lance Armstrong LIVESTRONG bracelets appeared on the scene. There are plenty of other eBay cheats hawking the fake bracelets; once those are all shut down, I’m sure about fifteen dozen others will spring right back up. There have even been a few news articles on the fakes, complete with local investigative journalism angles. You can be sure that not one cent of the money people spend on these goes anywhere but into the manufacturers’ pockets, which is the real shame.

If you’re not put off by the trendiness of it all, want a bracelet, and want to make sure that your money helps fund the cancer research foundation that started it all, remember that there are only three legitimate places to get them: the Lance Armstrong Foundation store and Nike sell the adult- and child-sized ones, and the Build-A-Bear Workshop sells the teddy bear-sized ones (that also conveniently fit toddlers!).