Wednesday, June 13, 2007

What Not to Bear

True confessions time. I've gotten oddly addicted to What Not to Wear (American version), a tv makeover show in which the victim of the week (usually female) has her wardrobe mocked and thrown away before getting fashion rules and being sent off to buy a new wardrobe, hair style and makeup routine (financed by the sponsors). I'd have expected to hate a show like this -- too much focus on consumerism, appearances, and body image. Like many tech/science people, I place higher value on internal than external qualities. Yet I keep watching this show. Why?

Time and time again, the victim emerges from the week sporting a whole new level of confidence and more positive self-image (including body image). The external transformation produces some nontrivial internal transformation. The internal transformation gets me every time, probably because as a professor I'm always on the lookout for ways to help students gain confidence and develop their potential (no fear to my students: we're not about to add fashion interventions to intro programming). I'm always on the lookout for ways to achieve these same ends in myself.

Tenure and sabbatical were a big surprise on this front. When I got tenure, I didn't feel relief. The call hit about as hard as one from the mechanic saying the car was ready for pickup (glad to have it done, call my husband to pass along the news). I tried replaying the call in my head several times to see if I'd get excited or relieved. No go. Instead, I fell under an overwhelming sense of responsibility: I had been given lifetime job security, and now it was time to actually live up to it.

Enter sabbatical: a year to figure out how to live up to the incredible job benefit that is tenure. A year ago, I headed off into that year firmly resolved to come back with an exciting new research program focused on some important problem, complete with vision statement and corresponding web page. And I've largely gotten there, minus the web page.

But something deeper comes back with me: an enhanced respect for myself and more importantly, my time. Being given a year of control over my time made me realize how much of it I give away to issues I don't care about, to activities that don't work towards personal goals, to other people who are happy to waste it on my behalf. I return resolved to fight for time, both my own and others (the latter in speaking out against things we do that waste collective faculty time). Behind the unfinished web page lies a researcher who doesn't want to waste time on problems that don't matter, a professor who wants to squeeze more learning out of every assignment, a committee member who wants to make meetings worth their while (especially as I'm on bigger service tasks post-tenure). And someone happy to idle away a bit of time writing a blog.

Like the show participants, I return renewed, revised, and with a stronger sense of self. I don't yet have the papers, grants, and talks that dress an academic career, but I have my fashion guidelines through my newly identified research area. The sabbatical year has been a fabulous experience, and I look forward to seeing how the next year plays out. Tune in for updates!

Tuesday, June 12, 2007

Ride to Time Bad a Never

On a visit to Williamsburg, Virginia last weekend, I got in a bike ride on the Colonial Parkway, which extends from Jamestown to Yorktown via Williamsburg. The parkway is a scenic road with a surface of stone embedded in something like concrete. Speed limit is 45 mph and the car rattles quite a bit along the surface. On a bike, it's a whole body vibrating experience better than that of riding on cobblestones, but hardly conducive to a smooth, relaxing ride.

Jiggling along the 7 miles from Williamsburg to Jamestown, I noticed that my bike bottle kept rotating leftwards in its cage on the bike frame. As a result, its imprinted slogan read out in reverse, yielding the title of this post, over and over. Contemplating this phrase provided distraction from the tooth-chattering ride.

It actually made surprisingly good sense, if read in pseudo Irish-speak. Why ride? To never have a bad time. To keep from being slow. To maintain understanding of your own pace and ability. To stay healthy. They're all pretty good reasons, and decent explanations of why I enjoy a good ride. I also ride for scenery, which the road certainly offered. I tend to ride to release tension though, which this ride induced instead. However, at a time when I could have easily seen myself chucking the ride and turning back, I instead found wisdom from my rotating water bottle that reminded me of all the fun of just being out on a bike on a summer day. Spinning around can indeed help change your perspective, especially when it happens in the opposite-than-usual direction.

Vegetarian recommendation
: Food for Thought in Williamsburg, Virginia has several interesting veggie options (some vegan). They're on Richmond Road. Probably the best veggie food we've had there outside of ethnic restaurants, and certainly the best selection. In the ethnic category, we enjoyed Emerald Thai as well.

Friday, June 8, 2007

Snail Phishing?

I got a letter on our mortgage company's letterhead requesting insurance information on our condominium building. The letter instructs us to either fax the info (policy number and period, coverage amount, etc) or to log into a website using a PIN included in the letter. Something about the letter failed my smell test when it arrived a few days ago. Last night, I looked more closely.

The company's logo looked like a bitmap image (grainy), rather than an original. The zip code on our unit is wrong (though our mailing address was fine). The url we were to visit wasn't either of the two that I know our mortgage company to use, and the state in the return address from the company matched none of our other documents from them. The letter also claimed its purpose was to ensure "prompt and accurate processing of our condominium insurance", but we hadn't asked anyone to process insurance for us. It just didn't add up.

We were able to construct explanations for most of these oddities: owners don't necessarily live at their properties, so our mailing address and unit address were probably two separate database fields, with one of them entered manually. Collecting insurance info could be outsourced to another company in another state that creates letterhead from bitmaps of its clients' real letterhead. The letter could have been poorly written. And we weren't able to construct a plausible identity attack that would want the insurance info on our whole condo building (as opposed to our unit).

So I called our mortgage company using the number from their website rather from the letter. A maddening sequence of menus later (on which I got the same options at multiple levels), I get to a customer service representative who checks the notes on my loan file and finds no mention that they've requested this info. She advises me not to comply. I ask how I should go about reporting this to their fraud department, but she says they don't have one. Curious now, Shriram called the number on the letter and went as far as the menus that asked for the loan number and all 10 digits of the social-security number (giving dummy values for each). The rest of the call sounded extremely professional.

So, we are left with suspicious practices from the company requesting the info (the full SSN request), instructions not to trust the letter from a mortgage company with no fraud division, and several small signs that our mortgage company isn't as polished as it could be. Friends who have had several mortgages reported being asked for similar info on a regular basis. We are going to return the letter with a note that the mortgage company has no record of requesting this info and advised us not to comply.

There's a real business lesson in here though about how to create the perception of security and trust. If this request is legit, the company has a lot to learn about preempting concerns about identity theft and phishing; if not, they need a fraud department. Either way, the constant hum of data threats raises the stakes on companies that may just be catching up with the infrastructural aspects of IT. These psychological questions will become only more relevant if more people develop the sensors that triggered my night of investigation.

Thursday, June 7, 2007

Data literacy is the new R

Catching up on some old Economist issues, I came across an article "Of bytes and briefs" from the May 19th issue. The article was about how electronic communications have raised new questions regarding information discovery in the legal system (such as what must be turned over in a request to produce documents) . The time required to comb e-data for proper disclosure is apparently becoming onerous (read, extremely expensive). The article also cites judges' need for better education about data, so they can better rule on proper discovery practices.

Yet another example of how lack of data illiteracy becomes a societal problem. About a year ago, the "CSI effect" got a lot of press, with concerns that CSI led jurors to expect to much by way of evidence (though the jury is still out on whether CSI is the fundamental culprit). Much as I love CSI, I cringe whenever they show software packages with zooming and search capabilities beyond what is technically feasible. Privacy is of course another big issue here, with people not understanding data provenance and the power and risk of mining algorithms.

Computing has long felt like a "new R" that should join reading, 'riting, and 'rithmetic as fundamental components of basic education. "Computing" is a broad term, though, and mentions of "computer literacy" raise the neck hairs of many a computer scientist given its association with being able to use office productivity software. Useful skills, but not ones meeting the usual requirement for university-level credit.

That led several to propose that 'rogramming was the appropriate "new R": as computation (rather than computers) became fundamental to so many fields (witness biology), understanding what could and could not be computed and automated grew increasingly important. I have a lot of sympathy for this view, and strongly believe that a basic education in computation is essential for anyone working in science, digital media, or other fields whose practice is touched by computers. But I'd never push my parents to learn to program (and hope my sister has finally forgiven me for convincing her to take a CS course her freshman year).

Data literacy, on the other hand, is a much better candidate. It touches everyone who uses modern societal infrastructure. It can be motivated in the concrete (via privacy) and tied to everyday human experience (ie, for CSI viewers). It's timely, as the verb "to google" comes up in casual conversation outside of tech circles. It has substance beyond the more vocational feel of how to use office software. And, unlike programming, it doesn't require hours of practice in building artifacts (which, much as I enjoy it, admittedly turns off many people).

_This_ is the required computing-related material for the masses. Universities should develop and offer it; eventually it should migrate down to pre-college. What would it take to give non-techies a basic education in data mining, privacy, data provenance, search, and information lifespan? Many of us could design a substantive course on this stuff that used programming. How to do it without that, while getting to the level of understanding that programming would enable, is a fascinating challenge.

What's the R then? 'rovenance is the best I have so far. 'rivacy is both too narrow and too broad. Taking a european twist, 'rmatics gets the gist, but lacks verbal flow. Suggestions, either for that or for other topics that should make a data literacy 'rriculum list?

A usability nightmare

A truly dreadful user-interface experience yesterday called for posting, but Shriram got to it first and included my angle so I'll just include a link to his post instead. Admittedly, I've been reading about usability a lot lately so I'm more conscious of such issues, but this application really is an affront to software design (and being used for a software engineering conference, no less!).

Saturday, June 2, 2007

Perception and Security

In the recent story about the airline passenger with a serious TB strain, the passenger got back into the US despite a border alert to detain him at entry. The border agent who processed him knew of the alert, but let him through because the agent decided he didn't look sick.

In my quest to understand human decision making about security, I've been reading a book on Human Judgment and Social Policy (by Kenneth Hammond). The book discusses two competing theories of truth: in the coherence theory, truth is based on logically consistent conclusions derived from facts; in the correspondence theory, truth is based on accuracy relative to observation (such as our expectations for weather reports). Neither theory is superior in all situations. However, the correspondence theory apparently works fairly well with perceptual observations, but not as well with abstract or conceptual observations.

The border incident seems an excellent example of the last point: the agent relied on his perceptual assessment of the suspect's health, rather than on the conceptual warning that he could be very sick. The agent expected TB to manifest itself visually. Even growing up in a time and place with no serious TB threat, I hear "TB" and imagine people with sunken faces and furious hacking coughs. That image persists despite my recent reading of Mountains Beyond Mountains (Tracy Kidder's engaging book about Paul Farmer's fight against disease in impoverished areas). If the agent had similar associations, he might reasonably conclude that the suspect probably wasn't sick.

Ultimately, this case shows the tension between security and convenience. When I want security, I'd expect border agents to be at least as strict as the warnings (detain additional people as they judge necessary, but adhere to all alerts). When I want convenience, I'd like to see them use their judgment and not hold up people or the processing line when they see no credible threat. In this specific case, with a particular person named, the decision should have favored security. But so many of our security policy statements are phrased much more vaguely (such as the now common airport refrain urging passengers to report suspicious people or bags to authorities). Interpretation must be allowed to navigate these cases which cannot be described precisely. I'd love to see some reporting on this case that discusses this context and tries to get at the relationship between specificity of warnings and how they get applied.