The statement “Data wants to be free” is often used in discussions about accessing listings on the Internet. Examining the origin of this statement is useful when trying to get a handle on the technical implications on both sides of the debate.
First of all, I would like to point out that the statement is derived from the following:
“Information wants to be free. Information also wants to be expensive. Information wants to be free because it has become so cheap to distribute, copy, and recombine—too cheap to meter. It wants to be expensive because it can be immeasurably valuable to the recipient. That tension will not go away. It leads to endless wrenching debate about price, copyright, ‘intellectual property’, the moral rightness of casual distribution, because each round of new devices makes the tension worse, not better.” ~ Stewart Brand - 1984
The “tension” Brand talked about is ever present in the Real Estate market. As technologists, we are called upon to weigh in on this debate as well as to design solutions. It is important to separate the politics from the technology early on in the process. Certainly there are costs associated with obtaining listings, therefore it is a reasonable to expect compensation for the collection effort. Attempts to draw parallels between listing information and public records are not accurate for too many reasons for me to enumerate. This is not the point of my post anyway, so I will get back to technology issues.
An important thing to remember when offering opinions on the “free data” is that different elements of human society operate at different speeds. Again, the thoughts of Brand can be used to demonstrate why governance has a difficult time controlling commerce. Just when you think you have a solution, the problem changes. I don’t even want to start talking about stopping SPAM or viruses.
So what happens when when you try to control something with technology? If it a fast moving target, you have to make sure that the benefits of the efforts outweigh the cost. When examining the foundation of Say’s Law of economics, it can be seen that the cost of building solutions cannot exceed the utility that is derived. I don’t want to you to get the impression that I think that there is no value to what we are trying to protect though. I think we need to look at the cost and effectiveness (utility) of the solutions.
There are several “camps” being formed around the control of data:
- Procedure
- Digital Rights Management (DRM)
- Authentication
The Procedure camp looks to solve the problem with adjustments to business policy. Examples of this would be frequently changing passwords or limiting the amount of data that actually flows. The thinking on password management is that if changing them frequently (via policy) increases the barrier to abuse. Limiting the amount of data is cited is an example of distributing only the information that is required. If you don’t sensitive information out in the first place, it can’t be misused.
Another group looks to Digital Rights Management (DRM) for solutions to the problem. Proponents of the approach include the Music and Video industries who have wrestled with theft for some time. Corey Doctorow does a good job representing the detractors to this approach. He believes that adjusting business practices is more effective than DRM.
One of the newer approaches surfacing in our industry are new authentication mechanisms. These have actually been used successfully in other markets but are new to Real Estate. Other names for technology are “keys”, “fobs” or “two-factor authentication”. This group is further “forking” into the Federated Identity group that looks to have identity (whether it is contained on a “fob” or not) validated by a third party.
I am not passing judgment on any of these “camps” (well, maybe I’m a bit anti-DRM) but would be interested on how others feel about my categorization.
[Update 9/12/05] - I saw an article referenced 0n Slashdot today that discussed the Six Dumbest Ideas in Computer Security. It is related to my previous post because it talks about all of the wasted time and money being spent on security.
Quote:
“Limiting the amount of data is cited is an example of distributing only the information that is required. If you don’t sensitive information out in the first place, it can’t be misused.”
This seems to be the “solution” many MLS organizations take.
But I would propose the wrong one.
Who owns the data? Who can set it free?
The homeowner wants their property on mls.
The Realtor wants the listings in front of their clients and on their websites.
The leaders of the technology such as yourself Mark are working on technological standards and access solutions and much more.
Web developers such as myself are trying to work with everyone and have everything persented in an organized, usable, and attractive persentation for the data to perform its purpose.
Many MLS associations state to the Realtor,
“No, you cannot have access.”
I guess this is limiting access as a control of data, but everyone loses. In many such cases the main office has the listings but in effect the Realtor is then limited by office procedures, or the lack of them?
Please excuse my lack of experience, but it’s how I am beginning to see it.
Regarding the Slashdot article, I strongly disagree that “Educating Users” is dumb.
The author’s reasoning is “if it was going to work, it would have worked by now. If ‘Educating Users’ is the strategy you plan to embark upon, you should expect to have to ‘patch’ your users every week. That’s dumb.” The author further suggests that users should simply not be given the permissions that would allow them to do any damage.
Addressing the last point first, we all can agree that the most secure computer is one that is powered off, unattached from the wall, and put in a secure vault. But that computer isn’t useful. I’m all for not making the secretary an ‘administrator/root’ user, but the reality is that unlike much of corporate America, our industry organizations often don’t have centralized IT departments for installing software and such - in many (but not all) cases, people need to control their own computers, and need the rights to administer them. I’m glad that NAR is hosting a session on PC security at the upcoming NAR Convention in San Francisco, and this education is NOT worthless.
Regarding the comment that “It would have worked by now,” I assert that it is working. The human factor will never be perfect, but with the amount of informatin/education becoming available in this area, I know more and more people that are smart enough to delete Worm-laden spam and/or defeat it with antivirus/anti-spyware software, and the more education people have the more difficult it will be for them to be fooled by phishing and more sophisticated human engineering techniques.
Is the idea of ‘patching’ your users by educating them every week dumb? Yes, it is. I generally advise clients to review one major security policy with employees/contractors every month (e.g. as a part of regular staff meetings), and otherwise only alert them to issues as needed. Weekly ‘patching’ is not needed.
The majority of IT security incidents can be traced back to user activity, and users need education to avoid risky activities and to become allies in the security effort. I’m not saying that education alone will get the job done - not at all. But to spend money on tools like firewalls and other such and ignore the people-oriented areas where most problems occur is foolishness.