SCIP 2006 - Day 1

It’s pretty late, but I wanted to post a few words about the first day. I’m not going to cover much on the conference because a) it’s hard to write in an entertaining way about most of this stuff - true about most conferences, and especially true for something titled The KIT - User Needs Analysis Process, b) it regards a subject that is somewhat confidential, and c) I’d rather keep writing about my experience with Disney.

Last night, while some of us were sitting around with our beers, we were engaged in a bit of what might be called Disney-bashing. One of our group, a guy from England, protested a bit and said that Disney was really incredible from his point of view. We corrected ourselves - Disney is over the top in most ways, but that is the problem. When you expect perfection, from the master of details, you tend to get pretty persnickety about the details.

The Bad:

Some poor folks are stuck in buildings so far from the convention center that they’ve talked about hijacking the little golf-cart shuttle that scoots around, always empty, and never stopping to offer anyone a ride. Seriously, if they held a footrace along that path they’d have to have multiple water stops.

Internet. Yes, this is a convention center, and it’s used for business functions and all that, but evidently no one thinks that any of us need to get on the Internet. For $10 a day I can get a wired connection in my room. In the bar I can pay another $10 per day, or $5 per hour for wireless, but it’s not coordinated with my room connection so it’s an additional charge. In the convention hall the wireless appeared to be there, but I could not get it to work. Combine the need to check email, with the absence of Internet in the halls, with the long walk back to the room, and you have a bitter joke of a situation. After all, we don’t come to conventions to huddle in our rooms doing email. Give us a chance to do it everywhere and include it in the room.

What’s worse is that the service is flaky. Good, reliable wireless service is not rocket science. If you can find people willing to wear oven-hot character costumes out in the sun to pose with children, you can figure out how to provide guests with decent Internet service.

Somebody needs to buy Mickey a laptop with a wireless card. Then things would be working.

The Good:

The bar, Francisco’s, is the best-run operation in the place. The service is speedy and correct. Everyone speaks perfect English (elsewhere it’s a very mixed bag) and is extremely professional. Very, very nice. For those who I work for: I know this by speaking with others, and by observation as I sped by getting back to my room to get an Internet connection.

Everything is clean. Not regular clean, Disney clean. You will not find a lump of gum stuck to the pavement. If someone tosses a cigarette butt on the ground four people pounce on it with little whisk brooms and dust pans. The conference rooms are cleaned during the breaks, with fresh water and candy bowls. Again, very nice.

Oh yes, my bag was waiting for me last night so all is well on that front.


On The Road To SCIP 2006

Today I made the journey to Orlando, Florida to attend the Society of Competitive Intelligence Professionals’ Annual Conference. I would have gone last year, but my wife was busy having a baby and demanded my presence (she didn’t have to demand it, but she did anyway. Thorough gal).

I booked my flights on Air Tran Airways, which was a new airline for me. I tried to get on my usual Northwest, but they were more expensive and didn’t fit the schedule as well, and weren’t direct. I was pleasantly surprised, both by the airline and a new feature I tried out for the first time - buying an upgrade at an automated check-in kiosk.

For fifty bucks I could upgrade to business class. Very smart pricing. For a two hour flight, $50 is the absolute limit of what I’d pay, and I’m not sure I’ll pay it on the way back, although after I bought it I noticed the sign nearby that advertised prices from “$35 to $60”, so clearly it’s variable, presumably according to demand and availability, which is also smart. Like I said, I bought it, and ended up in seat 1A. Not bad. Not the coddling I’ve received on a few other lucky upgrades, but still pretty good. The airplane looked almost new. We left on time, and arrived early. Altogether, very nice and I’d fly them again.

Now for Disney, as the conference is at Disney’s Coronado Springs resort. First, I’d been told via SCIP’s website to book passage on Disney’s Magical Express to get from the airport to the resort. I got to their website and was told to give them my baggage claim check at the Disney Welcome Center on level 1 of Terminal A. Sounds pretty simple, right?

So I get off the plane and after suitable walking - the kind grandparents brag about as their childhood walk to school - I get to the baggage claim. At this point, I have seen not one sign for Disney, Welcome Center or other. I’m just figuring that my free shuttle ride might just be worth what I paid for it, and head for the baggage claim. I get there and actually do something that might just make God take my penis away - I ask for directions. Turns out the Welcome Center is on the floor below the baggage claim, but there’s no sign to tell me that.

Note to Disney: No, we’re not idiots, but everyone is disoriented and stupid when they get off an airplane. It’s the food, or the small bathrooms or breathing the same air over and over. Give us a break, and a sign.

I get down there and the Magical Express Counter greets me as I get off the elevator. A few more lines, showing of documents, following of people wearing large stuffed white gloves and I’m on the Magical Express itself - a motor coach ;-) I re-live a bit of my youth as I hear the children around me express their excitement and anticipation. I get off the coach amid a throng of luggage and confused folks getting ready to board the coach. No sign pointing me to the front desk or check-in counter. I follow my instincts.

The resort itself is typical Disney splendor - huge, immaculate, and staffed with an international (read: heavily accented) cadre of “cast members.” The walk from the conference floor to my room is long enough that I began and completed a call to my wife before I ran out of walk. It’s very pleasant because it’s eighty degrees outside and perfectly sunny, but I needn’t worry about gaining any weight while I’m here.

It’s also expensive - I paid twenty bucks for lunch, which was better than fast food but not by much. It did include a margarita, but even so that only added four bucks. My company will reimburse me five dollars for this meal.

All the same it’s Disney and it’s pretty darn nice even if it’s expensive. But the one thing that really burns me, I mean to the point where my next email is to the leadership of SCIP, is that they charge for Internet access. Give me a break. It’s 2006. Even the cheapest hotels next to the airport in Milwaukee offer Internet for free and having Disney, the master of details, ding me $10 a day for it is an insult. C’mon Mickey, get on the ball here.

The one thing that kinda burns me, but I’ve still got faith, is that my bag, which Disney was supposed to bring to my room, is AWOL. I arrived at about 12:30pm, and it was 4pm when I left my room sans bag. It’s now 7pm, and after dinner I’m planning to arrive to my room with my bag in it.


Encryption: OpenPGP vs Digital ID

Note: Since writing the article below I’ve found that many things I wrote were incorrect. I have corrected them here.

From time to time I think about email security. We don’t tend to think about it much, but our email is essentially like sending a postcard - it’s in the open and anyone with the right tools can read it. The answer is encryption, but these days it’s easy to feel as though using encryption is somehow wrong, as though we have something to hide. Well, we do have something to hide, and there’s nothing wrong with that. It’s called having privacy.

Anyway, so I’ve got a bee in my bonnet to encrypt my email. This is one heck of a lot more complicated than you might think, because there are a lot of places and ways I get email:

  • On my machine at work, via Outlook and also via Fastmail’s web interface - Fastmail rocks, by the way.
  • On my machine at home, again via Outlook, synchronized via VPN with work, and also via Thunderbird and web interface to Fastmail.
  • On my Palm, using Snappermail.
  • On my machine at home using Linux, via Thunderbird.

So far, I’ve learned the following about two approaches: OpenPGP and Digital ID. Incidentally, OpenPGP is available as both freeware and commercial products. The commercial version has the most sophisticated approach (uses a web proxy) and the smoothest interface, but is $100 (although free to use in a limited way for non-commercial use). The rest are free.

Digital ID is not available as a separate product. Instead, the functionality is built in to just about every email app out there. However, it doesn’t do file or disk encryption, where OpenPGP does.

Cost of Keys. OpenPGP is zero, Digital IDs range from free to expensive depending on the features desired. Thawte does it for free, Verisign wants $20/year for a “Class 1” ID. IDs are buried sufficiently well on the Verisign site that I couldn’t find anything past Class 1. When you consider that Digital IDs are good only for a single email address, this could be more expensive yet.

Ease of Key Management. OpenPGP keys are portable, support multiple User IDs (email addresses) and work with any OpenPGP application. They can be stored on a USB drive for more security, and since you create them no one else has the private key for even more security. You can change the password on the key at will. You can add User IDs at will. You can revoke it, and un-revoke it (via a backup). All of this can be done using a key management application which facilitates this pretty well. It also makes searching for public keys for others much easier via keyservers.

None of this seems to be possible with Digital ID - at least, I can’t find how to do it. Digital ID keys are application specific (at least, when getting one you have to specify what application you use) and User ID specific, so if you have three email addresses that’s three keys you’ll need. Getting a key means going to a site and either requesting or buying one. The ID/key (both private and public parts) is created and then sent to you. The downside is that someone else has the key, the upside is that if you lose it, you can get it back pretty easily and don’t have to worry about backups.

I haven’t yet experimented to find out how application specific the Digital IDs are, but I had to kind of cheat the system to get one on my Linux system - it kept downloading it into Firefox. I can’t imagine why because FF has no email capability. Anyway, I had to export it and then import it into Thunderbird because the Verisign site had no “Download for Thunderbird” button. Here’s the funny part: In order to export, you have to enter your password twice. I don’t know why on earth it’s necessary to enter it, let alone twice, since you need the password to use it, but there you go. Then, when you go to import it into another program it asks you to create a new password! Sheesh!

A thing about passwords: OpenPGP takes them very seriously, and even calls them passphrases to encourage people to make them long and truly strong. Mine is over 15 characters, and it still wasn’t considered strong. The Digital ID folks, on the other hand, don’t seem to care other than to put a short blurb about how it shouldn’t be a word, and should have numbers and punctuation.

Ease of use. Digital ID has the upper hand here because it is built in to Outlook and just about every other email application. OpenPGP can be installed in such a way that it’s very painless for users, but that really only works in a multi-user environment. The other OpenPGP-based methods are not painful to install, and are fairly easy to use once you understand what they do, but for users who are encryption-ignorant and want to stay that way it’s not the smoothest.

However, if you are using Thunderbird, and if you are using POP or IMAP you should be, you can get a really slick extension called Enigmail. It’s very, very nice.

Long term workflow integration. The real trick is not to send and receive a few encrypted emails. The trick is for it to be part of the overall communication system over the long haul, and here OpenPGP rules.

Digital IDs expire and have to be replaced. This happens more or less automatically, but it means that email from 4 years ago will require a key from 4 years ago to read. That could be 40 keys ago. More if you include more User IDs, more email systems, etc.

In OpenPGP it would be one key if you like, or more if you like. You can make a copy, put it on a CD, stick it in a safety deposit box and rest assured it will work when you need it to.
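The Digital ID renewal problem described above can be reproduced with OpenSSL's `smime` and `pkcs12` commands: mail encrypted to a replaced ID stays unreadable until the old private key is restored from a backup. This is an added example, not part of the original post; the self-signed certificates stand in for CA-issued IDs, and every name, serial number and password in it is constructed.

```shell
#!/usr/bin/env bash
# Added example. Every certificate, key, address and password here is constructed.
WORK=$(mktemp -d)

# make_id NAME SERIAL: self-signed stand-in for a CA-issued Digital ID (cert + key).
make_id() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -set_serial "$2" \
    -subj "/CN=user@example.com" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# encrypt_to NAME TEXT: S/MIME-encrypt TEXT to NAME's certificate (public key only).
encrypt_to() {
  printf '%s\n' "$2" | openssl smime -encrypt -binary -aes256 \
    -out "$WORK/$1.msg" "$WORK/$1.crt"
}

# decrypt_with MSG ID: try to read the message stored as MSG using ID's cert and key.
decrypt_with() {
  openssl smime -decrypt -binary -in "$WORK/$1.msg" \
    -recip "$WORK/$2.crt" -inkey "$WORK/$2.key" 2>/dev/null
}

# archive_id NAME PASS: password-protected PKCS#12 backup, then drop the loose key.
archive_id() {
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -out "$WORK/$1.p12" -passout "pass:$2" && rm -f "$WORK/$1.key"
}

# restore_id NAME PASS: recover the certificate and key from the PKCS#12 backup.
restore_id() {
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -nokeys \
    -out "$WORK/$1.crt" 2>/dev/null &&
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -nocerts -nodes \
    -out "$WORK/$1.key" 2>/dev/null
}

make_id id2002 1001                       # the ID in use when the mail arrived
encrypt_to id2002 "mail from four years ago"
archive_id id2002 "constructed-backup-pass"
make_id id2006 1002                       # today's replacement ID

decrypt_with id2002 id2006 || echo "current ID: cannot read the old mail"
restore_id id2002 "constructed-backup-pass"
echo "restored old ID: $(decrypt_with id2002 id2002)"
```

Every replaced ID needs its own archived key for as long as the mail encrypted to it is kept.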

Mobile Applications. PGP Corp used to make PGP Mobile, but it’s no longer available. I hope they’ll put it in the public domain. There is a freeware version, but it is not compatible with later Palm OSs.

There is an app or two available for Windows Mobile - one I’ve seen just creates a console to use the command line version of PGP on.

I don’t believe, but someone please correct me, that either supports Digital ID.

I’ve chosen OpenPGP for now. Since I have the old PGP Mobile for Palm, it provides a nice Palm solution. It’s also included in Linux, and is available in so many apps there’s bound to be one that fits. Last but not least, key management, while a little daunting at first, is much better.

I tried the 60-day trial for Verisign, and for my work stuff it seems ok. The problem is that moving it to any other system is a misery and even so it’s not going to work with any other email address. It’s also $20/year, which isn’t much for a single address but starts to mount when you consider 4 or 5. I thought for a while that I would use Digital ID for work stuff because it’s so well integrated into Outlook and Exchange, but the key management is so obscure I don’t think I could reliably explain to anyone how to get to my mail after I left. OpenPGP will be much easier.

So why aren’t these solutions more widely adopted?

I think the fundamental problem is that as much as we care about our privacy, we don’t care enough to use the tools required to preserve it on the internet. After all, the threat is invisible - where an envelope shows evidence of being opened, an email does not. I suspect that the only market for these tools exists in large corporations and the government, and therefore the marketing and support is non-existent. Nearly so, PGP Corp. does a pretty good job of educating people who seek to be educated.

I don’t want to sound like some crazed guy from the backwoods of Montana, but I’d like to ask a favor: Pick one and use it. If we don’t use this stuff, someone in Washington will get the idea we don’t need it. We do. ID theft is still mostly a paper-based thing, but it won’t be forever. We can either have encryption now on our own terms, or later on someone else’s. You choose.