WhatsApp conversations increase your medical bills? When ads are not just ads.

Europeans on the web have typically been much more privacy aware than their US counterparts. So the WhatsApp exodus after the Facebook purchase (as seen in the iOS AppStore charts, led by alternative clients in a number of European countries) didn’t surprise me that much.


iTunes AppStore Charts for Germany on 24.02.2014 – Source: http://www.appannie.com/apps/ios/top/germany/overall/?device=iphone

But what was unusual was my personal decision to join the masses and move to an alternative messaging client. Having spent the better part of the decade working in an IT security competence center (with a WhatsApp history) I try my best to distinguish between privacy paranoia and real issues. WhatsApp has had terrible privacy and security issues in the past, but in my mind the sale poses a much larger concern than anything before. Since a lot of my knowledgeable and respected peers are downplaying the risks, I will try to explain my point of view.

Facebook is a business and wants to make more money than it spent buying WhatsApp

Facebook paid 40 USD per user and WhatsApp charges roughly 1 USD per user per year. They have announced that they won’t be putting ads on WhatsApp, and we can also safely assume no single user will spend 40 years on WhatsApp. So Facebook needs to generate more income per user to cover its costs. One option would be to up-sell additional services, like the recently announced voice features. But seeing as there are often free alternatives, I don’t think this will be the major revenue stream for the average user*.

Facebook has one of the best ad targeting features


Facebook Ad Campaign Targeting – Source: https://www.facebook.com/ads/a

The more obvious revenue stream is of course advertising. Not on WhatsApp itself, but on Facebook. Very few people have come in contact with Facebook’s ad platform, so they probably don’t realize that it is one of the best ad targeting platforms available.

Take a look on the right at what features (or “signals”) you can choose to specify your audience: basic demographics and interests, but you can also include or exclude people based on likes, connections etc. The signals available here are more or less opt-in, meaning I chose to tell Facebook about them. If I specify an interest in Japanese sencha then I can expect to be shown ads that sell tea. Fair enough.

More data leads to better targeting and more revenue

Taking into account that Facebook is data hungry enough to save messages you never even sent, it is more than likely that your WhatsApp messaging data will somehow generate new signals for the Facebook ad platform that advertisers can use. And that’s where the problem lies. I never opted in to the use of my WhatsApp messages for this purpose. Their firm stance on not using ads actually reduced the risk of them ever using conversations between friends and family for this purpose, but after the sale all bets are off (especially considering the maths).

Think back to your conversations for a moment. Did you ever mention an injury to a friend in an apology for not going to their birthday party? You most certainly didn’t “like” that type of injury on Facebook or specify it as an interest, but what if Facebook decides that ads can be targeted to you for your injury in future by using the WhatsApp data? By now I imagine a lot of you asking: “Who cares? So I’ll be bombarded by medical ads in the future. I don’t care.” This is where things get ugly, and where most people don’t think around the corner.

Risk reduction leads to even more revenue

Marketers are clever people. Risk managers are often even cleverer. Let me outline the scenario: your insurance company is constantly trying to improve its risk assessment of you. Of course they would like to know of any hip injuries you have that may need treatment in the future, because it increases their costs. But how do they get that information? Let’s say they create an enticing ad with a pretty girl smiling and the phrase “win XYZ”. There’s a good chance you will click on it.

What you don’t realize is that, using Facebook’s ad targeting, the ad was only shown to people who talked about hip injuries. By clicking on the ad you were taken to a specific page on the insurer’s website, and they can now change your personal risk assessment based on that click**. Suddenly your insurance rates go up and you may never even know why.

Advertising fuels the internet – but it’s about opting in

As an internet user I am aware that a lot of what we consume is free thanks to advertising. I’m not inherently opposed to that and believe that good ads are personalized. I also believe you have to make a conscious choice about what you decide to share on the web. If you post, share or like anything on an ad-supported platform, think of it as public information.

Sure, I notice ads following me around different sites on the internet for ages if I just once check the flights to Barcelona***, and yes, Amazon still recommends jigsaw puzzles because I once bought some as a gift for a friend. But in both cases I entered that information knowing fully how these systems work. In the best case scenario Facebook changes the privacy policy to only allow them to use future messages for advertising purposes.

So by making a conscious decision to change to a messaging tool that is not entangled with an ad network I can, in theory, not be targeted in the aforementioned way. My choice is Threema. Sure, it has its issues, but since it is a European company I put some trust in EU privacy laws.

And in the worst case… Well, my data is already out there. Game over.



Visual Studio 2013 Preview and Apps for SharePoint

In case you installed Visual Studio 2013 Preview onto a fresh machine (in my case Windows 8.1 Preview) and ran into one of the following problems when creating an App for SharePoint, install the prerequisites mentioned below.

Problems when compiling the empty ASP.NET MVC App for SharePoint template solution:

  • The type or namespace name ‘SharePointContextFilter’ could not be found (are you missing a using directive or an assembly reference?) …\Controllers\HomeController.cs
  • The type or namespace name ‘SharePointContextFilterAttribute’ could not be found (are you missing a using directive or an assembly reference?) …\Controllers\HomeController.cs
  • The name ‘SharePointContextProvider’ does not exist in the current context …\Controllers\HomeController.cs
  • The file “SharePointContext.cs” is missing in the root of your web application.

Installed the following prerequisites to solve the problem:

When a missed flight is not a lost opportunity – the birth of a product

“If you never miss a plane, you’re spending too much time at the airport.”
George Stigler, U.S. economist

In my case it was more a combination of a traffic jam and an invalid ticket that caused me to fly to Madrid a day later than originally planned. Most people would consider this a nuisance. For me it was a gift.

The most valuable gift of all: free time.

Here: a full day of unallocated time.

When this happens my little black idea book comes out for a review. I decided to use this extra time to take some baby steps on a new product idea. I settled on a personal pain point I’ve been having for a couple of months.

Whenever I create proposals, plans or any kind of non-trivial document I end up taking a corporate template, then start copy-pasting from existing documents and hopefully end up with a useful starting point. At that point I still haven’t started writing the actual document! Definitely something that can be improved on, right?

The main venture I work on (WhatAVenture) is all about improving and simplifying the way to develop business models from ideas just like in this case. Even though this is “just a small product” I’m approaching it the same way I would approach a much bigger idea.

In our approach, which is very lean oriented, I need to start by testing some of my basic assumptions. Specifically I must ask myself: am I “normal” or not? I’m not talking about talking to a psychiatrist, but rather whether my pain point is something unique to me or whether there are others out there with the same problem. I’m not going to write a single line of code before I at least know that I have a handful of early beta testers that can’t wait to try it.

1. Problem

Let’s begin with defining what my painpoint is in detail. While I’m writing this I’m automatically creating a set of assumptions. These become the hypotheses I have to test!

Small businesses (<50 people) create proposals by copy-pasting elements from other documents. This approach costs time (creating the basics of the proposal takes about 50% of the time of creating a proposal) and causes errors (at least 1 recognized error per 10 proposals).

Notice how this is formulated as a measurable and testable problem hypothesis. I could start to test this by simply talking to potential customers. Then again I want to work somewhat efficiently, so I will also describe my proposed solution but I must take care to always ask about the problem first.

2. Proposed Solution

A hosted service that manages a toolbox of document elements to create proposals in Microsoft Word.

This is keeping it simple for the beginning: a point-and-click solution for creating new proposals for the dominant technology in the small business space. (Strictly speaking, testing this will involve testing if Microsoft Word is still the dominant player here.)

Armed with two hypotheses, who do I ask? I’m going to also go ahead and propose a primary customer group (based on my problem hypothesis), which gives me an idea of who to ask for feedback. The customer group may also be wrong, so even if my feedback is negative I have to ask whether I need to change my customer group.

3. Customer Groups

The hosted solution solves the problem for small businesses (<50 people).

Introducing easydocs.co

Granted, it took some time to come up with these definitions, but it didn’t take up all of the 12 hours that I had just gained. So where did I spend the rest of my time?

In addition to in-person interviews I created a landing page with some basic product mockups. This is an approach a lot of bootstrapped entrepreneurs and other startups (should) take. It gives me something to point people to (if I can only reach them asynchronously), people may pass it on by themselves (free feedback from other sources) and if I want to test via ads I’m prepared to do so. A little investment for a lot of options.

So all that’s left is to walk out the door and start talking …

Check back for updates. (Or go to easydocs.co and if you have feedback send me a message.)

“Bob is on BeardGroomers.com” – Your system is leaking information

Exchange BeardGroomers.com with a more risqué site and at best the grapevine starts talking. In the worst case political views, private activities etc. are used to blackmail you.

A very common security best practice is to avoid information leakage on web sites. This basically means you shouldn’t be able to figure out whether a user account exists by simply typing an email address into a website and interpreting the response.

This is achieved by not disclosing whether “your email or your password was incorrect” when logging in, and by responding with “if this email exists, we will send a password reset link” when you forget your password. In both cases you can’t find out if the email address exists in their system.

Or can you?

Most of us receive emails almost instantaneously on our private (or maybe even on the business) phone. Let’s say you’re within hearing or seeing distance of the potential beard groomer that you’re targeting. Enter their email address into the forgot password field and wait for the “ding” on their phone. Now you can be pretty sure they just received that reset password link and you’ve uncovered their beard secret.

Of course this requires knowing their email address. But how hard is it to guess someone’s private email address? Try firstname.lastname@gmail.com or hotmail.com and you’re probably good to go.

Another scenario often seen is sending the user an email when too many invalid login attempts have occurred (and the account has subsequently been locked). What was meant to increase security (the automatic lock-out) again leaks information indirectly via the email.

The core of the problem lies in the coupling between the secret event and the notification at a known destination. 

How can we mitigate this? 

The lock-out scenario is fairly simple. Don’t send an email when the locking occurs; instead, tell the user you are going to send a reset link when they next log on with the correct credentials (and provide the option to postpone sending).

The forgot-password case is a bit harder. Here security will come at the cost of some usability. The idea again is to separate the event causing the email from the actual sending of the email. If you wait a random number of minutes (>15) before sending the email, the attacker can’t be sure the email is related.

As a final note, this scenario can be extended to private message notifications. If the attacker creates a fake account, narrows down the set of accounts potentially belonging to the victim (usually by knowing some information such as location, age etc.) and just sends a private message to each one, chances are that he will hit the victim’s account sooner or later and “ding”: the beard groomer is uncovered once again.
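To make the coupling concrete, here is an added example (my own illustration, not code from the original post) that models a site’s forgot-password and lock-out handling with an in-memory outbox of (send_at, recipient, subject) tuples. The naive variant queues the mail at the instant of the event, so a watcher near the victim’s phone can tie the “ding” to their own action; the hardened variant applies the two mitigations described above: a random wait of more than 15 minutes before the reset mail, and a lock-out notice that is only delivered once the legitimate user logs in again (with an option to postpone it). The accounts, the 5-attempt threshold, the 30-minute lock and the 45-minute upper bound on the random wait are constructed assumptions for the example.

```python
"""Decoupling a secret event from its notification. Added example, not the
post's own code: an in-memory model of forgot-password and lock-out handling.
Accounts, thresholds and the 45-minute upper bound are constructed assumptions."""

import hmac
import random
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MIN_RESET_DELAY = timedelta(minutes=15)      # ">15 minutes" from the post
MAX_RESET_DELAY = timedelta(minutes=45)      # assumption: upper bound of the random wait
LOCKOUT_THRESHOLD = 5                        # assumption: failed attempts before locking
LOCKOUT_DURATION = timedelta(minutes=30)     # assumption: length of the temporary lock

# Constructed credential store (a real system would store password hashes).
USERS = {"bob@example.com": "correct horse"}


@dataclass
class Account:
    email: str
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    lock_notice_pending: bool = False   # hardened: tell the user at the next good login


@dataclass
class Site:
    """One site; `hardened` switches the two mitigations on."""
    hardened: bool
    rng: random.Random = field(default_factory=random.Random)
    accounts: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)   # (send_at, recipient, subject)

    def _account(self, email: str) -> Optional[Account]:
        if email in USERS and email not in self.accounts:
            self.accounts[email] = Account(email)
        return self.accounts.get(email)

    def forgot_password(self, email: str, now: datetime) -> str:
        """Same response text for every address; hardened variant randomizes the send time."""
        acct = self._account(email)
        if acct is not None:
            delay = timedelta(0)
            if self.hardened:
                span = (MAX_RESET_DELAY - MIN_RESET_DELAY).total_seconds()
                delay = MIN_RESET_DELAY + timedelta(seconds=self.rng.uniform(0, span))
            self.outbox.append((now + delay, email, "Password reset link"))
        return "If this email exists, we will send a password reset link."

    def login(self, email: str, password: str, now: datetime,
              postpone_notice: bool = False) -> str:
        """Generic failure text for every failure; lock-out is notified lazily."""
        failure = "Your email or your password was incorrect."
        acct = self._account(email)
        if acct is None:
            return failure
        if acct.locked_until is not None and now < acct.locked_until:
            return failure                      # locked: behaves like a wrong password
        if hmac.compare_digest(password, USERS[email]):
            acct.failed_attempts = 0
            if acct.lock_notice_pending and not postpone_notice:
                # Deferred notice, sent only now that the legitimate user is back.
                self.outbox.append((now, email, "Your account was locked earlier"))
                acct.lock_notice_pending = False
            return "Welcome"
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_DURATION
            acct.failed_attempts = 0
            if self.hardened:
                acct.lock_notice_pending = True          # remember it, do not email yet
            else:
                self.outbox.append((now, email, "Account locked"))   # the leak
        return failure


def notification_within(site: Site, event_time: datetime, window: timedelta) -> bool:
    """The watcher's test: does any mail go out shortly after the event?"""
    return any(event_time <= send_at <= event_time + window
               for send_at, _, _ in site.outbox)


if __name__ == "__main__":
    t0 = datetime(2014, 2, 24, 12, 0)
    for hardened in (False, True):
        site = Site(hardened=hardened, rng=random.Random(7))
        site.forgot_password("bob@example.com", t0)
        print("hardened" if hardened else "naive", "reset mail within 5 min:",
              notification_within(site, t0, timedelta(minutes=5)))
```

The outbox stands in for whatever mail queue the real site uses; the point is that `send_at` is what the watcher can observe, so it must not equal the time of the request. Note that the hardened `forgot_password` still returns the same sentence for known and unknown addresses, so the timing of the mail is the only remaining side channel, and the random wait removes that one.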

The Importance of Committing


As a start-up team you’re ideally a heterogeneous bunch of people with different ideas and opinions. You will have to make decisions that are not unanimous. On the other hand, successful startups seem to always have a shared vision and one plan of action. How do they do that? They can’t be living in a happy fluffy everybody-agrees world, can they?

The magic word is “commitment” and so far our team has decided on important things like this:

  1. Discuss the available options.
  2. Argue as much as you like about your favorites.
  3. Decide by area of expertise, majority vote or hierarchy, but then
  4. Commit to the decision. 

There is no step 5: Bitching, Complaining or Backstabbing. I know it’s hard to accept anything that you don’t fully believe in, but for the sake of the adventure you’re in you have to try your utmost to act as one team and one mindset (at least facing outwards).

How am I coping so far? I try to over-commit. Print and wear the t-shirt with the logo that wasn’t your first choice, write the user guide prematurely for the feature that you think is a waste of time, and also watch out for colleagues that aren’t aligned. Stop and remind them to align with the group decision. Over time it will become second nature and you will forget you ever had a different opinion (at least until the company biographer asks).


SAP .net Connector 2.0 (NCo) RFC Server in “Running” State but not appearing in SAP

Recently I was involved in upgrading an old component from one SAP server to a different one. It uses SAP .Net Connector 2.0, which is still supported but has its end of life in 2013. The PROGID, Gateway Server and Host were changed to point to the new server and the application log showed that the RFC server reported “Running”, but it wasn’t showing up as a registered endpoint in SAP. (Testing the RFC endpoint also delivered “Program ID not registered.”)

After a lot of thinking, searching and trying many approaches we finally managed to get it going, but since I hadn’t seen this particular case anywhere on Google I must share it.

It turns out that the old server was upgraded from a 6.4 SAP kernel to the 7 series. One of the major changes was that librfc32.dll (a library the .Net Connector 2.0 depends on) is no longer copied to c:\windows\system32. Since 6.4 had been installed on the old server the DLL was present, so this issue never turned up (and so wasn’t documented in the installation documents).

The solution was easy enough: copy librfc32.dll (beware, there is also a Unicode version, librfcu32.dll, which we copied just in case as well) from the SAP directory to c:\windows\system32\, after which the application registered without any hesitation.

<rant>It only took 4 hours to find, though. I just hope the newer SAP .net Connectors are a bit more debugging friendly and don’t just output “Running” when they are obviously not.</rant>

Great Sites! Great First Impressions? Learning from the best landing pages available.

In the past I never gave too much thought to the design of my web applications. I lived by the motto “if it succeeds I’ll hire a designer”. This time I’m taking a different approach, mainly because I really believe that we are building something big.

But how do you go about designing a web application? I’m not a designer and have worked with enough of them to know you don’t just explain the idea, off they go and come back with awesomeness. The best results came after I had put a lot of thought into the problem myself.

In this new venture we have access to a UX expert and I have experience with a handful of UI designers. So the basic idea is to mockup everything, iterate on the UX and once that is done we hand over to designers.

My task today is to mock up the start page. Clearly the most important page of all, so I am trying to be as structured (and therefore comprehensible for my team) as possible. To start off I defined what different kinds of users are coming to this page. They have different goals that all need to be catered for. But how do you put all of that on one page? So why not look at apps and sites I frequently use? Learn from the best, right?

I’ve focused on services with a download and with a secured content area since this is closest to what we are building. For these kinds of apps the start page serves three user types:

  • NewGuy: Wants to know what it is.
  • Adopter: Wants the software or wants to create an account.
  • User: Wants access to the secured area.


First impression: Lots of white space.

  • New Guy: One click plays the video, 40 seconds later you know enough.
  • Adopter:
    • One click leads to the right download (determines OS automatically).
    • Account creation link is not directly visible. But I guess most users will create the account in the app after download.
  • User: Two clicks in total, username & password entry.

One thing I noticed is that if you press tab the login window pops up automatically and you can only tab to password and the “Sign in” button. Using the keyboard you cannot proceed to “play the video” or “download”. Are they assuming that power users are the ones that use “tab” and don’t need the other two features? Also, what about accessibility?


First impression: A lot of elements on the page. The download button almost disappears in the green.

  • New Guy: Main features are visible immediately.
  • Adopter: One click leads to the right download (determines OS automatically) and one click for account creation.
  • User: Two clicks in total, a page reload and username & password entry.

Interestingly the homepage displays a feature set instead of the problem they solve. As a user myself I would have gone with “Save anything you think you might need in the future” & “find that one thing you know you saved with just a couple of words you remember”.


I hadn’t seen the new homepage before, so this is a quite genuine first impression: “This could just as well be a pay wall to a news site”. Would you think that if you had no idea what Twitter is?

  • New Guy: The value description is too broad and applies more prominently to classic media sites. Clicking on the picture doesn’t do anything. There is a small “About” button which leads to a lot of text, and somewhere in there is the Twitter video.
  • Adopter: 3 Fields and you’re good to go. Since the desktop experience is the web site you don’t need to download anything. Thankfully*.
  • User: Username, password and you’re in.

The twitter video has no voice-over and centers on the experience. Sure it creates emotions and a feeling of “ooh I want that too”, but does it show how it differentiates itself from Facebook?

*To download an app from the website: guess and find the link called “Mobile”, send e-mail to myself, then click on link in e-mail to get to the right app store. Four clicks at least.


First impression: This is an app store. I can’t believe their biggest element conveys this message. Even the second image, which appears after a few seconds, only talks about trying the premium for 30 days. The premium of what exactly?

  • New Guy: If you do click on “What is spotify” then the message is clearer: “search for music, play anywhere”.
  • Adopter: With “Get Spotify” you’re there in two clicks.
  • User: 2-3 clicks depending on how you log-in.

I love Spotify and hate to see this as their start page. Sadly it’s the same experience in all countries that I tried. They just translate the “app store” announcement.

Google Chrome Browser

First impression: Sure it’s minimalistic, but is the empty browser window that covers a large part of the page necessary? Older versions even had content in that screenshot. My focus is certainly directed towards “fast, free” and the blue download button.

  • New Guy: It’s a fast, free web browser. Says it right there.
  • Adopter: One click to download.
  • User: not applicable.

That blue button just jumps out at you. If this was their only product they could have gotten rid of a lot more elements on the page, but it doesn’t look cluttered at all.

Other examples


First impression: the site’s pages are a little too dense with information. Targeted at GTD users, the start page slogan “simply get everything done” is recognized immediately. On the sign-up page you are led to think you need to choose a plan even though you don’t.


The video is Joel demoing the app, with lots of aehms and uhms, but it’s very natural and great to watch. I actually immediately made myself a task to create another board for our project.

The one thing I thought I liked was the search box. I didn’t know if they already had a mobile app for Trello, but searching for “mobile app” leads me to strange looking search results. It’s actually a search across the public Trello boards and not a search on the Trello site itself.

Take-aways for us

1. A basic value proposition on the first page

Three illustrations of what we offer that leave no confusion. This will take a lot of time to get right, but it’s essential for grabbing the attention of visitors. Focus on the problem you solve and not the features.

Follow up with a natural video taking you through a basic case and 1-2 more complex use cases.

2. Immediate log-in

Most of the apps show you the secured area immediately (if you have the appropriate cookie). If that can’t be done I prefer username and password fields to be at most one click away, but certainly not require a new page to load.

3. Don’t make the user choose

If possible, figure out what the user needs to download. If you can use the referrer to determine what the incoming user is most probably looking for, adapt the experience to that.

4. Demo account / screenshots

Hardly any of the sites I looked at had any kind of demo account. When I download tools or utilities I always search for screenshots of the application first. For online apps I would expect to see a demo account that I can look at immediately (which, to be fair, many business web applications do have).

5. Make sure every action has a reason and is clear

Last but certainly not least: anything on that first page needs to be there for a reason. It has to be clear to everyone what it means. Test, ask and observe what people do. Reason enough to keep the elements on the first page to a minimum so that testing does not get out of hand.