Nathaniel Borenstein

The World Wide Web turns 25 today, and since its invention by Tim Berners-Lee, we have experienced tremendous social, personal and cultural shifts in how we share, access and consume information.

These changes will be dwarfed by what the next 25 years will likely bring. Nearly every part of our work and personal lives will be changed, including how we communicate, socialize and work, as well as our healthcare, travel and public services. Some of these changes will be obvious to us, others less so, as the technology continues its assimilation into the invisible fabric of our lives.

Today is the 25th anniversary of the world's most powerful communication engine - The World Wide Web.

The web and Internet will be a key enabling infrastructure for wearable and embedded computing, robotics and more. The enormous role of this technology in our lives raises critical questions not just for technologists, but for policy makers and ordinary citizens as well.

Any anniversary like this is a good time for reflection. I’ve been thinking about some of these changes, and how they will impact the next 25 years, despite how tough it is to ever predict the future of technology.

While we can look forward to positive changes brought on by the Internet, the web, and technology in general – things like a reduction in crime due to tiny networked cameras nearly everywhere, and medical advancements – it is also clear that without a coordinated international effort, these same technologies could be used by criminals, result in social isolation, or cause a rise in privacy-destroying surveillance.

As we consider the future of the web, I thought I would take the time to create, in partnership with colleagues at Mimecast, a series of posts exploring some personal views on the future we can expect from the Internet – looking at both the good and the bad.

So, Happy Birthday World Wide Web, and thanks for inspiring our attempts to look deeply into the future! Check back later this month for my first blog post in this series.


I was delighted to be asked this week to contribute to TechRadar – in case you didn’t see the article, you can find it here. In it, I explored the differences between privacy of work and personal emails. Conscious that some of our blog readers might not have seen it on TechRadar, I thought it would be useful to repost it for you all…

…I love email. I use email every day for communication and collaboration in every aspect of my work and private life. It has been a feature of my life for decades. A personal email between me and someone else is just that, personal and therefore private – sacrosanct. No ifs or buts. But my work email is a different matter. I appreciate that my business and personal email don’t operate within the same standards of privacy. More to the point - I shouldn't expect them to. That’s why I have two different email addresses.

Organizations carry a serious responsibility for reporting, governance and legal or regulatory compliance. Every communication is part of a chain of evidence an organisation is expected to be able to report on if needed, and email is the archive where the majority of this information exists. It’s where we all do business.

But all too often we bring expectations of freedom and privacy from our private lives into the workplace. We’re uncomfortable about the idea that our employer can enforce ‘appropriate use’ policies or archive email with the right to review it if needs be. Well, we shouldn't need to be concerned about this, because our employer should help ensure that we don’t need to put anything personal in corporate email.

Understanding the Inside and the Outside

First of all, business email is nearly always operated by or for the business, as a dedicated domain with a clearly defined “inside” and “outside,” bounded by a gateway. Inside the boundary, the company has rights and expectations of control over the information, while anything can happen outside. Consumer email, for example, may be viewed as “always outside” in this formulation. Business email that crosses the gateway, in either direction, can be subject to a variety of checks, restrictions, and other processing, which is not the case for consumer email.

In theory, a company has complete control over any information that passes through its gateway. Among the likely jobs of this gateway are:

  • Spam filtering. This is usually done in both directions: to prevent outside spam from getting in and to prevent internal machines (perhaps hijacked by a virus) from sending out spam and tarnishing the company’s reputation.
  • Data Loss Prevention (DLP). Whatever the business, it’s not uncommon for employees to send sensitive information outside the company, whether intentionally or by accident. However, if a company can define the characteristics of sensitive information, which could be as simple as the words “Do Not Redistribute”, then the gateway can automatically enforce restrictions against sending such information outside the company.
  • Large file modification. Internet email operates with size limitations that seem small by today’s standards and vary from site to site. Email messages that total more than ten megabytes are highly likely not to be delivered. As an alternative, gateways can replace large file attachments with simple links and make the files available from a web server, with or without some kind of user authentication requirement.
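
To make the DLP and large-file jobs above concrete, here is a small sketch of an outbound gateway decision. It is an example added to this post, not any vendor's implementation; the internal domain `example.com`, the file server `files.example.com` and the function names are assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses
from urllib.parse import quote

DLP_MARKERS = ("do not redistribute",)      # marker phrase from the article
SIZE_LIMIT = 10 * 1024 * 1024               # "ten megabytes" from the article
INTERNAL_DOMAIN = "example.com"             # assumption: the company's domain
LINK_BASE = "https://files.example.com/"    # assumption: hypothetical file server

def is_outbound(msg):
    """True if any To/Cc recipient sits outside the company's domain."""
    hdrs = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return any(not addr.lower().endswith("@" + INTERNAL_DOMAIN)
               for _, addr in getaddresses(hdrs))

def evaluate(msg, limit=SIZE_LIMIT):
    """Return (action, links); action is 'deliver', 'block' or 'rewrite'."""
    if not is_outbound(msg):
        return "deliver", []
    # DLP: scan the subject and every text part, ignoring case and line wraps.
    text = str(msg["Subject"] or "")
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            text += " " + part.get_content()
    if any(m in " ".join(text.split()).casefold() for m in DLP_MARKERS):
        return "block", []
    # Large files: swap attachments for links once the total passes the limit.
    atts = list(msg.iter_attachments())
    if sum(len(a.get_payload(decode=True) or b"") for a in atts) > limit:
        links = [LINK_BASE + quote(a.get_filename() or "unnamed") for a in atts]
        msg.set_payload([p for p in msg.get_payload() if p not in atts])
        body = msg.get_body(preferencelist=("plain",))
        if body is not None:
            body.set_content(body.get_content() + "\nFiles available at:\n" + "\n".join(links))
        return "rewrite", links   # publishing the files is left to the file server
    return "deliver", []

def sample(body, to="partner@example.org", attachment_size=0):
    """Constructed test message from an internal sender."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.com", to, "Q3 figures"
    m.set_content(body)
    if attachment_size:
        m.add_attachment(bytes(attachment_size), maintype="application",
                         subtype="octet-stream", filename="report.bin")
    return m

if __name__ == "__main__":
    print(evaluate(sample("Draft only. Do Not\nRedistribute.")))
    print(evaluate(sample("Figures attached.", attachment_size=11 * 1024 * 1024)))
```

The same marker in a message to an internal recipient is delivered untouched, which is the "inside" and "outside" distinction at work.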

Internal Complications

While these external gateways may seem complicated, business email is further enriched with more complexities inside the gateway, none of which are concerns for consumer email.

  • Security. Most computer security failures come from within the company, most often because an employee has unintentionally allowed malware to infect their machine. This can happen even with the most secure gateway in the world, as users can be tricked into downloading the malware, most often via the web or a USB storage device. Once a machine is weakened, it can easily be used to disrupt all communication-related security. While consumer email can also be compromised, the consumer depends on a service provider to deal with the problem, while a business, and especially the IT manager, needs to worry about it for its internal network.  Such disruptions can wholly or partially shut down a company’s email system, or can even cause critical information leaks.
  • Privacy. Although all corporate email characteristically belongs to the corporation, it is generally considered important to isolate the mail for each user, so that they can’t all read email to Human Resources or the CEO. This requires a certain amount of effort for account maintenance and administration.

Legal and Regulatory Issues

Finally, most businesses operate under legal and regulatory restraints that are simply not relevant to consumers. Here are a few examples:

  • Archiving. There is a strong and highly specific business need for archiving. Some companies want to keep all their information forever, while others want assurance that it’s completely removed after a certain amount of time. (Legal requirements can strongly constrain such policies.) Both of these are tricky to do right; keeping information forever requires disaster-proof practices, while complete purging has to account for such pitfalls as back-up tapes.
  • Compliance. In many industries, legal or regulatory requirements place considerable burdens on corporate communication. Beyond archiving, which is often mandated, there are often regulations (such as HIPAA in healthcare in the USA) regarding the treatment of sensitive information. For a company that is not in the communication or compliance business, it can be hard to know what regulations apply, let alone how to comply with them all.

So when all is said and done, if we want to continue to benefit from the power of email in our business life we need to recognize it is a different tool at work than home. Our business email has to operate under different standards of privacy, much like other forms of business communication. Once we take these concerns into account, we might even find we use email more effectively and create less risk or problems for our businesses in the process.

Of course, all of this depends on employers maintaining reasonable policies about occasional use of personal email while at work. If you expect me to accept the rules about corporate email, you should give me a way to occasionally access my personal email from work when it really matters. Otherwise, you’re forcing me to use corporate email to talk to my kids’ doctor, and I’m far less likely to view the privacy limitations of corporate email so benignly.


It’s that time again. It seems to come around at least a few times a year. Time to question if there’s life left in the old email dog.

The first time I heard the death of email predicted was in 1980, as a graduate student in Computer Science at Carnegie Mellon University. I had just joined the set of people whose duties included maintaining and developing the electronic mail and bulletin board systems upon which my department was already dependent. There were well over a hundred machines on the global network, so things had gotten pretty complex.

Nathaniel Borenstein also shared his views on the strength of email this week on Australia’s ABC Radio Future Tense

It was true then, and it's true now: Email is indeed an old technology, with lots of legacy problems. However, that doesn't mean that starting over will necessarily yield a better result, much less one that could justify the cost of the transition.

So, every few years for the last third of a century or so, someone has come along with a grand plan to do something that will make email obsolete. To date, that hasn't happened, largely because most people don't understand why email has been so successful in the first place.

Email has succeeded, in large part, because of the following architectural factors:

- Open protocols. It must be possible for different people to use different software and still communicate with each other. That software can't all be written in the same place. The great virtue of the open protocol process is that anyone can participate, most problems are anticipated, and the result actually works well for multiple vendors.

- Backwards compatibility. In 1980, the Internet was already getting to be too big and distributed to simply change protocols on a "flag day" as it had occasionally. The best way to replace a protocol is to extend and evolve it.

- Inclusivity of community. In the early days of email there were islands of communities, such as CompuServe or FIDOnet, in which people could communicate with each other but not beyond the island.  Although some providers tried to stay isolated, the value of having email extend to anyone you might possibly want to reach was overwhelmingly more important than the financial interests of a company like AOL -- a fact that today’s social networks, like the earliest email providers, have so far managed to ignore. IM or email on your social network of choice is great for contacting another ‘friend’, but no good if you want to reach someone outside that closed network.

And, arguably but more controversially, this factor:

- Unauthenticated and uncontrolled. The lack of authentication in Internet mail (and on the Internet in general) is often cited as one of its weaknesses but is in some ways its strength. It's a mixed bag because it simultaneously facilitates certain kinds of criminality while strengthening personal freedom. The ideal balance can be argued, but it seems clear why it has emerged the way it has -- individuals and institutions alike are leery of ceding power where matters of privacy are concerned.

Recently I read in Wired that a new company, Asana, has observed that email is an old technology, with lots of legacy problems particularly inside organizations. So, it wants us to start over with something new. Like its many predecessor email replacements, Asana is no doubt a mix of mostly-good ideas that ignore some of the key factors above. In fact, it reminds me most of an early-90's company called General Magic.

General Magic had done some really good things with asynchronous communication. Most notably, messages could include programs that would be executed on the recipient's end. To do this safely, of course, strong authentication was required. Probably for that reason, General Magic conceived its product as an alternative to email rather than compatible with email.

(It was, by the way, possible to do the same sorts of things in Internet email -- I and other researchers had already done so in the past. But it would have required standardization and more complexity, and it would have been far less profitable for General Magic. Dominating all asynchronous communication in the world, that's where the real money is.)

Anyway, what ended up happening to all the well-funded "email replacement" schemes I know of (Asana is founded by Dustin Moskovitz of Facebook fame, General Magic was Apple and AT&T) is that they built some fabulous demos, got a few key "showcase" users, and kept trying until they either ran out of money or evolved a more profitable business model. General Magic did both -- after some hard times, it came back to do things like build the first version of OnStar, but then cratered in the Internet crash.

Asana may do well or badly, I wouldn't care to predict. But I’ll predict that if it’s still around in a few years, it won't be pitching itself as an alternative to email. It'll be telling you how well it works with email and how much it improves email.

I hope it'll be right, because email is an old technology, with lots of legacy problems.


There's been a lot of talk recently about BYOD -- much of it about how companies might possibly avoid the headaches it brings. But the task of "managing" BYOD will probably prove overwhelming for most businesses. You can't manage it, but you can't avoid it either.

It gets worse: The inexorable clockwork of Moore's Law means that employees may soon have dozens of wearable networked devices, potentially even internal medical devices, each trying to use whatever wireless network it can find.

It's time we all admit that BYOD is not a policy decision, but more an empirical observation. Attempts to fight it will waste resources and at best delay the inevitable arrival of a steady stream of new devices. It makes no sense to pursue a policy that is doomed to be ignored. Practically speaking, all you can do is try to figure out how to deal with the reality of BYOD - most importantly, to secure your systems from hostile agents.

At the same time, email and communication technologies are evolving almost as quickly. Innovative startups are building variants on email, or email-based applications, or clever gateways. We are currently experiencing a flowering of email-like technologies, such as AwayFind, Contactually, Sidebar, Zementa, MailApp, Incredimail and many more. Each of these is potentially a new vector for those who wish to make mischief on your corporate network.

How can a business cope with these twin explosions of options and capabilities? There are really only two options. One is to hire more and more experts at securing such devices within an enterprise, but such experts are likely to be highly in demand and costly to recruit and retain. The other is to make it someone else's problem. You can, in fact, move almost everything relevant to BYOD and security to the cloud. The effort to securely support each new device type is part of a cloud provider's core business, and they're amortizing those costs across all their customers. With a good, reputable provider, your quality of service is likely to go up, possibly dramatically so.

Of course, the cloud vendor then becomes a critical resource for your company. Choosing the vendor is thus incredibly important, as is devoting enough internal resources to maintain a rich, well-informed relationship with the vendor, so that you're likely to know early if there's something to be concerned about.

There are plenty of examples from the history of business showing that what makes sense to provide in-house at one point in time can be a no-brainer to outsource just a few years later. In the early days of electrification, for example, factories that generated their own power had a huge advantage, but they all moved onto the grid once a stable and reliable grid emerged. The best business in the future won't be the one with the most highly-skilled in-house IT staff, but the one that chooses cloud services carefully, and then pays ongoing attention to how those services perform, and works closely with them to get the best of all worlds.
