Open The Dialogue

New research from Nuance Care Solutions brings to light a number of interesting statistics on how social media is playing into consumer attitudes:

• 72 percent say they research a company's customer service reputation online prior to making a purchase.


• 74 percent are actually basing their decisions on who to do business with based on what they find.


• 59 percent use social media to express their frustrations with their customer service experiences.


• Only 33 percent say they think companies take complaints voiced online seriously, though a couple brands in particular were singled out as doing a good job along these lines.

This study also identifies the gaping void that exists for companies to pay attention to what's being said about them online and interact there in order to solve problems. Problems are only problems as long as they remain unsolved, and posts with complaints are going to be updated with positive resolutions, but only if someone's listening and reacting.

Along these same lines, Leigh Householder has a good post up on monitoring Twitter as a way to identify brand reputation management issues that might be floated there before being turned into full-fledged posts detailing all the problems someone has with a company.

Posted by Chris Thilk at 01:36 PM | Permalink | Comments (1) | TrackBacks (0)

I've been trying to keep up with what has been going on with regard to John's issue late last week with coComment and Citibank, and I wanted to post an update today after reading this post by Pete Spire Lindstrom of Spire Security on his blog, about how John hasn't "acknowledged" his participation in this situation.

While I will "agree" to correct John in saying that he didn't mention in his post that he obviously posted the message to Citibank through its online messaging system, he did say to me, on multiple occasions, that he did it by accident the first time, and thought nothing of it until he happened to log in and see that he had coComment updates later on last week. I don't disagree that John was obviously the "push" to what went on in his situation - as were three other unsuspecting users who just so happened to not blog about it, and potentially don't know, even now, that this happened with their messages - but that doesn't hold Citibank (or coComment, or John) harmless. Pete insinuates that someone else wrote John's post, which most certainly isn't the case, and I'll 100% vouch for him as a colleague and friend. Working for a public relations agency, I think that both of us know better than to go off on unfounded attacks on companies when we haven't at all tried one way or the other to get answers. In addition to calls from his end to Citibank's technical side, we've both corresponded a number of times with the bank's technical staff, and I've gone back and forth with coComment a bit myself. The thing I think that Mr. Lindstrom has chosen to ignore is that we *only* posted this because while a browser-based function such as this is the responsibility of the user, it doesn't mean that it should be able to do what it does, hence our lack of "blame" on either coComment or Citibank - or ourselves, really. The reason that Citibank was isolated and mentioned, more than anything, was that John tried this at two other financial institutions that he works with, and I tried it with my primary bank. On zero occasions, with those institutions, did this functionality work, based on policies that those sites had set up.

To answer Pete's last question, blockquoted here:

As I mentioned, if John can demonstrate how Citibank could have somehow protected against this (without a client-side footprint), then I will happy retract this statement, as I am sure he will once he reads this post (I was so careful to get the spelling right ;-)).

I'm not positive that myself - nor John - has enough detailed security knowledge beyond what most of us who've developed a Website with any secure needs have, but after spending time on the phone with some of Citibank's technical team who was on this issue over the weekend, I have a decent gist of understanding this. What I would pose to Mr. Lindstrom, in this case, is that if Citibank isn't able to "protect against this," then why is it that Wachovia, Commerce Bank, and ING Direct were all able to do so? Considering the fact that Mr. Lindstrom has obviously read all of John's post, I'm not sure why he chose to glaze over those facts.

As for the fact that this is a "new toy" for John, it actually isn't, and this was something that was honestly stumbled upon with no ill intent after using it for some time. The gist here was that no one would have expected that this sort of thing would work, especially considering the "option" for coComment to snag the text wasn't available in other secure situations. If it were, I believe that we would have heard many many more examples of security concerns regarding it by now, given the number of bloggers who've given it a whirl. Now doing some casual searches you will see some items where people have mentioned different types of incidents, but nothing at a bank, as far as I can tell.

As for the PR angle, I hesitate to grasp the misunderstanding that Lindstrom has when he says "but this is completely bizarre to be thinking about PR agencies in the face of a security concern." Oh, really? Well, considering John went the security route - on his own volition - in addition to us contacting coComment to let them know this was out there, which they promptly deleted before ever thinking about blogging about this, only to get nowhere, which led to the attempts to get in touch with the company's public relations team just to make them aware of the situation. This is something that, in our jobs, we're always looking out for, i.e. a blogger noting something about a client in the middle of the night. The calls were more about letting them know that this was feasible - and different - on the Citi site, rather than hostile towards them alone.

So while Pete Lindstrom may be right about the fact that John didn't say that he did err in not unchecking the box for coComment to do this, he misses the point that the option to use coComment in this situation was so out of the norm for when it is usable that it was passed by not only by John, but other Citibank customers as well. Based on spending a little time perusing Lindstrom's blog and site this morning, I'm sure that his security credentials are on point, and obviously are well beyond mine - or John's - will probably ever be. But I think that if he had spent five minutes trying out coComment in similar situations, he would have seen that this isn't feasible in all secure situations, and that this was an issue that was "shared" by both the user, the software, and the site. I don't want to be in the position where we're throwing anyone - or everyone - under the bus here, but I think the fact of the matter here is that there is a problem. Saying that "the user made an error and it's his fault" makes me want to say that we should say the same thing to people who choose to use Windows systems over Mac systems - because of what we statistically know about security concerns between the two - are at fault. It doesn't mean that the user is the only person to "blame," it simply points out that there is an issue that needs to be fixed. If it shouldn't be pointed out that potentially thousands of coComment users could be doing this - accidentally, or mistakenly, by believing the software would never allow them to do so (sure, it's blindly, but it happens) - then I'm not sure what we should be raising red flags about. Lindstrom can talk semantics all he wants - it's his blog, his opinion - but if something like this is feasible to do, then it's a "security concern" that those involved can talk about.

[update] Just one more thought. While I do believe that there is something different being done on the other banks mentioned above and in previous posts, something that was said on coComment's official blog about being able to blacklist sites that shouldn't be able to store comments has got me thinking - is what some of the bank security has built into it on some of those sites only half (or one third, given security policy, third-party extension, and human error possibilities) of the issue, and should we be more concerned about what implications using such a thing has, more than anything? Obviously coComment offers a client-side option where you can make your blog work with the system, but obviously that can't work in a negative option-fashion. As in, your site is indexed unless you say not to, or someone blacklists you. Thoughts? I'd be really curious as to what security policies for SSL and whatnot disallow something like this logging to function, or not.

[update 2] I've updated this post from the original, as Pete's last name is Lindstrom, not Spire. Thanks for the update in the comments, Pete!

Posted by Tom Biro at 09:57 AM | Permalink | Comments (2) | TrackBacks (0)

A few minutes ago, I received a response from coComment regarding the ongoing issue with that service indexing submissions to Citibank's online form when logged into the bank's systems. Check out what they had to say here, where they are pointing out that you can blacklist any site from storing your information, should you notice this sort of thing being feasible. In this case, the only reason that John had this happen was that he missed unchecking the box to log his note to Citibank, so it was more luck than anything that got us here (though some might disagree).

Again, I'm not going to specifically point fingers one way or another here, but while I am surprised that coComment software had logged this, I think I'm *more* surprised that it was allowed to log it in the first place. Because, as they say, "this shouldn’t happen and site security policy should prevent it." More on that later. In the meantime, Citi's security team has been great going back and forth, and we're working on finding the right person within that company's internal PR team to hear what they have to say about it.

Posted by Tom Biro at 12:23 PM | Permalink | Comments (2) | TrackBacks (0)

For the latest followup to this story from late Friday/early Saturday morning, I wanted to note that I did hear back, via email and telephone, from Citibank's information security group on Sunday. They were very courteous about the situation and wanted to do everything they could to see what the problem was with coComment tracking some of their online messaging. They did offer to speak with John, my colleague, as well (through me, however), but he has not received any direct, official communication from Citibank after his multiple messages through their online system or two telephone calls to their IT or security groups.

Additionally, while coComment (or someone related them) removed the posts shortly after John and I posted about this late Friday night, no one has responded to my request for comment, and Citibank's security group was looking into who at coComment they could speak with, but I had not heard that they had been successful as of mid-afternoon on Sunday.

In any case, I don't want to lay blame here officially one group or the other, as it appears there's some things that Citi's site could be doing better, from an outsider's perspective, and I'm guessing there are things that coComment is doing that they might not have originally intended. At the same time, as Chris Thilk and I are speaking this morning (we do talk on the phone, by the way), we both are very surprised that no word has come down from Citi's PR department or agency, based on the fact that this was indexed more than two days ago as far as Technorati and whatnot. The other great point that Chris makes is that "how are they not reaching out to John directly?" That's something I'm surprised about, too, considering John blogged it himself and also did directly reach out to his bank - which he is a customer at, not me.

[update 11:45am Eastern] Upon attempting to loop in Ruder Finn, who we're believing is the agency that would handle this specific piece of business, I've failed at the main email address for the firm, found here, on the firm's contact page. So if you're looking to email Ruder Finn at the "rfnewyork@ruderfinn.com" email address, don't bother. There's "no such user."

Posted by Tom Biro at 09:48 AM | Permalink | Comments (0) | TrackBacks (0)

So far, no word from Citibank or coComment on this issue where the commenting service was able to track a theoretically secure page, although coComment has cleared out the thread John and I linked to last night. If you're still interested in seeing it, the PDF of the offending page is here here or you can see the full rundown of screens over at his blog.

Additionally, he made another attempt last night to speak with Citibank's Internet Security group, but didn't get very far with them, although he was able to provide them with the right information. Looking to try and get information from Citigroup media relations today, if possible.

Posted by Tom Biro at 11:27 AM | Permalink | Comments (0) | TrackBacks (0)

After hearing reports and rumors that an iPod Factory in China might be violating child labor and other laws, Apple had one of two options:

1) Deny the reports outright and question the character of anyone making such claims
2) Be open and honest about the issue, launch an investigation and make the results public

Thankfully the company chose the second approach. They created a team of employees from human resources, legal and operations teams to audit the factory and interview employees. After doing just that they found there were no major violations of their Code of Conduct (child labor, for instance, was not found to be used) but there were some places where the factory fell short either in terms of the letter or spirit of the regulations. Apple has begun working with the factory (which houses more than just Apple employees) to expand housing, clear up pay scales and make other immediate improvements. They've also engaged the services of Verite, which specializes in monitoring workplace conditions, to ensure ongoing compliance.

In a time when so many companies defend, defend, defend until they're forced to acknowledge error and then scramble to fix both the problem and their reputation, Apple chose to take the narrow and more difficult path. Part of this is because they know how many MP3 players are waiting for the first sign of weakness to pounce on Apple's market share. But I think part of it is because they realize that it's far better to maintain a good corporate reputation than to develop a plan to fix it.

Posted by Chris Thilk at 04:34 PM | Permalink | Comments (0) | TrackBacks (0)

Late last week, I went out to dinner with two other people to a pretty well-known restaurant chain that has locations across the U.S., and had a kind of curious experience. Now, first off, I've got to say that I go out to eat quite a bit, to a variety of places. In doing so, you come across quite a bit of various dishes being out of stock, or quirky things happening in a restaurant. That's all well and good, but this experience kind of opened my eyes to the new world we live in when it comes to potential public relations and customer service nightmares.

So, after one of our dishes was 86'd only moments before we were to receive dinner, the three of us had something to eat, with the 86'd dinner landing a free appetizer for diner #3. The staff was super super polite, and the manager was the one who came out to apologize for the vanishing dish. This is actually very important when it came to what would happen next. A few minutes later, as we're all well into our meals, a strange object was seen atop one of the plates - not mine. Looking from my seat, I wasn't sure what it was, but shiny, squared-off objects aren't usually part of a chicken-filled salad, so I had to take a closer look. As it turned out, it was a few inch long razor blade.

Thankfully, no bites of a metallic nature had been taken, and the blade was hidden underneath the sprouts. (Aren't they always!?) After retrieving the manager (she must have been happy to see us again), we were treated very well and with a lot of respect as a customer. She did everything she should have to ask us if there was anything else she could get us, assured us that we would not be paying for our meal, and pretty much offered us the run of the place. That was great. When we re-ordered the same dish (but without razor blades), it was quickly delivered within five minutes by the chef of the restaurant, who had done a little digging in the kitchen and determined just what the problem was. As it turned out, the blade was part of a device used to slice tomatoes and other vegetables into long, thin strands, and do multiple slices at once - it was one of about eight blades on the piece. One apparently dropped loose, and fell into the dish, and was unseen by those doing the preparation. Quality control aside, I can totally see how something quirky like this could happen. That doesn't mean it *should* have happened, just that it's not outside of the realm of possibilities.

While sitting there in the moments before the manager arrived, I was torn as to whether to use one of the two cameraphones I was carrying in my pockets (we had four at the table total), and what to do with it if I did. Now there was no injury here, so I wasn't as concerned about that sort of thing, but something struck me at that exact moment - that any of us can hold a lot of cards in situations like that, these days, if we're into the tools of the trade. That doesn't mean you have to be a professional blogger or photographer or anything like that. Let's just say I had shot a photo, sent it to Flickr from my phone, and then texted a few of my friends to check it out. They'd not only know where I was, but they would see the plate. Surely, someone could have blogged it or at the least sent it out to friends on instant messaging platforms, or hell, posted it to a MySpace account. It's a quick and dirty nightmare for the restaurant, a potential lawsuit coming back my way (even if it had no merit), and a bunch of ugliness as people everywhere who might have been heading to this restaurant hear about what is going on. And hey, what about the manufacturer of the kitchen tool?

Not to harp on this forever, but what I wanted to make clear that these kinds of things happen every day, and have for years. The difference today is that everyone - not just the multimillion dollar companies who buy ad time - has a voice, potentially a large one, and probably one that isn't fast forwarded through, either. People listen to each other a lot more often than they do a spokesperson or talking head on the news. Let's just say I was part of a table of teenagers (hey, I was one once) - would I have thought twice about taking the photo and emailing it across the planet from my cellphone? Probably not. That's what we're all up against, all the time.

This isn't about fixing business practices at all - mistakes and errors happen - it's about knowing how to pay attention and be aware of things like this as they happen, or at least within a reasonable time afterwards. This restaurant hearing about this four or five days later (when I'm writing this blog post) wouldn't have cut it. There could have been hundreds, if not thousands, of people talking about this, forwarding it along, blogging on it, or whatever. Just as companies are prepared for crisis communications in a traditional sense, this isn't about waiting until the story is "mainstream" enough to make the evening news and get a formal press conference. Showing that you're on top of this stuff and can incorporate a response from a disaster that may not have begun because someone called the police or their local news station is what is going to separate firms from the pack. Not that we want to see these crises happen, but we know that they are out there and can come about very quickly, perhaps faster than they ever have, even in our 24-hours television news world.

Some people talking about the blogosphere being like the "Wild, Wild West." Typically I disagree, but when comparing instances like this to that concept, it fits right in. You never know where the next gunshot is going to come from.

Posted by Tom Biro at 12:24 PM | Permalink | Comments (0) | TrackBacks (0)