Here's How I Decide What I Endorse and How I Ensure Transparency

One of the by-products of an increasingly public profile is that companies want you to promote their things. You see this all the time in all walks of life whether it be product placement in movies, celebs sponsored by car companies or indeed the sponsor banner you see at the top of this blog. These companies benefit from the exposure granted to them by individuals with influence.

The flip side is that the allure of money or free goods can taint the impartiality of said individual. For example, in the wake of the Sony Pictures hack we learned that Kevin Hart was paid a couple of million bucks to tweet Sony's messages. More recently, there was news that the Kardashian family wasn't properly disclosing paid endorsements on Instagram. Now I don't exactly have those sorts of levels of celebrity status but it did get me thinking - how do I decide what stuff I attach my name to?

This post makes that position clear. It's necessary because I'm increasingly asked about it and indeed, often challenged by people who believe I may lack impartiality. Here's how I handle it.

I'm Not Endorsing Anything I Wouldn't Use Myself

The very best relationships I have with companies are the ones where they've approached me after my own independent endorsement of what they do. For example, I have the Microsoft MVP and Regional Director roles (no, for the millionth time that doesn't mean I work for Microsoft!) and they came after extensively using their products in a professional capacity for a decade or more. Not just using them either, but writing about them at length and being a community influencer. My series on The OWASP Top 10 for .NET Developers was the catalyst for that relationship and the MVP award came another year after I began that journey.

Lenovo is another great example. I've used ThinkPads since the 90's, originally when they were IBM then into the Lenovo era that began in '05. That was all Pfizer bought us when I worked there - 14 years' worth of ThinkPads! They were great machines so when I needed a new one 4 years ago now, I went out and spent my own hard-earned cash on one:

These days, I'm on their Insiders program and they send me machines, but they're precisely the sorts of machines I'd buy myself anyway. The P50 I received last year is without doubt the best machine I've ever had, regardless of how I acquired it.

Then there's Ubiquiti and if you've been watching, I've said quite a lot about them recently. That all started because I went and spent a couple of grand of my own to finally fix my dodgy wifi. And it's awesome! That blog post was written before ever speaking to anyone there or receiving so much as a free sticker from them.

Now I never expected this to happen to the degree it has, but after writing that blog it turns out that a lot of people went and bought Ubiquiti bits. What makes me especially pleased about the results in that tweet search is how happy everyone is - people love the gear and that's really important to me independently of any commercial interests I have. Which brings me to the next point:

I Always Make It Crystal Clear if I'm Financially Incentivised

Continuing the Ubiquiti topic, regardless of how independently endorsed I am in a product, it's enormously important that I disclose when I've been financially incentivised. For example, when I recently wrote the course Ubiquiti has now put out for free I said this:

I want to be clear that this is a commercial course (they've paid me for my time)

Or when I managed to get 7 aesthetically faulty "factory second" in-wall units that I put into my brother's house in a ground up build:

Functionally they were perfect, but they weren't yet 100% happy with the fitment of the covers. But if I wasn't the fussy type, how many did I need and would I like them to send me over a box of near perfect ones for free? 7, and yes please :)

This is really important context and whilst I can't always fit disclosures into say, a single tweet, I make sure that at every opportunity I'm clear about the relationship. Frankly, I don't think this takes anything away from the value the company in question gets out of the relationship (they still get the same exposure) and if I didn't properly disclose, there's a very real chance it would take something away from me, namely my independence and authenticity.

All of that said, it's not like I say "yes" to any company that pops up and wants to throw money or product my way either. For example:

I Say "No"

Just recently, I had a company you know approach me to write for them. I won't name them here, but let's just say they rhyme with an Irishman who doesn't move too fast (some of you will get it). They wanted me to write some content on a commercial basis but the historical reputation of the company just didn't sit well with me. They've done some shitty things in the past and whilst in more recent years they've clearly tried to turn that around, the bad memories are still just too fresh.

When any of us attach our names to another company whether that be by writing about them, writing for them or even just publicly using their products, a bit of us rubs off on them and a bit of them rubs off on us. It can be a delicate balance and in a case like this particular one, an argument could be made that a positive security influence from someone such as myself is in the industry's best interests. But I didn't feel I could really achieve that through writing alone and that the net result of that relationship would be negative for me.

The other day I had a company contact me asking "if we can cooperate with you" which as it turned out, was code for "can you please talk about our things if we give them to you for free". I'm pretty uncomfortable with this premise - it just doesn't sit well with me. The exception of course is if it's something I'm already endorsed in which is as I explained earlier on.

Same again for blog sponsorship. I rolled that model out in September last year and it's been fantastic! But I've said "no" on multiple occasions because I didn't agree with the philosophy of the company wanting space on my site. Now of course, sponsor messages are a different proposition to me directly endorsing someone's laptops or wifi gear; I haven't personally used many of the products my blog sponsors are selling (with a few notable exceptions), but they're brands and names I'm happy to have occupying that bar for one-week slots at a time.

The point is that saying "no" is ok. But when I do say "yes", there's another really important aspect of every endorsement:

I Maintain Full Independence

I didn't like Lenovo's Superfish, but their laptops are the best I've ever used. I've subsequently leveraged my relationship with them on multiple occasions to talk specifically about Superfish and what I believe they need to do better.

I don't like Microsoft's lack of support for browser security standards such as SRI and HPKP. So, I use the influence I have with them to express why that's important and why I believe it needs to change. (I'm still pushing them for first class Let's Encrypt in the Azure App Service too, by the way.)

The point is that every organisation has strengths and weaknesses and having a commercial relationship shouldn't mean only talking about the former and neglecting the latter. That adversely impacts credibility and quite rightly, makes people question your independence.

I can quite honestly say that none of the organisations I've worked with have ever had anything to say when I've publicly talked about what I don't like. I've also never had any push-back when I've explained why I don't want to do things like hashtag tweets or include logos in email footers. I've always explained to them that the value I represent is that people trust my transparency and candour; anything that jeopardises that would be negative for all involved.

Ultimately, I approach every relationship with one simple objective, and it's this:

You Shouldn't Be Able to Tell the Difference

I mean you shouldn't be able to tell the difference between a product I endorse because I'm incentivised to do so versus one I just like, short of the disclosure I mentioned earlier, of course. My behaviour shouldn't change just because there's money or product changing hands.

For example, I'm frequently very vocally supportive of both the 1Password password manager and Freedome VPN. I use them both daily, I've written about them both and I constantly recommend them to anyone who asks. I've never received either product for free (I've paid retail prices for both for years), and I've never been paid to endorse either of them. I have contacts at both companies I've spoken to on various issues multiple times in the past, but any sort of advocacy position is simply not a topic that's ever come up.

So, to the point of the title, the way I talk about 1Password and Freedome should be indistinguishable from the way I talk about Lenovo and Ubiquiti in terms of how I endorse them. It's just the right thing to do.

Now, having said all that, no matter how hard I try to get all this right, I'm never going to keep everyone happy all of the time:

People Will Still Complain Anyway

Let me give you an example and it's not to throw this guy under the proverbial bus (he was actually very cool in his later responses), but rather it's to highlight the ongoing challenge of finding the right balance.

Recently, Lenovo sent me a new machine, a Yoga 910 in this case. This was running Win 10 out of the box but I was curious - how much data does a brand-new machine still need to pull down from the web just to get up to current patch levels? Nothing to do with the fact I had a free machine from Lenovo, just genuine geeky curiosity. So, I logged it and tweeted this:

Seems fair, right? Interesting even? Not everyone thought so:

If anything, I thought I'd get a harsh comment or two for having received a freebie from Lenovo! The only reason I added the @ubnt reference was because if I didn't, I'd get a barrage of responses along the lines of "where did you get those stats from".

Admittedly, when I saw this I was pissed. I had a really good reason for mentioning Ubiquiti and it had nothing to do with promoting them. But instead of responding as I felt inclined to, I took a different approach:

Because that's ultimately what it boils down to, right? If you're following someone and their signal to noise ratio moves outside your comfort zone then you simply don't follow them anymore. Ok, most people probably wouldn't explicitly broadcast their intent to unfollow, but obviously the guy was frustrated and he wanted to vent that. I added a smiley face in my reply because I didn't want it to appear condescending, and clearly it didn't, because I got this back a few minutes later:

At the time of writing, he still follows me 😀

The point is that there's always going to be people that fundamentally disagree with your point of view and once you add a variable that is perceived to impact your impartiality, that disagreement is amplified. That's why I'm so cautious with everything I attach my name to and indeed, that's why I've written this post - to explain my thought process. I hope this helps explain things to all the people I'm sure I'll direct here in the future.

