So-called data portability and data ownership is a hot topic of late, and with good reason: with all the talk of the opening of social networking sites and the loss of presumed privacy, there’s been a commensurate acknowledgment that the value is not in the portability of widgets (via OpenSocial et al) but instead, (as Tim O’Reilly eloquently put it) it’s the data, stupid
!
Now, Doc’s call for action is well timed, as we near the close of 2007 and set our sights on 2008.
Earlier this year, ZDNet predicted that 2007 would be the year of OpenID, and for all intents and purposes, it has been, if only in that it put the concept of non-siloed user accounts on the map. We have a long way to go, to be sure, but with OpenID 2.0 around the corner, it’s only a matter of time before building user prisons goes out of fashion and building OpenID-based citizen-centric services becomes the norm.
Inspired by the fact that even Mitchell Baker of Mozilla is talking about Firefox’s role in the issue of data ownership (In 2008 … We find new ways to give people greater control over their online lives — access to data, control of data…
), this is going to be issue that most defines 2008 — or at least the early part of the year. And frankly, we’re already off to a good start. So here are the things that I think fit into this picture and what needs to happen to push progress on this central issue:
- Economic incentives and VRM: Doc is right to phrase the debate in terms of VRM. When it comes down to it, nothing’s going to change unless 1) customers refuse to play along anymore and demand change and 2) there’s increased economic benefit to companies that give back control to their customers versus those companies that continue to either restrict or abuse/sell out their customers’ data. Currently, this is a consumer rights battle, but since it’s being fought largely in Silicon Valley where the issues are understood technically while valuations are tied to the attractiveness a platform has to advertisers, consumers are at a great disadvantage since they can’t make a compelling economic case. And given that the government and most bureaucracy is fulled up with stakeholders who are hungry for more and more accurate and technologically-distilled demographic data, it’s unlikely that we could force the issue through the legal system, as has been approximated in places like Germany and the UK.
- Reframing of privacy and access permissions: I’ve harped on this for awhile, but historic notions of privacy have been out-moded by modern realities. Those who do expect complete and utter control need to take a look at the up and coming generation and realize that, while it’s true that they, on a whole, don’t appreciate the value and sacredness of their privacy, and that they’re certainly more willing to exchange it for access to services or to simply dispense with it altogether and face the consequences later (eavesdroppers be damned!), their apathy indicates the uphill struggle we face in credibly making our case.
Times have changed. Privacy and our notions of it must adapt too. And that starts by developing the language to discuss these matters in a way that’s obvious and salient to those who are concerned about these issues. Simply demanding the protection of one’s privacy is now a hollow and unrealistic demand; now we should be talking about access, about permissions, about provenance, about review and about federation and delegation. It’s not until we deepen our understanding of the facets of identity, and of personal data and of personal profiles, tastestreams and newsfeeds that can begin to make headway on exploring the economic aspects of customer data and who should control it, have access to it, can create, read, update, and delete
- Data portability and open/non-proprietary web standards and protocols: Since this is an area I’ve been involved in and am passionate about, I have some specific thoughts on this. For one thing, the technologies that I obsess over have data portability at their center: OpenID for identification and “hanging” data, microformats for marking it up, and OAuth for provisioning controlled access to said data… The development, adoption and implementation of this breed of technologies is paramount to demonstrating both the potential and need for a re-orientation of the way web services are built and deployed today. Without the deployment of these technologies and their cousins, we risk web-wide lock-in to vender-specific solutions like Facebook’s FBML or Google’s OpenSocial, greatly inhibiting the potential for market growth and innovation. And it’s not so much that these technologies are necessarily bad in and of themselves, but that they represent a grave shift away from the slower but less commercially-driven development of open and public-domained web standards. Consider me the frog in the luke warm water recognizing that things are starting to get warm in here.
- Citizen-centric web services: The result of progress in these three topics is what I’m calling the “citizen-centric web”, where a citizen is anyone who inhabits the web, in some form or another. Citizen-centric web services, are, of course, services provided to those inhabitants. This notion is what I think is, and should, going to drive much of thinking in 2008 about how to build better citizen-centric web services, where individuals identify themselves to services, rather than recreating themselves and their so-called social-graph; where they can push and pull their data at their whim and fancy, and where such data is essentially “leased” out to various service providers on an as-needed basis, rather than on a once-and-for-all status using OAuth tokens and proxied delegation to trusted data providers; where citizens control not only who can contact them, but are able to express, in portable terms, a list of people or companies who cannot contact them or pitch ads to them, anywhere; where citizens are able to audit a comprehensive list of profile and behavior data that any company has on file about them and to be able to correct, edit or revoke that data; where “permission” has a universal, citizen-positive definition; where companies have to agree to a Creative Commons-style Terms of Access and Stewardship before being able to even look at a customer’s personal data; and that, perhaps most import to making all this happen, sound business models are developed that actually work with this new orientation, rather than in spite of it.
So, in grandiose terms I suppose, these are the issues that I’m pondering as 2008 approaches and as I ready myself for the challenges and battles that lie ahead. I think we’re making considerable progress on the technology side of things, though there’s always more to do. I think we need to make more progress on the language, economic, business and framing fronts, though. But, we’re making progress, and thankfully we’re having these conversations now and developing real solutions that will result in a more citizen-centric reality in the not too distant future.
If you’re interested in discussing these topics in depth, make it to the Internet Identity Workshop next week, where these topics are going to be front and center in what should be a pretty excellent meeting of the minds on these and related topics.
Factory Joe 
Thanks Chris, I enjoy your insight, every time.
BTW, this link is broken: https://factoryjoe.com/projectvrm.org
the link to projectvrm.org is broken, otherwise a good roundup of a lot of issues that we’ll be facing this year. It should definitely be an exciting time. That being said, here’s some actual comment.
VRM – I question how often there are large scale industry changes as a result of charges from the consumer (and I think doc makes his point when he says that just getting mad and huffing about switching), I would say in fact that I don’t think we’ll ever see consumers “demanding change”. What we will see is other companies offer a product that is more compelling, and capable of providing the consumer with features they didn’t even know they wanted.
And I suppose that’s sort of at the root of it. Most consumers don’t know what they want. They do know they want to be involved in social networking. But they aren’t aware that they are “giving up their data”, because a product doesn’t exist on the market that’s compelling, provides for data ownership, and does so in such a way the the consumer isn’t just swamped.
So I don’t think this should be a call for consumers to act out (maybe us geeks certainly). But it should really be a call for the developers and euntrapeuners to find a way to change the market realities.
Right now we live in this constricting world where the value of a social network directly corresponds to the number of users it has over it competitors (similarly for other mediums like video/pictures/movie preferences/etc.). Until we (developers) begin to provide a way to tear down that current understanding of value, there will be no way to progress in the market.
We have to create products that demonstrate the value and utility of applications that a) share data b) let users own data. In the case of social networks this means demonstrating that social networks can compete not on the quantity of the users, but the quality of their product (and possibly the quality of their users). This /shouldn’t/ be terribly difficult, we already understand that certain target demographics are worth more than others (golfers, doctors, lawyers) so certainly it should be an easy mapping to understand that the breakdown in user value is more granular than what we’re seeing today. And we certainly already understand that companies in the physical world are capable of competing in their own right, so why not bring this to the market.
rambly, but there you go.
~ Anders
The filesystem is the most successful way we’ve ever dealt with these issues in the past. If I could wave a magic wand and widely deploy any solution to these issues, I would concentrate on giving users the ability to save session state as local documents, and then upload those documents to other services. The easiest examples are documents like address books, atom collections, and XSPF playlists.
The hardest part will be for web programmers to grok the desktop application model – user has a file, wants to open it using an application, make some changes, save, quit, and then maybe open the same document in another application. This is something we do all the time on the desktop, but moving those ideas to the web will not be easy.
@Jeremiah: Fixed, thanks! 😉
This is an important discussion; I would, however, suggest stressing the distinction between ‘privacy’ and ‘anonymity’ – they are not necessarily synonymous.
A transaction online is no different than one in the public square, where there is no reasonable expectation of privacy and limited expectation of anonymity: some transactions may be public but anonymous: for example, a charitable donation.
If we accept legal, commercial transactions require a legitimate buyer and seller, it follows there will no privacy and limited anonymity – this is by design. In which case, I would argue the greatest challenge lies in creating a frictionless, common ID system, facilitating all web transactions, commercial or social. The challenge is not protecting a Facebook news feed, the equivalent of standing on Speaker’s Corner and ranting at the rain.
Privacy *is* an illusion; it is therefore incumbent upon us to be mindful of the only relevant question remaining: who is watching the watchers?
Thanks Chris, good stuff.