Google as Bogeyman

27.02.2012 by Dave Kearns

Is Google the new Microsoft? That is, is Google now the company that “people love to hate,” so that – no matter what they do – there’s sure to be criticism of them? Ten years or so ago Google was seen as the “white knight” that would vanquish the Microsoft dragon as a worthy successor to Apple in that role. Now, though, it appears that Apple has risen from the ashes and is the valiant warrior that the Google “dark lord” is trying to usurp.

Here in the western hemisphere, the gathering of personal data in order to present ads to you which reflect your interests is considered by many to be a bad thing.

The latest round was a recent story in the Wall Street Journal purporting to show how Google had undermined and sidestepped the privacy settings on iOS devices (and computers) using Apple’s Safari browser.

It would appear that there are two possibilities: 1) the Safari mechanism was flawed; or 2) Google used a loophole or “backdoor”. In fact, both are true but the real culprit here may be the user, aided and abetted by the media – and Apple!

Safari is the only web browser which, by default, blocks third-party cookies. At least, they say they block them. In reality, Apple only blocks brain-dead third-party cookies, since it very happily tells all and sundry under which conditions third-party cookies may be allowed. According to Stanford University researcher Jonathan R. Mayer, in fact, Safari’s cookie-blocking policy is less restrictive than those of many competing browsers. Specifically:

  • Reading cookies: Safari allows third-party domains to read cookies.
  • Modifying cookies: If an HTTP request to a third-party domain includes a cookie, Safari allows the response to write cookies.
  • Form submission: If an HTTP request to a third-party domain is caused by the submission of an HTML form, Safari allows the response to write cookies.

Third-party cookies, by the way, are defined as those served by a domain different from the one in your browser’s URL bar. So if, for example, your browser is reading from mail.google.com, then any server identified as *.google.com could place a cookie, but a server at any other domain could not. As Mayer points out, though, “Google Analytics is served from google-analytics.com, Google software libraries are hosted at googleapis.com, Google static content is at gstatic.com, and Google’s advertising services are on doubleclick.net.” All of these would be considered “third parties,” even though all are Google owned and operated properties. In the real world, the non-digital world, no one gives a thought to a retailer, say, sharing a buyer’s information with the vendor who made the product. Few, if any, would object to Best Buy telling Apple that I bought a new iPad, even though they are a “third party.”
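To make the three rules concrete, here is an added Python model of the stated policy. It is an illustration written for this page, not code from the post, from Apple or from Mayer’s analysis. It classifies a request as first- or third-party with the simplified “same registrable domain” rule the post uses (mail.google.com and every other *.google.com host are one party) and then decides whether a response may write a cookie. The hostnames and the `CookieJar`, `Request`, `response_may_write` and `walk_through` names are constructed for the example; real browsers determine the party boundary with the Public Suffix List, which is omitted here. The walk-through shows what a privacy reviewer would want to see: a third party is blocked on first contact, admitted by a single form submission, and thereafter able to write on every ordinary request under the “modifying” rule.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def registrable_domain(host: str) -> str:
    """Simplified party boundary: the last two DNS labels of the host.

    mail.google.com -> google.com, so every *.google.com host counts as one
    party, while google-analytics.com and doubleclick.net are separate
    parties, matching the examples in the post. Real browsers consult the
    Public Suffix List (so that, e.g., co.uk is not treated as a site); that
    refinement is deliberately left out of this illustration.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(page_host: str, request_host: str) -> bool:
    """A request is third-party when its host belongs to a different party
    than the page shown in the URL bar."""
    return registrable_domain(page_host) != registrable_domain(request_host)


@dataclass
class Request:
    page_host: str                  # host in the browser's URL bar
    request_host: str               # host the subresource request goes to
    from_form_submit: bool = False  # request caused by an HTML form submission


@dataclass
class CookieJar:
    """Cookies keyed by the party (registrable domain) that set them."""
    store: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def cookies_for(self, host: str) -> Dict[str, str]:
        # Rule 1 ("reading"): cookies are attached to every request to the
        # party that owns them, third-party or not, so reading is never blocked.
        return self.store.get(registrable_domain(host), {})

    def set(self, host: str, name: str, value: str) -> None:
        self.store.setdefault(registrable_domain(host), {})[name] = value


def response_may_write(jar: CookieJar, req: Request) -> Tuple[bool, str]:
    """Decide whether the response to `req` may set a cookie, and say why."""
    if not is_third_party(req.page_host, req.request_host):
        return True, "first-party"
    # Rule 2 ("modifying"): a request that already carries a cookie for the
    # third party may have its response write cookies.
    if jar.cookies_for(req.request_host):
        return True, "modifying: request already carried a cookie"
    # Rule 3 ("form submission"): a form post to the third party may write.
    if req.from_form_submit:
        return True, "form submission"
    return False, "blocked: third party with no cookie and no form submission"


def attempt_set_cookie(jar: CookieJar, req: Request, name: str, value: str) -> str:
    """Apply the policy to one Set-Cookie attempt; store the cookie if allowed."""
    allowed, rule = response_may_write(jar, req)
    if allowed:
        jar.set(req.request_host, name, value)
    return rule


def walk_through() -> List[str]:
    """Replay one sequence of requests against constructed hostnames
    (www.shop.example is the page, ads.tracker.example a third party)."""
    jar = CookieJar()
    page = "www.shop.example"
    tracker = "ads.tracker.example"
    return [
        # 1. Plain embedded request to a third party with no cookie yet: blocked.
        attempt_set_cookie(jar, Request(page, tracker), "id", "abc"),
        # 2. The same third party reached by a form submission: allowed.
        attempt_set_cookie(jar, Request(page, tracker, from_form_submit=True), "id", "abc"),
        # 3. A later plain request now carries that cookie, so writes are allowed:
        #    the one-time exception has become a standing permission.
        attempt_set_cookie(jar, Request(page, tracker), "id", "xyz"),
        # 4. A sibling host of the page is first-party and never restricted.
        attempt_set_cookie(jar, Request(page, "static.shop.example"), "pref", "dark"),
    ]


if __name__ == "__main__":
    for step, rule in enumerate(walk_through(), 1):
        print(step, rule)
```

Running the block prints the four decisions in order; the third line is the one that matters for the argument in the post, because it shows that a single permitted write converts a “blocked by default” third party into one whose responses are allowed to write on every subsequent ordinary request.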

On the other hand, many of the services that Google offers its users, particularly in the realm of personalization, require that cookies be placed to identify the user, their location, their settings, etc. Many of the services we’ve come to rely on require that cookies be used. Google’s “+1” and Facebook’s “Like” buttons, which are becoming ubiquitous across the net, are third-party tools, yet no one seems to complain about them.

If there were an easy way to allow some third party cookies in Safari, and if Google (and others) chose to ignore that method, then there might be reason for the outcry. But Apple tells Safari users why they block these cookies by default: “Some companies track the cookies generated by the websites you visit, so they can gather and sell information about your web activity.” If that’s what I’m told, then I certainly wouldn’t want those cookies placed on my machine! Unfortunately, while the statement is true it is very far from the entire truth. Most cookies, the very vast majority, are not used to gather data to be sold but to tailor, or personalize, the user’s experience.

Rachel Whetstone, senior vice president of communications and public policy at Google, was quoted by the Washington Post: “The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.”

Not to be outdone, Microsoft jumped on the “kick Google” bandwagon when Dean Hachamovitch, Microsoft corporate vice president of Internet Explorer, declared Google was bypassing user privacy settings in Internet Explorer, also. Perhaps true, but so were tens of thousands of other websites, all using methods that Microsoft itself painfully outlined in a Knowledge Base article (since removed, but available on the Wayback Machine).

In what appears to be the final straw, a class-action complaint has now been filed against Google for its circumvention of Safari’s privacy features. The lawsuit, filed in the US District Court for Delaware, accuses Google of willfully violating the Federal Wiretap Act, the Stored Electronic Communication Act, and the Federal Computer Fraud and Abuse Act.

It’s time for a dose of reality, folks.

The internet and the content it provides costs money to produce. There are five possible ways to fund those costs:

  1. Subscription paid by the user (popular with sports-centric sites)
  2. Product purchase by the user (Amazon, eBay and the like)
  3. Advertising placed by third parties (95%+ of the web)
  4. Self-funded by web site owner (such as our own kuppingercole.com)
  5. Funding by a donor, foundation, NGO or government body (religious and charitable sites, for example)

While there are good examples of all five, it’s number 3, the advertising model, which is most prevalent at this time. Much of the advertising we see, though, is irrelevant to our circumstances and lifestyle. Some of it can be annoying, irritating and even offensive. To combat this, vendors have unleashed “ad blocking” software for our browsers which is then combated with advertisers creating different ways of launching ads in a never ending cycle. It becomes more annoying and more offensive all the time. It’s a war that won’t end.

Now it’s possible that some people, those who are weak willed for example, prefer to have non-relevant advertising shown to them as it decreases the possibility that they might click through and – maybe – purchase something that they really don’t need. Most of us, though, I’d guess would rather be shown relevant advertising, for products that we might possibly use. But in order to show us relevant advertising the vendors (or, better, the ad-placing entity such as Google’s DoubleClick) need to know something about us. They could ask us what we like and don’t like, and Google does this in a limited way through the Google Ads Preference Manager. But it’s easier, and less intrusive, for Google to simply note where you go on the web and where you spend time. Using its knowledge of these web sites allows Google to personalize (or “tailor”) the advertising you see so that it’s relevant. For the full story of Google and ads, read Google’s Advertising and Privacy policy.

It never ceases to amaze me that so many people confuse privacy with anonymity. It’s a subject I’ve been writing about for a dozen years, but it is probably best summed up in this 2006 blog post, “Anonymity, identity – and privacy”. Privacy means that only those whom I wish to know something (or who because of their role – doctor, judge, spouse – need to know something) know it. Trying to keep everyone from knowing anything about you is attempting to be anonymous – and there is no true anonymity on the internet. There really never has been nor will there ever be.

But telling people the honest truth evidently doesn’t sell newspapers. So even the Wall Street Journal will resort to sensationalism – and a bit of biased reporting – to get itself talked about. And they’ll be abetted by commercial enterprises (in this case, Apple and Microsoft) who see a distinct advantage in having a competitor savaged. Fortunately, I’m here to set you straight. Your comments are welcome.


IAM legacies – bad for your business

10.02.2012 by Dave Kearns

It’s been almost 15 years since Business Layers and Oblix ushered in the new age of Identity and Access Management Systems (IAM systems) with what I called at the time the “killer app” for Directory Services – electronic provisioning. Even more incredible is that it’s almost 20 years since I wrote a workflow-based provisioning application (I even called it “employee provisioning”) based on Microsoft’s messaging application programming interface (MAPI). It actually was quite primitive in terms of 21st century provisioning tools in that it relied on automated email messages to inform people of things that needed to be done (grant access, deliver hardware, etc.) with an automated “nag” system if the task wasn’t marked as completed.

I know that my system is no longer used and I really doubt that the Business Layers’ and Oblix provisioning systems are still in use. But lots of people are still using lots of systems that are no longer offered. In the provisioning area alone I’ll wager that there are still installations from Thor, Waveset, M-Tech, Sun and more, none of which are still being offered – at least not under that brand name.

And it’s not only provisioning systems that have gotten “long in the tooth” in your datacenter. Every aspect of IAM has probably moved forward at least one generation since you installed it, and many have moved quite a bit forward. Let me hasten to add that it probably isn’t your fault that this has happened, especially if you’ve followed the advice we’ve been handing out over those fifteen years since electronic provisioning first became a real possibility and the IAM revolution was launched.

Back then, and for some time after, no one vendor could supply all of your IAM needs. It’s possible to argue that that is still true, but – if it is – it’s less true today than it was, say, 10 years ago. So what we, the IAM gurus, suggested was that you choose “Best of Breed” solutions and hammer them together. “Best of Breed” was an amorphous term, though, covering a great many things. In reality we meant “best for you” depending on your circumstances.

Getting all of those apps from all of those vendors to work together was a real chore – one that kept IAM consultants rolling in dough as they cobbled together scripts, apps, services and more so that you had a semblance of an IAM infrastructure.

Anyone who had gone through the experience of surveying the market, demo’ing software or trying out a “proof of concept” from multiple vendors for each area (Provisioning, SSO, Access Control, Governance, etc.) of the IAM continuum came through the exercise very tired, very bruised and very wary of starting again.

Over the years, the apps that were chosen were sometimes updated (by the customer – they were frequently updated by the vendor) whenever doing so wouldn’t break the intricate relationship with the rest of your IAM services. Sometimes – when a vendor was acquired – the app you were using would simply disappear from the market to be, perhaps, replaced by something similar (or not) depending on the whims of the new vendor.

What it all means is that those of you who should be commended for being the early adopters in the IAM space are, essentially, stuck with a cobbled together system which in many of its facets is no longer supported by its vendor, or may not even have a vendor to support it any longer.

Others of you, of course, would have spent an inordinate amount of time replacing parts of the system as mergers and acquisitions occurred. So you may have started out with Business Layers’ eProvisionware as a provisioning app. When that company was acquired by Netegrity, you might have switched your provisioning services to the leader at that time, Waveset, which, less than a year later, was acquired by Sun Microsystems. Still, you might have stayed with the people you know and, gradually, installed Sun Identity Manager. Which has now been acquired by Oracle.

Another possibility is that you, early on, went with Oblix for provisioning. Until they were acquired by Oracle early in 2005. Well, you quickly switched to the then highly recommended independent provisioning vendor – Thor Technologies. Which was acquired by Oracle!

Where does it all end? Will Larry Ellison eventually acquire everyone in the IdM space? Probably not, at least not as long as there are other major players. But what does it mean for you?

Two points I want to make up front:

  • What was “Best of Breed” a few years ago may no longer be;
  • Choosing “Best of Breed” today may be a security nightmare.

Yesterday’s “Best of Breed” was probably a stand-alone application from a vendor who was committed to a particular IAM niche. For example, Passlogix was long thought the Best of Breed Enterprise Single Sign-On (ESSO) solution. When that company was acquired 18 months ago, though (by, you might have guessed, Oracle), others who were using the product began to scramble to find a replacement – it was no longer feasible to add Passlogix’ v-GO ESSO to the other multi-vendor IAM apps you were using.

But the whole idea of a Best of Breed IAM stack from multiple vendors needs to be re-thought. The Best of Breed IAM stack was never seamlessly integrated. Scripts, publicly available protocols, data conversion hubs and some manual tweaking always seemed to be needed to ensure that everything worked together. And it almost did work together. At the best of times it was probably 95% successful. But that 5% was the camel’s nose in the IAM tent.

That 5% “seam” – which for most installations was closer to 10% or 15% – is the area that hackers, crackers and other malcontents can exploit for their nefarious purposes. That’s where the security loopholes appear, which can sometimes end up being close to 80% of your project cost, not the 5, 10 or 15% it should be.

So if your current Best of Breed solution is insecure and too complex, and if there’s really no way to improve its security by adding updates, upgrades or other potential Best of Breed applications, what should you do?

It’s time to move up a level. Rather than “Best of Breed” applications, it’s time to look at “Best Fit” suites.

You might think that with all the mergers and acquisitions of the past ten years that provisioning applications, in particular, would be offered by only a handful of vendors, but you would be wrong. Here’s a list of almost two dozen vendors offering provisioning solutions from very basic to extremely complex.

  • Atos (Siemens)
  • Avatier
  • Beta Systems
  • BMC Software
  • CA Technologies
  • Courion
  • Evidian
  • Fischer International
  • Fox Technologies
  • Hitachi ID Systems
  • IBM Tivoli
  • Ilex
  • Institute for Systemmanagement
  • Lighthouse Security Group
  • Microsoft
  • NetIQ
  • Novell
  • Omada
  • OpenIAM
  • Oracle
  • Quest Software
  • SailPoint
  • SAP

Most offer that provisioning as one of a number of modules of a suite of IAM applications and services. In almost 100% of the cases, any IAM disciplines that the vendor hasn’t created in-house (or through acquisition) are offered from closely tied partners with assurances of relatively seamless connectivity, connectivity which you couldn’t hope to match by picking apps and services from a laundry list of vendors.

You might think that, since you’re picking a full-blown suite, this makes your job easier – the vendor has done the work of matching up and integrating the various parts. You would, of course, be wrong.

More than ever you will need to be extremely diligent in doing your homework, first by determining your organization’s needs and then by weighing each of the vendors’ offerings to see which is the best fit for you.

It’s not enough to take the suite with the most modules, even. More than likely it will include services you don’t want, don’t need or, perhaps, can’t legally run (think about privacy regulations, for example). But you will still pay for all of those modules, whether or not you use them.

You certainly don’t want to automatically take the best seller or the one that’s most popular with the critics and analysts – while those will be good choices, they’re not necessarily the best choice for your organization in its present (or future) circumstances.

So, how will you find the right suite for you, the one that will replace the hodge-podge of services or the orphaned apps that you are currently using? Let me offer one methodology.

In their book, The Innovator’s DNA: Mastering the Five Skills of Disruptive Innovators [Harvard Business Review Books], Jeff Dyer, Hal Gregersen, and Clayton M. Christensen present a study of successful innovators (e.g., Steve Jobs) and attempt to distill the habits which served them well in creating disruption and success. If you’re going to be successful at disrupting your IAM structure and innovating a new, secure IAM environment then you might want to consider these skills.

The five skills that should be mastered are: associating, questioning, observing, networking, and experimenting. What do they mean? The authors explain:

Associating refers to your ability to make connections across seemingly unrelated questions, problems, fields of study, or ideas. Associational thinkers draw on knowledge acquired through questioning, observing, experimenting and networking to link together unexpected combinations of problems, ideas and observations to produce new business ideas.

Questioning reflects your passion for inquiry (measured through the frequency and types of questions you ask) to find new insights, connections, possibilities, and directions. Active, honest questioning of the status quo provides a powerful tool for opening up new opportunities and uncovering new business ideas and directions.

Observing refers to your propensity to intensely observe (not just visually) the world around you on a regular basis — such as customers, products, services, and technologies — and through observation gain insights and ideas about new ways of doing things.

Experimenting refers to the frequency with which you explore with an experimental mindset, visiting new places, trying new things, seeking new information, and experimenting to learn new things. Experimenters constantly explore the world intellectually and experientially, holding convictions at bay, testing hypotheses along the way.

Networking refers to finding and testing ideas with a network of individuals who are diverse in both background and perspective. Networkers actively search for new ideas by talking to people who may offer a radically different perspective.

So, how does this apply to you, starting out to revise, revitalize and revamp your IAM infrastructure?

You’ve already begun if you’re Questioning your current IAM installation. Network with others in your organization, across all departments and functions from the top to the bottom. Discover what they like and don’t like about your current IAM stack and what related features and tools they would like to have to enable them to get their job done more easily, efficiently and effectively. Follow that up by Observing what is being offered by vendors in their suites of IAM services and which are applicable to your situation – and the wants and needs of your users. Once you’ve determined a short list of possible IAM suites, begin to Experiment with them. Set up test beds and see if the suites perform as their vendors imply. See if your users would be comfortable using these new tools and functions. Then Observe and Question your findings and revise your Experiments accordingly. Finally, Associate all of your findings, conversations, observations and experiments and make your choice.

It’s not a short process, nor is it an easy one. But the piano-wire-and-chewing-gum nature of your current IAM installation is going to come unraveled. And probably sooner rather than later. Get started now.

#####

To find out what’s new in IAM, join me along with representatives from Courion, Oracle and Atos for a look at “Best Practice Driven Identity & Access Management,” Tuesday, February 21 at 11:00 AM EST (17:00 CET/8:00 AM PST). Register here.



© 2012 Dave Kearns, KuppingerCole