06.03.2014 by Martin Kuppinger
Recently, the FIDO Alliance announced that PayPal and Samsung were enabling consumer payments with fingerprint authentication on the new Samsung Galaxy S5. My valued colleague Dave Kearns and I have written various posts about the FIDO Alliance and the impact we expect they will have on the market of strong authentication and BYOI (Bring Your Own Identity). Have a look here, here, and here.
What first reads like one of these unexciting press releases I receive in huge quantities daily is in fact about a groundbreaking paradigm shift that will have massive impact on device vendors, strong authentication technology providers, and – last but not least – on social networks.
FIDO is all about enabling users to rely on one personal digital identity, their “own identity” in BYOI, to access various services. Not only that, it is also about enabling BYOI with strong authentication and, finally, getting rid of username and password authentication. While the Samsung/PayPal case is the first large use case for the FIDO Alliance, this is just the beginning. Looking at the long list of members of the FIDO Alliance, others will follow. Users then can access various services, relying on strong authentication and a locally managed identity on their smartphone. In addition, Samsung will not remain the only device vendor delivering FIDO-enabled devices.
Obviously, that will affect many markets. Strong authentication vendors, device vendors, services acting as Identity Providers, etc.
It especially will have a massive impact on social networks. A significant part of their attractiveness is that many of these have become an Identity Provider, supporting the “social login”. This is part of the business model of social networks – users are bound to the networks and the social networks learn about user behavior, which is at the core of their business model. However, there is a downside to that from a marketing perspective, as I recently explained. Aside from that, social logins commonly lack support for strong authentication.
When the FIDO Alliance success continues, the need for social logins – the most common way for BYOI –will disappear. Why should users rely on social logins when they have a more secure way to authenticate, built into their devices of choice? With the beginning of the end of social logins, an important part of the business model of social networks start to crumble away. And that is the real big news behind the recent announcement of FIDO Alliance.
06.08.2010 by Martin Kuppinger
Amongst the different vendors I’ve spoken recently, JanRain is definitely one of the most interesting ones – and will most likely make it into the list of next year’s Hidden Gem vendors. JanRain has had some popularity as one of the initiators of OpenID and with their OpenID libraries and other related services. However, they have made an interesting move during the last years and now provide what they call a “user management platform for the open web”. In fact, they provide products for web sites and social networks to enhance the user experience around registration and the services which deal with user data.
Amongst these products are solutions which enable web site developers to quickly integrate registration features which rely on social networks such as Facebook – use your Facebook account to register… There are several other services on top of this. But there are as well capabilities for stepping up in the authentication depending on the types of interactions and transactions someone is doing.
JanRain has managed to find an appealing and obviously successful business model around identity services. They are not focused on any particular type of authentication like Information Cards or OpenID but provide the frameworks to deal with all these different approaches. And that is exactly what most organizations need today when building their online presence: Flexibility in dealing with different online identities and an user-centric approach which allows users to quickly and easily register. JanRain definitely is worth a look for any web developer and especially for all the people responsible for online marketing.
27.07.2010 by Martin Kuppinger
Today I opened my Facebook which I use actively since yesterday. When g0ing to my settings, the system informed me about changed privacy settings. What it then recommended was ridiculous: All my very tight settings should be opened up. Instead of sharing information only with my friends, the system suggested that I should share a lot of information with everyone and other, sometimes sensitive information (religion, political opinions) with friends of my friends. I had to manually change back everything to “old settings” which at least was an option I could use. However, from my perspective it is fully inacceptable from a privacy perspective to suggest such changes. If someone has opted for tight settings, this approach just shows that Facebook still hasn’t understood anything.
Besides this, the options for managing “authorizations” or privacy settings, e.g. controlling who is allowed to see what are primitive. I can share everything with my friends. But in many cases I want to share some informati0n only with some of my friends. I can use lists, but I for example can’t use these lists as sort of “groups for ACLs (Access Control Lists)”. At list I didn’t manage to find out how until now. But given that I have friends from business and from my private life, it is very obvious that I won’t share everything with everyone, isn’t it?
Again, like pointed out here and here, there is no reason not to construct social networks secure and with strong privacy settings. For sure it is hard to do it afterwards, once you have a bad security architecture in place. But technically seen, it is feasible – and it is relatively easy. But it requires understanding the needs for privacy (which become an inhibitor to the market for Facebook at least in some countries these days) – and you have to do that.
Why am I using Facebook anyway? Too many people are using it and many said that it is a better way to stay in touch with contacts than the other social networks like Xing or LinkedIn. And, by the way: These other networks are as well not the godfathers or inventors of privacy… I don’t expect Facebook to ever understand privacy and act accordingly. Thus I’ll keep an eye on what I publish there and what I don’t publish and I’ll keep my privacy settings very rigid. For sure I could use more than one Facebook account. But that would be harder to manage and a pain for the ones which are “friends” in private and business life.
Just a side note: Interestingly many startups have significant lacks in their overall software architecture and struggle with things like scalability and adding new features. And even more struggle with increasing security requirements. One reason is the missing understanding for security (see link above). The other is that many startups have CTOs which are pretty inexperienced – interestingly the ones where the founders (and amongst them the CTO) is doing a startup the second or third time perform much better because they have learned many lessons before. There are – like always – exceptions from that rule, e.g. startups with young CTOs doing a very good job. But these are the exceptions. You could bet on what my rating for Facebook is from that perspective…
By the way: If anyone knows how to control all access to the content in Facebook based on my lists of friends, let me know…
22.10.2009 by Martin Kuppinger
Yesterday, I read an article at a German news web-site about the recent security leaks found in the social network SchülerVZ. The article claims that social networks like SchülerVZ and Facebook (both are mentioned) don’t have any chance to avoid crawlers accesing personal data which should be presented only to friends. Ridiculous!!!
Sorry, that is definitely nonsense!
It is very simple. You have some data which is visible only to some specific persons. You have an authorization policy, which might be expressed in the form of ACLs or XACML or whatever. Some application (the regular frontend, a crawler, an administrative application,…) tries to access data. You have done an authentication. You do the authorization by comparing the authentication information to the authorization information. You decide on whether access is allowed or not. That is done in millions of applications day-by-day. And that shouldn’t work with social network sites? I don’t see any real reason why!
For sure there are two reasons why at least some social networks don’t do that in this way:
- Bad software architecture: Security has to be done by design, from the very beginning. Otherwise it is hard to implement it. Unfortunately, many developers don’t design security in their products but add it at the end, as something painful they have to do at the minimum level.
- Performance considerations: For sure security will affect performance. For any access, you will have to do security checks. You will even have to provide stronger authentication features. But it can be done. Providers will probably require some more hardware to keep the performance level of their social networks. But security has its price.
But to be honest: These aren’t valid reasons. Either you are able to deploy a social network in a secure way and fulfill the data protection laws. Or you should shut the entire thing down. Given that it is possible to secure social networks, the operators should be fully responsible for any security breach.
By the way: Even the databases themselves can be fully secured. That depends a little on the database chosen and the additional technologies in place, like Oracle’s Database Security products (to mention one of the more advanced solutions). OK, that will again cost you some performance and some money. But again it is about “security first”. If the providers of social networks can’t afford the cost of security, their business model just doesn’t work.
18.08.2009 by Martin Kuppinger
Open-Xchange, a provider of open source messaging and groupware, has announced its concept of Social OX, OX standing for Open Xchange and the concept of a “personal information hub”. The idea is to provide an approach where someone can maintain its “contacts” centrally and exchange that information with social networks like LinkedIn, Plaxo, Xing, FaceBook, MySpace, and others. The idea is to consolidate, manage, and re-use personal and social network data.
The concept supports publishing data to others and consuming shared data. In effect, that information will become exchangeable, in contrast to today’s lock-in approach in most social networks. Data can be tagged and so on, allowing to use different data for different contexts. That even will allow companies to integrate (respecting the data protection/privacy laws) available contact aggregated from individual contacts of employees, as one of many use cases.
Currently, HTTP and XML are the underlying concepts, allowing an easy adoption. But Open-Xchange considers approaches like information cards as well for the future. The focus is on a common semantics and standardized interfaces to exchange that information. And Open-Xchange claims that several large social network providers are starting to support that concept.
Social OX is an interesting threat for providers of social networks, given that it opens them up. But will it also affect their business models? Currently, the lock-in is a part of the concepts. With approaches like Social OX (and the approach for exchanging social network information might be used by other vendors as well) that lock-in disappears, allowing to use platforms like Open-Xchange to read the data out and publish it to another social network. That will allow a faster and more easy switch between social networks.
However, it is unlikely that leading social networks will disappear. They benefit from the number of users and they especially benefit from their other services around the personal information which could be exchanged using Social OX. However, it will become easier for new social networks (and other system relying on that information) to enter the market. Today, the value of new social network approaches is frequently low because there are too few users. That will become easier, even with the need of others to subscribe and import their data as well.
Social OX has the potential to influence the way we work with social network data and personal information, with Open-Xchange (and maybe other vendors) acting as personal information hub. It might as well allow new business models (think about personalization). And it might lead to a world with more successful social networks than today, due to a lower market entry for newcomers. But as long as the market leaders focus on the added values for the network members and have a valid business model (which isn’t necessarily true for all of them today), Social OX will not lead to their replacement. However, they will have to learn to exist without the lock-in of social network information of their customers.
18.02.2009 by Martin Kuppinger
Some time ago I blogged about the “rise and fall of social networks“. My main point was that today’s social networks lock-in the information of their customers – but if I participate in Xing, LinkedIn, Facebook or other platforms, I enter my data there. With some networks, it’s virtually impossible to export my own network. And if I want to use more than one of these networks, there is no way to just move my existing network to the new platform. The interfaces (in most cases) as well as the standards (in any case) are missing.
Yesterday, the discussion gained further momentum because Facebook has changed its policies. Facebook now claims an unlimited right to use the information which someone has entered – even when the user cancels his Facebook account. Interestingly, the general terms and conditions aren’t (or at least haven’t been) fully translated into German. Some German lawyers claim that they are thus invalid, because German law requires them to be in German.
Overall, the recent discussion an the overall situation is pretty interesting from two perspectives:
- Legal: Which of the general terms and conditions of providers are valid? Given that Facebook doesn’t act in Germany (and most other countries), but from the US, the contract is between an US company and a German (or other) user, that is a very interesting question. It is, by the way, a general issue in the Internet. Most companies will face the same problem once they start using the cloud (and some have experienced these issues in outsourcing). Another question is about copyright and intellectual property rights – are rules like the ones of Facebook or Xing really valid? I have to grant them unlimited rights without any restrictions. I can’t cancel the contract. Once I have agreed, I’ve lost my rights. Besides this, it is as well an interesting question whether the change of general term and conditions affects information which has been in the network before that change and whether or not someone has to agree explicitly to that change. I’m no lawyer but I think that these are interesting questions.
- Data ownership: Again, it is my network. I really don’t like to have this lock-in.
In another area, the customer relationships, we have a somewhat comparable situation. Vendors have a lot of information about me – and I don’t really know what they know about me. In German law, I can request that they provide me with the information they have stored about me (which might provide reasonable workload if many customers ask for that information). But there are other approaches. The concept of VRM (Vendor Relationship Management) which has been intensively discussed at last year’s European Identity Conference tries to change the play. The customer manages his vendor relations and controls which information he provides to whom. Like I have stated in my older post on social networks, these concepts might be applied to new type of social networks. I’m not quite sure about the business model. But as long as I have to act with vendors which have business models that – like they claim – only work if I give away any control and rights about my information I think it is really worth to consider a switch in that area.
I think that companies like Facebook and Xing with their general terms and conditions are digging their own grave. That won’t happen very fast, but once the users have an option which provides them more rights and more privacy, that might happen.
23.01.2008 by Martin Kuppinger
Some days ago I received a press release which stated that in UK the cost of social networks is around 6,5 GBP – at least a recent study claims it to be that high. Such numbers are always questionable, for sure. Which are the real costs of someone maintaining his own social network? Difficult to calculate… But: Even 1 billion would be too much.
There is some value in social networks, especially in business networks. But it is obvious that it takes a lot of time to maintain contacts, find people you know and especially to do this multiple times for different networks. I personally have chosen to limit myself to three networks: Xing, LinkedIn, and StayFriends. And I really hate it to do the same work in Xing and LinkedIn. I could easily split half my own “costs” for maintaining social networks if I easily could exchange information between these networks. User-centric IAM approaches applied to social networks thus might cut the costs significantly. One more reason to doubt the future of today’s social networks.
21.12.2007 by Martin Kuppinger
There is a broad discussion around the use of identity information at StudiVZ these days. They have changed their agreements with their users and will present personalized adverts. That has lead to an intensive discussion in their user community. Another interesting change can be found at Xing since some two weeks: At the starting page you can now directly see not only the number of new contacts of your contacts (like at LinkedIn) but the names of the new contacts.
I personally found that change a little bit to open. For sure you can look up the contact lists of your contacts as long as they aren’t hidden. But there is a difference between acting actively and this new situation where you are passive. I’m not sure whether I like that – and I doubt that other users are convinced of the value of this change.
But, more important than the question whether I will hide my contacts at Xing as a consequence of this change there is another aspect which is common for both described situations: Social networks are at a critical point. And their next steps will influence the future not only of some single social networks but of the approach in general.
Read the rest of this entry »