Social networks could be secure!

22.10.2009 by Martin Kuppinger

Yesterday, I read an article at a German news website about the recent security leaks found in the social network SchülerVZ. The article claims that social networks like SchülerVZ and Facebook (both are mentioned) don’t have any chance to avoid crawlers accessing personal data which should be presented only to friends. Ridiculous!!!

Sorry, that is definitely nonsense!

It is very simple. You have some data which is visible only to some specific persons. You have an authorization policy, which might be expressed in the form of ACLs or XACML or whatever. Some application (the regular frontend, a crawler, an administrative application,…) tries to access data. You have done an authentication. You do the authorization by comparing the authentication information to the authorization information. You decide on whether access is allowed or not. That is done in millions of applications day-by-day. And that shouldn’t work with social network sites? I don’t see any real reason why!
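The decision flow described above, as an added example (not code from the article or from any social network): one data-access function filters profile fields by comparing the authenticated requester to a per-field visibility policy, so the regular frontend and a crawler receive the same answer. The names `Profile`, `allowed`, `read_profile`, the three visibility levels and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed visibility levels for this sketch.
PUBLIC, FRIENDS, OWNER = "public", "friends", "owner"

@dataclass
class Profile:
    owner: str
    friends: set
    fields: dict  # field name -> (value, visibility)

def allowed(profile, requester, visibility):
    """Compare the authenticated identity to the policy; deny by default."""
    if visibility == PUBLIC:
        return True
    if requester is None:              # not authenticated: public data only
        return False
    if requester == profile.owner:     # owners always see their own data
        return True
    # Unknown visibility values fall through to a denial.
    return visibility == FRIENDS and requester in profile.friends

def read_profile(profile, requester):
    """The only path to profile data: every client gets the filtered view."""
    return {
        name: value
        for name, (value, visibility) in profile.fields.items()
        if allowed(profile, requester, visibility)
    }

# Constructed sample data.
ALICE = Profile(
    owner="alice",
    friends={"bob"},
    fields={
        "name": ("Alice", PUBLIC),
        "birthday": ("1990-05-01", FRIENDS),
        "phone": ("+49 000 0000", OWNER),
    },
)

if __name__ == "__main__":
    # "crawler-account" is a logged-in user who is not a friend.
    for who in ("bob", "crawler-account", None, "alice"):
        print(who, "->", sorted(read_profile(ALICE, who)))
```

Because the check sits in the data-access path rather than in the page templates, a crawler that logs in with an ordinary account is treated like any other non-friend.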

For sure there are two reasons why at least some social networks don’t do that in this way:

  • Bad software architecture: Security has to be done by design, from the very beginning. Otherwise it is hard to implement it. Unfortunately, many developers don’t design security in their products but add it at the end, as something painful they have to do at the minimum level.
  • Performance considerations: For sure security will affect performance. For any access, you will have to do security checks. You will even have to provide stronger authentication features. But it can be done. Providers will probably require some more hardware to keep the performance level of their social networks. But security has its price.

But to be honest: These aren’t valid reasons. Either you are able to deploy a social network in a secure way and fulfill the data protection laws. Or you should shut the entire thing down. Given that it is possible to secure social networks, the operators should be fully responsible for any security breach.

By the way: Even the databases themselves can be fully secured. That depends a little on the database chosen and the additional technologies in place, like Oracle’s Database Security products (to mention one of the more advanced solutions). OK, that will again cost you some performance and some money. But again it is about “security first”. If the providers of social networks can’t afford the cost of security, their business model just doesn’t work.

Social OX – changing the way we work with social networks

18.08.2009 by Martin Kuppinger

Open-Xchange, a provider of open source messaging and groupware, has announced its concept of Social OX, OX standing for Open Xchange and the concept of a “personal information hub”. The idea is to provide an approach where someone can maintain their “contacts” centrally and exchange that information with social networks like LinkedIn, Plaxo, Xing, Facebook, MySpace, and others. The idea is to consolidate, manage, and re-use personal and social network data.

The concept supports publishing data to others and consuming shared data. In effect, that information will become exchangeable, in contrast to today’s lock-in approach in most social networks. Data can be tagged and so on, allowing different data to be used for different contexts. That will even allow companies to integrate (respecting the data protection/privacy laws) available contacts aggregated from the individual contacts of employees, as one of many use cases.

Currently, HTTP and XML are the underlying concepts, allowing an easy adoption. But Open-Xchange considers approaches like information cards as well for the future. The focus is on a common semantics and standardized interfaces to exchange that information. And Open-Xchange claims that several large social network providers are starting to support that concept.

Social OX is an interesting threat for providers of social networks, given that it opens them up. But will it also affect their business models? Currently, the lock-in is a part of the concepts. With approaches like Social OX (and the approach for exchanging social network information might be used by other vendors as well) that lock-in disappears, making it possible to use platforms like Open-Xchange to read the data out and publish it to another social network. That will allow a faster and easier switch between social networks.

However, it is unlikely that leading social networks will disappear. They benefit from the number of users and they especially benefit from their other services around the personal information which could be exchanged using Social OX. However, it will become easier for new social networks (and other systems relying on that information) to enter the market. Today, the value of new social network approaches is frequently low because there are too few users. That will become easier, even with the need of others to subscribe and import their data as well.

Social OX has the potential to influence the way we work with social network data and personal information, with Open-Xchange (and maybe other vendors) acting as personal information hub. It might as well allow new business models (think about personalization). And it might lead to a world with more successful social networks than today, due to a lower market entry for newcomers. But as long as the market leaders focus on the added values for the network members and have a valid business model (which isn’t necessarily true for all of them today), Social OX will not lead to their replacement. However, they will have to learn to exist without the lock-in of social network information of their customers.

Facebook, Xing, and the question of copyrights…

18.02.2009 by Martin Kuppinger

Some time ago I blogged about the “rise and fall of social networks”. My main point was that today’s social networks lock in the information of their customers – but if I participate in Xing, LinkedIn, Facebook or other platforms, I enter my data there. With some networks, it’s virtually impossible to export my own network. And if I want to use more than one of these networks, there is no way to just move my existing network to the new platform. The interfaces (in most cases) as well as the standards (in any case) are missing.

Yesterday, the discussion gained further momentum because Facebook has changed its policies. Facebook now claims an unlimited right to use the information which someone has entered – even when the user cancels his Facebook account. Interestingly, the general terms and conditions aren’t (or at least haven’t been) fully translated into German. Some German lawyers claim that they are thus invalid, because German law requires them to be in German.

Overall, the recent discussion and the overall situation are pretty interesting from two perspectives:

  • Legal: Which of the general terms and conditions of providers are valid? Given that Facebook doesn’t act in Germany (and most other countries), but from the US, the contract is between a US company and a German (or other) user, that is a very interesting question. It is, by the way, a general issue in the Internet. Most companies will face the same problem once they start using the cloud (and some have experienced these issues in outsourcing). Another question is about copyright and intellectual property rights – are rules like the ones of Facebook or Xing really valid? I have to grant them unlimited rights without any restrictions. I can’t cancel the contract. Once I have agreed, I’ve lost my rights. Besides this, it is as well an interesting question whether the change of general terms and conditions affects information which has been in the network before that change and whether or not someone has to agree explicitly to that change. I’m no lawyer but I think that these are interesting questions.
  • Data ownership: Again, it is my network. I really don’t like to have this lock-in.

In another area, the customer relationships, we have a somewhat comparable situation. Vendors have a lot of information about me – and I don’t really know what they know about me. In German law, I can request that they provide me with the information they have stored about me (which might provide reasonable workload if many customers ask for that information). But there are other approaches. The concept of VRM (Vendor Relationship Management), which was intensively discussed at last year’s European Identity Conference, tries to change the play. The customer manages his vendor relations and controls which information he provides to whom. Like I have stated in my older post on social networks, these concepts might be applied to a new type of social network. I’m not quite sure about the business model. But as long as I have to act with vendors which have business models that – like they claim – only work if I give away any control and rights about my information, I think it is really worth considering a switch in that area.

I think that companies like Facebook and Xing with their general terms and conditions are digging their own grave. That won’t happen very fast, but once the users have an option which provides them more rights and more privacy, that might happen.

6,5 billion GBP spent for social networks in UK

23.01.2008 by Martin Kuppinger

Some days ago I received a press release which stated that in the UK the cost of social networks is around 6,5 billion GBP – at least a recent study claims it to be that high. Such numbers are always questionable, for sure. Which are the real costs of someone maintaining his own social network? Difficult to calculate… But: Even 1 billion would be too much.

There is some value in social networks, especially in business networks. But it is obvious that it takes a lot of time to maintain contacts, find people you know and especially to do this multiple times for different networks. I personally have chosen to limit myself to three networks: Xing, LinkedIn, and StayFriends. And I really hate doing the same work in Xing and LinkedIn. I could easily split half my own “costs” for maintaining social networks if I easily could exchange information between these networks. User-centric IAM approaches applied to social networks thus might cut the costs significantly. One more reason to doubt the future of today’s social networks.

The rise and fall of social networks

21.12.2007 by Martin Kuppinger

There is a broad discussion around the use of identity information at StudiVZ these days. They have changed their agreements with their users and will present personalized adverts. That has led to an intensive discussion in their user community. Another interesting change can be found at Xing since some two weeks: At the starting page you can now directly see not only the number of new contacts of your contacts (like at LinkedIn) but the names of the new contacts.

I personally found that change a little bit too open. For sure you can look up the contact lists of your contacts as long as they aren’t hidden. But there is a difference between acting actively and this new situation where you are passive. I’m not sure whether I like that – and I doubt that other users are convinced of the value of this change.

But, more important than the question whether I will hide my contacts at Xing as a consequence of this change there is another aspect which is common for both described situations: Social networks are at a critical point. And their next steps will influence the future not only of some single social networks but of the approach in general.


© 2010 Martin Kuppinger, Kuppinger Cole + Partner