Some time ago I blogged about the “rise and fall of social networks“. My main point was that today’s social networks lock-in the information of their customers – but if I participate in Xing, LinkedIn, Facebook or other platforms, I enter my data there. With some networks, it’s virtually impossible to export my own network. And if I want to use more than one of these networks, there is no way to just move my existing network to the new platform. The interfaces (in most cases) as well as the standards (in any case) are missing.

Yesterday, the discussion gained further momentum because Facebook has changed its policies. Facebook now claims an unlimited right to use the information which someone has entered – even when the user cancels his Facebook account. Interestingly, the general terms and conditions aren’t (or at least haven’t been) fully translated into German. Some German lawyers claim that they are thus invalid, because German law requires them to be in German.

Overall, the recent discussion an the overall situation is pretty interesting from two perspectives:

• Legal: Which of the general terms and conditions of providers are valid? Given that Facebook doesn’t act in Germany (and most other countries), but from the US, the contract is between an US company and a German (or other) user, that is a very interesting question. It is, by the way, a general issue in the Internet. Most companies will face the same problem once they start using the cloud (and some have experienced these issues in outsourcing). Another question is about copyright and intellectual property rights – are rules like the ones of Facebook or Xing really valid? I have to grant them unlimited rights without any restrictions. I can’t cancel the contract. Once I have agreed, I’ve lost my rights. Besides this, it is as well an interesting question whether the change of general term and conditions affects information which has been in the network before that change and whether or not someone has to agree explicitly to that change. I’m no lawyer but I think that these are interesting questions.
• Data ownership: Again, it is my network. I really don’t like to have this lock-in.

In another area, the customer relationships, we have a somewhat comparable situation. Vendors have a lot of information about me – and I don’t really know what they know about me. In German law, I can request that they provide me with the information they have stored about me (which might provide reasonable workload if many customers ask for that information). But there are other approaches. The concept of VRM (Vendor Relationship Management) which has been intensively discussed at last year’s European Identity Conference tries to change the play. The customer manages his vendor relations and controls which information he provides to whom. Like I have stated in my older post on social networks, these concepts might be applied to new type of social networks. I’m not quite sure about the business model. But as long as I have to act with vendors which have business models that – like they claim – only work if I give away any control and rights about my information I think it is really worth to consider a switch in that area.

I think that companies like Facebook and Xing with their general terms and conditions are digging their own grave. That won’t happen very fast, but once the users have an option which provides them more rights and more privacy, that might happen.

I have a personal history in the areas of personalization and profiling. And there might be some good chance for these ideas to become reality now – in the context of Infocards and to the sake of VRM (Vendor Relationship Management).

The threat in personalization and profiling is to know what the person really wants (personalization) or is/has (profiling). The one who knows best is the person itself.

(Managed) infocards can transport virtually everything. They might provide profile information for personalization. A trusted identity provider might offer a service which stores profile information it retrieves from the users and provides it in a controlled way (the basic idea of user-centrism) to web sites which shall provide a personalized experience to the user.

Bring in things like U-prove and that site doesn’t need to know the exact data but can “ask” the Identity Provider about relevant aspects and retrieve a yes/no decision. For sure the service provider/relying party in that equation will know some things but the amount of this knowledge can be limited – and thus privacy can be maximized.

I’m convinced that there is a business model for Identity Providers. Users might pay for a trustworthy handling of privacy information. Relying parties might pay for the ability to personalize information. There might also be approaches where the service is for free but the privacy is limited – the relying party might pay more if she learns more about the user. Both approaches might work.

VRM fits perfectly into this. It is the use of these approaches for vendor relationships, providing information for buying decisions via Infocards. For me, VRM, infocards and technologies like U-Prove are the pieces of a puzzle which, when ready, shows personalization and profiling as the picture.