Amazon’s bid for the .book domain name – The blame lies elsewhere

Interesting story over at The Verge about publishing industry opposition to Amazon trying to muscle in to own a proposed new .book top-level domain.

So why are Amazon attracting all the flack? The real culprit, in my opinion, is the ICANN of worms opened last Spring – I blogged at the time that what they were doing was a very, very, silly idea and would really benefit nobody but crooks and dodgy operators. To be clear, I do not place Amazon in either category. In their shoes, I would have done the same and tried to register .book before anyone else did – a (for them, relatively cheap) insurance policy.

But if you set in motion a process that has limited to no real benefit for legitimate operators but offers a boon for crooks and dodgy operators, what would you call it? Answers on a postcard please…

Posted in Uncategorized | Leave a comment

In a hotel, should we have the same service expectations from WiFi as we do for hot running water?

Time was when you couldn’t always guarantee hot running water in hotels in parts of France or Southern Europe. It came with the territory, so to speak. You knew there were areas where this was a distinct possibility. So one could presumably excuse many smaller hotels whose ISP infrastructure is a little rickety, no?

No. In an aggressive low-margin industry, smaller hotels include free Internet access as part of their value proposition and differentiator to attract customers. It is used in the same way that “hot running water” used to be advertised in some hotels where such service could not be taken for granted.

To add insult to injury today, not only do I not have my trusty smartphone as my access point to the Internet and the world, my work, my contacts, my friends – but I’m in a hotel in Cannes, France that takes, let’s be kind, a “relaxed” attitude towards the provision of Internet connectivity.

Instead, the Suite Novotel Cannes has an all-too-typical and cavalier attitude to service provision, somewhat equivalent to saying “so you have no water? Well, someone might be able to fix that in the morning. Nothing I can do, it’s not my problem. Good night.” You offer a reasonable brand (Novotel), a reasonable room, a hefty price but “free, unlimited, wireless Internet access” as a palliative. It’s a business hotel and, well, I want to get on and do some of my business – Online. Which is why I chose you. Instead I’m pinging the Internet every fifteen minutes or so to see if I can squeeze another email in or out. It’s like sucking honey through a thin straw.

As customers, are we too mute in our responses to poor service in this area? To the “Sorry, the IT guy’s not around”; “We have no control over this, it’s our service provider” (more common); “I’m not really sure how it works, someone might be able to take a look in the morning” (most common)?

Because it’s technology, we excuse it. Running water, electricity – we understand those. If the whole neighbourhood goes dark, that’s one thing – you are not going to blame the hotel. But if the lights went out in your hotel and the water stopped flowing, just to you, you would expect the hotel to fix it pretty damned quickly. Just because the Internet access is bits and bytes and “it’s complicated” (which it isn’t), doesn’t mean that it isn’t still offered as a service and included in the cost model, pricing, and customer expectations.

This isn’t some “white whine” – I’m not claiming it’s a life or death issue (there are thankfully very, very, few) or that anyone will be harmed because I can’t get online. But I am claiming that if a hotel offers a service, it should deliver; repair it promptly if it isn’t working; and compensate customers if it can’t be restored.


Dear @selop, Dear Nokia, do you REALLY want me to buy your #Lumia920 phone?

How difficult should it be?

You walk into a store. Pick the product you want. Pay for it. Walk out the store a happy consumer. Vendor presumably happy too.

Unless you want to buy a Nokia 920 phone that is. I’m on a European trip this week and accidentally left my three year old phone behind – just at a time when I’m thinking of upgrading. The perfect prospect, one would think. A potential customer, who knows what he wants; is happy to go to some trouble to get it, while ignoring other temptations on the way (no…not the PlayPhone 5 for me; or the Cyborg with Cup Cake O/S – I’m talking professional tools that also protect my data).

I live in the USA. Only option to purchase the phone there is through AT&T. Their less-than-transparent pricing practices; price gouging for obvious features that come with the phone anyway; and their data capping, mean that I won’t be going near them. But thanks for asking.

I’m now in France. Sure, Orange will sell me the Nokia 920. Without a contract, so I can slip my existing US card in the phone when I get back home and have something to tide me over the three days I’m here in France. Or so I thought. The shop will sell me the phone. With no contract. But locked to their network for “at least a few months” – really useful, when I’ll be gone in a few days.

In both the US and now in France, the reply is the same: “Blame Nokia, they won’t let us sell the phone unlocked, and we have to ask their authorisation each time for each phone.”

So, Nokia – is this true? If not, I’d be glad to hear from you with a correction and a call to the manager of the Orange store in Cannes.

If it is true then ponder on this: people who are buying new phones on the basis of objective criteria for their personal and business needs, will have looked around and decided what they want. These people have probably, in the recent past, also been locked in to a specific service provider but after the handcuffs came off, probably shopped around to find the best provider.

These are the users you want to attract – sold already on your devices but with the service provider(s) that they have already chosen.

Is it that difficult to understand why you are not making the sales you should with what I consider, based on just the limited time I have had to trial it, the best smartphone on the market, by far, bar none? If this Western world is such a free market, why can’t I buy the phone I want?

So, Nokia, do you want my business or do I have to conclude that I should look elsewhere?


Obama 1 – Voting systems 0

Being an obsessive reader and interpreter of signs, it’s natural that I’m also an election night addict. Yesterday was no exception, a psephologist’s dream. The night belonged to President Obama but a hat-tip nonetheless to the dogged band of professional pollsters who consistently predicted an easy win – not because the national, popular, vote was so heavily in Obama’s favour but because they understood exactly how fine tuned and laser precise was the work of David Plouffe’s TeamObama in determining to which areas they needed to turn their attention and resources. To eke out such an electoral college majority (currently standing at 303) from only nine swing states is truly impressive.

I was intrigued during the President’s victory speech by a near throwaway comment. In his warm up, commenting on the struggle that many citizens had in getting to vote, Obama – clearly ticked off – stated “by the way, we have to fix that”, a reference to the creaking and inefficient voting systems in use across the country. What other Western democracy has people in line for nearly a whole working day? Has so many cases of alleged fraud, faulty voting machines, mis-counted votes? Hanging and pregnant chads, anyone? And, despite the landslide, Florida still hasn’t gotten around to counting all its votes.

As readers will know, I am heavily engaged in the US National Strategy for Trusted Identities in Cyberspace (NSTIC) and the private-sector led organization set up to deliver its objectives.

Last night’s comment by President Obama got me to thinking: aren’t the technologies today mature enough to deliver a secure, trusted, online solution to voting? With all the displacements in New Jersey and New York following Hurricane Sandy, one would have thought there was an ideal opportunity for using secure mobile devices, like…I don’t know…the cell phones in our pockets? What’s to stop this being looked into? The swathe of new electoral legislation in many states in the run up to yesterday’s election reflected growing unease about authenticating eligible voters (if often motivated by partisan spite) and voters are equally uneasy about how secure, and secret, their secret ballot really is once it is delivered electronically.

This would seem like a perfect pilot for NSTIC: examine the technological feasibility; look at the policy constraints and requirements; consider the registration, ballot delivery, voting, reporting, auditing processes along with the privacy, security and citizen concerns.

More on this tomorrow after I recover from my post-election hangover…


A Paradigm Shift in Personal Data – from possession to use

Ever since I started getting interested in this subject and started writing about it, I had in my pea-brained mind a vague vision of some technology-enabled future in which people could exercise greater, if not total, control over “their data”.

I felt very at home at IIW last week (23-5 October 2012), at which this issue came up again and again. Although a newcomer to this particular party, I don’t make any claim to particular “prior art” in this area – my interest was sparked nearly a decade ago about possible policy implications around data ownership, and less so about the technological feasibility of such an approach. The issue may not have been consistently on my radar in the intervening years but it was great to see last week how much the conversation has moved forward as well as the technologies.

We still tend to think of personal data as digital objects that are stored, moved around and have value added to them as they become passed through the value chain of the identity ecosystem from the single-celled organisms of data points about a particular person up to the top-table of juicy morsels served up (against due payment of course) by the data aggregators and digital advertisers.

This seems set to change if we think of this ecosystem as actually offering the possibility of a value network rather than a value chain. In a value chain, value is added as some product or asset is passed upwards. It is only one-way: in the personal data space, today you are the lunch and at the bottom of that food chain. In a value network, every participant wins, including us mere mortals. So how would this work? Firstly, a paradigm shift.

I have argued for many years that the idea of an “electronic identity card” is a skeuomorphism of the original identity card’s functions: why a “card” rather than an identity management system? The “card” is familiar and superficially conveyed its intent but in doing so, it perpetuated a paradigm based on an outdated mode of operation, that the value of the data on the card derives from actually possessing the card.

What emerged last week was a growing sense that the idea of “personal data” itself is skeuomorphic: why do we think of personal “data” being passed around when its value is not in its possession but in its use? Should we instead think in terms of personal information services?

Compare:

“You want to know my date of birth? Get lost, it’s none of your business (and, no, hooking me with the offer of a free birthday card or gift ain’t going to work)”.

with

“Want to know if I’m over 21 and entitled to buy alcohol? Over 50 and entitled to join AARP? I’ll give you a yes/no answer”

because that is all you really need to know for that particular transaction. The value is in the relationship of the question to the answer, not in the raw data itself.
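
The yes/no exchange contrasted above, sketched as an added example (not part of the original post): a hypothetical attribute service keeps the date of birth and releases only an authenticated answer to the predicate, bound to one relying party and one transaction. All names, the demo key, and the use of an HMAC in place of a public-key signature are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed demo key shared by the attribute service and the relying party.
# Assumption: a real deployment would use an asymmetric signature instead.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def age_on(dob: date, today: date) -> int:
    """Whole years completed on `today` (a 29 Feb birthday counts from 1 Mar in non-leap years)."""
    before_birthday = (today.month, today.day) < (dob.month, dob.day)
    return today.year - dob.year - before_birthday


def tag_for(claim: dict) -> str:
    """Authenticate the canonical JSON form of a claim."""
    canonical = json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(DEMO_KEY, canonical, hashlib.sha256).hexdigest()


class AttributeService:
    """Holds the raw dates of birth and only ever releases yes/no answers."""

    def __init__(self, records: dict):
        self._dob = records  # subject -> date of birth, never leaves this object

    def answer(self, subject, min_age, audience, nonce, today):
        claim = {
            "sub": subject,
            "predicate": f"age>={min_age}",
            "result": age_on(self._dob[subject], today) >= min_age,
            "aud": audience,   # the relying party that asked
            "nonce": nonce,    # the relying party's per-transaction value
            "issued": today.isoformat(),
        }
        return {"claim": claim, "tag": tag_for(claim)}


def relying_party_accepts(token, expected_predicate, audience, nonce, today) -> bool:
    """Accept only a fresh, untampered 'yes' issued for this question and this transaction."""
    claim = token["claim"]
    if not hmac.compare_digest(token["tag"], tag_for(claim)):
        return False  # altered, or not issued by the service
    if claim["aud"] != audience or claim["nonce"] != nonce:
        return False  # answer given to someone else or for another transaction
    if claim["predicate"] != expected_predicate or claim["issued"] != today.isoformat():
        return False  # wrong question, or a stale answer
    return claim["result"] is True


if __name__ == "__main__":
    # Constructed sample record.
    service = AttributeService({"alice": date(2004, 2, 29)})
    day = date(2025, 3, 1)
    token = service.answer("alice", 21, "wine-shop.example", "n-001", day)
    print(token["claim"])
    print(relying_party_accepts(token, "age>=21", "wine-shop.example", "n-001", day))
```

The relying party learns one bit for one transaction; the date of birth stays with the service, which is the party that carries the liability for holding it.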

Unless, that is, you are in the business of harvesting personal data in order to make a magnitude of profit more than would be the case if you really, really did actually want to offer the “data subject” some useful service. Think how things might change if possession of personal data were considered a liability rather than an asset and required statutory reporting – how that would change business practices overnight…

I sense that the tide is turning. For years, digital advertisers have been riding a gravy train of revenue derived from customers where the intent of divulging our personal data rarely matched the use that followed, or where such intent or use was even requested or measured. They have an opportunity to engage constructively and recognise that they have a place at the table of a vastly superior identity value network but are no longer welcome at the top of a weakening identity value chain.

In one of the last sessions at IIW, we discussed a general problem of technology folks being able to communicate often complex concepts to non-specialist audiences and I talked about the value of metaphor and how this can be used powerfully when working with diverse stakeholder types.

Paradigms, by their nature, tend not to morph fluidly from one to another. There is an abrupt shift, sometimes seismic. In this domain, the ideological, technological, economic, and other plates are moving and faults are detectable to identity seismologists. When the shift comes, you had better be on solid ground.

But that’s a metaphor about paradigms and paradigm shift. What would be an appropriate metaphor to describe the particular paradigm shift I discuss here? From the current mindset of “owning”, “possessing”, and “managing” personal data; to one where the value is the use, the transaction, the very context specific and time-sensitive relationship between the owner of some aspect of personal identity expressed as data; and the person, agency, service, etc. that uses it?


A User? Me? Part 2

I took part last week in my very first Internet Identity Workshop (IIW), notes from which are being finalised on a dedicated Wiki. A theme that surfaced a couple of times was around the issue of the relationship between a “real” person, their name(s), their personae online and how they are identified in different situations.

In my last post, I expressed my concern about the blanket – and ultimately “meaning-less” – term “User”, arguing in particular that “it immediately and instinctively entails systems-focussed thinking and ignores entirely the relationships and behaviour of individuals outside and independently of technology.”

It struck me last week even more forcefully in a separate discussion about “user interaction and interfaces”. One axiom of user interface design is that, from the point of view of the human confronted with interacting with any system, “the interface IS the system” – that is all the human has to work with and, usually by design, the human is precisely precluded from getting behind that interface. So I thought – well what does it look like from the other side of such an interface?

Microsoft Surface (now “Pixelsense”) Data Visualizer – maps and provides data about what the system “sees” – each finger touch is an “Actor” in this system

From the point of view of a digital system (to the extent that an inanimate box of wires, bits and bytes can have a point of view), there is a similar issue: the system is unable to reach out beyond the interface to “sense” the human beyond – it too relies entirely on the interface. In good systems design, the flesh and blood human is recognised as playing a “role” – as an “Actor” in formal UML terminology – and this role is played via a “Boundary Object” (such as a window, a dialog box, a menu, a button, etc.) that serves as the interface between the real-world and the system and that should appear in different well-conceived use-case, sequence, collaboration, robustness and process diagrams. However, far too many systems designers drop (or never model) the boundary object and model relationships directly between the Actor and the system, so that the two-dimensional stick figure is further reduced to a single-dimensional bit-stream. Worse, the UML “Actor” construct is also used to represent any other non-human “thing” that interacts with a particular system, including other systems, interactions that take place usually through some application program interface (API). What results from poor design, therefore, is a system-view that makes little or no distinction between a flesh-and-blood human and another digital system.

But there is another problem, of particular concern in the realm of online identity and trust.

Even when the best modelling approaches are used, the human “Actor” can only, at best, be represented by those (relatively few) aspects of that human that are known and presented to a system interface. The fact that a single person – for whatever motive, usually benign but not necessarily so – may want to present different online “personae” to different systems is of no help from a system view: the human “recognised” by a system (by creating an account, login credentials, or whatever means are used) is no more than the persona created by that human and presented to it. That persona in turn is modelled and represented as an Actor within a system, with behaviours, characteristics and preferences only to the extent that they are both 1) modelled, and 2) known to the system. The “Persona” could itself be a specialization of another “Persona”, rather than be related back to the flesh-and-blood human – and so we have a problem, conceptually looking out from within the system: we cannot “know” for sure whether an in-system Actor ever truly reflects the behaviours and intent of a human. We can make a best guess. And to even do that requires unbundling some fuzzy and ambiguous terminology.

It doesn’t mean interrupting and closing down conversation every time a word is “misused” – but, as we discussed in one of the final sessions at IIW, it does mean being constantly alert to the relevance of terminology, particularly in multi-stakeholder organizations such as the recently established IDESG – where you can be sure that citizen or privacy advocates, telcos, IT companies, retailers, advertisers, etc. will not use the same terms to mean the same concepts.

All of the terms that we do use – human, person, principal, subject, actor, agent, persona, consumer, citizen, customer – reflect a value for whoever uses them and are intended to convey some contextual sense and meaning.

All that is…except user…


Death to NSTIC! Long Live NSTIC!

My first Internet Identity Workshop this week. First morning busy getting going; helping out Dawn Jutla with her presentation of the new OASIS technical committee, “Privacy by Design for Software Engineers”; and attending a regular conference call for the Management Council of the Identity Ecosystem Steering Group – together with several other participants here who are also members.

After lunch, another view – “Death to NSTIC”, despite its irreverent title, was a serious examination of the major risks that the new strategy – along with the organisation, IDESG, set up to deliver it (and on whose Management Council I currently sit…) – will have to face up to.

After a brainstorm of possible risk areas – and there are many – we held a straw poll among participants and two key risk areas stood out head and shoulders above the rest.

The first, maybe surprisingly, is that the “user experience” is too hard. Surprising, that is, until you unbundle some of what it covers: people forced to use interfaces and online systems that they know are flawed or insecure and, to cap it all, are held responsible and liable for the consequences; the relative difficulty of creating a trusted and secure interface and the relative ease with which it can be hacked and subverted; the obsession with “strong” passwords that are actually far easier to hack than intuitively simple to use passwords that are very difficult to hack; the obsession with passwords, tout court (the longest surviving paradigm of the computing era, having been first used in 1961).

The second issue was more vaguely defined and yet commonly supported: the (perceived or real) misalignment of economics, public policy, technology, and culture. There are similarities with my “magic triangle” model for identity which requires finding the sweet spot between what is technologically feasible, politically desirable and socially acceptable but it goes further.

A major factor is the absence, or rather misalignment, of liability models for the identity ecosystem and the danger that the model developed is too rigid – with a result that any local failure could have a domino effect and bring down large parts or the entire ecosystem (a theme that we returned to in another session later in the week, ‘A Whiter shade of grey’).
