A “User”? Me? How dare you…

An innocent enough conversation thread discussing issues around privacy as part of the IDESG effort has thrown into stark relief some difficult questions about core terminology being used.

In line with common convention, the ubiquitous “user” appeared in many diagrams. But what is a “user”? I think only the illegal drugs trade and the technology industry use this term to describe their primary stakeholders. I continue to argue that as a term it is meaningless in its generality and ultimately unhelpful. It is important to unbundle the blanket term and understand the concepts that we are trying to convey which are numerous.

My starting point is radical: don’t use the term at all, with only one exception in the context of “user experience” where we are explicitly talking about the “flesh and blood human being at the interface with a digital system”. Even in this context, we are talking about a human being playing a very particular role, as a (device) user. In this limited sense, formal modeling approaches, such as the UML, employ the term correctly. It would be a mistake however to extrapolate a two-dimensional “User”, employed as a convenient and accurate part of a system model, to reflect the entire human being.

Rather, we must unbundle “user” and say clearly what we mean: customer, client, citizen, business owner, identity fraudster, etc. The SOA Reference Architecture Foundation spent considerable effort in trying to get this right and explicitly unbundles these various roles and definitions (and even on its latest review, we caught a few stray unintentional uses of the wrong terms). The result, we think, will help encourage “ecosystem” views rather than narrower, IT-focused, systems-only views of the world.

In the rush for simplicity and easy-to-understand models, we tend instead to munge ideas together. In most circumstances it is not a problem: when you are working and talking with peers in the same industry or specialization, for example. However, in complex environments – particularly one like IDESG that brings together stakeholders as diverse as the ACLU, the American Chambers of Commerce, the Digital Advertisers Association, privacy advocacy groups, online retailers and technology giants – you cannot afford to make assumptions that “your” commonly accepted concepts and terms are shared by everyone else.

Hence the need to understand the multiple roles that a given human will be playing in identity ecosystems: for example, “Person” is a term of art to include both “natural and legal persons” (the former, a human; the latter a corporate entity who acts or can act as a person – an important distinction in online transactions) and terms such as consumer, provider, citizen, etc. reflect roles played by any Person.

By the same token, one could say that a “User” is the role played by a natural (i.e. ‘human’ not corporate) Person when interacting with a digital system: “User” is thus carefully and clearly defined in a specific and meaningful way but not extrapolated to take on significance beyond that scope.

In such a conceptual model, “Consumer” can be understood as the right term in particular circumstances: the “individual-in-a-role-as-consumer” vis-à-vis a “Provider” (another role played by a Person, natural or legal) in some form or another – for example as a party to a social or legal contract.

My major concern with “User” as a blanket term is that it immediately and instinctively entails systems-focussed thinking and ignores entirely the relationships and behaviour of individuals outside and independently of technology. It is because we munge together “User” and “Person” that the “human-as-user” is the most common vector of attack on systems and will continue to be so until we recognise that our behaviour as rational humans is conditioned and circumscribed by a system-centric “User” concept, which is more often than not a problem of poor user experience/interface design and not an inherent problem with the human. “Human error” or “Stupid user” have become euphemisms for sloppy design, poor conceptual modelling and bad execution. The IDESG is not just about IT. It is about educating, shaping perceptions of online interactions and encouraging an atmosphere of trust among humans, not just machines. It is the interface between human and system (and everything related to “User Experience”) that is key to a successful trust framework.

Put more simply: don’t go for a simplistic reductio ad absurdum but do go for simplicity through clarity: call a person a “Person”, an organisation an “Organisation”, a customer a “Customer”, etc. and be clear how the concepts, together with the terms used to label them, relate to each other.


SOA as a Dynamic Value Network

Since the early days of Service-Oriented Architecture (SOA) appearing, I have argued that SOA is a paradigm rather than a specific approach to using technology. Evidence for this ought to be that technologies change but underlying paradigms do not (see my vent on the subject of SOA v2) and so it is with SOA.

Although the initial hype around SOA died off as the marketing people sought fresher pastures and slogans with which to peddle their wares, SOA as a concept has settled comfortably into the vernacular of analysts and developers. Whole enterprise engineering disciplines have grown up around a core understanding of what SOA should be (and even a successful SOA School and accompanying certification if you want to be sure and need to prove it) and the term is eagerly grasped by business leaders as a lodestar on a choppy sea of technology change.

What interests me is that, despite years of (ab)use, the concept is alive and well. When one considers the underlying model of today’s popular themes – anything “smart” or “cloud-based/enabled/ready” – the relevance of SOA should be obvious. What may be less obvious is how central SOA should be to management and business thinking. I would go as far as saying that SOA is not principally about technology. Consider for a moment the figure below, used recently as part of my presentation of the OASIS SOA Reference Architecture Foundation to the 5th International SOA, Cloud and Services Symposium in London:


In this vision of the SOA paradigm, the centrally important concept is that of a SOA Ecosystem that bridges both the world of technology systems based on SOA principles and the social context in which such systems are developed. How effectively an ecosystem works will be a function not only of the technology and standards applied at the level of the technology systems but of the common understandings, policies, contracts and behaviours that are thrashed out and agreed in the “real world” of human beings and society. SOA-based systems work well when that real-world work is done well and the central role (literally, in the figure above) of the “participant” is unbundled and fully understood.

So what does all this have to do with Dynamic Value Networks? In my opinion, everything. Michael Porter introduced the concept of a “Value Chain” in the mid-1980s. This was followed up in the late 90s with the idea of value networks: while the value chain was a powerful concept to explain how stakeholders in a business each contributed to overall business value, the value network recognized the increased interdependency between businesses and their stakeholders. In a value network, any – potentially every – stakeholder can accrue value from their relationships with others, sometimes way beyond the intention of the original chain of collaboration.

Dynamic Value Networks are typified by their ability to adapt, in real-time, to dynamic shifts in demand and supply within a particular ecosystem. The core tenet of SOA is to offer the technology infrastructure for precisely this to happen, allowing each stakeholder to realize business value and be encouraged to participate further in cross-business collaboration. A well-functioning SOA ecosystem will establish – among the real world stakeholders – policies, conventions, contracts, SLAs, etc. together with clear, detailed, structured, and machine-processable service descriptions that allow the SOA-based systems, once built and deployed, to respond dynamically and efficiently within the parameters set.

So, why bring all this up now? Very simply, because of the “National Strategy for Trusted Identities in Cyberspace”, NSTIC and the new private-sector organization that has been set up to deliver its objectives, the rather clumsily named Identity Ecosystem Steering Group or IDESG (see my previous post). The key is in the new organisation’s provisional name: it is about mapping out the vision of a future ecosystem as outlined in the original NSTIC strategy.

Thinking of the identity ecosystem both as a dynamic value network and as a SOA ecosystem will help in unraveling current practices; identifying who are the stakeholders and systems involved; understanding the relationships and value created between diverse stakeholders as well as the technologies and standards used to underpin the whole. Done properly, the future identity ecosystem could represent the biggest value network the world has ever seen. Many technology companies recognise this already but only a relatively small number of non-tech businesses. The challenge for the technology “elect” is to make their case understood in business terms that others can understand and relate to, whether they be in the public, private, academic, not-for-profit or voluntary sectors.

Central to this will be a recognition that “trust” is a deeply human process, a willingness to engage with others based on reputation and evidence. Attempting to build online trust by purely technological means, without understanding the complexities of being human, will fail. That means understanding humans, in all their complexity and in all sorts of transactions, as fully rounded individuals and not just as “users” that need to be educated. But don’t get me started about users.


Why I withdrew as candidate for NSTIC Chair

This week I am in Chicago for the kick-off meeting to establish the organization charged with delivering President Obama’s “National Strategy for Trusted Identities in Cyberspace” (NSTIC). Many of my readers will know that I was nominated to be a candidate to Chair the Management Council of the new body, upon which it would be an honor to serve.

Many of you following the meeting in Chicago will have witnessed the inevitable teething issues of an infant organization. The plenary, meeting face-to-face and virtually, Wednesday and Thursday, rightly took a look at the draft bylaws put before the assembly and had a few questions. One of which concerned whether a person could be a candidate for more than one post.

8 candidates were conflicted and we all assumed that adequate mechanisms would be in place to separate out the elections (“take this post first; depending on outcome, x withdraws for subsequent election”, etc.). They were not. Instead, to cut a boring story short, the candidates were asked to choose one post and withdraw from the others, so that the single ballot could proceed for all posts.

We were given a few minutes’ notice. I chose to stick as a candidate for the unaffiliated stakeholder group, where I feel very welcome and at home, and withdraw as candidate for Chair. Many participants were saddened that I had to withdraw and stated that they would have voted for me – easy to say when you’re no longer running, but I’ll be magnanimous! ;-)

My motto had been, and remains “workability”: it became clear to me, as it did for many participants, that the Management Council – and particularly the Chair – would have a very busy job in the coming months helping address some of the procedural shortcomings. And remember, this is all about an interim, six-month, period while all the creases are ironed out.

I felt (and I might have been wrong but remember, we had to decide on the hoof) that Brett in particular would have more time to devote to this as Chair than I could. So I stood aside.

Nonetheless, I feel it is even more important now that the Management Council “gets it right”, doesn’t inflate its own importance, respects the will of the plenary, and gives the secretariat and NIST the support they need in delivering against tough political imperatives. So I feel, at this juncture, that being a voting member of the Council, representing unaffiliated stakeholders, would be a valuable role that I could play.

As the organization stabilizes and cuts its teeth, we will also all be in a better position to judge what exactly we need from candidates for all the positions going forward into 2013 and whether I should then offer my candidacy unequivocally for Chair on the platform that I laid out in my candidate statement.

Let’s make this thing work!


NSTIC – under starter’s orders

A well attended, informative and well structured webinar today took more than 200 online participants through the steps to kick off of the Steering Group for the US National Strategy for Trusted Identities in Cyberspace, NSTIC.

Yes, it is true that I have been nominated for the position of Chair of the proposed Management Council, and I will respond to the nomination and post further information next week.

In the meantime, it would seem that an appropriate watchword should be “Workability” – after more than a year in the works, it would be a pity if the kick off meeting in Chicago in two weeks were bogged down in procedural wrangles over the bylaws and elections: the proposed 6 month interim period for all elected posts is an excellent idea that will hopefully allow all participants to get down to substantive work from the get-go.


Thanks ICANN for a new opportunity for crooks and dodgy operators

So, what on Earth is to be gained from the latest batch of top level domains as announced by ICANN today? And what sort of minds are hard at work at some of the bidders, who have paid a hefty sum upfront for the likes of “.dad”, “.new” and “.and”? I really, really, don’t want to imagine where they are going with those and others…

Who is really going to benefit from this “opening up” of the domain naming system? Crooks, blackmailers, speculators, lawyers and dodgy “brand consultants” by the looks of it. Please convince me otherwise.

The current domain naming system is not a simple taxonomy of classes: we have the country-specific domains and we have the supposedly generic TLDs of which three are strictly managed (.mil, .gov and .edu) and the other three are basically a free-for-all hotch potch of non-exclusive sets: if “mydomain.com” is taken, try “mydomain.org” or “mydomain.net”.

The country and generic TLDs are not mutually exclusive: indeed, many companies were quick to spot branding opportunities from buying into short, snappy domain names even if they are totally unrelated to the country domain in question (think of abc.tv, bit.ly, or t.co).

So branding is important and there is no shortage of human ingenuity in making the most of what is already available. So why would ICANN want to open this up even further, except for creating a massive market of largely spurious value that is likely to be dominated by speculators and fraudsters? The problem is that, once called into existence, there is no putting the genie back in the bottle – and it is too late to whimper about the law of unforeseen consequences.

Let’s take a (hopefully) theoretical example of a new top level domain of “.clothing”. A number of activities will emerge in parallel:

  • Crooks: those out deliberately to deceive you, will snap up a domain name of a brand you are familiar with (and before the “genuine” brand owner cottons on) in the hope of fooling you to visit them and part with your money;
  • Blackmailers: we are too diplomatic to call them that but I refer to the more quaintly named “cybersquatters”, who will register a name and then wait for you to pay them to hand over the name or offer it for sale to the highest bidder, who might well be in the previous category;
  • Speculators: variants of the above who claim to have a clean conscience and are just “playing the market”;
  • Lawyers: everywhere advising you to register a slew of names and variants of your official brand name, in order to protect your brand; and offering – for a fee of course – to try to wrest your name out of the hands of those who may have gotten hold of a useful name through one of the aforementioned methods; and my favourite….
  • Brand Consultants: cool dudes trying to convince you that “mycompany.clothing” really, really, is a great brand idea…

Only once the full list is operational and we know the new domain owners’ motives will we see whether they are simply defensive bids to protect a brand – such as .google – or intend, as we saw with the .eu domain launch, a massive new market of opportunities, rackets, misunderstandings, deception or downright fraud.

Thanks ICANN, this is what we really, really, needed…


The “Open Ratchet”

Hot headed ranting coupled with the cynical manipulation of key words always seemed to be the exclusive domain of extremist political groups, at least until recently.

It has been a curious month of rants about the UK government’s open standards consultation. One would be forgiven for believing that the world was about to end if you happened to take as your sole source of input the outpourings of one particular British journalist. Thankfully, most of us check our sources and facts and tend to be wary of postings that are thin on facts and rich with innuendo and personal attacks. In fact, I won’t even deign to reference the journalist in question here as further hits or references to his pieces will only be interpreted as good news for that mag’s advertisers.

I want instead – on this last day of the UK government’s consultation on open standards – to highlight a worrying “lock in” phenomenon that masquerades as the best of “open”.

I’ve written before about the phenomenon of “hoorah words” (“democracy” – hoorah!; “freedom” – hoorah!; “open” – hoorah!) but in this post, I am looking at something more worrying: worrying because it has all the hallmarks of the Boiled Frog Syndrome: you don’t see what’s happening to you….and worse, (sorry to mix metaphors) it is like a ratchet: it is difficult to move back down once locked in to one level.

What I’ve dubbed as “The Open Ratchet” goes something like this:

“You support open standards of course?” “Of course I do!”.

“And of course, open standards must be open for anyone to use” “D’uh, yeah!”.

“In order for them to be open for anyone to use they should ideally be royalty free” “I don’t know….that sounds like a good idea, so…I guess so…”<click>

“..and Open standards must be implementable using open source” “Makes sense….sure…”<click>

“And of course, all open source is royalty free” “Of course it is!”<click>

“So, open source ought to be preferred when using open standards” “Ummm, I guess that follows….”<click>

“Unless you can prove benefits otherwise, you should therefore prefer open source” “I’m sure I’ve missed something…but, okaaaaaay….”<click>

“So, it follows that only open source can truly implement open standards” “…..wha..?…”<click>

“Of course, open source comes in many flavours and the most popular and widely supported is GPL” “I’m not really cognizant of the intricacies of open source licensing…but you know your stuff, so I guess I can’t disagree…”<click>

“To ensure that implementations of all open standards also remain open source, of course we recommend GPLv3…” <CLICK>

Now, you and I and many technically minded standards buffs out there can hear the <click> of the ratchet each time and see where it might be leading but most policy makers will not – and that is the insidiousness of the approach.

In discussions with different policy makers in the last year, talking about open standards, one phenomenon keeps popping up: they talk about open standards and open source in the same breath as if they were two aspects of the same. And when you ask further, it seems that the two issues have been presented as such to them, the policy makers, by….supporters of GPLv3 no less. What a surprise.

Now, it may serve open source’s ends to hang on the coat-tails of open standards but I don’t see that the reverse is automatically true. Just because one small and very vocal group insist that there is a connection and insist on applying the Open Ratchet does not a global truth make. Open standards have been happily implemented for decades using all sorts of business models – and if this suits the open source community, fine. Open standards are designed to be implementable by anyone but it doesn’t follow that this means it’s a free lunch for everyone.

(BTW, and a curious issue aside: why, in a world surrounded by patents and rights-licensing in so many areas of our lives, does the extremist wing of open source advocates insist that software is somehow miraculously different from every other patentable invention? I don’t see an “Open Coffee Foundation” spontaneously arising from moral outrage and protesting for the right to invent and market free coffee capsules as an alternative to Nestle’s monopoly….sorry, did I spoil your espresso?)

But to claim that, because it suits one business model, everyone using open standards should automatically conform also with the most extreme and exclusive form of the open source business model is just preposterous.

I’m all for a wide-ranging debate on the role of open standards and argue vociferously for their increased adoption and – orthogonally – I express doubts about open source being a viable and honest business model.

But I do object to attempts to demonize anyone who tries to keep the debates separate or castigate anyone daring to criticize a single precept of the open source movement as therefore being against open standards. I was all too familiar with this tactic in my student days by supporters of the Spartacist League (goodness, anyone else remember them?) and other Trotskyist groups. They too were loud, obnoxious and reeked of moral superiority. If you tried to argue rationally, they would abuse you and divert. If you didn’t argue with them, they would walk away and claim victory.

It would be a crying shame to see IT policy go the same way, with policy makers bullied into positions that they really haven’t had an opportunity to discuss openly and level-headedly and facing castigation if they dare to raise a nuanced opinion. Although not a strong open source advocate myself (and, yes, I have worked on and supported many open source projects, just in case you ask), I still work closely with many who are and I welcome the opportunities to work together on many projects. They would be the first to admit that open source and open standards are different concerns and be proud to advocate open source as a distinct and valued business model. But unless they face down the loud mouths in their community, and give voice to the broader, more representative interests supporting open source, the extremists will claim victory.


UK Government open standard consultation (cont’d)

In addition to the general concern of mandating single standards (see previous post), two other issues were discussed in some depth.

One core concern of public officials is the threat of being locked in to a single vendor. Although traditionally that has been equated with lock-in to proprietary software, there was consensus at the meeting that there was an equivalent and possibly growing danger of lock-in to single suppliers: an ‘open source’ project is all well and good for encouraging portability but who in reality is going to pick up that 25 million lines of code, except for the original supplier? It was encouraging to hear Graham Taylor from Open Forum Europe, one of the most vocal lobby groups in favour of open source, agree that such lock-in is indeed also a major problem. What is important for government is to ensure that there is interoperability at the most appropriate level and to ensure that any solution – proprietary or not – delivers interoperability at that level.

A second concern is a more complex one – of ensuring a ‘level playing field’ on which everyone can compete. What came over in the meeting extremely forcefully was that it is illusory to believe that there is some ‘neutral’ model which government should favour – choosing any model over another is skewing the market in favour of that model. While a policy that allows proprietary or FRAND licensed software to be offered explicitly also allows open or free software, a policy that mandates only open source excludes all the other models. The desire to be ‘open’ ends up actually being very closed.
