The IDM Software Business Model:
The first answer is to observe that OpenID is a federation protocol and as such, it fits well within an identity management suite (very much like SAML, or WS-*). Vendors in that space are well known: CA, HP, IBM, Microsoft, Oracle, Sun, etc. IDM vendors derive revenue by licensing their identity management software to large enterprises. Single-Sign-On across enterprise applications still remains an unsolved problem within many enterprises. Because of it is ligthtweightness, OpenID carries the promise of simpler integration across many internal Web applications (enterprise portal, SAP, Oracle Web apps, etc...), making it an attractive IDM solution component and a must-have for most IDM software vendors.
The Service Aggregator Business Model:
OpenID is especially best suited for managing identities across consumer services. So, the natural early adopters will be consumer service aggregators, such as Mobile Network Operators and MSOs. Indeed, these companies view their millions of subscribers as an untapped strategic asset. The ability to leverage OpenID to more easily up-sell and cross-sell subscribers across a growing portfolio of services and channels (wireless, broadband and TV) has strong business appeal. In other words, federating within the walled garden makes good business sense: one unified identity, one converged brand experience, one view of the customer and the ability to subscribe existing customers across new services in one single click, whilst charging them on one single bill.
The Security Business Model:
As a consumer, if you have one consolidated identity for use across many Web services, you are more likely to want to protect that unique identity. It is also easier to do so, since only the identity provider needs to deal with the complexity of any additional security technology. In a shared identity eco-system, security solutions such as strong authentication become more cost-effective since the price of securing identities can now be shared across all the relying parties. In other words, economies of scale can be realized. This is exactly the VeriSign identity protection model that we introduced in early 2006. At that time, OpenID did not exist, so the chances of sharing a complete identity were pretty slim. Therefore, we decided to adopt a simpler sharing model where only the security (the second authentication factor) is shared across sites. Authentication services such as VIP are a good fit for OpenID as they make it relatively easy to turn any IDP into a strong IDP. Beside, if accepting a name and a password from a third party may not provide much additional value over a self-issued name and password, the idea that an identity provider will provide a more secure and stronger identity could well be a compelling value proposition for sites to start accepting OpenID as relying parties.
The Insurance Policy Model:
Building on the idea that what makes accepting a third-party as an identity provider is a stronger identity, arises the identity assurance model. In that model, the identity provider becomes a risk underwriter. Basically, the IDP "insures" the relying party on the validity and knowledge that it has about a given identity. The identity risk profile allows the IDP to make some explicit guarantees (e.g. "no charge back") and be compensated for it. For example, a bank who knows a lot about a consumer identity and purchase behavior could vouch for a consumer transaction to be trustworthy and underwrite the risk based on the consumer risk-profile that it has accumulated over time.
The Lead Generation and Advertising Model:
In OpenID everyone is focused on Single-Sign-On. The truth is that the real money-maker may be more about attribute exchange than simpler login. By attribute exchange, I mean the ability to seamlessly transmit a subscriber's registration profile and payment information in real-time. In that context, I can see OpenID become an enabler for CPA-based advertising. In the CPA model, the publisher and the ad network (IDP) get paid when the user registers with the advertiser (lead acquisition) or purchases from the advertiser (impulse buy). By removing the typing, OpenID can enable a much more effective CPA model where the user only needs to login into their identity provider to authorize a registration or a purchase. The ability to register a new customer and allow them to pay from any device within 1-click could prove a significant enabler for direct response advertising.
Of course, all these business models remain somewhat theoretical and unproven. However, the intuition is that there are many angles to consider when approaching OpenID from a business perspective. Interestingly, the breadth of opportunities should make the emerging standard more relevant to many leading Internet companies. This may explain the broad and growing attraction for federated identity, and OpenID in particular. That is all good news for the technology, as without business drivers, it will remain a technology construct that makes conferences headlines but is ignored by business minded leaders. That would be a shame of course as the best ideas are the one that can seduce consumers, technologist and those who follow the same three directives day after day: "Show me the money, show me the money, show me the money!"
In a nutshell, Android is a mobile platform that builds on top of Linux but bundles additional layers such as a web browser (Webkit), a set of applications services (e.g. telephony and messaging) some libraries and a homegrown runtime (ala Java VM). The marketing brochure says that Android is Open (and most of the components are).
Like the first Google phone, Android seems to be a work in progress. A few hours of digging into the developer site and the examples, followed by a sudden crave for caffeine that interrupted my progress, eventually left me with mixed impressions. Yes, I would have to admit that Android was rapidly falling short of my high expectations. After all, the mobile brainchild of a company with such technical talent as Google had to be second to none.
It is not that Android is technically bad. It is quite the opposite, actually. Technically, Android is extremely sound and brings some interesting innovations. It is just that it does not seem very Google-like to me. In particular, it does not fit the Web-centric programming model that you would expect from the inventors of AJAX and precursors to the Web 2.0 movement. Why Google would decide to err so far away from the development model that made their success was really a big surprise to me.
Take for example, Android's application component model. It relies on the new concepts of "Activity" and "Intent". The idea is to enable an application to easily mix different components from other applications within its own view (way back then, Microsoft called this Object Linking and Embedding (OLE)). Great idea, right? Yes, especially, in a mobile environment where users frequently need to switch between messaging, contacts, and calendaring. But then again, why not enabling widgets and mashups as a simpler GUI and component model for mobile? After all, Apple just did that for MAC OS X. instead of making the Web and mobile come together, Android is introducing yet another programming model. As good as it may be, it sounds like a missed opportunity to do what Google does so well: pushing complexity to the cloud, and simplicity to the client in order to enable the largest developers community.
This is my sole disappointment, really. Android does not try hard enough to enable the Web programming model into the mobile. Instead, like any traditional mobile OS company, it makes it a second-class citizen. In doing so, Android confines most of the Web developers to the browser. That kind of traditional device-top approach is exactly what you would expect from non-Web companies like Nokia, Sun or IBM, but from Google? Where are the XHTML, CSS, JavaScript and all the REST (pun intended) of the Web 2.0 technologies that made us scream "WOW" the first time we saw that Google map drag along the mouse?
Yet, Google is standing strong behind Android. Therefore, I would expect Android to enjoy a long and prosper future. It just seems strange that in the end, Google decided to opt for a development model that is foreign to its own DNA. Ah! But on the other hand, they did call it Android, didn't they?
IP Free Open Technology:
If we have learned one thing form the success of DNS and SSL, it is the importance of Intellectual Property (IP) free open standards to the success of any new Internet technology. Without them, the chances of broad adoption for any new Internet technology are as good as the odds for a wild card team to win the Superbowl extremely slim. Identity services are no exception to the rule. So, the Foundation's primary goal will be to ensure that OpenID always remains open and free to the Internet community. Concretely, this means that the Foundation will work with identity vendors and the community to protect OpenID Intellectual Property Rights and its free usage policy. Technologies always evolve and improve; we needed a body to exercise ongoing vigilance. There cannot be any compromise on this point. The good news is that everyone on the board has already embraced this idea as a fundamental principle.
Where the Ying and the Yang Meet:
OpenID is essentially a grassroots technology. So far, the specification and the implementation have been mostly driven by the technical community. I would argue that it is a good thing. Had the vendors be involved too early, the technology may not have ended up as brilliantly simple and as easy to deploy, and OpenID may not have enjoyed the initial community enthusiasm and rapid deployment (remember Liberty Alliance?). This grassroots model has proven to work so we must keep it moving forward. At the same time, as large identity service providers and software vendors join the OpenID bandwagon, we needed an entity to facilitate the exchange of ideas and product requirements between the grassroots and business communities. A Yahoo! or a Google may need specific product enhancements. A VeriSign may ask for some additional security elements. At the same time, the OpenID technical community needs to be able to keep on innovating and take the technology into new directions. The Foundation will be the place to facilitate the debate and prioritize the efforts.
Creating a Second to None OpenID Experience:
With Google, AOL and Yahoo! deployments, OpenID is off to a great start. 350M users have now access to the technology. One challenge remains: very few of these 350M consumers are using OpenID or are even aware that the technology exists. This leads to one of the important roles for the Foundation: to drive consumer adoption. The Foundation will own the Open ID brand and logo. It will define and protect its proper context of use. More importantly, the Foundation will need to make these assets to be synonymous to "insanely great user experience' in the mind of the consumers. There is little doubt that the success of OpenID will be tied to the quality of the user experience it brings to millions of consumers. Yahoo! already improved that user experience. The Foundation will take it further and enable a true "one-click" or even "zero-click" user experience for login, registration, payment and all other forms of Internet activities that require identity information exchange. The Foundation will be the place to funnel the best ideas from the community and set the best deployment practices.
At VeriSign, we are truly excited to be board members of the Foundation and support its mission. Bill Washburn, a former colleague, and a friend is heading the Foundation, and I cannot think of a better person to help drive consensus across so many distinct personalities. That certainly makes it yet more reasons to be excited. Let us get to work!
First things first: big kudos to Yahoo! for showing leadership on the identity front. Yahoo!'s implementation is actually quite elegant. For one thing, they fixed one of the big shortfalls of OpenID's user interface. Instead of a clumsy URL, you simply type yahoo.com and get redirected to Yahoo!'s sign-on page. The brand marketers will appreciate! I also suspect that typing a brand name as familiar as yahoo.com is much more palatable to consumers than typing a lengthy URL.
Not only is Yahoo! showing leadership, they are doing something really smart by attempting to capitalize on their very large digital identity asset, which will prove critical in the strategic battle for mobility and personalized advertising. If Yahoo! can become the trusted identity provider for 250 millions consumers, greatness and new revenue opportunities will certainly follow. The only question is whether Yahoo! is going far enough to move the needle. After all, consumers tend to be extremely demanding customers. They are creatures of convenience and only seem to care about being able to do new things with more ease and more speed. As long as OpenID only lets them do what most of them are already doing (login in across multiple sites), with relatively little gain in convenience (many users already use one single password for all their sites and mashups), adoption and usage may well remain limited.
So great start, but let us hope this is only the tip of the iceberg. Let us hope that Yahoo! is working hard on adding innovative new services to my new OpenID. Let us hope that consumers will adopt it in mass. What will these services be? Truly a question for Yahoo! product brain trust, but if the Yahoo! Fairy was to visit me tonight, I would make three wishes:
1. Mobility:
My world is becoming more and more Web centric and less and less desktop centric. New devices such as X-Box, Apple TV, BlackBerry are taking a larger chunk of my connected life. I need a consistent but simple way to access and personalize services and content across all these different network devices.
2. Security:
My identity is precious to me and any identity theft is a violent crime against me! Migrating to a portable identity provides the opportunity to make my identity stronger. Fairy, think V.I.P., of course!
3. Activity:
Yahoo! mail has 80% of my social address book, Flickr has most of my pictures, but many other sites have my comments, my blog, my videos. Aggregating and controlling my personal content across all these sites could benefit from a federated access and authorization mechanism.
Voila! Easier said than done. But the point is that for OpenID has to become an enabler for new user experiences, and go well beyond being a patch for "too many names and passwords". OpenID needs to focus on enabling what consumers will want to do tomorrow not on optimizing what they did yesterday. Short than that, consumers may not care and OpenID will be yet another missed opportunity for enabling and protecting digital identities on the Internet.
That happened to me last weekend, when a friend of mine introduced me to a non-profit service called Kiva.org. We have all heard of micro finance. This concept became mainstream when Muhammad Yunus, recipient of the 2006 Nobel Peace Prize, formulated the practice of micro-loans in Bangladesh. Kiva builds on this powerful idea by combining it with the global and cost-effective nature of the Internet, essentially creating a global micro-loan financial network. Similar to Yunus's vision, Kiva has allowed men and women all around the developing world to connect with millions of people willing to upstart their businesses, ranging from carpentry to wine making.
Kiva leverages the power of micro-loan and P2P networks to create the first global bank for the poor. Saying that Kiva is a generous endeavor, a big idea and a brilliant use of the Internet would be an understatement. It is a life changing service for the under-privileged men and women who now have instant access to millions of socially minded individuals all around the world. Of course, don't take my words for it. Go meet Pascuala from Mexico, and Ngheam Nghor from Cambodia as well as hundreds of their peers. Their stories are equally compelling and moving. So join Kiva.org, tell all your friends, and fall in love with the Internet all over again.
Of course, everybody is wondering why paying so much for so little ($240M for 1.6% of the company). With revenues around $150M and 50M registered users, elementary school maths already tells a lot about Microsoft's fascination for Facebook. According to Microsoft, Facebook is worth 100 time current revenue or $300 per registered user. Such multiples would make any VC sell their mother and first born. So, let us try to understand this Balmerian burst of generosity (or desperation depending how you look at it).
The OS theory.
The first theory is the Operating System theory. In the last year, Facebook has been very successful attracting developers to build applications using its APIs. Facebook must therefore be the new operating system. Microsoft being the incumbent OS dominatrix, it must pay to control the new Web OS. Hum...The theory is daring but not quite convincing. Although Facebook as a widget platform is definitely powerful, it is not the entire Web OS. Social networking is an important primitive but it is only one facet of the Web. Facebook applications are great but none of them truly measure to Microsoft Office. So, Facebook as a programming platform is certainly part of the attraction but there has got to be more to the story.
The International theory.
The second theory is International growth. 60% of Facebook users are non US. Since Internet growth is faster outside the US, the deal gives Microsoft a stronger position in the race for global domination over the fast growing advertising market. No doubt that the foreign dimension of Facebook is strategically valuable to Redmond. Nevertheless, despite the fast growth and a 30M foreign user base, this alone cannot justify the numbers either.
The conspiracy theory.
The third theory is a conspiracy theory. All along the negotiations, Google raised the stakes to drive the price higher. Then at the last minute, they withdrew, leaving Microsoft all alone at the bidding table with an insanely high bid. I know that guys are Google are smart but this sounds more like a James Bond movie than corporate development to me. It is clear Google was at the bargaining table. It is likely that they bargained hard, forcing Microsoft to move aggressively. However, I have to believe that it takes more than such a simple trap for Mr Ballmer to sign such a large check.
Ok, so what is it? Clearly, it must be about advertising. Advertising is a soon to be $80B market. It is one of the few markets large enough to move the Microsoft needle. This is also the oxygen tank of Microsoft's #1 rival, Google. In plain English, advertising is a highly strategic market to Microsoft. You don't win strategically by being cheap, especially when you are the underdog.
Think AD Sense 2.0 and Facebook deportalization.
Microsoft views Facebook as as an advertising platform, the asset that can help Redmond make up for the lost time to Google in search. An interesting fact about Facebook is that they know a lot about their users. With Facebook, folks like you and me expose their complete profile well beyond ZAG (Zip code, Age and Gender). Many reveal their personal interests by joining specific groups and registering to special events. So, Facebook has deep segmentation and behavioral information about consumers. Such consumer intelligence should allow them to do more precise ad targeting. In turn, relevant targeting should allow them to command a premium in advertising rates.
How does it compare to Google? Google draws advertising relevance from queries and hyperlink rank. In fact, Google is the undisputed king of the hill when it comes to contextual advertising. However, outside of search, contextual match may not always provide the most effective targeting. In many ways, demographic and behavioral targeting may prove more effective when it comes to videos and the long tail of content available on the internet. Behavioral targeting is where the advertising balance of power could eventually shift, creating a chip in the Google armor. That chip alone may well be worth $15 billion dollar to Microsoft.
Interestingly, social networking sites such as Facebook may not be the best place to advertise. The rumor is that Google AdSense has led to abysmal click-through on MySpace. After all, when interacting with friends, one has little attention span for ads. So,maybe, the true leverage of Facebook may be to evolve it into an advertising network for relying party sites such as MSN. After the Facebook application platform would come the Facebook advertising platform: a behavioral and social ad network to drive improved monetization outside of Facebook.
Today, AdSense is the only real game in town and a significant driver of revenue growth for Google. With 245M of new R&D dollars, fueled by identity intelligence, but respectful of user privacy and trust, Facebook may well hold enough assets in hands to become the alternative ad platform. IDSense anyone? Easier said than done of course, but at least, this perspective sounds like a worthwhile $15 billion bet to me.
A few months ago, Apple's Steve Jobs published His "thoughts on music" advocating the need for a DRM free world. The letter was accompanied by the release of iTunes Plus that provides DRM free EMI content to iTunes users. Of course, skeptics may find Steve Job's new credo too convenient. Indeed, these new thoughts appear to coincide with an increasing scrutiny from European regulators, who worry about the proprietary nature of FairPlay, Apple's homegrown DRM technology. iPod users however, already know that there are insanely greater reasons to stick to Apple music products than Apple's DRM lock on their tunes. Skepticism aside, Apple makes the compelling argument that music should be DRM free, arguing that consumers want DRM free content as it simplifies improves their user experience. Better user experience will drive more sales of digital content online, which should also be good news for the content owners, says Apple. Judging by the number of DRM free MP3 on my iPod and the constantly growing amount of traffic on Bittorrent, Steve Jobs may well have a point.
Although EMI has added strength to the argument, there are clear indications that the big content owners are about to throw the DRM baby with the digital content bath water (especially when it comes to video). However, DRM has made the digital content experience awkward at best. The competition between DRM systems and the lack of consistency in usage policy has led to a world of silos and content non-interoperability. This needs to be fixed or DRM will inevitably join the ranks of the powerful but extinguished technology dinosaurs. Labels and studios are fully aware of the stakes. To that end, in 2004, they created the CORAL consortium. CORAL mission was to provide interoperability between competing DRM solutions. The vision behind CORAL is powerful. It aims at re-creating the simplicity and elegance of the DVD model online. DVDs makes rights management invisible to the consumer's eye. One can buy a DVD from any store. DVD usage policies are simple and identical everywhere. One can run a DVD on any player from any manufacturer. It is simple and it just works. Yet, DVD content is not unprotected, proving that right management technology does not necessarily rime with bad user experience. CORAL has the right vision. Unfortunately, so far, it may have lacked the sense of focus and execution that has made the folks in Cupertino famous. But who knows, more than often, the second time may be the charm.
So DRM or not DRM? The prophecy is relatively straightforward. Content providers have one more shot at fixing the eco-system by creating an open marketplace for digital content. This marketplace should create interoperability across devices, and retail stores. Short than that, DRM will eventually disappear. The DVD has shown that a consistent format, DRM model and usage policy can lead to second to none user experience. There is still plenty of time to replicate the DVD model online. But it requires collaboration and coordination across the main industry stakeholders. In any case, the time has come to rethink the way digital content gets distributed online. Of course, it is not clear what formula will eventually triumph in the marketplace. Nevertheless, there is good news for you an me. Whether Steve Jobs or the content providers win, the DRM saga is heading towards a happy ending. At the end of this movie, consumers win, and that is all good.
Indeed, everyone seems to be joining the social network party. All the big guys are publicly playing catch up. Google social stream wants to unify all your networks into one (one social network to rule them all with no evil). Yahoo! is secretly working on something too. Meanwhile, Microsoft seems to be ready to open the purse. Even Cisco has realized that social networks are a network platform and as such, are worth placing a bet on. But eh, wait. Someone is missing the party. There is no black turtleneck to be seen anywhere. There is no word of Apple when it comes to social networking.
I have never used .MAC. I always found it hard to pay for services I can get online for free. However, I did switch to Mac OS X, MacBook and iPod for pictures, video and music. Certainly, there is an iPhone in my future. But let us think different for a second. Would not it be insanely great if all these second to none applications called iPhoto, iTunes and MailViewer let me do the basic things that Flickr, Last.fm, and Facebook let me do every day?
The more I experience social networking, the more I am convinced that social networks capabilities should be part of any modern operating system. No, Apple does not need to buy Facebook. However, we, the Mac users could greatly benefit if the boys in Cupertino were to take a serious look at it. Knowing my old NeXT friends, I would not be surprised if they were not already working hard at it.
Consumers should love it. It is all about control, empowerment, consolidation, and convenience. By taking a user-centric approach where the user can consolidate and own his identity profile, social graph and activity stream, the social Web tables are turned upside down. The user now is completely in charge. Consumers regain ownership of their "content". They decide what is being shared, when and where. Privacy advocates will love it.
What I like about the idea is that it is practical. As Brad Fitzpatrick explains, there are enough APIs (FaceBook, LinkedIn...) out there to bootstrap the effort whether or not the big social network guys want to play or not.
Relying party sites could potentially become the big beneficiaries of the new identity layer and the open social Web that it enables. There is a clear business value to take advantage of this new movement because it can improve the interactivity and user experience of any network application or service. It will drive more interactions to the relying party sites and more interactions mean more business.
The idea of sharing names and passwords across the Internet is as exciting as curling tournaments. This on the other hand, carries a lot of promise. If the technical community and service providers can provide consumers with the tools to start regaining control of their distributed self, it may just work.
Where will the new identity service reside? Anywhere that's secure, reliable, and always-on: my cable set-top box? my home networked PC? Or, with a trusted service provider in the cloud? Only one thing is clear: Consumers will be the ultimate winners. Yes, social network portability is a very disruptive and exciting idea. Hang on to your seat, the revolution is being blogged.
What we need is a new demo. Jokes aside, there may lay a critical observation. Although an interesting feature, the brutal truth is that SSO is no killer app. Of course, the implications of a shared login are not to be underestimated. User convenience, increased trust and stronger security are important. Bien sur, reducing all these cool new technologies to access control is an unfair characterization. OpenID's user centric paradigm that puts consumers in charge of their identity may well be the foundation to a massive rethink of today's Internet services. As big as these ideas may be, however, no one in the industry has really been able to translate them into killer consumer services. Rarely does new technology succeed unless the experience and benefits it enables outweighs the status quo by an order of magnitude. So, If we truly aspire to mass deployment, we need to provide more value to consumers. We definitely need to go much farther than access control and attribute exchange.
]]> Maybe, it is also time to take a lesson from the Web 2.0 movement. For the most part, the true innovation of Web 2.0 has not been to create new applications. Instead, it has been to re-invent the old ones. What is the main difference between oFoto and Flicker albums, Internet Explorer and Del.icio.us bookmarks, Geocity and MySpace homepages? The difference is social interactions and the community surrounding these services as a fundamental tenet of the application. This bears the question whether identity 2.0 should be more about enabling social interactions across services. In many ways, the portability of my social graph and interactions across sites may be more attractive to consumers than the sole portability of a login name and account information. Enabling social graphs across all wide variety of Web applications strikes me as a fundamental primitive of identity management. Interestingly enough, there have been recent discussions around creating interoperability around social networks. Certainly, open standard could be essentials and VeriSign would love to foster that work within the technical community. Beside, I just cannot wait to get a new identity demo!