
May 10, 2010

Greek Heroes, Facebook and Trust

When Achilles was a baby, the oracle predicted that he would die in battle from an arrow. Thetis, Achilles' mother, who did not want her son to die, decided to dip Achilles' body into the water of a river that would make him immortal. Unfortunately, Thetis had held Achilles by the heel, which was not washed over by the magic water. Achilles grew up to be a great war hero, whose apparent invincibility had turned him into a legend. But one day, an arrow shot at him was lodged in his heel, killing him instantly.


When it comes to consumer identity, Facebook looks more and more like the Achilles of identity. Every day, it is growing more powerful and invincible. Yet, a growing stream of concerns is gradually exposing the social warrior's vulnerability to security and privacy. Nevertheless, as a website, Facebook's core usage metrics are mind-boggling:


• More than 400 million active users
• 50% of our active users log on to Facebook in any given day
• Average user has 130 friends
• People spend over 500 billion minutes per month on Facebook


However, Facebook's true ambitions may well reside beyond the confines of its own Web site. If one combines Facebook Connect (authentication++), OAuth (authorization) and the Social Graph API, it is crystal clear that Facebook's strategy is to become the identity fabric for the Internet. By turning the social network into an identity infrastructure, the Facebook APIs could enable an even larger business opportunity. By extending the Facebook business over external websites, the Social Graph APIs open the door to transactional business models such as cost-per-action advertising, eCommerce and payment. There again, when it comes to numbers, the social network hero is showing Homeric promise:


• More than 80,000 websites and devices (including iPhone and Xbox) have implemented Facebook Connect since it launched in December 2008
• More than 60 million Facebook users use Facebook Connect each month.
• Two-thirds of ComScore's US Top 100 websites and half of ComScore's Global Top 100 websites have implemented Facebook Connect.
• Sites like the Huffington Post have seen a 500% increase in Facebook referrals after implementing Facebook Connect.
• 500,000 applications have been built on Facebook and the growth of social gaming (Playdom, Zynga, Playfish, etc.) is still in its infancy.


So, what could go wrong? Where could the enemy arrow strike its fatal blow to our hero? Could it be over this security glitch that exposes our chat messages to friends? Perhaps these controversial default privacy settings that leave our identity increasingly public? Will the threat arise from a growing reputation as a corporation trying to take advantage of our personal data to 'help itself -- and its advertising and business partners'? If there is something that could stand in the way of Facebook, it is probably Facebook itself. Indeed, the growing controversy and erosion of consumer trust surrounding Facebook's privacy and security nonchalance may eventually become the Achilles' heel of the young identity giant.


Facebook is clearly an extremely innovative company and a successful platform. Of course, it must keep on running fast against the agile Twitters and the powerful Googles of the world, who are certainly eyeing with envy its privileged position as the leading Internet social platform. No doubt the investors are placing tremendous pressure on management to drive revenue growth. Nevertheless, Facebook needs to slow down and consider the long-term implications of being the de facto custodian of our digital lives. It must start fulfilling the responsibility that comes with millions of digital identities under management. Even if it is true that today's Internet generation may have fewer privacy concerns than their elders, in the long run, consumers will not allow Facebook to manage and control their identities unless they can trust the platform.


Eventually, Facebook will have to "do the right thing" for the consumers, sometimes in spite of their ignorance of digital risks, and surely, despite a business model that encourages Facebook to look the other way when it comes to privacy and security. Yes, the Achilles' heel is very real, it is being exposed every week in the press, and the temptation is growing for privacy zealots and regulators who are assiduously watching the missteps. Good common business sense aside, it is time for Facebook to take responsibility and leadership for the immense security, privacy and trust challenges that our digital identities require. Maybe it is even time for the social network to start promoting elements of security, privacy and trust within its core platform.

February 23, 2010

Rethinking Internet Trust and Reputation

Today, we are launching the VeriSign Trust Seal, a new service for small and medium businesses with an online presence. It is a big day for everyone at VeriSign who has been working really hard on the new service the last 15 months. It is always a thrill to release a new product. It is even more exciting when there is a compelling and long term vision behind the initial release of a new Internet service.

Setting the standard for website trust
The goal behind this new trust service is as simple as it is lofty. Is it possible to create a blueprint for trust on the Internet? Can we increase safety and trust on the web by raising the bar of security best practices? Can we communicate trust in such a simple visual way that any consumer would understand? Can we promote trust between consumers and websites as an engine for economic growth?


Trust brokering as a network service

From the late 13th century Italian Renaissance to the early 21st century global economy, trust has always been a fundamental tenet in the development of commerce and trade. In a world that is increasingly leveraging the web as a channel for customer acquisition, transaction and fulfillment, trust brokering is a critical yet missing network primitive. For enterprises to embrace SaaS applications, suppliers to join Internet marketplaces or consumers to select businesses on the web, the network needs trust brokering services that can certify and assert trust among parties with little prior knowledge of each other.


A pragmatic starting point for website trust
Web site trust is a multi-faceted problem. Authenticity, security, reliability, assurance, privacy and reputation are all important dimensions to ensuring trust. Therefore, setting the initial bar for Web trust is a significant challenge. Set the bar too low and the lack of substance in the attestation of trust makes it irrelevant to consumers. Set the bar too high and the economic barrier to entry makes the standard irrelevant for websites. Unless a pragmatic balance is achieved, the end goal of a complete standard for trust can never be achieved. Trust Seal is VeriSign's initial step to providing an end-to-end solution to this challenge. We hope to have achieved such an initial balance of pragmatic relevance, so that we can continuously raise the bar for trust on the Web in the years to come. So, on February 24th 2010, what does it mean for a website to be VeriSign trusted?


Authenticity with business authentication
First, it means that we have verified that the web site is authentic. Basically, we verify that the website is really who they say they are. We call this process business authentication. We make sure that the business owner owns the domain name and that the business is a legitimate business. Because bad guys can easily hide behind the façade of a professional web site, this is a very important step to establishing Web trust. By verifying the true identity of the website and the business behind it, accountability can be achieved. This is similar to what certificate authorities (the good ones) do when they validate an organization before issuing an SSL certificate for e-commerce. What we have done is extend a fundamental principle for trust in e-commerce to any Web domain, to any web site on the World Wide Web.


Safety with malware detection in the cloud
The second check is to evaluate how safe it is for a consumer to visit the website. We contemplated many different approaches. However, the last two years have taught us that the most dangerous thing that can happen to consumers on the Web is to be infected with malware. For that reason, we decided to tackle this significant safety issue of web malware first. The new VeriSign trust seal is dependent on a successful drive-by download malware scan. Each website is scanned daily. The seal display is automatically turned off when malware is detected. Remediation instructions are provided to the website to remove identified exploits.



Trust Signaling for the Web

consumers, we are reducing the trust signal to its simplest expression. The seal displayed on the site's web pages attests that the site is authentic and safe. This is where the VeriSign heritage comes into play. Millions of consumers are already familiar with the VeriSign Secured seal for SSL. We are maintaining the brand, but extending the scope and meaning of our trust mark. The VeriSign seal becomes a simple yet powerful visual cue for consumers to assess whether a website meets transparent criteria for authenticity and safety. Trust marks for e-commerce web sites are not new. However, we believe that any commercial website, whether a transactional, non-transactional or social Web outlet of a small or medium business, could greatly benefit from trust marks moving forward.


Beyond the web site: trust signaling in search and directories
In the long run, trust and reputation assessment should become part of the discovery process of online businesses. Popularity and page ranks are one dimension of search. How much a site can be trusted ("trust rank") is an important measure as well. In fact, in the last years, safe search has emerged as an important feature for search engines and end-point security clients. Both have already integrated features to detect, signal and block websites infected with drive-by malware. "White lists" of trusted sites should prove an important complement to black lists for search and navigation. Therefore, we have been working to integrate the new seal as a trust indicator in search and directory services (more on that in a future post).



As you can see, the VeriSign Trust Seal encompasses many new features and the roadmap should keep the product and development teams busy for a while. We are thrilled to tackle one of the most critical and challenging Internet issues. So, give the new service a test run and let us know what you think.

March 17, 2008

The Business of Identity

With the increasing visibility of OpenID, VeriSign often gets invited to conferences to discuss the implications of this new technology. One of the questions that I often get from the audience borrows a line from Jerry Maguire: "When technology is based on IP-free open standards, how do identity vendors and service providers make ends meet?" In other words: "Show me the money!" It is a broad question, so I thought I would get on the record to describe a few of the popular business theories around OpenID and discuss their respective merit.


The IDM Software Business Model:

The first answer is to observe that OpenID is a federation protocol and as such, it fits well within an identity management suite (very much like SAML, or WS-*). Vendors in that space are well known: CA, HP, IBM, Microsoft, Oracle, Sun, etc. IDM vendors derive revenue by licensing their identity management software to large enterprises. Single-Sign-On across enterprise applications still remains an unsolved problem within many enterprises. Because it is lightweight, OpenID carries the promise of simpler integration across many internal Web applications (enterprise portal, SAP, Oracle Web apps, etc.), making it an attractive IDM solution component and a must-have for most IDM software vendors.


The Service Aggregator Business Model:

OpenID is especially well suited for managing identities across consumer services. So, the natural early adopters will be consumer service aggregators, such as Mobile Network Operators and MSOs. Indeed, these companies view their millions of subscribers as an untapped strategic asset. The ability to leverage OpenID to more easily up-sell and cross-sell subscribers across a growing portfolio of services and channels (wireless, broadband and TV) has strong business appeal. In other words, federating within the walled garden makes good business sense: one unified identity, one converged brand experience, one view of the customer and the ability to subscribe existing customers across new services in one single click, whilst charging them on one single bill.


The Security Business Model:

As a consumer, if you have one consolidated identity for use across many Web services, you are more likely to want to protect that unique identity. It is also easier to do so, since only the identity provider needs to deal with the complexity of any additional security technology. In a shared identity ecosystem, security solutions such as strong authentication become more cost-effective since the price of securing identities can now be shared across all the relying parties. In other words, economies of scale can be realized. This is exactly the VeriSign identity protection model that we introduced in early 2006. At that time, OpenID did not exist, so the chances of sharing a complete identity were pretty slim. Therefore, we decided to adopt a simpler sharing model where only the security (the second authentication factor) is shared across sites. Authentication services such as VIP are a good fit for OpenID as they make it relatively easy to turn any IDP into a strong IDP. Besides, while accepting a name and a password from a third party may not provide much additional value over a self-issued name and password, the idea that an identity provider will provide a more secure and stronger identity could well be a compelling value proposition for sites to start accepting OpenID as relying parties.


The Insurance Policy Model:

Building on the idea that what makes a third party worth accepting as an identity provider is a stronger identity, we arrive at the identity assurance model. In that model, the identity provider becomes a risk underwriter. Basically, the IDP "insures" the relying party on the validity and knowledge that it has about a given identity. The identity risk profile allows the IDP to make some explicit guarantees (e.g. "no charge back") and be compensated for it. For example, a bank that knows a lot about a consumer's identity and purchase behavior could vouch for a consumer transaction to be trustworthy and underwrite the risk based on the consumer risk profile that it has accumulated over time.


The Lead Generation and Advertising Model:

In OpenID, everyone is focused on Single-Sign-On. The truth is that the real money-maker may be more about attribute exchange than simpler login. By attribute exchange, I mean the ability to seamlessly transmit a subscriber's registration profile and payment information in real time. In that context, I can see OpenID become an enabler for CPA-based advertising. In the CPA model, the publisher and the ad network (IDP) get paid when the user registers with the advertiser (lead acquisition) or purchases from the advertiser (impulse buy). By removing the typing, OpenID can enable a much more effective CPA model where the user only needs to log in to their identity provider to authorize a registration or a purchase. The ability to register a new customer and allow them to pay from any device within one click could prove a significant enabler for direct response advertising.


Of course, all these business models remain somewhat theoretical and unproven. However, the intuition is that there are many angles to consider when approaching OpenID from a business perspective. Interestingly, the breadth of opportunities should make the emerging standard more relevant to many leading Internet companies. This may explain the broad and growing attraction for federated identity, and OpenID in particular. That is all good news for the technology, as without business drivers, it will remain a technology construct that makes conference headlines but is ignored by business-minded leaders. That would be a shame of course, as the best ideas are the ones that can seduce consumers, technologists and those who follow the same three directives day after day: "Show me the money, show me the money, show me the money!"

October 29, 2007

From AdSense to IDSense or why Facebook may well be worth $15B.

We have all heard about it. On Wednesday, Microsoft invested $240M into Facebook, beating Google to the punch, and giving the folks on University Avenue a $15B valuation ("yes, mini-me, $15B dollars...") and a war chest large enough to start buying a few buildings even in Palo Alto.


Of course, everybody is wondering why pay so much for so little ($240M for 1.6% of the company). With revenues around $150M and 50M registered users, elementary school maths already tells a lot about Microsoft's fascination for Facebook. According to Microsoft, Facebook is worth 100 times current revenue or $300 per registered user. Such multiples would make any VC sell their mother and first born. So, let us try to understand this Ballmerian burst of generosity (or desperation depending on how you look at it).


The OS theory.


The first theory is the Operating System theory. In the last year, Facebook has been very successful attracting developers to build applications using its APIs. Facebook must therefore be the new operating system. Microsoft being the incumbent OS dominatrix, it must pay to control the new Web OS. Hmm... The theory is daring but not quite convincing. Although Facebook as a widget platform is definitely powerful, it is not the entire Web OS. Social networking is an important primitive but it is only one facet of the Web. Facebook applications are great but none of them truly measures up to Microsoft Office. So, Facebook as a programming platform is certainly part of the attraction but there has got to be more to the story.


The International theory.


The second theory is international growth. 60% of Facebook users are non-US. Since Internet growth is faster outside the US, the deal gives Microsoft a stronger position in the race for global domination over the fast growing advertising market. No doubt the foreign dimension of Facebook is strategically valuable to Redmond. Nevertheless, despite the fast growth and a 30M foreign user base, this alone cannot justify the numbers either.


The conspiracy theory.


The third theory is a conspiracy theory. All along the negotiations, Google raised the stakes to drive the price higher. Then at the last minute, they withdrew, leaving Microsoft all alone at the bidding table with an insanely high bid. I know that the guys at Google are smart but this sounds more like a James Bond movie than corporate development to me. It is clear Google was at the bargaining table. It is likely that they bargained hard, forcing Microsoft to move aggressively. However, I have to believe that it takes more than such a simple trap for Mr Ballmer to sign such a large check.


Ok, so what is it? Clearly, it must be about advertising. Advertising is a soon to be $80B market. It is one of the few markets large enough to move the Microsoft needle. This is also the oxygen tank of Microsoft's #1 rival, Google. In plain English, advertising is a highly strategic market to Microsoft. You don't win strategically by being cheap, especially when you are the underdog.


Think AdSense 2.0 and Facebook deportalization.


Microsoft views Facebook as an advertising platform, the asset that can help Redmond make up for the time lost to Google in search. An interesting fact about Facebook is that they know a lot about their users. With Facebook, folks like you and me expose their complete profile well beyond ZAG (Zip code, Age and Gender). Many reveal their personal interests by joining specific groups and registering for special events. So, Facebook has deep segmentation and behavioral information about consumers. Such consumer intelligence should allow them to do more precise ad targeting. In turn, relevant targeting should allow them to command a premium in advertising rates.


How does it compare to Google? Google draws advertising relevance from queries and hyperlink rank. In fact, Google is the undisputed king of the hill when it comes to contextual advertising. However, outside of search, contextual match may not always provide the most effective targeting. In many ways, demographic and behavioral targeting may prove more effective when it comes to videos and the long tail of content available on the internet. Behavioral targeting is where the advertising balance of power could eventually shift, creating a chink in the Google armor. That chink alone may well be worth $15 billion to Microsoft.


Interestingly, social networking sites such as Facebook may not be the best place to advertise. The rumor is that Google AdSense has led to abysmal click-through on MySpace. After all, when interacting with friends, one has little attention span for ads. So, maybe the true leverage of Facebook is to evolve it into an advertising network for relying party sites such as MSN. After the Facebook application platform would come the Facebook advertising platform: a behavioral and social ad network to drive improved monetization outside of Facebook.


Today, AdSense is the only real game in town and a significant driver of revenue growth for Google. With 245M of new R&D dollars, fueled by identity intelligence, but respectful of user privacy and trust, Facebook may well hold enough assets in hand to become the alternative ad platform. IDSense anyone? Easier said than done of course, but at least, this perspective sounds like a worthwhile $15 billion bet to me.

September 28, 2007

To DRM or not to DRM, that is the question.

Digital Rights Management is like Aesop's tongue. It can be the worst or the best of all things depending on who you ask. For consumers, it is often a synonym for big brother, second-rate product experience and content usage restriction. For big music labels and movie studios, it is their best insurance policy against content piracy on the Internet, a distribution medium that fascinates and scares them at the same time.


A few months ago, Apple's Steve Jobs published his "Thoughts on Music" advocating the need for a DRM-free world. The letter was accompanied by the release of iTunes Plus, which provides DRM-free EMI content to iTunes users. Of course, skeptics may find Steve Jobs's new credo too convenient. Indeed, these new thoughts appear to coincide with increasing scrutiny from European regulators, who worry about the proprietary nature of FairPlay, Apple's homegrown DRM technology. iPod users, however, already know that there are insanely greater reasons to stick to Apple music products than Apple's DRM lock on their tunes. Skepticism aside, Apple makes the compelling argument that music should be DRM-free, arguing that consumers want DRM-free content as it simplifies and improves their user experience. Better user experience will drive more sales of digital content online, which should also be good news for the content owners, says Apple. Judging by the number of DRM-free MP3s on my iPod and the constantly growing amount of traffic on BitTorrent, Steve Jobs may well have a point.


Although EMI has added strength to the argument, there are clear indications that the big content owners are about to throw the DRM baby with the digital content bath water (especially when it comes to video). However, DRM has made the digital content experience awkward at best. The competition between DRM systems and the lack of consistency in usage policy has led to a world of silos and content non-interoperability. This needs to be fixed or DRM will inevitably join the ranks of the powerful but extinct technology dinosaurs. Labels and studios are fully aware of the stakes. To that end, in 2004, they created the CORAL consortium. CORAL's mission was to provide interoperability between competing DRM solutions. The vision behind CORAL is powerful. It aims at re-creating the simplicity and elegance of the DVD model online. DVDs make rights management invisible to the consumer's eye. One can buy a DVD from any store. DVD usage policies are simple and identical everywhere. One can run a DVD on any player from any manufacturer. It is simple and it just works. Yet, DVD content is not unprotected, proving that rights management technology does not necessarily rhyme with bad user experience. CORAL has the right vision. Unfortunately, so far, it may have lacked the sense of focus and execution that has made the folks in Cupertino famous. But who knows, more often than not, the second time may be the charm.


So DRM or not DRM? The prophecy is relatively straightforward. Content providers have one more shot at fixing the ecosystem by creating an open marketplace for digital content. This marketplace should create interoperability across devices and retail stores. Short of that, DRM will eventually disappear. The DVD has shown that a consistent format, DRM model and usage policy can lead to a second-to-none user experience. There is still plenty of time to replicate the DVD model online. But it requires collaboration and coordination across the main industry stakeholders. In any case, the time has come to rethink the way digital content gets distributed online. Of course, it is not clear what formula will eventually triumph in the marketplace. Nevertheless, there is good news for you and me. Whether Steve Jobs or the content providers win, the DRM saga is heading towards a happy ending. At the end of this movie, consumers win, and that is all good.


August 27, 2007

Towards user-centric advertising?

Last week, the Wall Street Journal posted an interesting article. According to WSJ, Facebook is working on an advertising system that leverages the massive amount of information that people reveal about themselves on the site. The intent is clear: drive higher monetization of Facebook advertising real-estate. But could there be a bigger idea there? Can identity and real-time consumer intelligence do for social networks and identity providers what search and page ranks did for Google: drive ad relevance and become a formidable monetization engine for identity platforms?

Of course, this is not quite a new idea. Targeting ads based on location and demography has always been part of the ad network bag of tricks. Today, behavioral ad networks use cookies to track our navigation events and derive a consumer profile that can be used to target ads across sites and web sessions. Google is also doing some of that with Gmail, although many folks are worried that reading their email to target advertising is as close to doing evil as California sparkling white wine is to French champagne.

Nevertheless, it is clear that none of the guessing can be as accurate as what consumers are genuinely willing to reveal about themselves. Of course, this is precisely what most of us do on Facebook: publicly share personal information and interests. So, yes! Social communities are different animals in the sense that users are predisposed to talk about themselves and reveal a lot. But, no! That does not mean that these users consent to let that information be used to drive more targeted advertising.

As a matter of fact, a study from Forrester indicates that only a third of us would welcome personalized ads. The probable truth is that many consumers may find the approach way too spooky and a dangerous intrusion on their privacy. Eh! I sure would. So, this means that Facebook and others need to be extra careful before crossing the Rubicon of personalized advertising. Of course, if you are a marketer, 30% is not a rounding error. Consumer intelligence can be a significant business asset. Therefore, the evil temptation will be there.

So, can it work? I think so, but only under one fundamental and very strict principle: let the user decide, let the user opt in, let the user be in control. That is where Facebook and everyone else need to borrow a page from "user-centric" identity management and OpenID. The user needs to be making the decision. In other words, the trick is to motivate consumers to opt into personalized ads. Transparency is key. Service providers should explain that only non-identifiable information is being used. Then, they should pause and take a hard look at answering the mother of all questions: what is in it for the user?

If users are in control, then identity intelligence sharing can become a monetization engine. On the Internet, the exchange of name and password has very little business value, which is why we still live in a world of identity silos despite the technological coolness of OpenID and the like. Finally, a business model to share identities. Yet, this is a double-edged sword. There is a long divide between consumer trust and ad personalization. In the end, consumers will have to decide whether any profile information is worth sharing with marketers. Facebook and the future identity providers cannot be self-serving. Their community must agree to it and it must benefit the community. Otherwise, that same community is likely to revolt. Once again, the answer is simple: make it worth the user's while. Welcome to the user-centric Internet!


Disclaimer: Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of VeriSign.