The DataPortability Project

Data Portability Wars : Google and Facebook vs. YOU

Steve Repetti — Tue, 05 Jul 2011 15:22:42 +0000

Well, here we go again.

The big companies love to embrace data portability and the freedom it provides its users, not to mention the press and goodwill that comes with it, as long as it doesn’t conflict with their corporate agenda.

Let’s call it what it is: Facebook and Google both support “convenient” data portability — at all times convenient for them, *sometimes* convenient for you.

Google and Facebook have both flirted with data portability and it was generally taken as a good sign when both hired leading open source/data portability advocates (Chris Messina and David Recordon respectively). Facebook’s APIs and social graph integration, as well as Google’s Takeout initiative, have been shining examples of the net result of this effort.

Still, despite these advances, both companies continue to “play” with your data – to your detriment. Back in February, Google removed an existing feature from its Android mobile phone operating system specifically to make it more difficult for users to integrate their Facebook contacts (Nexus S losing Facebook contacts sync as Google tightens data policy).

The latest salvo in this escalating war occurred while the US celebrated its Independence day holiday weekend: Facebook disabled a critical feature used to export your friends data (Facebook blocks Google Chrome extension for exporting friends). This appears to be a direct response to Google’s recent moves further into social networking: Google+ (Facebook blocks friend export tool in Google+ snub ).

The reality is that we gave both companies the right to monkey with our data. We accepted their terms of service when we joined their services and we continually agree when they make changes – for better or worse. And, while a few have left in protest, it is not practical to expect much more.

Let’s call it what it is: Facebook and Google both support “convenient” data portability — at all times convenient for them, *sometimes* convenient for you. And maybe that’s ok. After all, they are commercial enterprises answerable to boards and shareholders and subject to their leadership within.

I get it. Information is an asset, and why would anyone fiscally responsible intentionally dilute or give away an asset?

And therein is the conflict. Us versus them, my data versus their monetization of it.

I hereby challenge Google, Facebook, and all other interested parties to sit down at a DATA PORTABILITY SUMMIT and figure it out together.

This is complicated stuff. If Google and Facebook truly want to be the global purveyors of information that they purport to be, they’ll figure it out – or leave opportunity for the next company to come along and get it right. But the first thing they need to understand is that they cannot do it alone. When crafting global policy regarding user’s data they must include the user, otherwise they are simply more walled-gardens of varying heights.

So, before this thing spirals any further, let’s talk about it.

As Chairman of the International non-profit Data Portability organization, I hereby challenge Google, Facebook, and all other interested parties to sit down at a DATA PORTABILITY SUMMIT and figure it out together. Name the place, name the time – or your users will. Now is your chance to truly show leadership on a global scale. But know this: that coveted asset of information you possess exists solely because of your users. It’s ok to be capitalistic, and its good not to be evil, but it’s time to make data portability convenient for us all.

Interested in the DATA PORTABILITY SUMMIT? Let me know: steve@radwebtech.com

Steve Repetti
Chairman, DataPortability.org

Merc: Battle brewing over control of personal data online

Phil Wolff — Thu, 30 Jun 2011 16:14:56 +0000

Mike Swift writes up the personal data space as a contest between individuals and large corporations. Swift interviewed Kaliya Hamlin of the Personal Data Ecosystem Consortium and PDEC members Reputation.com, Personal, and Singly. The Consortium doesn’t approach the challenge as a direct conflict. They see a realignment of behavior by people and enterprises producing new economic value for both, weaving a third way that creates, respects, and enforces personal control over personal data.

These startups are finding their own way into the data portability and control challenges. Singly’s Locker Project is an open source personal data store, a place to hold your data on your own PC or server and put that data to use. Reputation.com offers a service to find and shape your publicly visible data across the web. Personal gives you tools share your life’s details, opinions and experiences with just those people you trust.

The Merc didn’t interview the large companies, NGOs and government agencies holding data about billions of people. While many of those enterprises have management champions for personal control, portability principles and business models don’t dominate their executive suites. Helping them find their way is another challenge.

Google Unleashes New Data Portability Initiative: Google Takeout

Steve Repetti — Tue, 28 Jun 2011 20:50:33 +0000

Google today unveiled a new service that provides advanced Data Portability across its diverse platform. Google Takeout (http://www.google.com/takeout) makes it easy to extract your data from a variety of Google Services including: Buzz, Contact and Circles, Picasa Web Albums, and Profile. The information is provided in a variety of formats, including vCard and JSON (JavaScript Object Notation), and can be quickly downloaded onto your local computer.

In many ways this is not unlike the Data Portability initiatives over at Facebook, and it is certainly a welcome addition to the Google universe. And now that Google is moving more into the social networking space with its just announced Google+ project (http://plus.google.com), the value of Google’s Data Portability efforts to its end-users will likely substantially increase.

Data Portability Applauds US CIO, Mourns Departure

Steve Repetti — Fri, 17 Jun 2011 02:17:02 +0000

Today, friends of Data Portability lost an ally in their cause when the Federal CIO, Vivek Kundra, announced he will be leaving his post in August. Mr. Kundra was the first-ever Chief Information Officer of the United States. During his tenure, Mr. Kundra championed the use of open standards, cloud computing, accessibility, and data portability through a variety of initiatives but lately saw his budgets slashed almost to the point of ineffectiveness. The irony of this is that his cost-saving initiatives netted the Government billions in savings, yet he was unable to save his own projects.

We are at a time when information is instantaneous and permeates every aspect of our lives. Data portability, privacy, and accessibility are the heart of the matter and leadership in this area is game changing on a global scale. If we screw this up we become second fiddle to those that do get it. Mr. Kundra was on the right path, and we at the Data Portability organization applaud his efforts as he re-enters the private sector. We wish him well at his new post at Harvard and hope his voice and passion never lose their strength.

Through this all, our Federal Government and politicians would do well to reassess the importance of the initiatives brought forth by real-world need and championed by Mr. Kundra, for failure to do so will be the real loss felt by the people and businesses of this country.

–Steve Repetti, Chairman, DataPortability.org

IIW12: An NSTIC Project Risk Analysis

Phil Wolff — Thu, 12 May 2011 18:04:31 +0000

At last week’s Internet Identity Workshop in Mountain View, California, I led a brainstorming session to identify risks to the success of the new National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced “EN-stick”). The strategy is to encourage many non-government organizations to provide digital identity and personal data services in a way that meets the needs of individuals, identity providers and those who rely on digital identity. What could go wrong with a project like this? What can be done to avoid these threats and risks? To mitigate them when they show up? Meeting notes…

Risks

Lack of adoption. NSTIC relies on the private sector to invest and build identity infrastructure. There’s a real chance that this could happen slowly or unevenly. We’ve seen great technologies wither when they don’t reach critical mass.

Impatience for learning curve. We learn by doing and we learn more from problems and failures. NSTIC as a whole could be unfairly discredited after some projects or products fail for technical or business reasons.

Usability failures. Great products fail on even minor user experience defects. We know very little about what great user experience looks like for this next generation of personal data control.

Interop failures. Systems that should work together in theory may not in practice. Sometimes this is technical philosophy, ego, fuzzy specs, culture gaps, or regulatory differences, and local optimization.

Overscope. We’ve all seen protocols that work at first, become burdened as new features pile on, and lose their clarity and momentum as a result.

Phishing and Malware ($). We know that bad actors will follow the money, as they have from email to search to social media. Stakeholders could lose faith and abandon trust frameworks.

Perversion of principles ($). NSTIC lists core principles. Those principles will be eroded, if not attacked, unless monitored and defended.

Overpromising (by Tech to Policy). Silicon Valley has a tendency to tell Washington that technology offers silver bullets to huge problems.

Dystopian fear. Maybe your government really is out to get you, but dark overwhelming fears could slow or stop the project.

Waiting for winners. One strategy for risk is to wait for a handful of leaders to emerge before joining. This stifles investment, experimentation, and deep learning. The ecosystem needs pioneers and early adopters before winners can emerge.

Regulatory blocks. National and local laws and regulations may interfere with the ability of the ecosystem to grow. Privacy laws, liability, and antitrust rules could stall engineering, investment and adoption.

Uncertainty over liability. However the ecosystem works out liability, uncertainty about the resolution threatens investment.

Short attention span. This is not a weekend project. Will the ecosystem persist until it becomes mainstream?

Hype cycle. Many technologies don’t survive the hype cycle’s peak of inflated expectations or the trough of disillusionment.

Chicken vs. Egg. The system needs governance, startups, large corporate and government users, and the public to buy in. Nobody wants to jump in first.

Prevention and Mitigation Actions

Highlight small successes. We should celebrate small, incremental successes more than big-bang moments. Don’t oversell or overpromise.

Industry Marketing and PR. The ecosystem needs its own media and voice to respond to concerns, to put forth a common vision, to reach out to newbies and decision makers, to evangelize the benefits of the approach.

Share community UX experience. We could plan and pool knowledge and experiments as a community of practice. Where a Google might not be able to try different login UIs , variation being perceived as phishing, smaller companies can experiment and share results, leading to convergence and adoption.

Cultivate Engineering Focus. Keeping designers and engineers focused on current release cycles helps a developer community avoid feature creep and intriguing digressions.

Foster Interop Testing. Other industries develop standards for testing interop, hold interop workshops and set up backchannels for feedback. We just need a convening body to coordinate tests.

Formulate, publish and update a Clear/Graded Roadmap. Short term plans with long term visions. Plans to reach specific business and technology milestones. Long term visions for where those protocols and practices should go. Clearly communicated and widely agreed upon so the industry avoids forking, surprises, and hype.

Industry association outreach. The NSTIC strategy depends on achieving a critical mass of adoption within various communities. Many are represented by industry associations or professional organizations. Outreach services could provide education, evangelism, engagement and help with rough spots in adoption.

Recruit legacy identity authentication communities. NSTIC is not the first attempt to solve these problems. A look at NIST SP 800-63 shows existing identity and security standards have communities of their own, including tens of thousands of implementers. Outreach can smooth the way for education and adoption.

Security Council. It’s not too early to start a security conversation within the NSTIC ecosystem. At a minimum, we could start a working group to prepare for the first wave of phishing and identity theft.

Government Affairs. Governments are huge stakeholders in NSTIC. Not just US federal government agencies but US state and local governments. There is every reason to expect this program to be transnational so governments around the world are also stakeholders. They will want to understand the policy implications of the rapidly changing technologies, and the effect rules, regulations, directives and laws will have on the ecosystem. Effective communication and advocacy on behalf of the industry, especially for the many small startups and the interests of individuals who lack a voice, could keep government perspectives and actions cordial and supportive.

OIX Risk Wiki. OIX has an active security thread on its wiki.

Risk, Response, and Community

So this suggests three roles for an NSTIC consortium: Communicate, Convene, and Community.

Many of these responses involve marketing communication functions on behalf of the community’s stakeholders. As listed above, industry marketing and public relations, government affairs, highlighting small accomplishments, publishing a roadmap, are the kinds of things a consortium can do well. Speakers bureau, anyone?

Similarly, bringing people together to talk and work is another role for an NSTIC consortium. We can serve some of our outreach goals by inviting people and organizations to join in projects and conversations. For example we could invite identity providers and relying parties to interop workshops. We might host security roundtables and mailing lists.

Last, today’s identity ecosystem doesn’t have a real voice for individuals, a way for people to talk about this topic. A consortium might offer community services to help people talk to each other, with the industry, and with other stakeholders.

The “Death to NSTIC!” motto, all in fun, reminds us bad things happen and preparedness is part of planning.

I want to thank the IIW folks who crowded into room E for their work, as reported here. I also want to thank the Identity Commons for creating an environment where IIW can emerge.

Tuesday’s DataPortability session at IIW12

Phil Wolff — Wed, 04 May 2011 23:56:13 +0000

We took a stab at rewriting the ten Portability Policy questions as user demands, behavior we want.

The list so far.

Document your APIs and data formats.
Support existing identities.
Support referencing to authoritative data in a location of my choosing. (include by reference)
Support auto-updating from authoritative data in a location of my choosing. (pull)
Support auto-updating to authoritative data in a location of my choosing. (push and notify)
Support foreign updates on my behalf. (accept writes)
Support ability to retrieve all data provided by user.

Support ability to retrieve all data created from that data.

Support for retrieval of public data.
Support for closing account and deletion of all my data.
List all locations where you store my data.
List all locations where all entities store my data.

Some of the conversation…

The list of demands seems incomplete. For example, we haven’t discussed transitive data portability duties (a service’s partners’ partners’ partners’ duties). We haven’t asked for disclosures when portability services fail.

Degrees of portability, from "none" to "lots".

We want the demands to be technology/solution neutral.

Scope – what data is covered – is complex and probably needs its own section or clause. Doc Searls’s "kinds of data" is a model for this. Data I create by typing or other explicit action. Data I co-create with a site/service/app by my behavior (like click streams). Data I co-create with other users like conversations. Data derived by a service from the other data.

We should consider situations where data is never "stored," always in flight.

Time permitting, we’ll have another session tomorrow.

World Economic Forum starts work on Data Portability

Phil Wolff — Fri, 29 Apr 2011 14:42:24 +0000

When titans of industry and state meet, worlds can change. The World Economic Forum launched a three year “Rethinking Personal Data” project, including data portability. Their first report, Personal Data: The Emergence of a New Asset Class, shows their direction.

A new asset class? That’s a telling use of language. Investopedia refers to securities with “similar characteristics, behave similarly in the marketplace, and are subject to the same laws and regulations.” Stocks, bonds, cash, real estate, and intellectual property are common asset classes. Some managerial accountants defined human capital as a new asset class.

Securities and IP go back hundreds of years. As a new asset class, personal data will have its own characteristics and market behavior, its own laws and regulations. We’ve barely mapped this new landscape. U.S. law doesn’t even recognize a theory of rights associated with personal data. So there is a great deal of work ahead. Some of that is ours, at the DataPortability Project. It falls to the DPP to crisply define data portability’s purpose, why it matters, how it fits into lives lived digitally. That’s some of our work at next week’s Internet Identity Workshop in Mountain View. [Skype me if you’d like an IIW discount code.]

Speed matters. A look at the chart below, from Bain, shows a rush to capitalize on billion dollar markets in data.

If we don’t embed data portability values and vision into the new identity and personal data infrastructure, it could take decades to achieve our goals.

So read WEF’s first report, below the fold. See where their thinking is now. And ask: where can we amplify their commitment to personal data portability?

WEF ITTC Personal Data New Asset Report 2011

#portability4trust: How we will bring data portability to trust frameworks this quarter.

Phil Wolff — Mon, 25 Apr 2011 18:08:59 +0000

Dial or Skype details for this Wednesday’s Conference Call to start before IIW.

Here’s how you can bring the ideas in our data portability policy to hundreds of millions of people. I’ll need your help in May and June to start. In short: build portability principles into boilerplate identity contracts.

What’s a trust framework?

Trust frameworks are the many contracts that say how all the parties who move your personal data should behave.

For example, there are contracts between you and organizations that hold and use your data. These can be a Facebook, a bank, a hospital, a phone company, a government agency, a school or a library. These organizations help you use your identity with them, like your Facebook ID, to prove who you are to third-parties.

Trust frameworks describe the contracts between you and each identity provider, between the identity provider and the relying parties who receive and change your data. Trust frameworks improve clarity and accountability and lower the cost and effort of sharing data well and safely.

These are the legal and policy counterparts to the technical protocols like OAuth used to sign you in among web sites and to move your data. There are a few trust frameworks live and more on the way. The contracts promise things like keeping your data safe or asking for permission before selling your data.

I believe they should include data portability practices among the promises made to users.

Why now?

NSTIC is an international program to encourage everyone to build and use trust frameworks. NSTIC is short for the National Strategy for Trusted Identity in Cyberspace. Here is the full text of the NSTIC strategy document. Last week the White House moved the NSTIC project office to the US Department of Commerce’s NIST, the National Institute of Standards and Technology. Corporate, startup and NGO interest are high.

The World Economic Forum launched a three year “Rethinking Personal Data” project, including data portability. Their first report, Personal Data: The Emergence of a New Asset Class, shows their directions.

The Personal Data Ecosystem Consortium is picking up members, traction, and launching three programs over the next few weeks.

What can we do as the DataPortability Project?

We can give organizations building trust frameworks the raw material they need to define data portability in practice and in enforceable contracts. They are writing standard language for millions of contracts right now.

Data Portability Trust Framework Documents

Teams building trust frameworks with data portability need our Project to draft, validate, refine, and publish these seven documents.

A portability principles manifesto. Listing the principles of data portability and why they matter.
A portability policy pledge. A short, direct promise to support the data portability principles.
A portability policy template. Like the questions found at PortabilityPolicy.org, a structured way to assure all data portability principles are addressed and disclosed, whether they are supported or not.
A portability policy minimum disclosure. Describe the least amount of disclosure required by a trust framework.
A portability policy minimum practice. Describe required data portability practices. This is prescriptive.
A portability policy recommended practice. Describe portability practices above and beyond the required. With time and support of the trust framework’s organization, recommended practices may become required.
A portability glossary. Defining our terms.

Some of these documents should and can be in simple, plain language. For example the manifesto should explain data portability persuasively.

Others should be sufficiently specific that a third-party could verify portability claims in practice. So if you say you delete all a user’s data on request, the minimum practice lists how that would be proved.

We’ll version these documents and bring them through stages of maturity, from proposed to draft to final, or a similar approach. This way everyone knows exactly what they sign up for.

The next 30 days.

Now through June. Project volunteers will write and edit the documents.

27 April. I’ll host a Portability for Trust Frameworks conference call Wednesday to get things started.

11:00 AM Pacific, 2:00 PM Eastern, 7:00 PM London, 20:00 Berlin, other local times.
In the USA: +1-201-793-9022, access code 1719146#.
Toll free via Skype:+9900827041719146.
Skype IM backchannel: http://tinyurl.com/dpptrust.
We will have weekly conference calls where they don’t conflict with other events.

3-5 May. The Internet Identity Workshop (IIW12). We will have data portability working sessions to scope, write, edit, and test the documents. See you there.

10-13 May. European Identity Conference. Munich. Not yet scheduled, but we’re hoping for a birds-of-a-feather session to discuss this work and recruit EU contributors. More than five hours of this EIC are on trust frameworks.

11-13 May. Telco 2 and Personal Data 5. London. I hope some of the Personal Data unconference attendees will schedule a working session on day three.

19-21 May. Privacy, Identity, Innovation 2011 conference (PII), with PrivacyCamp on Saturday. We’ll have working sessions during PrivacyCamp. Silicon Valley.

What you should do now.

Put time on your calendar for our events and conference calls. (5 minutes)
Join our low volume Google group (2 minutes).

Subscribe to "Data Portability Trust Framework"

Email:

Visit this group
Re-read the 10 Questions on PortabilityPolicy.org so you are familiar with the baseline documents. (10 minutes)
Invite fellow authors to work on this.
#Portability4Trust is our hashtag. Spread the word that we need help, please.
Cash. Some of this work will involve travel and professional services. The DataPortability Project is a 501(c)3 California charitable corporation. Underwrite our work with donations and in-kind legal services.

As always, I’m available to talk in private. +1-510-316-9773, skype:evanwolf, @evanwolf. – Phil Wolff.

A draft of slides for IIW below…

#Portability4Trust – Personal Data Portability for Trust Frameworks

NYT: Companies should give usage data to customers

Phil Wolff — Mon, 25 Apr 2011 14:05:37 +0000

There’s data I create explicitly, like typing my name or dialing a phone number. Then there’s data I create as a byproduct of my using a product. Economist Richard H. Thaler writes in the New York Times that companies should share usage data with their customers. “Show Us the Data. (It’s Ours, After All.)” reads the headline.

Is it really your data? It’s about you but the company spent time and money collecting that data, defining it, refining it, aggregating it, and turning it into something useful. Maybe they use it to serve you better. Or maybe they use it to drive down their costs, keep your prices high, and fight off competitors. Companies think of the data as theirs.

The DataPortability Project put off deciding about this type of data at first. Should you have a right to data “about you” in addition to data “by you”? My gut says yes. This is co-created data, my behavior and the company’s observations.

We should both have access to it and data portability principles should apply.

What do you think?

If you can help me get my hands on my data, call me at +1-510-343-5664, Skype me, follow @dataportability and @evanwolf. Visit our steering group’s Skype backchannel, where we talk through data portability topics of the day.

P.S. Here’s an example in practice today. A person being photographed has economic and privacy rights. Professionals require model release forms before publishing photographs. The observed data, the photo, is a joint product of the artist and the subject.

Notes from the ActivityStreams lunch

Phil Wolff — Sun, 10 Apr 2011 19:53:27 +0000

The ActivityStreams group’s technical efforts to finalize a spec in time for the next OpenSocial event in May are coming along nicely. What about the other elements that make for healthy protocol adoption?

Why am I posting AS updates to the DataPortability blog?

Activity Streams reflects our data portability values, helping users have their data wherever they go online. I’m participating in the AS effort on behalf of the #DPP.

— Phil Wolff, editor

We talked about what it takes to launch the ActivityStrea.ms site. This was about a half hour of our April 1st, 2011, four-hour lunch at Chevy’s in San Francisco during the Web 2.0 Expo.

We started with design questions.

Who is our site’s customer? We tried to categorize by organization size (BigCos, startups, individuals) but this didn’t work. Roles worked better. So far we’re clustering geeks (engineers, technologists) and non-geeks (suits, product managers, designers).

Goals? What might these users want when they visit?

Fix my stream. Technical help.
Learn. How to, specs, why.
Get. SDKs, code samples, books, t-shirts.
Discuss. Specs evolution, issues, implementation.
Promote my stream. Testimonials, leaderboard.
Build tools. Extensions, validators.

Unique Selling Proposition? Why would an organization adopt activity streams? We listed five business drivers:

With AS you have fewer protocols to support. You’ll use the Facebook APIs and then ActivityStreams APIs for everything else social. Benefits: Increased simplicity, lower up-front cost, lower maintenance cost.
AS brings many data sources to your site. This increases your service’s relevance to your customers. It also lowers the time and effort to implement and to minimize the cost of keeping up to date with hundreds of partner APIs.
AS is extensible. You can publish and consume data specific to your problems and markets. This means increased reach for your content, relevance for your users, and fit-to-market for your services.
AS offers better uptake than your custom API. Your updates will be consumable by the entire ecosystem.
AS is proven. A long list of large Internet companies use AS. This lowers engineering and adoption risks for your project.

KPIs. We brainstormed "Measures of Success" for the AS project launch. We might measure:

Adoption
- Registered AS publishers/consumers
- Developers using the SDK, documentation
- Validator activity
- Millions of activities shared
- github activity
Health
- Problem backlog
Community
- Conversation

Our conversation continues on the Activity Streams mailing list.