The Gilbane Report: Volume 9, Number 10

An Alternative Model of Personal Information Management

Download a PDF version of this article

Read the news for this issue.

Industry observers would generally agree that Web commerce has the potential to dramatically change relationships between businesses and customers for the benefit of all parties. However, this change has yet to come about because Web commerce is seriously handicapped by too much "friction" in the area of customer information exchange. Sharing personal information, not just financial but any type, requires a degree of convenience, control, and trust not yet available from any of the current or would-be mechanisms. This month contributor Girish Altekar argues passionately for a better way - one that is in sync with the freedom of choice the Web is all about.

This month's issue breaks with tradition in a couple of ways. Most obviously, it will appear that we are promoting technology. In a sense we are. However, Girish's article is a call to action to adopt a model rather than a call to buy a particular product. We believe he is onto something fundamental, and that the way we share personal information in the future is going to be a lot closer to the model he proposes than any of the current alternatives. It may not be obvious exactly how we'll get there, but it will happen. We publish Girish's article to broaden the debate and encourage both critical thinking and development. The second break with tradition is that we are making this issue available at no charge at www.gilbane.com, and you are encouraged to share it with anyone. We would love to hear what you think about this!

An Alternative Model of Personal Information Management

Information Driven Commerce Applications

Commerce on the Internet is information intensive and it cannot realize its true potential until consumers can safely and securely deliver to merchants the information that needs to be exchanged for the transaction being undertaken. The models being proposed currently, Project Liberty's Federated model, or Microsoft's Passport solution or any of the myriad wallet or identity management solutions fail to deliver what the consumers truly want - the ability to deliver their information in a reusable fashion to merchants of their choice without requiring an iota of involvement from any third party whatsoever.

In this article, Internet commerce refers to all transactions in which data is exchanged between customers and merchants regardless of whether a buying/selling transaction took place. A significant fraction of tomorrow's Internet commerce will involve consumers delivering their personal information (preferences, resume, driving records, W2s) or information about their personal objects (appliances, cars, homes) in a myriad applications involving customer support, technical support, the government, product logistics (return, repair) that we have just barely begun to imagine. Solutions currently being proposed are focused on the narrow e-commerce aspects of Internet transactions and do not adequately address the needs a generalized personal information transfer mechanism that can scale linearly as new applications for consumer data emerge.

The Big Brother Models

All the models being proposed currently invite consumers to join one particular data kingdom or the other, guaranteeing safety, convenience, and a one stop shopping experience. We will argue that far from liberating the consumer, these federations, in practice if not in intent, control and restrict the choices of the consumers who join them. They do not address even the most basic questions consumers have. Will you never, never sell my data? What if I want to shop at a place that is not part of your federation? Can I store any arbitrary bit of personal information in your repository? Hmmm…, do I really feel safe enough to do this? What if you start charging me for the service tomorrow at an unacceptable price? Can I take all my data and join another kingdom? The answers to all of these questions can be answered with pleasant enough marketing-speak but at the end of the day we are left with this uncertain dread that causes us to just leave it well enough alone. What suffers is Internet commerce and that is a loss to all, businesses and consumers alike.

Apart from the credit card business, there are few federated models in the real world. Credit cards, with their elaborate authentication schemes and business policies for fraud detection and prevention, are the only example of a widely used federated system where a person's credit card is universally accepted at millions of locations worldwide. No other universal identity management solutions are in commercial use today. Wouldn't it be ever so nice to go to an insurance office and to have them say, "Oh, lets not worry about filling out these tedious forms, just tell us what you need, the rest of the data we will get from the National Insurance Repository". The benefits to consumers are obvious but there are no such organizations simply because we will never put enough trust in such a repository. We would rather fill out these forms at mortgage offices, at insurance offices, at dentists' offices and thousands of others, simply because there never has been an acceptable alternative in the physical world.

In a free marketplace of diverse, competing preferences, it is hard to see how any single model can provide the choice and the flexibility demanded by consumers. Why not pursue an alternative that recognizes this reality? While others rush to create these huge repositories and kingdoms, we propose a fundamentally different alternative for the networked world, one that is centered on a responsible individual.

The Quick Personal Information Delivery (QPID) Alternative

The Internet is a liberating, dis-intermediating medium. While the attempts of overzealous politicians and activist judges in the US, France and elsewhere to control and curtail activity on the Internet are not surprising, the sponsors are realizing, much to their dismay, that the Internet is a beast that empowers individuals. Except where the State controls the telecommunications infrastructure, individuals are quite capable of deciding for themselves who to send messages to, exchange photographs with, buy from and sell to, and in general provide their personal information.

An important implication of the Internet on business is that intermediaries whose only value rests on being able capitalize on friction created by current information exchange mechanisms will eventually be eliminated from the Internet business gene pool. To some extent we see this today in the collapse of the dotcom businesses. By fits and starts, the control over who one does business with, and how, is being handed over to the most responsible individual in the world, the consumer! So instead of succumbing to the recent hype of third party data kingdoms, why not consider a mechanism that allows consumers to structure their most personal information on their own desktops, and create a mechanism that enables them to transmit it to a web site of their choice instantly?

By enabling individuals to create easily transferable personal information databases we put users in control of their personal information and make them open for business on their terms. The idea is simple:

1. Create a large number of XML vocabularies that describe various facets of an individual's life, their habits, preferences, possessions, purchases, etc. - things that are relatively unchanging.
2. Enable users to create instances of these XML documents (we call these instances QPIDs) to encapsulate personal information regarding that aspect of their life.
3. Have them name these QPIDs appropriately (according to their own worldview) and store them in safe secure directories on their own PCs.
4. When needed, have them transmit this data in a single click to a web site of their own choice.
5. Empower web sites with the server side tools to interpret and process the user data appropriately. That's it. No software to download, nothing. The following picture shows the basic two-step process.

The process of getting users to create these QPIDs and educating them about how to use them is a non-trivial task but creates opportunities to build easy-to-use tools. There are some people for whom this solution may never be simple enough to use. After all, many people still don't use PC banking or even email! However, we will argue that for relatively more sophisticated users - read educated, wealthy, responsible and self-confident - this mechanism provides enormous value in timesavings, reuse of information, control over their own destiny, and let's not forget, choice. And of course this is a highly prized demographic for web businesses.

The applications for which this technology can be deployed are many - and we're sure there are many more we haven't thought of yet. A quick short list
includes:

Web site registration - simple personal information.

Logins - no need to create a single sign-on, create a separate login QPID for every site you frequent.

Searching for travel bargains - store your travel preferences, drop them on various travel related web sites, have them search for the best deals that match your criteria. Search for air, hotel, and car rental bargains. Makes reservations a snap. (Sure, you would have to modify this QPID each time you travel, since your travel dates and destinations change, but that is still better than typing that same info in 5 different travel sites.)

Business Dealings - drop your business card QPID on a supplier/partner web site, specifying how you wish to be contacted.

Resumes - create your structured resume once; have the job sites search for precise matches.

Product Receipts - get your store to ship you an electronic product QPID for everything you buy and use it in technical support, customer support or repair/return applications. Keep the receipt for years.

Search for insurance - auto, home, life; as many times a year as you want.

Visiting a new doctor or a dentist - simply drop a set of QPIDs to tell them all that they need to know. Why sit listening to muzac in overstuffed chairs, repeatedly filling out forms that take a half hour to fill?

Car maintenance - make an appointment with your garage, provide them all the details they need to know about your car from your car manufacturer supplied car QPID. Receive repair QPIDs that provide a record of what was done to your car, when.

QPID is the first real consumer-oriented XML application. By using the power and the flexibility of XML, it liberates the consumer from arbitrary constraints imposed when a third party is required to facilitate the transaction between a consumer and a merchant. In doing so, QPID Technology makes possible, and enhances, the data rich Internet applications of the future.

A side benefit of using QPIDs is that it could obviate the need for stored cookies. Why allow web sites to store cookies on your PC, with the attendant risk of it creating trails in some databases you don't even know about, when you can login instantly whenever you want? There are interesting implications for businesses that rely on stored cookies to tell web merchants that visitor Jill wants to go to the Caribbean this month. Keen readers will note that if Jill wants to tell the web merchant this fact, she can now do so directly.

And then there is the wireless world

If you think typing personal information into a keyboard is difficult, you can bet that doing it on a small form wireless device will not appeal to consumers much. This is not a secret, and we know lots of people are thinking about ways in which to solve this problem, including changing the nature of mobile commerce to not require such data exchange. QPIDs that can be "phoned" to a wireless device from a PC might just do the trick.

Web Merchants Benefit Too

QPIDs are, unabashedly, a tool for consumer convenience. There is no doubt that QPIDs make it easy for customers to take their business elsewhere, thus putting downward pressures on pricing and upward pressures on real differentiators such as service, support, product quality etc. However, there are positive benefits for web businesses as well. These include:

• Reducing abandonment.
• Rich, accurate, current customer data - at least to the extent the customer wishes to provide it.
• Single, consistent, clean, customer database - no mishmash of data, inconsistent views generated from multiple customer touch points.
• Eliminating privacy liabilities - QPIDs can carry in built instructions on how merchants may use the data, giving merchants the ability to adhere to their customer's wishes.
• Business processes - merchants don't have to "belong" to a merchant network possibly requiring changes in business processes to conform. There are also positive impacts on branding and data ownership.

We believe that the convenience and consumer protection provided by QPIDs will bring about a geometric increase in the number of transactions that take place on the Internet, thus lowering the costs of business and increasing efficiencies across the board. Any merchants who feel threatened by QPIDs might do well to examine their competitive advantage if it depends on the fact that it is difficult for consumers to provide their information to someone else. How sustainable is that advantage when QPIDs become slightly more widely used?

Challenges

As we said earlier, we expect that there will be a segment of the population for which the QPID technology is not the perfect solution. In fact, there are some challenges to overcome, which we describe below.

No absolute control once data is transmitted

Because the transaction is completely between the user and the merchant, there is no control on what the merchant chooses to do with the data. QPID implementations can, and should, provide a mechanism for users to modify and delete their own information; however in the end there is no absolute defense against unscrupulous merchants. Users have to make informed decisions about who they do business with. This is no different than what they do today for a vast majority of Internet transactions. We will create client side P3P engine that helps the user understand a web site's privacy policies and act accordingly, but even then this is no guarantee that the data will never be misused. If a web site misrepresents how it intends to use the data a user provides, it seems to us that this is a case of fraud and, so the ultimate solution ought to rest with the courts.

Client-side security

There are some problems with respect to restricting unauthorized access to an individual's QPIDs. While this is a generic problem with personal assets on a shared PC and not unique to QPIDs, we are currently thinking about possible solutions.

QPIDs are Unauthenticated

As there can be no validation or authentication of data provided, users can create phony profiles or send in QPIDs that contain garbage data. But this is no different from "anonymous@example.com" today.

Implementing QPID - A Call for Action

Universal use of QPIDs would be ideal, but is unrealistic in the near term. However, the benefits of QPIDs do not require universal adoption. There are many specific applications, in business and in government, that require certain users to provide some input repeatedly. Just as today, many individual industries and supply chains are reaping the benefits of their own XML initiatives while waiting for industry groups and standards bodies to complete the task of creating and organizing XML vocabularies, we expect industry specific QPIDs to be developed and deployed even as QPIDs gain widespread acceptance. QPID Inc. is currently applying QPID technology to selected industry applications.

Large-scale acceptance will require influential organizations, businesses and consortiums, to agree upon standards and processes. It will also require consumers to demand their right to control their own personal information. The first step is to ensure that consumers know it is possible.

Whether you are a company doing business on the Web that wants a better relationship with your customers and more accurate data, a consumer concerned about control of your personal information and interested in a more convenient and friendly web experience, or a consortium or standards body looking to facilitate web business for your constituency, you need to be involved in QPID adoption. Visit us at www.qpid-central.com to learn more about QPIDs, and join us to make the Web a better experience for everyone.

Summary

Consumers want the ability to reuse their personal information, easily and rapidly. We believe that they are quite able to judge for themselves who they want to do business with, and the amount and the quality of information they wish to share. We also believe that they have the confidence they can adequately protect access to this information, as they currently do their financial information, on their own PCs.

The difference between QPIDs and the other models is simple - QPIDs lower barriers for consumers, and these other approaches raise them. QPIDs are consistent with the philosophy and spirit of the Internet, with free markets, and with individual freedom of choice. Why should you settle for anything less?

-- Girish Altekar
girish@deepcoolclear.com

Disclosure: Frank Gilbane is a strategic advisor to QPID, Inc., a company building solu-tions based on the model being proposed in this article.