Can We Learn from Facebook’s Privacy Model?

Posted on December 1st, 2010 | Categories: privacy, social media

If you search online for “Facebook privacy policy” you will get endless links to articles criticizing Facebook’s light approach to privacy. You can even find a chart showing how default settings have grown since 2005 to reveal almost all your personal details to friends, friends of friends, all Facebook users and even to the public Internet.

But it seems that critics have failed to identify Facebook’s innovative approach to privacy transparency, at least when it comes to third-party applications. It is an approach that, I believe, should be adopted as the basis for a standard.

Get serious, we don’t read these

If you’ve installed programs on your computer, you probably clicked the accept checkbox many times without ever reading the End-User License Agreement (EULA). Well, at least if you are like me.

EULA

EULA screens, which usually appear as one of the first screens in the installation process, are the standard way of presenting users with programs’ terms and conditions. According to an online survey published in 2009, only 2% (of 1987 participants) actually read EULAs. The remaining 98% either “hit accept as fast as they could” or were unaware of EULAs altogether.

In her revolutionary book “Privacy by Design”, Ann Cavoukian laid out the 7 principles for embedding privacy proactively into technology. The 6th one is:

Visibility / Transparency

Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent, to users and providers alike. Remember, trust but verify.

Put simply and in context, Privacy by Design requires applications to be transparent and communicate to consumers which data will be used, how and for what purpose.

The Facebook way

In June 2010, Facebook introduced a new way of granting user approval to applications.

Facebook permissions

Whenever you add a Facebook application, a dialog pops up with clear and discrete phrases stating what the application wants to do with your data. Among them are “Access my basic information”, “Access my photos and videos”, “Access my friends’ information”, “Send me email” and many more.

In fact, each Facebook application gets access to the user’s public information, including their name, profile picture, gender, and friends. If the application needs to access additional information, it has to request extended rights, and these are presented to users in the dialog box described above. But Facebook does more than that: its API actually allows applications to access only the information approved by users.

In fact, Facebook was able to solve two critical problems that the software industry has never resolved properly:

  1. How to transparently notify users of what the application is allowed to do with their information, and get their consent in a way that is understandable to ordinary people.
  2. How to enforce these permissions so that applications cannot gain access to unauthorized information.

I don’t claim that Facebook’s privacy policy is the best on the Web. I am aware of their permissive default settings, and even how difficult it is to find some settings, not to mention delete your own account. However, my contention is that we can learn from their approach to application privacy and extend it for the benefit of other applications.

Privacy as a standard

In late October 2010, during the OECD Privacy Protection conference held in Jerusalem, a call was made to look for ways to standardize the way applications publish and enforce privacy policies.

Currently, most application developers choose to hide their terms of service and privacy policies in longish, legalistic documents that are unreadable (at least to normal people) and that most people never open. Moreover, except on several mobile environments (for example, gaining access to location on iPhone or to specific JSRs in Java MIDP), no one has taken responsibility for enforcing these terms and making sure they are not violated.

I believe that we need to completely change the paradigm and put more emphasis on transparency and enforcement. Although so far we have spoken only about Web applications, this approach can easily be extended to desktop applications as well.

In order to do that, we need to accept several new rules and guidelines:

  1. A standard set of access permissions should be defined (probably by one of the standards organizations handling privacy). These permissions, which will be clear to the common user, might include options like “Allow access to local disk”, “Store an identifier on this computer to identify you the next time you visit our site” and more.
  2. Each application or site should declare which of these access permissions apply to it.
  3. Users will be presented with a clear list of the permissions (in simple language) that the application has asked for. The permissions will be collected by the underlying operating system (or run-time environment, or even the browser) and not by the application itself, to ensure their credibility and prevent fraud.
  4. A simplified Terms of Use text will be provided with each application, in non-legal language, describing the basic principles of the terms and conditions. A complete TOS can be provided as well.
  5. Operating systems, execution run-times and browsers will enforce the granted permissions.
  6. If a breach attempt is detected (for example, an application tries to access unauthorized resources), the event should be published to a central website for everyone to see.

This paradigm is not limited to software installations and should also be used on Web sites. Sites should provide a link to a page that states these terms and conditions for users to read, and also provide a machine-readable file (e.g., XML) that will ask the browser for permissions. Browsers could present these permissions to users or grant them automatically, depending on their settings. Most importantly, browsers will also be responsible for enforcing these permissions.
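The six rules above, together with the runtime-side enforcement just described, can be sketched as follows. This is an added example, not code from Facebook or from any existing standard; the permission ids, the JSON manifest format (the post suggests XML) and the `PermissionRuntime` class are assumptions made for illustration.

```javascript
// Added example. All names are hypothetical; this is not a real browser or OS API.

// Rule 1: the standard vocabulary, each entry with its plain-language wording.
const STANDARD_PERMISSIONS = new Map([
  ["local-disk", "Allow access to local disk"],
  ["persistent-id", "Store an identifier on this computer to identify you the next time you visit our site"],
  ["send-email", "Send me email"],
]);

class PermissionRuntime {
  constructor(vocabulary) {
    this.vocabulary = vocabulary;
    this.requested = new Map(); // app -> Set of ids the app declared
    this.granted = new Map();   // app -> Set of ids the user approved
    this.breachLog = [];        // rule 6: denied attempts, ready to publish
  }

  // Rules 2 and 3: parse the app's declaration and build the prompt from the
  // runtime's own wording, so the app cannot describe a permission misleadingly.
  buildPrompt(manifestJson) {
    const { app, permissions } = JSON.parse(manifestJson);
    if (typeof app !== "string" || !Array.isArray(permissions)) {
      throw new Error("malformed manifest");
    }
    const unknown = permissions.filter((id) => !this.vocabulary.has(id));
    if (unknown.length > 0) {
      throw new Error(`non-standard permissions: ${unknown.join(", ")}`);
    }
    this.requested.set(app, new Set(permissions));
    return permissions.map((id) => ({ id, text: this.vocabulary.get(id) }));
  }

  // The user may approve a subset; ids the app never declared are ignored.
  recordConsent(app, approvedIds) {
    const requested = this.requested.get(app) || new Set();
    this.granted.set(app, new Set(approvedIds.filter((id) => requested.has(id))));
  }

  // Rule 5: default deny. Rule 6: every denied attempt is logged.
  check(app, id, resource) {
    const allowed = this.granted.has(app) && this.granted.get(app).has(id);
    if (!allowed) {
      this.breachLog.push({ app, permission: id, resource });
    }
    return allowed;
  }
}

function demo() {
  const runtime = new PermissionRuntime(STANDARD_PERMISSIONS);
  const app = "photo-sorter.example";
  // Constructed sample manifest, as the application would publish it.
  const manifest = JSON.stringify({ app, permissions: ["local-disk", "persistent-id"] });
  const prompt = runtime.buildPrompt(manifest);
  // The user approves disk access only. "send-email" was never declared,
  // so it is dropped even though it appears in the consent response.
  runtime.recordConsent(app, ["local-disk", "send-email"]);
  return {
    prompt,
    disk: runtime.check(app, "local-disk", "/home/user/photos"),
    id: runtime.check(app, "persistent-id", "cookie"),
    email: runtime.check(app, "send-email", "user@example.com"),
    breaches: runtime.breachLog,
  };
}
```

The prompt text comes from the runtime's vocabulary rather than from the manifest, which is what rule 3 asks for, and a manifest naming a permission outside the vocabulary is rejected outright instead of being shown to the user.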

It’s your turn

What do you think of the proposed scheme? Can it work? Can it be enforced?


The age of consent

Posted on October 5th, 2010 | Categories: privacy, social media

“There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time.” George Orwell 1984.

In the “old days”, before social media sites governed the earth, people were passive spectators in the great “WWW” show. Surfing the Web was about searching and consuming content with very little personal exposure. Back then, passionate discussions were held about the potential danger of cookies as they could reveal your IP address, and most people did not even consider disclosing their email address in public sites.

But this is all water under the bridge. Today, with more than 500 million Facebook registered users and 105 million Twitter users and 370,000 added daily, the rules of the game have definitely changed: most social network sites require users to provide personal profiles. Some sites, like Twitter, ask for only basic information while others, like LinkedIn and Facebook, offer a very detailed profile that includes personal details, employment and education history, likes and interests and more.

Many service providers are already exploring ways for leveraging social media in their business but still hesitate to harness its full power due to privacy limitations. As usual, technology advances much faster than laws. The existing legal and regulatory frameworks in Europe and the US date back to the 1980s and 1990s, and do not provide the necessary means to handle the new era of communications.

European laws and regulations are far more restrictive than those found in the US. Unlike the US which has adopted the “opt-out” model, where people need to explicitly opt-out of services, European legislators have taken the opposite approach of “opt-in”. In Europe for example, it is forbidden to collect or store sensitive private data without specific user consent. Moreover, European laws prohibit the transfer of private information about EU citizens outside of the EU (except for several exceptions like authorized territories and Safe Harbor agreements).

Recently, a new bill, submitted in the US in July 2010, suggested adopting the EU approach and restricting the collection, storage and transfer of information without explicit user consent. It’s not clear when (or if) the bill will pass, but it certainly brings a different and more consumer-oriented approach to privacy laws in the US.

To add to the headache, privacy laws are very much territory-sensitive. Although there are federal privacy laws in the US, more than 40 states have legislated their own laws, sometimes adding limitations to protect their residents. In the EU, each country may develop a local set of laws in addition to EU regulations.

Impact on Service Providers

Currently, service providers are using social media primarily to engage with their customers via Facebook pages and applications, broadcast new offers and services, publish real-time service problems, and even receive care requests. Although it is possible to harness social media for more advanced services while complying with relevant laws and regulations, service providers are taking a very prudent approach as social media attracts a lot of public attention.

There is huge potential value in integrating social awareness into service providers’ systems and business processes. Social media creates rich data about users as they plug in information about themselves, their interests and activities, and their friends. It also exposes social insights that can be leveraged to improve user experiences that drive real business value. These social insights can be used by service providers to better identify and understand customer problems, improve offerings based on their actual interests and needs, and identify those who are at risk for switching providers. Insights can be translated into targeted promotions and advertising, by offering each customer suggestions or ads on the service provider’s website based on what they have, and what they need. And this is just the tip of the iceberg. Service providers can use social media to leverage the “wisdom of the crowd”— not only for support and care, but also for customer feedback and innovation. It can become a major channel for communications with customers in a way that humanizes service providers and creates new service experiences that combine content and social awareness.

The Bottom Line

When investigating international privacy principles, it seems to us that the key to socially aware applications lies in user consent. In most cases, if the user has expressed his explicit approval to what the service provider plans to do with his or her data, and if the user has a clear view into what type of data is being collected, then the provider is in the clear. On top of that, users should be offered a simple way to opt-out of the service (and have all their data erased) even after they’ve consented. Adopting this approach will open up a wealth of opportunities to service providers and allow them to tightly integrate social media applications and insights into their business processes.

Important disclaimer: We are not lawyers – it’s just what we have discovered, as laymen, about the legal issues that surround the domain. Therefore, don’t use this or misunderstand it as a legal opinion – get your own, if needed.

Incidentally, as background, Tal is active in a working group of the World Economic Forum concerned with “rethinking personal information” – attempting to create a win-win-win situation for government, business, and individuals, in this new era of personal information. Oded is in charge of our strategy regarding social media solutions.

Now, it’s your turn

Do you think it’s possible to reconcile the geographic differences and find a universally workable (and legal) solution to harnessing personal information?

Post co-authored with Tal Givoly, Chief Scientist at Amdocs. Also published at Tal’s blog at Amdocs


Starting the engine again…

Posted on September 1st, 2010 | Categories: other

It’s been a while since I last posted articles in this blog but now I am back in business, with many new issues related to innovation and business trends. Enjoy.


Service Orchestration

Posted on May 21st, 2008 | Categories: convergence, mobile, technology

Mobile & fixed operators have long been looking for ways to decrease their OPEX and CAPEX in their service environment. In recent years, as more and more services were deployed inside the core network, the need to also reduce the complexity of service management has become crucial.

Service Orchestration (SO) is the ability to centrally manage multiple services from various aspects, including:

  • Introduction of new services – services are far from being plug-n-play and the service environment needs to be well-defined. However, an SO environment simplifies the integration and configuration of new services and provides the means to combine them in the general service logic and flows
  • Service path selection – the dynamic selection, in run-time, of the services (and their order) that need to be invoked on the specific request or event
  • Policy Decision Point (PDP) – a centralized application that defines the possible flows and policies. Flows typically consist of conditions, based on various parameters such as the user profile, context, access network, service specific state, operator policy etc., and may invoke actions (send SMS, insert header, invoke service etc.)
  • Policy Enforcement Point (PEP) – PEPs are responsible for enforcing the decisions made by the PDP. Some PEPs may be provided as part of the SO solution while others need to be implemented by various services, such as a Messaging Gateway
  • Centralized OSS/BSS interfaces – usually, SO is required to integrate with the operator’s OSS/BSS components and provide other services an API to access the consolidated data. This approach reduces the risk and complexity of having all services integrate with these sensitive systems, and decreases time-to-market for each new service
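The PDP/PEP split in the list above, as an added example that is not taken from any operator's or vendor's system: flows are declared as data, the decision point evaluates them against an incoming event, and the enforcement point carries out the resulting actions. The flow names, context fields and function names are hypothetical.

```javascript
// Added example. Names are hypothetical; not any vendor's product or API.

// Flows are plain data: a trigger event, conditions over the request
// context, and actions for the enforcement point to carry out.
const FLOWS = [
  {
    name: "roaming-data-warning",
    event: "http-request",
    when: [
      { field: "accessNetwork", op: "eq", value: "mobile" },
      { field: "profile.roaming", op: "eq", value: true },
    ],
    actions: [{ type: "send-sms", text: "Roaming data charges apply" }],
  },
  {
    name: "child-profile-filter",
    event: "http-request",
    when: [{ field: "profile.ageGroup", op: "in", value: ["child", "teen"] }],
    actions: [
      { type: "insert-header", name: "X-Content-Filter", value: "strict" },
      { type: "invoke-service", service: "content-filter" },
    ],
  },
];

const OPS = new Map([
  ["eq", (actual, expected) => actual === expected],
  ["in", (actual, expected) => expected.includes(actual)],
]);

// Resolve a dotted path such as "profile.roaming"; a missing field yields
// undefined, so a condition on it simply does not match.
function lookup(context, path) {
  return path.split(".").reduce((obj, key) => (obj == null ? undefined : obj[key]), context);
}

// Policy Decision Point: collect the actions of every flow whose trigger
// and conditions all match, in declaration order.
function decide(flows, event, context) {
  const actions = [];
  for (const flow of flows) {
    if (flow.event !== event) continue;
    const matches = flow.when.every((cond) => {
      const op = OPS.get(cond.op);
      if (!op) throw new Error(`unknown operator in flow ${flow.name}: ${cond.op}`);
      return op(lookup(context, cond.field), cond.value);
    });
    if (matches) actions.push(...flow.actions);
  }
  return actions;
}

// Policy Enforcement Point: applies decisions and makes none of its own.
// An action it does not understand is an error, never silently skipped.
function enforce(request, actions) {
  const result = { headers: { ...request.headers }, sms: [], services: [] };
  for (const action of actions) {
    if (action.type === "insert-header") result.headers[action.name] = action.value;
    else if (action.type === "send-sms") result.sms.push(action.text);
    else if (action.type === "invoke-service") result.services.push(action.service);
    else throw new Error(`PEP cannot enforce action type: ${action.type}`);
  }
  return result;
}

function handleEvent(event, context, request) {
  return enforce(request, decide(FLOWS, event, context));
}
```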

Some operators refer to this functionality as MSP (Multi-Service Procedure) and such solutions vary in scope and focus depending on the specific operator requirements. One example of such a process comes from the Vodafone group, which issued an MSP RFP more than a year ago. We already see several Vodafone OpCos following with their own RFP processes, including VF Ireland, VF Czech and more.

One of the new requirements already seen in existing MSP or Service Orchestration processes is the need for mobile-fixed convergence. Some operators already require vendors to provide solutions that work on multiple access networks (mobile internet, mobile broadband, DSL, Wifi etc.).

There are several solutions in the market for handling service orchestration but most of them were designed for IT and enterprise environments and not for telecom services. From my experience, most of the out of the box solutions (e.g., BEA, Oracle) were not designed to support the complex and converged environment of today’s networks.

An interesting company that offers such a service orchestration platform is Unipier with its Intelligent Policy Suite (IPS) product and derivatives.

Unipier IPS Architecture

The IPS is a generic flow engine and PDP that provides code-free definitions of service logic (policies, flows). IPS may be invoked upon an incoming event (e.g., SMS sent, HTTP request etc.) to execute the relevant flows for that event and to instruct the PEP what to do next. The IPS can also invoke actions such as data manipulation, invocation of other services and more.

Unipier IPS Code-Free Editor

On top of the generic IPS, Unipier have built several tailored solutions, including Advertising, Promotions & Recommendation, Access Control, and User Privacy.

Another interesting company in this context is Flash Networks with its Harmony platform. Flash Networks, which started as a data optimization company, has taken a strategic decision to become an MSP player. Flash Networks leverages its deep understanding of service path selection and traffic analysis capabilities to provide an environment for the operator’s services.

I expect more operators to follow these steps as their networks become cluttered and complex and as mobile-fixed convergence gains momentum.


Is your company ready for IMS?

Posted on April 19th, 2008 | Categories: 3-play, 4-play, convergence, fmc, ims, mobile, technology

IP Multimedia Subsystem (IMS) defines the functional architecture for a managed IP-based network. It aims to provide a means for operators to create an open, standards-based network that delivers integrated multimedia services to increase revenue, while also reducing network CAPEX and OPEX.

Until recently IMS was mainly the province of fixed-line operators but now it is essential to the success of mobile and fixed operators who are losing revenue from traditional sources. Operators look at IMS and similar solutions because they need to start generating more revenue.

High-Level Architecture

According to research by ABI Research (2008), IMS is expected to provide mobile telephone operators with a forecasted $300 billion in extra revenue over the next five years, and major operators such as Sprint, Verizon and British Telecom (BT) will increasingly deploy IMS across their networks in a quickening tempo starting this year.

IMS Worldwide Market

France Telecom estimates that between 5-10 percent of its revenues will be derived from full or partial IMS services by the end of 2008. France Telecom also merged their fixed, mobile and Internet technical teams into one big entity aiming at providing a single service architecture.

IMS is being deployed gradually, as an evolutionary rather than a revolutionary process. However, it is important to understand that IMS dramatically changes the way telephone networks operate, with implications for applications and network enablers.

IMS is a disruptive technology that has a profound effect on companies providing services and solutions to mobile and fixed-line operators. It changes the way applications interact with the networks by providing a well-defined framework. The changes imposed by IMS require companies to adapt and adopt new technologies, but they also create new opportunities.

Small to medium companies usually tend not to invest sufficient resources in new emerging technologies until they realize that it affects their direct revenues and threatens their position. For such companies, a gradual evolutionary approach is recommended in order to keep pace with the demand for IMS-compliant solutions.

In order to prepare your company for IMS, the following steps are recommended:

  1. Research the impact and influence of IMS over your current products and examine new opportunities created by IMS. If you do not have IMS experts in your organization, it is recommended to hire an external expert that brings knowledge and expertise in IMS technology and in product analysis.
  2. Company management should devise a migration plan towards IMS. This should include changes in current products as well as introduction of new products.
  3. Develop MRD (Marketing Requirement Document) and PRD (Product Requirement Document) documents
  4. Develop at least a high-level SysRD (System Requirements Document) that will be extended when the time comes.
  5. Educate the organization about IMS to increase awareness and expand knowledge.
  6. Prepare marketing and sales materials (Press release, sales toolkit etc.) about the company’s readiness and compliance to IMS.
  7. Prepare canned responses to possible IMS questions in your next RFI/RFPs
  8. Follow IMS deployments and requirements by reading market research and by speaking with customers in order to decide the best time for your organization to actually start developing your IMS plans


Economic slowdown: decline in recruitment

Posted on March 2nd, 2008 | Categories: biz

The apparent slowdown in the US economy is starting to show its face in the hi-tech industry. On the one hand, share prices are going down, and on the other, there is a distinct decline in HR recruitment, especially for executives.

Here are two examples:

  • On Feb 8, Cisco‘s CEO John Chambers provided his troubling forecast for a slight drop in growth for Q3 and Q4. Since then, Cisco has declared a freeze in most recruitments worldwide.
  • As usual, Amdocs froze all recruitments towards the end of 2007. However, Amdocs management has not released the leash yet and only selective recruitments are approved.

Discussions with several leading HR agencies in Israel reveal that there has been a decline in recruitments, and especially of executives in VP positions, all over the hi-tech industry affecting small startups as well as large public companies.

Want to share your recent trouble in finding a job? Add a comment below.


Hi-Take.com got a face lift

Posted on February 28th, 2008 | Categories: other

Congratulations! Hi-Take.com got a face lift and now its user interface is consistent with this blog.

What do you think about it?


A 250 million users market

Posted on February 28th, 2008 | Categories: biz, convergence, fmc, mobile, technology

Operators are now rolling out converged services on fixed and mobile networks, converting trials to commercial deployments. 2008 will see another spate of trials, as femtocell technology begins to become available.

According to research by ABI Research, the move to FMC infrastructure is a natural evolution for the mobile network as broadband services, including Voice over IP and other Session Initiation Protocol (SIP) services, begin to be deployed. The research suggests that by 2012, the FMC market will expand to 250 million users worldwide.


LinkedIn on the go!

Posted on February 27th, 2008 | Categories: apps, internet, mobile, socialnets, web 2.0

LinkedIn have recently announced a new mobile site targeted at users carrying iPhone, Blackberry or WAP phones. LinkedIn’s mobile interface lets you perform some basic tasks on your LinkedIn account such as:

  • Search LinkedIn profiles (including photos and bio) to help recall and connect with business acquaintances at events and conferences
  • Research the common contacts they have with other professionals to help make real world referrals and introductions easier
  • Invite professional acquaintances and peers you meet at events to LinkedIn with just their email address. Exchanging business cards is just not cool anymore!
  • Receive regular network updates about your connections while on the go

Here are some of LinkedIn’s features on your mobile device:

LinkedIn mobile is an excellent tool for people on the go as it lets them immediately look up people they meet and add them to their network.


Firefox: ever typed a URL in the wrong language?

Posted on February 26th, 2008 | Categories: recommended, utilities

The Multilang Firefox extension was developed to solve an annoying problem familiar to those of us who have an additional keyboard layout on our PCs (e.g., Hebrew, Russian, Greek, French etc.).

Quite often, people type a URL in the address box without noticing that their active keyboard layout was left on a non-English mode, making their URL useless and forcing them to type it again.

This extension identifies such situations and automatically converts the URL to its intended value as if typed in English.

Since the conversion process is based on 2 character vectors stored in the Firefox preferences, users may define their own vectors and extend multilang to support any additional languages (unicode vectors can be defined from a menu item on the Tools menu).
