Category Archives: IT business

IT security shapes business models

text slightly reworked from talk given to OIC, Oslo Dec. 2014

In his article The Nature of The Firm, Ronald Coase proposed that a firm forms and grows while transaction costs inside the firm are lower than outside it. I.e. a firm can do something cheaper and better in-house than going out in the marketplace for it.

OK, that’s a company, but what about their data? It seems that something along those lines is going on there too.

Most of us have come across this in the form of federated login. You’re about to log in at a web application and are given the option of logging in via Facebook. Or Twitter. OK, what happens if you click on the Facebook button? Clearly something, since you enter the application in question and are now known as yourself.
This is where federated security comes in. If you were already logged in to Facebook, a message was sent to Facebook where your valid logon session was used to prepare a special access token. A token that the new application could use to establish a new session for you. If you were not already logged in to Facebook, you could log in now and the same thing would happen.
In any case you log in only to Facebook, and other web sites take advantage of this to log you in to their site too.
Acting in this capacity Facebook is called an Identity Provider. And no, that is NOT a deliberate pun. A company, or application, that uses such a federated login is in the jargon called a service provider.

Returning to Coase again. The application can have its own login and user database. Doing it in-house. Or you can go out in the market and contract for this service, as he suggests. Allowing login through Facebook.
OK, how much would such an external login service cost in the market? As it turns out, not very much.
For one thing, the marginal costs are low. Once you already have the users and their passwords in your database, adding a token exchange whereby other applications can send their users over for authentication is quite cheap.
Not only is it cheap to allow third parties to use your login process, there is also revenue in it. You can now guarantee that the users have the same userid across platforms. All kinds of people would be very interested in that, and pay good money to ensure that it happened. And not just the NSA. Advertising and other businesses who make their money by analyzing consumer behavior like federated login a whole lot. If you allow other companies to log in their users via your platform, you control the origin of this data.

Given that the economies of scale so strongly favor federated login and those who make it happen, why aren’t all logins federated?

Well, more and more are.
But the savings may not be that large on the service provider side. The in-house part of Coase’s analysis. Just because you leave the authentication of your users to someone else doesn’t mean you can then forget about them. There is also that bit about authorization. What are people allowed to do? From a security point of view the whole point of identifying the users in the first place is so that we can then look at our rules for what the user should be permitted. If we don’t know who they are we don’t know what they are allowed to do.

So you still end up needing a user database. And a database of rules for what the users are allowed to do. And maintain those things. Particularly that last bit can be complicated and expensive. Once you have all those things, handling the login isn’t that big of a deal.
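The token exchange sketched above, and the point that the service provider still has to keep its own authorization rules, in a small added example that is not from the original post: a simulated identity provider mints a signed token, the service provider verifies it, and only then consults its own local rules. The shared HMAC secret, the audience name `example-sp` and the user rules are constructed for the example.

```python
import hmac, hashlib, json, base64, time

# Constructed example: a secret shared between IdP and SP. Real deployments
# use asymmetric keys or a token introspection endpoint instead (assumption).
IDP_SECRET = b"constructed-demo-secret"

def idp_issue_token(user_id, audience, ttl=300, now=None):
    """Identity provider: the user already has a valid session here, so mint
    an access token that names the user and the service it is meant for."""
    now = now if now is not None else int(time.time())
    claims = {"sub": user_id, "aud": audience, "exp": now + ttl}
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig

def sp_verify_token(token, expected_audience, now=None):
    """Service provider: check signature, audience and expiry.
    Returns the authenticated user id, or None. This is authentication only."""
    now = now if now is not None else int(time.time())
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None          # tampered or forged token
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims.get("aud") != expected_audience or claims.get("exp", 0) <= now:
        return None          # token for another service, or expired
    return claims["sub"]

# The service provider's own authorization rules (constructed sample data).
# Federation told us who the user is; what they may do is decided here.
LOCAL_RULES = {"alice": {"read", "comment"}, "bob": {"read"}}

def authorize(token, action, now=None):
    """Authenticate via the federated token, then apply the local rules."""
    user = sp_verify_token(token, "example-sp", now=now)
    if user is None:
        return False
    return action in LOCAL_RULES.get(user, set())
```

A user the identity provider vouches for but who has no entry in `LOCAL_RULES` is authenticated yet permitted nothing, which is exactly the database the post says you still end up maintaining.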

From a revenue point of view things are a bit different. Identifying the users has its own value: selling information about the user to third parties.
You could limit yourself to just logging the user in, so that you may accurately track him, but not bother about doing any authorization.

And this is what we see a lot of. Plenty of media sites accept federated login through the likes of Twitter and Facebook.

They only care about getting your name accurately. Their revenue comes from knowing it.
There is no fine grained access control or authorization going on. It is not worth it to them. Disqus.com is an example of this. Your email address becoming your universal user id is another.

Clearly Coase’s balance between transaction costs in the marketplace and in-house is still very much in play.

This suggests a possible future.
Think of a corporation as being fundamentally an agglomeration of data and business practices, where interaction between businesses, trade, is an interaction between these agglomerations.
Return then to Coase’s starting question: the boundary between a corporation and the market, and why it lies where it does.
What defines the boundary of these data agglomerations? The authorization rules. The data might be located anywhere. At Dropbox even. But if you write the rules governing access to it, that data is part of your agglomeration, wherever it is. If someone wants to interact with your data or your business processes, you must write the rules to allow it to happen. Your rules map out your agglomeration. Outside the reach of your rules is outside your boundary.

Which sketches out the premise that the limit on the size and shape of a corporation is really a limit of information technology. Specifically the limit of authorization technology.

This is all very well, but what does that look like in real life? What are the business strategic implications of such limits? If they even exist.

There are grounds for suspecting that they do.

We have technical standards for federated login. Therefore we have the Facebook login example. A user known from other places on the web is more valuable on the consumer profiling market than one known just to yourself. Both parties gain. The consumer not so much.

But we do not have standards for federated authorization, much less any off-the-shelf technologies for it.

What should we expect to see if federated authorization were possible?

Truly distributed content for one thing.
At the moment digital content is licensed, which is another way of saying it is rented. Meaning that the right to authorize access to it has been delegated to the licensee for a limited period of time. And the licensee writes the authorization rules for the duration. A temporary data transfer from one agglomeration to another. The data is not really distributed, certainly not by you. Someone else distributes it on their own behalf.
This disintermediation is risky for both parties. If the owner overcharges for the license no one will buy one. Undercharge and you leave money on the table. For the licensee the risks are the reverse. Overpay and you lose money. This makes the distribution process contractually complicated. Made so in no small measure because there is no way to federate authorization. These risks mean that there will be much less of this business than there potentially could be.

So the idea that buying a ticket to a movie would get you a free repeat on Netflix is, as things currently stand, out of the question. Despite the obvious advantages for all concerned. The movie companies and Netflix are separate agglomerations.

And it’s not just media. All kinds of content. Medical records. It is impossible to have fine grained access control to the individual data items in such a record after it has been compiled. Therefore its distribution is exceedingly complex and cumbersome. If you can see any part, you can see the whole. If access to an individual item could be controlled wherever the document was, it would be simple to distribute it. Those that needed to, and had authorization to see an individual data field, could see it. Without always having to be cleared to see the whole thing. As it is, we now have checkout clerks in pharmacies having access to much of your medical records because they need to verify one small item in them.

If there was a pay version of Facebook, how much would it cost?

Social media platforms, broadly defined, come in two forms, “free” and for-pay… And never the twain shall meet. Or is that so?
Users of Facebook have no choice. The “free” version is all they’ve got. Yahoo Mail has both a “free” version and a pay version. But it is not clear that the pay version does not have the same drawbacks as the free version: relentless surveillance and selling of the gathered information to third parties. Sometimes the privacy policy states that information is not passed to outside companies. This often means that the information is given to “partnerships”, i.e. to the same outside company, but payment is taken in a different form. Perhaps somewhat anonymized but still valuable to the marketing dept. Maybe I am being a little cynical here, but in business it is the more prudent path.

New social media outfits pop up left and right. Lately some have tried other revenue models. caught my attention the other day. Like Facebook they try to fake-start exclusivity by being by-invitation only to start with. That will end soon enough. Apparently they are without advertising. “You are not the product” is their slogan. From the premise that those who pay are the customer, and those who don’t are the product. Assuming that cash is the only form of payment. Some, and indeed a great many, people are quite content to pay with their (digital) life.

It will be interesting to see how Ello progresses. I wish them every good fortune, but I suspect that business/greed will get the better of them. Once there is information about users that can be monetized, it eventually will be.
Getting back to the original question. How much does a social media platform like Facebook cost? Add a suitable profit margin and we have the price facing the users. A dollar (US) a month? Two dollars? Five?
The problem can be broken down. There are storage costs, network costs, the cost of computing power, development costs (and profits, of course).
The first three are falling by the day. The development costs should scale nicely too: more users, lower development costs per user. I am assuming the current level of customer care and support will remain the same, and estimate zero costs here. These do not add up to a definite estimate on price, but suggest that whatever it is at the moment, it will be lower in future. Economies of scale can be misleading in social media. Here there is no special value in having absolutely everyone on the same platform, only enough, i.e. those you want to be “social” with. Or more particularly use the platform to be in touch with. LinkedIn is a special case where there is a premium on getting in touch with the people you DON’T already know. That being said, bigger is better.

And it leads to my next point, switching costs. Building up a profile takes time and effort. Moving to another platform will in general mean starting afresh. Not quite with a blank slate, as most allow you to import contact lists from various other applications, like Gmail and Yahoo Mail, and use those lists to find others of your contacts already on the platform. Which in the case of a new platform is unlikely to be very many. Then there is any other data you have provided to the platform: pictures, writings etc. The data export features are unlikely to be very helpful. But some may find the loss of self-provided data to be the very reason to switch platform and start fresh: it is not a bug but a feature.

Nevertheless, switching costs increase the platform owner’s pricing power, and data portability reduces it. Which means that all social media platforms have an interest in keeping the costs of leaving high and the costs of joining low. The winner-takes-all aspect of social media is well known. There is no prize for second place. Yet new “platforms” keep emerging. It appears that however much one platform seems to be in the lead, a new one can still emerge. Facebook supplanted MySpace but still felt compelled to buy WhatsApp. Now there is SnapChat. Many people are betting a great deal of money on what is going to be the next big thing. Few doubt that there will be one.
All of which suggests that while people have significant investments in whichever social media applications they happen to be using, they can and will move. This places an upper bound on what the user will pay (in cash or in privacy). If the terms are too exorbitant the users will move on that much more quickly.