Category Archives: Uncategorized

If there was a pay version of Facebook, how much would it cost?

Social media platforms, broadly defined, come in two forms, “free” and for-pay… And never the twain shall meet. Or is that so?
Users of Facebook have no choice. The “free” version is all they’ve got. Yahoo Mail has both a “free” version and a pay version. But it is not clear that the pay version does not have the same drawbacks as the free version: relentless surveillance and selling of the gathered information to third parties. Sometimes the privacy policy states that information is not passed to outside companies. This often means that the information is given to “partnerships”, i.e. to the same outside company, but payment is taken in a different form. Perhaps somewhat anonymized but still valuable to the marketing dept. Maybe I am being a little cynical here, but in business it is the more prudent path.

New social media outfits pop up left and right. Lately some have tried other revenue models. Ello caught my attention the other day. Like Facebook, they try to fake-start exclusivity by being by-invitation-only to start with. That will end soon enough. Apparently they are without advertising. “You are not the product” is their slogan. It follows from the premise that those who pay are the customer and those who don’t are the product, assuming that cash is the only form of payment. Some, and indeed a great many people, are quite content to pay with their (digital) life.

It will be interesting to see how Ello progresses. I wish them every good fortune, but I suspect that business/greed will get the better of them. Once there is information about users that can be monetized, it eventually will be.
Getting back to the original question: how much does a social media platform like Facebook cost? Add a suitable profit margin and we have the price facing the users. A dollar (US) a month? Two dollars? Five?
The problem can be broken down. There are storage costs, network costs, the cost of computing power and development costs (and profits, of course).
The first three are falling by the day. The development costs should scale nicely too – more users, lower development costs per user. I am assuming the current level of customer care and support will remain the same, and estimate zero costs here. These do not add up to a definite estimate on price, but suggest that whatever it is at the moment, it will be lower in future. Economies of scale can be misleading in social media. Here there is no special value in having absolutely everyone on the same platform, only enough, i.e. those you want to be “social” with. Or, more particularly, those you use the platform to be in touch with. LinkedIn is a special case where there is a premium on getting in touch with the people you DON’T already know. That being said, bigger is better.

And it leads to my next point, switching costs. Building up a profile takes time and effort. Moving to another platform will in general mean starting afresh. Not quite with a blank slate, as most allow you to import contact lists from various other applications, like Gmail and Yahoo Mail, and use those lists to find others of your contacts already on the platform. Which in the case of a new platform is unlikely to be very many. Then there is any other data you have provided to the platform: pictures, writings etc. The data export features are unlikely to be very helpful. But some may find the loss of self-provided data to be the very reason to switch platform and start fresh; it is not a bug but a feature.

Nevertheless, switching costs increase the platform owner’s pricing power, and data portability reduces it. Which means that all social media platforms have an interest in keeping the costs of leaving high and the costs of joining low. The winner-takes-all aspect of social media is well known. There is no prize for second place. Yet new “platforms” keep emerging. It appears that however much one platform seems to be in the lead, a new one can still emerge. Facebook supplanted MySpace but still felt compelled to buy WhatsApp. Now there is SnapChat. Many people are betting a great deal of money on what is going to be the next big thing. Few doubt that there will be one.
All of which suggests that while people have significant investments in whichever social media applications they happen to be using, they can and will move. This places an upper bound on what the user will pay (in cash or in privacy). If the terms are too exorbitant, the users will move on that much more quickly.

XACML made portable with PAML

XACML has been pronounced dead. Repeatedly. And in truth it has never been much used. But I think it still has potential. The standard has been around for years (version 2.0 in 2005) and allows for quite a bit of flexibility. Role-based and attribute-based. Wikipedia provides a decent rundown on XACML; xacmlinfo.org is a superior resource for all things XACML.

Key for our purposes is the separation between decision and enforcement in XACML: the decision is made in one place and enforced somewhere else. This permits the portability we’re looking for. There is nothing in XACML directly mandating online services. A PAML token should be usable for an extended period of time, and XACML allows this.

An XACML policy sample:

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="medi-xpath-test-policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
  <Description>XPath evaluation is done with respect to content element and check for a matching value. Here content element has been bounded with custom namespace and prefix</Description>
  <PolicyDefaults>
    <XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</XPathVersion>
  </PolicyDefaults>
  <!-- Target: the policy applies only when the action-id matches "read" -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <!-- rule1: Permit when the subject-id equals a patientId selected from the request Content -->
  <Rule RuleId="rule1" Effect="Permit">
    <Description>Rule to match value in content element using XPath</Description>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></Function>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
        </Apply>
        <AttributeSelector MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" Path="//ak:record/ak:patient/ak:patientId/text()" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeSelector>
      </Apply>
    </Condition>
  </Rule>
  <!-- rule2: no condition, so under first-applicable it denies whatever rule1 did not permit -->
  <Rule RuleId="rule2" Effect="Deny">
    <Description>Deny rule</Description>
  </Rule>
</Policy>

The enforcement point examines the incoming request and creates an XACML request, which may look something like this.

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ReturnPolicyIdList="false" CombinedDecision="false">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bob</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Content>
      <ak:record xmlns:ak="http://akpower.org">
        <ak:patient>
          <ak:patientId>bob</ak:patientId>
          <ak:patientName>
            <ak:first>Bob</ak:first>
            <ak:last>Allan</ak:last>
          </ak:patientName>
          <ak:patientContact>
            <ak:street>51 Main road</ak:street>
            <ak:city>Gampaha</ak:city>
            <ak:state>Western</ak:state>
            <ak:zip>11730</ak:zip>
            <ak:phone>94332189873</ak:phone>
            <ak:email>asela@gmail.com</ak:email>
          </ak:patientContact>
          <ak:patientDoB>1991-05-11</ak:patientDoB>
          <ak:patientGender>male</ak:patientGender>
        </ak:patient>
      </ak:record>
    </Content>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
    </Attribute>
  </Attributes>
</Request>

The request is compared to the policy and allowed or denied accordingly.
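
The comparison described above, as an added Python example that is not part of the original post: a small evaluator that hard-codes the sample policy's logic (target match on the action, rule1's subject-id versus XPath-selected patientId check, first-applicable fall-through to rule2). The `make_request` helper, the `ak` prefix map and the path adapted to ElementTree's XPath subset are assumptions of this sketch, and the regexp match is done as an unanchored search for simplicity.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17",
      "ak": "http://akpower.org"}  # prefix map: assumption of this sketch
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# The policy's AttributeSelector Path, adapted to ElementTree's XPath subset.
PATIENT_PATH = ".//ak:record/ak:patient/ak:patientId"

def make_request(subjects, patient_id, action):
    """Constructed request, trimmed to the attributes the sample policy reads."""
    def attrs(cat, body):
        return f'<Attributes Category="{cat}">{body}</Attributes>'
    def attr(aid, val):
        return (f'<Attribute IncludeInResult="false" AttributeId="{aid}">'
                f'<AttributeValue>{escape(val)}</AttributeValue></Attribute>')
    content = (f'<Content><ak:record xmlns:ak="{NS["ak"]}"><ak:patient><ak:patientId>'
               f'{escape(patient_id)}</ak:patientId></ak:patient></ak:record></Content>')
    return (f'<Request xmlns="{NS["x"]}">'
            + attrs(SUBJECT, "".join(attr(SUBJECT_ID, s) for s in subjects))
            + attrs(RESOURCE, content) + attrs(ACTION, attr(ACTION_ID, action))
            + '</Request>')

def bag(req, category, attribute_id):
    """AttributeDesignator: all values of one attribute in one category."""
    xp = (f"x:Attributes[@Category='{category}']/x:Attribute"
          f"[@AttributeId='{attribute_id}']/x:AttributeValue")
    return [v.text for v in req.findall(xp, NS)]

def evaluate(request_xml):
    """Evaluate the sample policy (first-applicable: rule1 Permit, rule2 Deny)."""
    req = ET.fromstring(request_xml)
    # Target: string-regexp-match of "read" against any action-id value.
    if not any(re.search("read", a) for a in bag(req, ACTION, ACTION_ID)):
        return "NotApplicable"
    subjects = bag(req, SUBJECT, SUBJECT_ID)
    if len(subjects) != 1:  # string-one-and-only fails on 0 or >1 values
        return "Indeterminate"
    content = req.find(f"x:Attributes[@Category='{RESOURCE}']/x:Content", NS)
    patient_ids = [] if content is None else [e.text for e in content.findall(PATIENT_PATH, NS)]
    # rule1: any-of(string-equal, subject-id, selected patientId values)
    if subjects[0] in patient_ids:
        return "Permit"
    return "Deny"  # rule2 has no condition, so it always applies
```

An enforcement point has to decide what to do with `NotApplicable` and `Indeterminate` as well; treating anything other than `Permit` as a refusal is the conservative choice.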

The enforcement point must have the capability to create an XACML request from the actual request, and be able to compare it to the applicable XACML policy. This is where PAML tokens come in, as they can link the request with the policy that governs the request, by placing the XACML policy inside the PAML token. PAML tokens are issued to users, and the user is responsible for sending a token (or possibly more than one) that contains an XACML token that will allow the request. The issuer of the PAML token owns the data and includes in the PAML token the XACML policy containing the access control rules the data owner wants to enforce.

opening statement

This blog will be mostly about IT security and distributed data issues. And what better time to start than when NSA pervasive monitoring of people on the web is getting some public attention. NSA’s activities have been well known in the IT security industry for many years and broadly taken as a given; only with PRISM has the press more generally given this activity some attention.

However, the ethics and politics of government surveillance of individuals will not be a major focus in this blog. Though there may be some incidental connection when it comes to technical details: businesses’ commercial and architectural decisions for their IT infrastructure may have some bearing on third parties’ ability to conduct surveillance more generally.

Some posts will be quite high-level and some very low-level. Occasionally there will be nitty-gritty implementation details. Other times more general exploratory posts concerning business and technical practices.