KuppingerCole Analysts' View on User Empowerment / Life Management

Martin Kuppinger    

Article

The business case for user empowerment

Martin Kuppinger

At the end of the day, every good idea stays and falls with the business model. If there is no working business model, the best idea will fail. Some ideas appear at a later time and are successful then. Let’s take tablets. I used a Windows tablets back in the days of Windows XP, way before the Apple iPad arrived. But it obviously was too early for widespread adoption (and yes, it was a different concept than the iPad, but one that is quite popular these days again).

So, when talking about user empowerment, the first question must be: Is there a business case? I believe it is, more than ever before. When talking about user empowerment, we are talking about enabling the user to control their data. When looking at the fundamental concept we have outlined initially back in 2012 as Life Management Platforms (there is an updated version available, dating late 2013), this includes the ability of sharing data with other parties in a controlled way. It furthermore is built on the idea on having a centralized repository for personal information – at least logically centralized, physically it might be distributed.

Such centralized data store simplifies management of personal information, from scanned contracts to health data collected via one of these popular activity-tracking wristbands. Furthermore, users can manage their preferences, policies, etc. in a single location.

Thus, it seems to make a lot of sense for instance for health insurance companies to support the concept of Life Management Platforms.

However, there might be a counterargument: The health insurance company wants to get a full grip on the data. But is this really in conflict with supporting user empowerment and concepts such as Life Management Platforms? Honestly, I believe that there is a better business case for Health Insurance Companies in supporting user empowerment. Why?

  1. They get rid of the discussion what should happen to e.g. the data collected with an activity tracker once a customer moves to another health insurance company – the user can just revoke access to that information (OK, the health insurance still will have to care for its copies, but that is easier to solve, particularly within advanced approaches).
  2. However, the customer still might allow access to a pseudonymised version of that data – he (or she) might even do so without being a customer at all, which then would allow health insurance companies to gain access to more statistical information, allowing them to better shape rates and contracts. There might be even a centralized statistical service for the industry, collecting data across all health insurance companies.
  3. Anyway, the most compelling argument from my perspective is another one: It is quite simple to connect to a Life Management Platform. Supporting a variety of activity trackers and convincing the customers that they must rely on a specific one isn’t the best approach. Just connecting to a service that provides health data in a standardized way is simpler and cheaper. And the customer can use the activity tracker he wants or already does – if he wants to share the data and benefit from better rates.

User empowerment does not stand in stark contrast to the business model of most organizations. It is only in conflict with the business models of companies such as Facebook, Google, etc. However, in many cases, the organizations such as retailers, insurance companies, etc. do not really benefit from relying on the data these companies collect – they pay for it and they might even pay twice through unwillingly collecting information that is then sold to the competition.

For most organizations, supporting user empowerment means simplified access to information and less friction by privacy discussions. Yes, the users can revoke access – but companies also might build far better relationships with customers and thus minimize that risk. There are compelling business cases today. And, in contrast to 2012, the world appears being ready for solutions that force user empowerment.

Alexei Balaganski    

Article

Life Management Platforms: Players, Technologies, Standards

Alexei Balaganski

When KuppingerCole outlined the concept of Life Management Platforms several years ago, the perspective of numerous completely new business models based on user-centric management of personal data may have seemed a bit too farfetched to some. Although the very idea of customers being in control of their digital lives has been actively promoted for years by the efforts of ProjectVRM and although even back then the public demand for privacy was already strong, the interest in the topic was still largely academic.

Quite a lot has changed during these years. Explosive growth of mobile devices and cloud services has significantly altered the way businesses communicate with their partners and customers. Edward Snowden’s revelations have made a profound impression on the perceived importance of privacy. User empowerment is finally no longer an academic concept. The European Identity and Cloud Conference 2015 featured a whole track devoted to user managed identity and access, which provided an overview of recent developments as well as notable players in this field.

Qiy Foundation, one of the veteran players (in 2012, we have recognized them as the first real implementation of the LMP concept) has presented their newest developments and business partnerships. They were joined by Meeco, a new project centered around social channels and IoT devices, which has won this year’s European Identity and Cloud Award.

Such industry giants as Microsoft and IBM has presented their latest research in the field of user-managed identity as well. Both companies are doing extensive research targeted on technologies implementing the minimal disclosure principle fundamental for the Life Management Platform concept. Both Microsoft’s U-Prove and IBM’s Identity Mixer projects are aimed at giving users cryptographically certified, yet open and easy to use means of disclosing their personal information to online service providers in a controlled and privacy-enhancing manner. Both implement a superset of traditional Public Key Infrastructure functionality, but instead of having a single cryptographic public key, users can have an independent pseudonymized key for each transaction, which makes tracking impossible, yet still allows to verify any subset of personal information user may choose to share with a service provider.

Qiy Foundation, having the advantage of a very early start, already provides their own design and reference implementation of the whole stack of protocols and legal frameworks for an entire LMP ecosystem. Their biggest problem - and in fact the biggest obstacle for the whole future development in this area - is the lack of interoperability with other projects. However, as the LMP track and workshop at the EIC 2015 have shown, all parties working in this area are clearly aware of this challenge and are closely following each other’s developments.

In this regard, the role of Kantara Initiative cannot be overestimated. Not only this organization has been developing UMA, an important protocol for user-centric access management, privacy and consent, they are also running the Trust Framework Provider program, which ensures that various trust frameworks around the world are aligned with government regulations and each other. Still, looking at the success of the FIDO Alliance in the field of strong authentication, we cannot but hope to see in the nearest future some kind of a body uniting major players in the LMP field, driven by the shared vision and understanding that interoperability is the most critical factor for future developments.

Dave Kearns    

Comment

Who will become the Google, Facebook or Apple of Life Management Platforms?

Dave Kearns

A Life Management Platform (LMP) allows individuals to access all relevant information from their daily life and manage its lifecycle, in particular data that is sensitive and typically paper-bound today, like bank account information, insurance information, health information, or the key number of their car.

Three years ago, at EIC 2012, one of the major topics was Life Management Platforms (LMPs), which was described as “a concept which goes well beyond the limited reach of most of today’s Personal Data Stores and Personal Clouds. It will fundamentally affect the way individuals share personal data and thus will greatly influence social networks, CRM (Customer Relationship Management), eGovernment, and many other areas.”

In talking about LMPs, Martin Kuppinger wrote: “Life Management Platforms will change the way individuals deal with sensitive information like their health data, insurance data, and many other types of information – information that today frequently is paper-based or, when it comes to personal opinions, only in the mind of the individuals. They will enable new approaches for privacy and security-aware sharing of that information, without the risk of losing control of that information. A key concept is “informed pull” which allows consuming information from other parties, neither violating the interest of the individual for protecting his information nor the interest of the related party/parties.” (Advisory Note: Life Management Platforms: Control and Privacy for Personal Data - 70608)

It’s taken longer than we thought, but the fundamental principle that a person should have direct control of the information about themselves is finally taking hold. In particular, the work of the User Managed Access (UMA) group through the Kantara Initiative should be noted.

Fueled by the rise of cloud services (especially personal, public cloud services) and the explosive growth in the Internet of Things (IoT) which all leads to the concept we’ve identified as the Internet of Everything and Everyone (IoEE), Life Management Platforms – although not known by that name – are beginning to take their first, hesitant baby steps with everyone from the tech guru to the person in the street. The “platform” tends to be a smart, mobile device with a myriad of applications and services (known as “apps”) but the bottom line is that the data, the information, is, at least nominally, under control of the person using that platform. And the real platform is the cloud-based services, fed and fueled by public, standard Application Programming Interfaces (APIs) which provide the data for that mobile device everyone is using.

Social media, too, has had an effect. Using Facebook login, for example, to access other services people are learning to look closely at what those services are requesting (“your timeline, list of friends, birthday”) and, especially, what the service won’t do (“the service will not post on your behalf”). There’s still work to be done there, as the conditions are not negotiable yet but must be either accepted or rejected – but more flexible protocols will emerge to cover that. There’s also, of course, the fact that Facebook itself “spies” on your activity. Slowly, grudgingly, that is changing – but we’re not there yet. The next step is for enterprises to begin to provide the necessary tools that will enable the casual user to more completely control their data – and the release of their data to others – while protecting their privacy. Google (via Android), Apple (via IOS) and even Microsoft (thru Windows Mobile) are all in a position to become the first mover in this area – but only if they’re ready to fundamentally change their business model or complement their business models by an alternative approach. Indeed, some have taken tentative steps in that direction, while others seem to be headed in the opposite direction. Google and Facebook (and Microsoft, via Bing) do attempt to monetize your data. Apple tends to tell you what you want, then not allow you to change it.

But there are suggestions that users may be willing to pay for more control over their information- either in cash, or in licensing its re-use under strict guidelines. So who will step up? We shouldn’t ignore Facebook, of course, but – without a mobile operating system – they are at a disadvantage compared to the other three. And maybe, lurking in the wings, there’s an as yet undiscovered (or overlooked – yes, there are some interesting approaches) vendor ready to jump in and seize the market. After all, that’s what Google did (surprising Yahoo!) and Facebook did (supplanting MySpace) so there is precedent for a well-designed (i.e., using Privacy by Design principles) start-up to sweep this market. Someone will, we’re convinced of that. And just as soon as we’ve identified the key player, we’ll let you know so you can be prepared.

Related KuppingerCole Research

Related KuppingerCole Podcasts