But another aspect of PrefPass is that, unlike previous solutions such as form-filling utilities or single sign-on systems, PrefPass keeps users anonymous. This aspect is a bit more complicated.

Anonymous literally means “of unknown name,” but in reality we mean a lot more than that when we use the term. Does it mean that you don’t know who I am in the real world? That you don’t know that I’m the same person that writes a different blog? That you don’t know that I’m the same person that wrote the last post on this blog?

As far as I can tell, there isn’t really a standard way of characterizing these different degrees of anonymity. But there are some standard terms whose meanings can be perhaps slightly bent to cobble together a basic ranking:

– Unknown: absolutely nothing is known about the user

– Anonymous: the user is associated with an identifier that applies across transactions at a single site. Cookies are a common way of anonymously identifying users on a temporary basis.

– Pseudonymous: the user is associated with a pseudonym (AKA handle, username, or nickname) that applies at other sites. Most single sign-on (SSO) systems are designed to prove ownership of a pseudonym.

– Personally identifiable: the user is associated with information which can potentially be used to uniquely identify, contact, or locate them. Personally identifiable information (PII) includes things like name, telephone number, street address, and e-mail address.

One problem with pseudonymity is that it is susceptible to correlation, which can lead to personal identification. For example, if data associated with one pseudonym is collected across many sites, this richer dataset may make it possible to personally identify the user. Or if one site is compromised, this can affect the user across all sites where that pseudonym is used.

For these reasons and others, at PrefPass we decided to provide users with anonymity, not just pseudonymity. To do this, we used what in digital identity circles is called a unidirectional identifier. That just means that when you click on the PrefPass badge at two different sites, each site is provided with a different identifier. That way, each site can recognize you, but no one can tell that the same person joined those two sites.

Of course, PrefPass is all about user control, and with control comes responsibility. For example, you could manually enter a pseudonym at multiple sites where you use PrefPass to join. That would make you pseudonymous at those sites; but it would be your decision, not something built into PrefPass. And no other PrefPass sites would be affected by it.

Now, some might argue that true anonymity is impossible on the internet; that without extraordinary knowledge and care, anyone leaves a trail that can be pieced together to find out who they are in the real world. For example, see this recent blogosphere brouhaha.

But at least for me, that doesn’t at all mean that we should throw up our hands and sign our names on every page we visit. You can do a lot to remain anonymous on the internet, and as always, defaults matter. It’s true, if someone really wants to track you down, and is willing to dedicate time and money to doing so, there’s a decent chance they’ll succeed. But the same is true in the real world: if someone really wants to break into your house, they probably can. But that doesn’t mean that you shouldn’t lock your doors and safeguard the key. Most crimes are crimes of opportunity, and basic good habits will make a big difference in how likely you are to have problems.

I haven’t even touched here on another feature of PrefPass that complements anonymity: transparency. Details will have to wait for another day, but the basic fact is this: when you use PrefPass to personalize a site, the data being used for personalization is visible, editable, and controlled by you. The idea is that by making it easy for sites to ask you for your Prefs directly, they’ll have less reason to try to piece together your interests in some other way. In our view, the trade of Prefs for personalization is happening all the time on the web; so why not make it explicit, easy, anonymous, and transparent?

PS: “Degree of anonymity” is also actually a technical measure of how anonymous you are using a given anonymizing approach. Details here.

In the requisite three words, what is PrefPass all about?

As I was talking about in the last post, the idea is to keep things simple and anonymous for users, while giving sites exactly what they need:

– A user identifier (unidirectional: unique to the site and user)
– User prefs for personalization: keywords, interests, etc.

So what’s the point? To reduce the number of registrations and passwords you have to keep track of. How many times have you followed a link to a news site, or tried to check out a cool new app, and decided to bail out when you were faced with yet another registration form? PrefPass replaces that form with one click.

For sites, letting people bypass registration means attracting more users, providing better personalization, and earning higher ad revenues. PrefPass is really lightweight, so there’s no server side integration and no security worries, just a simple javascript button you add to the site. For an example of some things you can do with PrefPass, check out the demo site we set up at YourSuperNews.com.

For blogs, PrefPass is so easy to use that you can essentially add instant personalization to your blog. Check out the widgets in my sidebar for an example (more coming soon). If your blog or app has ads, you can earn more from them by targeting them to user interests, as they are here at EconoMeta. Even if you don’t have any ads, PrefPass complements stats like hits and pageviews by showing you what your readers actually are interested in — an example of this is the Audience Cloud in the sidebar here.

The point is that pretty much any site can be made better by being customized to user interests. And the purpose of PrefPass is to make it as easy as possible for the site and user to form the relationship needed to do this.

We’re off and running, with a long list of cool stuff on the way. Give it a try, and let us know what you think!

Here’s what I talked about. The concept of “digital identity” has been around for a long time, and usually includes all kinds of complicated functionalities. For example, an identity can:

– Prove you are the same person you were last time you visited
– Prove that you are a specific person or have certain attributes
– Prove that you have authorization or a reputation verified by a third party
– Grant permission for one site to pass your data on to another

But what does “identity” mean in reality for most consumer web apps? Well, basically, it usually means a registration form, an email validation, and then another username and password to remember.

This is kind of a pain for users, which makes it worth asking: what’s the *real* reason sites require registration? For most apps, it’s to do one or more of the following:

– Ensure the user is a human and not a bot
– Associate the user with site data (e.g. settings)
– Associate the user with preference data (e.g. interests)
– Contact the user (e.g. to email a forgotten password)
– Target ads to the user (to make more money)
– Associate the user with a specific person (e.g. a blogger)

Looking at this list, the interesting thing is that only the last item really requires an “identity” as most of us think of it. You’d think that the rest could be done without the oftentimes complex machinery of most identity solutions.

Well, it can, and from a certain perspective, that’s what PrefPass is all about! Instead of the same old [form -> email -> response -> password] sequence, why not just [click]? And why not make it completely anonymous? After all, only the last item above requires you to “prove” that you’re someone in particular. With anonymity, there’s no ID to remember, no privacy issues, no namespace to worry about — just [click]!

Microchunking identity means reducing it to its smallest usable parts. For example, there are some cool solutions that focus on proving that you own a blog URL — that’s a microchunk. With PrefPass, we’re focusing on letting you tell a site that you’re the same person as last time, and that you’re associated with some anonymous metadata representing your interests or preferences. That’s it. By keeping it simple, we hope to be able to solve some real problems for both sites and users, while making a big change in how much users can control their own data.

We’re just about to launch a limited beta, so if this sounds interesting to you, please help us out! You can request a beta invite by clicking on the PrefPass button in my sidebar or by going to PrefPass.com. We’re also looking for additional sites who want to try out PrefPass during the beta. If 1-click registration, instant personalization, or user-targeted ads that pay more sound interesting to you, please give me a shout at adam at prefpass dot com.

This is a powerful idea; but why limit it to media? It seems to me that the same logic applies to applications. A big part of what I think is exciting about the latest batch of web apps is that they microchunk what was once a monolithic software application (e.g. Office), make it web-native, and monetize its use via advertising and/or premium service fees.

Going back to digital media, a big part of why it can be effectively microchunked now is that certain enabling technologies are widespread enough to reduce the advantage once held by centralized media: things like editing tools, RSS syndication, and aggregators. The same thing is true for apps; enabling technologies here would include widespread broadband, more active browser techniques like AJAX, and standardized data formats.

I think that there are two main remaining barriers to microchunking apps. The first is the lack of many needed standardized data formats. One big help in this regard could be microformats. The second big remaining stumbling block is that of identity. Big applications, whether on the web or not, have the significant advantage that you just log in once, and then can easily use the different components of the app together.

So how could this identity barrier be knocked down? Well, how about microchunking identity?

As it so happens (or more like, partly motivating this post), microchunking identity is what I just talked about at BarCamp SF. I’ll get to that in the next post.

The liquidity in the maturing online advertising industry, which allows new applications to monetize utility to users quickly and directly.

In other words, if you can build an application that has enough utility for a decent number of users to start using it, you can turn that utility into dollars by, say, slapping up AdSense, which pays the bills and keeps the app up and running (perhaps competing with a platform aspiring to monopoly power).

The problem with this in the real world is that AdSense, which at the moment is the easiest way to put advertising on a small site, doesn’t really pay the bills all that well. One big reason for this is that the ads are usually pretty badly targeted when the context is a dynamic app, or a constantly changing document like a blog.

This is where the Web is different from other media: as many people have pointed out, the Web is neither one-to-many (broadcast) nor one-to-one (email); it’s many-to-many. That means that everyone can provide data as well as receive it. In particular, users can “pay” for content with more than just their attention; they can pay by supplying data about their interests that lets ads be better targeted. Although smaller sites currently have a hard time monetizing this data, in theory web applications should become economically viable at a much lower user base due to both more valuable targeted ad space and the previously discussed reductions in development and operations costs.

This idea of paying with data isn’t new, we already do it in several ways:

– Supplying search terms is a payment: your interests at that moment are targeting data (e.g. Google AdWords)
– Reading content is a payment: the content itself represents your interests (Google AdSense)
– Frequenting a site is a payment: your history at that site represents your interests (e.g. Amazon)
– Registering at a site is a payment: facts like zip code, age, and gender act as proxies for your probable interests (e.g. NYT)

This trade of data for content is what Matt Blumberg calls the “New Media Deal”, as I just found out by following a link from Fred Wilson. Matt’s description of this deal is really great, but it doesn’t mention what I think is a big problem: most people don’t get what the deal is! I don’t have any handy stats, but I’d bet that if you took a survey, most people wouldn’t know that the reason they’re always being asked to register and fill out forms is to help the site pay its bills by serving up more relevant ads. They probably think it’s to spam them or do market research or something (er, well, both of which might sometimes be the case actually).

It seems to me that asking users for data might work a lot better if users really understood what it was for. Matt addresses this in part with his next deal incarnation involving more user participation, the “We Media Deal”:

The more transparent the value exchange, the more willing you are to share your data.

But the examples he gives, of us being more likely to care about sharing our data if we know we can delete it and that it will be attributed to us, isn’t really what I have in mind here. Instead of trying to get data from users in indirect ways like surveys, registration, and tracking, why not just make the deal explicit? People understand that someone has to get paid to develop apps or write articles, and if we can pay with something other than money, that’s great!

I think it’s true that a lot of people are used to thinking in the “old media” way: as Matt puts it, we pay by “tolerating” a blizzard of ads, most of which are totally irrelevant to us. If the New Media Deal is made more explicit, I think people will see that everyone wins: a less painful type of payment can support a greater diversity of sites, where participation and mutual respect are values that are reinforced by capitalism and self-interest.

I got rid of the “expert” scope column, not because it’s not relevant, but because there weren’t any entries and aren’t likely to be anytime soon — seems like amateurs are more in fashion than experts these days. (UPDATE: Ethan rightly points out that Squidoo is an example of expert filtering, as is really any successful media outlet, including Mike’s TechCrunch itself; I updated the matrix to reflect this and a couple other suggestions — if anyone else has more suggestions for entries, please pass them on!)

Nivi also points out that there are other dimensions that could be added to this matrix, in particular that of metadata location. He mentions that a lot of this valuable data is on your desktop, to which I’d add that a lot is also “locked up” in various applications, e.g. your search history, your tags, your OPML list, etc.

I also thought a great point was that the metadata is about both you and the data it points to:

This metadata is metadata about the data it points to and metadata about your interests and attention. In fact, the utility of a piece of metadata in describing data may be inversely related to its utility in describing your interests. For example, your clicks describe your interests, but they don’t really say anything useful about the data you are clicking on. (Propers to Ethan Stock for this insight).

However, I’m not so sure about the idea of an inverse relationship between the utility of metadata along these two dimensions. Your clicks may not *directly* say anything useful about the data clicked on, but indirectly they’re at minimum a vote (as used by AdWords), and even better a proxy for collaborative filtering (as used by Amazon). Delicious makes this explicit by allowing you to pivot on users, tags (metadata), and URLs (the data pointed to); each one of these dimensions has a different meaning, but I think every one has some utility.

The popular perception is that people want anonymity; in fact, it appears that most people crave recognition. Many young people want it so much that they join multiple networking sites, rate themselves and friends on various scales, and fill in online questionnaires and surveys. Even as individuals evince more and more concern about privacy and identity theft, they flood onto the Web as themselves, publishing blogs, posting photos, contributing reviews, and revealing all (or so it seems) on dating sites.

In effect, people are trading anonymity for a voice.

Ed agrees, concluding that attention is the opposite of anonymity.

I agree with Esther that people are willing to part with anonymity for a voice, both to participate in conversations and to achieve recognition; and I also agree with Ed that part of raising a voice is to attract attention. But I’m not so sure that this is a global “trade,” or that attention is therefore the opposite of anonymity.

It seems to me that most people want both anonymity *and* a voice. And what they want most is *control* over whether they are anonymous or recognized in each transaction. Just because I publish a blog and contribute reviews doesn’t mean that I don’t want to be anonymous when surfing the net. I’d bet that most people who have left comments and contributions as themselves have also been in situations where they preferred to do so as an “anonymous coward”. In some cases it might just be a matter of being more polite, in others the subject might be sensitive and private, like a medical condition.

I think that a key reason that people want to control anonymity is that identity, like all personal data, has value; and so if I’m going to give up my anonymity, it should be in exchange for something valuable in return. Joining a social network gives me contact with like-minded people; blogging lets me participate in a conversation I care about; and I pretty much only fill out a form or questionnaire in order to get to on-line content that would be inaccessible otherwise.

People do and should have concerns about privacy and identity theft, but that doesn’t mean they want to live in an anonymous bubble; it means they want as much control as possible over whether each piece of personal data is completely private, accessible by a select group, or public for all to see. So rather than being the opposite of anonymity, I think that attention is one of many valuable things that can entice people to give up anonymity — but only if this happens in a manner that is under their control.

Robert was pointing out that the switching costs imposed by Web 1.0 companies to get a competitive advantage are being replaced by different switching costs created by the *users* of Web 2.0 companies. As an example he cited the switching costs created by the value of a social network at MySpace or a reputation on eBay, as opposed to the switching cost created by the email address and “walled garden” at AOL.

Dorrian then points out that users increasingly want to own their data, from their blog post comments to their purchase history at Amazon to their social network at LinkedIn. Ownership of this data implies portability, which lowers switching costs — even the above costs created by the user. But hey, that’s part of the evolution to Web 2.0, and the removal of such barriers should force companies to compete on the basis of better functionality and service.

On a theoretical level, I completely agree with Dorian; but more practically, I think that not all data is created equal in terms of how easy it is to separate from applications. For example, ownership of blog comments would be pretty simple to make happen, but it just hasn’t been important enough for long enough to really happen yet (beyond using trackbacks). Ownership of something like purchase history (or attention) is a bit more difficult: even if a standardized format exists for the data, it is harder for users to review it for accuracy or for applications to use it effectively. Moreover, the increased competition based on features will mean that many applications are likely to find any standard lacking when trying to differentiate their service. Thus it will still be necessary in many cases for the application to own user data, perhaps used in conjunction with the data owned by the user.

For sites like MySpace that build a multi-faceted environment for users to communicate and share interests, it’s hard to see how the data could be practically separated out. After all, MySpace is essentially a music-centered conglomeration of home pages, blogs, social networks, bulletin boards, etc. All of these components are available elsewhere separately, but users value the community architecture built by MySpace, and so let the service manage their data. Even if an easy way existed to export a specific user’s posts, links, forum comments, etc. it seems doubtful that many users would take advantage of it.

All that being said, it seems clear that the way things are evolving is towards more user control, and that the specific path that this evolution takes place will be driven by user demand. One can imagine a world where everyone owns their links and writings and social networks, and then leases them to applications; a MySpace then could build value by providing an easily navigable workspace and links to extra services like music streaming. But this will only happen if users want it. For user data that has little utility outside of MySpace, there will be little demand for inclusion in such an architecture; but users will want to own data that does have external utility, and will increasingly gravitate towards applications that respect this desire.

AttentionTrust is “a non-profit organization dedicated to promoting the basic rights of attention owners.” That means everyone! The particulars of what this means (the “rights” from the AttentionTrust home page) can be mapped pretty much directly to the kinds of things I’ve been talking about here:

– Property: you OWN and CONTROL your attention (and, I’d argue, all your other personal data)
– Mobility: you can TRANSFER your attention (implying that this data is separate from the apps that use it — see microformats)
– Economy: you get something in return if you TRADE your attention (or, I’d argue, allow others to collect it)
– Transparency: you can see how your attention is being used (and, I’d argue, when it’s being collected)

Wow! Attention even has its own microformat: attention.xml, also spearheaded by Steve along with a bunch of folks from Technorati. Needless to say, I joined right up:

I guess a big chunk of this blog has ended up being concerned with a generalization of the AttentionTrust idea: that you should “own” all your data, from your attention to your preferences to your identity to your social network. This ownership should then imply all the “rights” listed above.

Kudos to everyone involved with AttentionTrust! More from Steve, Seth, Ed Batista, and of course the indispensible TechCrunch.

Here I’d like to dive more deeply into this last question; so in light of those previous posts, the more specific question is “when are third party tracking cookies spyware?” This is probably best asked in the larger context of the question “when does marketing become spying?” And I think one way to address these questions without being distracted by technical issues is to think about a physical interaction rather than a virtual one on the web.

OK, so…say you walk into a store in a mall. This store has a lot of salespeople who watch what you’re doing and try to help out. This certainly can’t be a problem, that’s what salespeople are paid to do! But these salespeople have really good memories and work 24 hours a day, so if you come back to the store sometime later, they’ll recognize you and remember what you did last time you were there. At least for me, it’s hard to see this as a problem; this is essentially how stores strive to operate today.

Now let’s say you buy something at the store with a credit card. The salesperson now knows your name and other personal data, as well as having insight into your likes and dislikes from watching you in the store. You might even now be greeted by name when you come back later, and pointed to a new item the salesperson thinks might interest you. Again, this is an idealized version of how stores operate now, so it’s hard for me to see a problem; that being said, if it was possible I’d probably prefer it if my card went through without the salesperson looking at or remembering my info.

But what if, as you walked in, an iris scanner identified you via a third party database like in the movie “Minority Report,” or equivalently, the salesperson snapped your photo and faxed it to a third party service that sent back your name and other personal data. To me, this is definitely a violation of my privacy: the salespeople are free to watch me in their store all they want, but unless I decide to offer it, they should not know who I am.

Even worse, imagine that the store has the salespeople write down everything they know about you, then send it to a third party who puts it in a file under your name along with the reports from various other stores. This third party now sells your file to anyone who cares to pay for it. At least for me, this is the ultimate privacy violation: I’ll never live down the time I went to buy medicine for jock itch, the FBI will stake out my house after I buy rolling papers, and prospective landlords will reject my application when they find out that I buy a lot of powerful stereo gear.

OK, so now we’ve established some boundaries to what is definitely acceptable and not acceptable (at least to me; I’d be interested to hear from anyone with different ideas). Translating back to cookies:

– Tracking cookies are OK if they’re from the site I’m visiting
– Merging cookie data with PII I provide as part of a purchase or registration on the site seems hard to avoid and so is probably OK (although best avoided)
– If I don’t offer my PII, I should be assured of my anonymity, i.e. it is *not* OK for anyone to share the PII I provide with any third party

Now we get to the interesting part. What if, as you enter the mall, someone hands you a clipboard to carry around. Each time you leave a store, the salesperson scribbles down what they think you were interested in by watching your actions and puts it on your clipboard. Each time you enter a store, the salesperson takes your clipboard and reads it to learn what you might be interested in.

To me, this doesn’t raise a big privacy issue, but that’s because I’m assuming several things based on the physical metaphor:

– I know about the clipboard
– I can be sure that no salesperson will put any PII on my clipboard
– I can read through the clipboard and see what has been written about me
– I can throw away the clipboard anytime I want, and no one else has a copy

So mapping back to cookies, this means that to meet the above idea of acceptability, the following should be true of third party tracking cookies:

(1) I should know they’re present, and who can access them
(2) They should never contain or be merged with PII
(3) I should be able to review their content
(4) I should be able to delete them

Another relevant issue is (5) Why should I accept the clipboard? Imagining the scene at the mall, realistically there’d have to be some incentive for me to accept the clipboard beyond “better service” — I expect good service anyway, I’d have to be enticed by discounts, like for example Safeway and other supermarkets do with their “Club Cards.”

Wrapping all this up, it seems to me that a reasonable proposal regarding third party tracking cookies would be to essentially follow the above numbered points:

(1) A site should clearly notify users that it uses third party tracking cookies. Exactly how this is done is debatable, but the notification should be hard to miss, and should link to an up-to-date list of the other sites at which the cookie is active (the other stores that are “in the mall”).
(2) Users should be guaranteed that tracking data will never contain or be merged with PII. Whether this should be encoded in law or implemented via industry agreement is debatable.
(3) Third party tracking cookies contents should be reviewable by the user. This is *not* true now: even though you can examine the cookies on your computer, the contents are usually not human-readable. Third party cookie vendors should provide a consumer service that allows these cookies to be reviewed, and sites should link to these services, ideally as part of the notification in (1).
(4) The ability to delete is not an issue, cookies can always be deleted.
(5) Users should somehow benefit from accepting tracking via third party cookies.

This last item, (5), requires the most creativity; some ideas off the top of my head are:

– Sites could provide special or premium content to users who allow third party tracking cookies
– Third party tracking cookie vendors (network advertisers) could entice users to participate by offering input into marketing decisions or recommended product and services
– Advertisers could offer explicit discounts to users who allow third party cookies and who then click through the ads that use the resulting tracking data.

I’d love to hear any thoughts from others regarding these ideas. In the end, I think the goal should be for users to remain in complete control of their personal data, with any disbursement of this valuable data explicit and above-board. If this respect is afforded consumers, marketers will be able to do their job in a more effective and cooperative environment, so that the free content we all enjoy can be paid for.