Re: [projectvrm] Bots for VRM

[Peter Cranstone < >]

>> What is a VRM site? 

There isn't one - but there has to be a place I go to engage and understand the concept. What happens for example when I go to www.vrm.org ?

Hmmm. After all these years that site is still not taken and up and running with the marketing message explaining the concept. 

Let me offer this - you want to buy something - 99.9% of people simply go to www.amazon.com Tha's an INGRAINED behavior response. To overcome a behavior response you need a better value proposition to change people's behavior. This web site is pretty informative on the subject: http://bjfogg.com - here's a great quote:

• Most recently (in 2015) I created a course that was all about getting people to connect more with nature. Very fun. In this course, like all my previous classes, we focused on designing technology solutions to change behavior.
  

VRM needs a message, it needs a quantifiable value proposition, it needs in simple terms to explain 'what's in it for me'? Instead it's discussions about whether to send a Identifiers and Attributes across the Web in either a JSON file or as a Header. Both work - the customer doesn't care - all they want to hear is 'show me the money'. In my opinion if you want VRM to succeed then it needs a place that explains and communicates the message. 

Going back to Proff. Foggs site a behavior change occurs under two conditions - either when the individual is highly motivated OR the when solution is very simple to access (think NAVIGATION and USER INTERFACE). That's when the curve is closest and you can engage the trigger points. VRM needs that message. 

Why are the headwinds increasing for VRM?

1. Lack of a clear, concise, compelling, credible message that communicates the value proposition to the stakeholders in business terms.
   
2. GDPR

Why GDPR?

• The EU finally has had enough of America running the Internet of 'you're the product'. So after watching the slow motion train wreck that is the Do Not Track standard and the toothless Compliance Scope which was engineered in favor of business as usual, they decided to act. And they made a significant move...
  
  • They said that 'Business Strategy will drive IT architecture 
    
• That strategy is one of respect for the privacy for the individual regardless of their location
  

What does this mean - GDPR is now driving the technology bus and not the other way around (DNT). It also means that for the next 18 months the entire EU and other parts of the world will be focused on building GDPR compliance into their business operations AT ALL levels. They're about to change their business strategies to align with Privacy.

Unless you can prove that VRM is an important part of this process, then the train will have left the station. Businesses understand Profit and Loss, they understand Margin - that's the language you need to communicate to them with. How you deliver the bits is irrelevant - nobody on this list cares how Amazon.com works ONLY that it does work and I get what I want 2 days later.

Make VRM look like that and it will be a winner. 

Peter Cranstone

Sent with ProtonMail Secure Email.

-------- Original Message --------

Subject: Re: [projectvrm] Bots for VRM

Local Time: November 8, 2016 8:37 PM

UTC Time: November 9, 2016 3:37 AM

From:

To: Peter Cranstone < >

Jason Wong < >, Joe Andrieu < >, ProjectVRM list < >

Well, then we’ve got some work to do.

Quick question: what is a “VRM site?” 

Some context for brevity: I’m sleepless in Istanbul, watching CNN in a state of shock. 

Doc

On Nov 9, 2016, at 12:12 AM, Peter Cranstone < "> > wrote:

Sorry Doc - with the greatest respect I have to disagree with you.

Let's look at the facts - there are 563 days until enforcement can begin - or in old money 1 year 6 months and 17 days

• Currently there is not a single GDPR compliant web site that I can find on the Internet – for big companies they're almost out of time to build it
  
• NOBODY has calculated the financial MARGIN cost to a businesses bottom line. For starters there's the need to hire a Data Protection Officer and every part of the business will have to be reviewed to be in compliance. 
  
• Article 3, Clause 2, subsections A and B actually extend Privacy globally something that the folks over at DNT land don't quite understand yet because DNT does NOT support extensions like GPS location
  
• Currently the folks at DNT are trying to figure out how to make DNT work for GDPR... click on this link to read the list of current implementations: https://www.w3.org/wiki/Privacy/TPWG/TPE_Implementation_Report 
  
• Some CRITICAL takeaways
  
  • Only ONE browser has a consent API but it's NOT working – Every other browser is broken
    
  • There is NO mobile support for all of DNT conditions - Null, Zero and One
    
  • Of the 15 server side implementations ONLY 3 show some sort of compliance – NONE show GDPR compliance
    
  • There is ZERO discussion on Mobile apps. Currently there are about 3 million apps out there give or take. Nobody knows what is going on under the covers as it relates to your private data. GDPR will change that 
    
• There is NO accountability for vendors anymore as the Tracking Compliance Scope document has been placed in Note mode - this means nobody is doing anymore work on it because it's been superseded by GDPR
  
• The TCS is a MORAL obligation – GDPR is Legal Regulation with a fine for non compliance. 
  
• There are still NO VRM sites on the Internet
  
• Any VRM site that appears on the Internet will have to support Global/Country/Regional/Local privacy policies otherwise I'm not sure how it can be in business.
  

The GDPR defines personal data as: (See Article 4)

• (1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  

That sure looks like someone has clearly defined Identity, Identifier and Attributes. I'll be interested to compare them to Joe's definitions. If they're OUT of alignment the Regulation will win, because it's enforceable.

Bottom line - there's now a new sheriff in town.

Tick Toc.

Peter Cranstone

Sent with ProtonMail Secure Email.

-------- Original Message --------

Subject: Re: [projectvrm] Bots for VRM

Local Time: November 8, 2016 2:38 PM

UTC Time: November 8, 2016 9:38 PM

From: ">

To: Jason Wong < "> >

Joe Andrieu < "> >, Peter Cranstone < "> >, ProjectVRM list < "> >

Agreed. Good thread.

I should add that the GDPR hasn’t usurped VRM at all. Instead it has called forth lots of VRM development, and has made many companies much more receptive to signaling of intention from the individual’s side, while also reducing appetites for surveillance-harvested data. 

Doc

Istanbul, at the moment

On Nov 8, 2016, at 10:54 PM, Jason Wong < " class=""> > wrote:

Joe,

+1

Jason D. Wong MD MPH MBA, FACOG

(c) 301-675-1970

On Nov 8, 2016, at 3:45 PM, Joe Andrieu < " class=""> > wrote:

Much editing for brevity.

On Tue, Nov 8, 2016, at 09:36 AM, Peter Cranstone wrote:

Joe Andrieu wrote:

>> My identity is how I am seen and known by the world, and it exists, in its core, in the minds of those who see and know me.  All I can do is influence it. I can neither control it nor represent it in bits. <<

 

If you can neither control it nor represent it in bits, then by your own words, it cannot be coded. I don’t think that’s what you meant to say. I think you meant to say my Identity is a combination of my Identity and or Identifiers which are communicated as required by the context that i'm interacting with.

This is the language gap. You *cannot* digitally encode an identity. That's my point.  You can encode identifiers and attributes, but "identity" is more than the set of identifiers and attributes encoded in some system. Any system that treats identity as if it were things represented as bits is going to fail to meet the requirements of a real identity system, which *must* be based on the processes and mechanisms used to correlate individuals across contexts, including:

1. processes of correction when the bits are in error

2. processes of escalation when the system fails to perform as intended, i.e., when no interface addresses the failure

3. processes of elevation when correlation is ambiguous relative to the requested privileges

4. processes of evolution when the foundations of correlation shift

5. processes of bootstrapping new individuals into the system

6. processes of substitution when components of the system fail to provide services

7. mechanisms to prevent undesired correlations

Bits can be wrong. They can be falsified. They can be out-of-date. They can be of the wrong type. They can be unavailable because the subject isn't in the system or because part of the system is down.  All of these failure modes don't change the nature and fact of one's identity, they only describe demands on a system that MUST be robust in the face of these failures.

Networking existed LONG before the Internet. What the Internet did, and the reason it has proliferated and become the dominant network in the world is because of its robustness in the face of failure.

If you're going to claim *any* technology provides an Internet identity layer, you'll need to demonstrate a similar robustness in the face of failure.

IMO, simply adding encrypted headers to HTTP doesn't do that.

>> What we can do is describe how systems manage correlation, either enabling desired correlations or preventing undesired correlation <<

 

Yes, you could. However, this requires MY Identity/Identifier data in real time to make the correct decisions based on local/regional/country laws and context.

 

>> If we do that, we don't need to create "an identity layer" we can build systems that have understandable and appropriate methods of correlation. <<

 

No you can’t – they need real time Identity/Identifier information for correlation and local/regional/country compliance and context.

This is the language gap. Identity is not identifiers.  Treating it as such will lead to further confusion and poorly engineered, incomplete solutions.

 

Bottom line Joe – you’re going to transmit REAL-TIME bits (GDPR: Article 3, Clause 2) because neither Web servers or Human Observers are mind readers – they need the appropriate data to be compliant. And that data is going on the wire somehow.

Yes. But these bits are not identity. They are at best credentials, sometimes just identifiers, and other times unverified attributes.

 

After that it will come down to two things:

1. Execution/Adoption by the consumer (think behavioral change here)
   
2. Money
   

Either the VRM ecosystem creates tangible P&L value or it doesn’t. 

Pie is never free at the truck stop no matter what anyone tells you.

I'm not talking about adoption or execution or the "VRM ecosystem". 

I'm talking about whether or not any current or proposed Internet identity layer meets the requirements of "identity". I stand by my earlier assertion. Nothing I've seen to date has demonstrated it meets the needs for the constituencies who would depend on it.

-j

--

Joe Andrieu, PMP

" class="">

+1(805)705-8651

http://blog.joeandrieu.com