Bart Stevens recently suggested a breakdown on the potential economic impact of VRM, based largely on a post by Steve Rubel arguing that $1B is wasted in online advertising today.

First, I anticipate the Personal Datastore to become a design pattern that underlies other VRM services, rather than a service by itself. In fact, a PD isn’t really a PD unless it enables VRM services explicitly… Personal Datastores aren’t just online storage like Amazon’s S3.

Second, I think the $1 Billion number is far too small. Steve is only estimating the CPM costs for display ads that are literally missed by users during eye tracking studies. That’s an intriguing number because those ads truly are wasted… there isn’t even any brand exposure because the ads are not even seen. It’s like paying for ads in a magazine that is never opened by a real reader.

On the other hand, there are still plenty of ads that are seen by the wrong people and CPC ads that are clicked on by the wrong people. Note that for the “right” people, those ads arguably generate useful brand exposure, so they aren’t wasted.

When advertising starts with the advertiser, it inherently wastes money, as it inevitably buys placement in ineffective or misaligned media. By now it is an old chestnut that advertisers waste half their budget–they just don’t know which half. Sometimes advertising is an investment in exploring potential markets… the goal is the data gained in the test marketing, which isn’t entirely a waste. Other times advertising is educational outreach where the goal isn’t so much to trigger a sale, but instead to introduce people to new products and services. Sometimes this is called demand generation. And that still leaves a vast amount of waste, buying media (offline or online) that just doesn’t perform or create any value. The potential savings in these areas is not only missing from Rubel’s analysis, I’d wager it is far more than $1 billion.

The huge potential of VRM is to turn these models inside-out, by providing a scalable pipeline directly into the product development and sales divisions of capable firms. Instead of Vendors guessing what people want, VRM services can cost-effectively tell Vendors what people truly do want. If the product is available, the sales team can enable purchase and delivery. If the product doesn’t exist, the Vendor can create it if demand is sufficient.

This new paradigm is exactly the shift from Attention to Intention that Doc and I have been advocating. The Attention game is the world of traditional advertising, where the industrial manufacturer competes in mass media to get the attention of the right consumers in order to generate demand for their products and services. Given that attention, they seduce, cajole, and entertain in hopes of winning new sales.

The Intention game, on the other hand, starts with explicit requests from the user to fulfill actual demand. Sometimes that intention will be nascent, needing further exploration and discovery. But eventually, for the segment of the population that finds something they want or need, that intention shifts from educating oneself about available options to seeking specific satisfaction, that is, buying a solution. Because intention starts with the user’s commitment to take the relationship to the next level, it immediately takes a vast amount of guesswork and wasted advertising out of the equation.

This guesswork and wasted advertising is probably closer to $100 billion/year, but that’s just my gut feeling. And that number only addresses the loss side of the equation, that is, the money we save by not wasting product development and advertising dollars. It ignores the value of products and services that today languish as innumerable missed opportunities–missed because companies have no way to efficiently gauge true market demand. There are undoubtedly services and products that exist–or could be profitably offered today–which fail to reach customers because we don’t have a suitable mechanism for connecting the right customers with the right companies. This potential to close the gap between potential sales and unmet demand, is simply too large to estimate.

The Cost-Per-Action/Pay-for-Performance business model of Affiliate Marketing is likely to continue to transform the ad industry, significantly reducing billions in unnecessary expenses, including the $1B wasted on unseen display ads in Rubel’s analysis.

It won’t be until we transform explicit intent into new offerings and new sales that we unleash the vast potential that is VRM.

I’m not sure how I found it, but today I discovered a bit of a gem in the blogosphere: ValleyZen.

For a quick taste, check out the interview with Drue Kataoka on View from the Bay. It is amazing how a few simple words can have such a profound visceral impact.

Drue’s suggestions resonate with my user-centric world-view:

1. SIMPLIFY
   Focus on what’s important. Eliminate what’s not.
2. IMMEDIACY
   React to the moment — not to your fears and concerns.
3. BREAK YOUR RHYTHM
   Surprise yourself and those around you.
4. BE CALM
   Find Tranquility in Action.
5. GREEN FROM THE INSIDE OUT
   Begin with your own personal ecosystem.

Take time for yourself, reconnect and put things in perspective, and engage the world on your own terms, in the moment, sustainably.

When redefining technology in personal terms, Drue’s take on Zen packs a powerful punch.

Phil Whitehouse recently served up some nuggets to stimulate conversations at next week’s VRM2008 in Munich.

I’ve been thinking a lot about VRM lately. Not so much about what it means, but rather the mechanism of how it can work.

If you’re new to VRM, it can be summarised like this: it’s the reciprocal of CRM. Rather than being bombarded with advertising, much of which is irrelevant, and the rest irritating, wouldn’t it be nice if you could just tell vendors what you want, on your terms? Without even going to the trouble of looking for them? If they’re willing and able to respond, they do so. Everyone else goes on their merry way. It’s all about sharing the data you want with the people you want.

Some examples from Doc Searls (Cluetrain Manifesto dude), who heads up the VRM project, include:
I want to:

- Buy a power convertor near St.Paul’s in the next three hours, at any price
- Buy a stroller for twins near Highway 70 in Kansas today for under $300
- Buy an Apple laptop with a 500gb HDD and weighs under five pounds, as soon as it comes out
- Buy a double decaf cappuccino at the next exit on this highway
(You can see more examples presented by Doc on this photo)

There are a few big problems that need solving. Filtering is one (both on the outbound request and the way back in), targeting is another (how do you choose which vendor to share your data with?), organisation is a third (by what mechanism do customers agree to share their data, and in what form, while retaining control over it?).
…

don’t know much about establishing standards. My erstwhile colleague Paul Downey, on the other hand, represents BT at the W3C and thus knows a bit about standards. He sez this will be a hard problem to crack, and he’s probably right. Big question: to what extent would we, the customers, allow brokers to help create this standard?

My view is this problem needs to be overcome before VRM can move forward, regardless of whether brokers are involved.

…

Good stuff. As the chair of the Standards Committee for Project VRM, it might be obvious that I think we need to create some standards.

At the end of the day, interoperability requires either standards or one-to-one interoperability engineering. The user-centric Identity movement has grown like crazy in the last few years largely because a hybrid of these approaches have been used, as OpenID, Higgins, CardSpace, and Liberty (among others) took their 1.0 products and figured out how to make them work together, leveraging standards like WS* and SAML as they did so. The nice thing about standards is that once they are in place, they reduce an O(n^2) problem, where every software vendor has to coordinate with every other vendor, to an O(n) problem where each software vendor coordinates to the standard.

The problem with standards is they are slow to develop. But once you have some apps and some standards at the 1.0 level, the efforts towards interoperability can get serious traction, like they did with the user-centric Identity movement.

I’m hoping we can engender a similar development cycle with VRM. We need both working applications and formal standards and specifications, especially with regard to data formats and communications protocols.

I’ll diplomatically disagree and agree with Bart (read his comment on the original post) regarding leaving standards to others. On the one hand, we should leverage existing work as much as possible. For example, I see Higgins and XRI playing a major enabling role for us. On the other hand, while the Dataportability and Higgins guys are doing great work, they are not necessarily solving the problems VRM has set out to tackle, namely reinventing the marketplace on behalf of individuals while creating more value for vendors.

As an example, the Dataportability movement has framed the problem in terms of Data and Portability. This brings to mind exporting and importing “my” data from vendor to vendor. That’s a start toward liberating users from vendor silos. However, I think the real win is in user-centric services, where the location of the “data” is essentially irrelevant–even as it is hosted under the control of the user–and all user-authorized vendors can access the data through approved services.

That’s the idea behind the Personal Address Manager, which we’ll be discussing in Munich. Your actual postal address isn’t that much of a problem from a dataportability perspective. It’s just a few lines to enter and no real need to “export” it from some vendor’s silo. However, when you change your address, it would be nice for the new address to automatically propagate to those authorized to get it. Or, for more sophisticated vendors, to have the address provided on demand, so that they never send postal mail to the wrong address. Such a service would be automatically discoverable by vendors using the Identity layer to authenticate and authorize exactly who gets it.

I see the job of VRM as working through these scenarios from the user’s perspective and ensuring the development of enough standards and technology for a complete implementation.

In any case, I’m looking forward to seeing Phil and Bart at VRM2008. There’s plenty of room to continue this conversation. Join us if you can; it should be fun. =)

From Yahoo News:

Majority Uncomfortable with Websites Customizing Content Based Visitors Personal Profiles

Level of Comfort Increases When Privacy Safeguards Introduced

ROCHESTER, N.Y.–(BUSINESS WIRE)–A majority of U.S. adults are skeptical about the practice of websites using information about a person’s online activity to customize website content. However, after being introduced to four potential recommendations for improving websites privacy and security polices, U.S. adults become somewhat more comfortable with the websites use of personal information.

Good stuff, although one should read closely to understand exactly what users dislike. Customization isn’t the problem… it’s the unauthorized invasion of privacy. The questions asked by Harris were rather leading. It would be interesting to see what people say to “if asked, would you allow a Search engine to provide enhanced results based on your behavior.” My understanding is most people do opt-in to the advanced features of Google desktop, which asks essentially the same question at install time. People don’t like surreptitious activities, but if you ask up front, it’s much easier for folks to say yes.

Here’s yours truly with Trent Adams and Steve Greenberg of Dataportability, talking about VRM. Also in the podcast: dataportability news and Kaliya Hamlin on the Data Sharing Summit.

The title says it all, as reported by the Guardian:

BT admits tracking 18,000 users with Phorm systems in 2006

Bummer. I kinda like BT.

The Washington Post today exposed considerable excesses by “fusion” centers organized post 9/11.

Intelligence centers run by states across the country have access to personal information about millions of Americans, including unlisted cellphone numbers, insurance claims, driver’s license photographs and credit reports, according to a document obtained by The Washington Post.

…

Dozens of the organizations known as fusion centers were created after the Sept. 11, 2001, terrorist attacks to identify potential threats and improve the way information is shared. The centers use law enforcement analysts and sophisticated computer systems to compile, or fuse, disparate tips and clues and pass along the refined information to other agencies. They are expected to play important roles in national information-sharing networks that link local, state and federal authorities and enable them to automatically sift their storehouses of records for patterns and clues.

…

The list of information resources was part of a survey conducted last year, officials familiar with the effort said. It shows that, like most police agencies, the fusion centers have subscriptions to private information-broker services that keep records about Americans’ locations, financial holdings, associates, relatives, firearms licenses and the like.

Centers serving New York and other states also tap into a Federal Trade Commission database with information about hundreds of thousands of identity-theft reports, the document and police interviews show.

Pennsylvania buys credit reports and uses face-recognition software to examine driver’s license photos, while analysts in Rhode Island have access to car-rental databases. In Maryland, authorities rely on a little-known data broker called Entersect, which claims it maintains 12 billion records about 98 percent of Americans.

In its online promotional material, Entersect calls itself “the silent partner to municipal, county, state, and federal justice agencies who access our databases every day to locate subjects, develop background information, secure information from a cellular or unlisted number, and much more.”

…

“There is never ever enough information when it comes to terrorism” said Maj. Steven G. O’Donnell, deputy superintendent of the Rhode Island State Police. “That’s what post-9/11 is about.”

The last statement pretty much sums up current institutional thinking on individual liberty and national security: in the fight against terrorism, we have a moral obligation to do everything we can. Everything.

It’s scary how much that position echoes that of fascism. As promoted by Mussolini, fascism builds a moral framework based on the primacy of the state. Fasciste means a bundle of sticks, symbolizing that the group is stronger than any individual. Fascism extends that thinking, declaring that each individual’s rights exist only insofar as they support the state. Or to restate, in the defense of the state, there are no individual rights.

Which, if you think about it, is exactly what anti-terrorist programs assert when claiming that terrorism trumps the rights and privileges of the suspect or accused. Due process, protection from unreasonable searches, freedom of speech. All of these have rights have been trampled on in the name of the War on Terror. The fusion centers are just one more institution created by the mindset that brought us illegal wiretaps, extraordinary extradition, secret prison camps, extra-territorial detention, and torture.

I understand law enforcement’s position. It is easier to enforce laws when you know everything about everyone, just like in a police state (see The Lives of Others for an Academy Award-winning story of pre-information age East Germany’s police state). But it is impossible for a police state to generate the economic and social well-being that emerges in a free society… and it is that well-being which, ultimately, is the core of U.S. global power. Simply put, undermining freedom undermines US security.

In contrast, consider the subtle brilliance of Kim Cameron’s Laws of Identity, in particular, law 2:

2. Minimal Disclosure for a Constrained Use

The solution that discloses the least amount of identifying information and best limits its use is the most stable long-term solution.

We should build systems that employ identifying information on the basis that a breach is always possible. Such a breach represents a risk. To mitigate risk, it is best to acquire information only on a “need to know” basis, and to retain it only on a “need to retain” basis. By following these practices, we can ensure the least possible damage in the event of a breach.

At the same time, the value of identifying information decreases as the amount decreases. A system built with the principles of information minimalism is therefore a less attractive target for identity theft, reducing risk even further.

By limiting use to an explicit scenario (in conjunction with the use policy described in the Law of Control), the effectiveness of the “need to know” principle in reducing risk is further magnified. There is no longer the possibility of collecting and keeping information “just in case” it might one day be required.

The concept of “least identifying information” should be taken as meaning not only the fewest number of claims, but the information least likely to identify a given individual across multiple contexts. For example, if a scenario requires proof of being a certain age, then it is better to acquire and store the age category rather than the birth date. Date of birth is more likely, in association with other claims, to uniquely identify a subject, and so represents “more identifying information” which should be avoided if it is not needed.

In the same way, unique identifiers that can be reused in other contexts (for example, drivers’ license numbers, Social Security Numbers, and the like) represent “more identifying information” than unique special-purpose identifiers that do not cross context. In this sense, acquiring and storing a Social Security Number represents a much greater risk than assigning a randomly generated student or employee number.

Numerous identity catastrophes have occurred where this law has been broken.

We can also express the Law of Minimal Disclosure this way: aggregation of identifying information also aggregates risk. To minimize risk, minimize aggregation.

Whether or not you think the War on Terror is being handled well, it is a demonstrable fact that human systems fail. People make mistakes.
And that means we can guarantee that institutions–even when acting in our own best interest–will make mistakes, like the admitted errors of the FBI, as reported by the NYT:

F.B.I. Made ‘Blanket’ Demands for Phone Records

WASHINGTON — Senior officials of the Federal Bureau of Investigation repeatedly approved the use of “blanket” records demands to justify the improper collection of thousands of phone records, according to officials briefed on the practice.

…

Under the USA Patriot Act, the F.B.I. received broadened authority to issue the national security letters on its own authority — without the approval of a judge — to gather records like phone bills or e-mail transactions that might be considered relevant to a particular terrorism investigation. The Justice Department inspector general found in March 2007 that the F.B.I. had routinely violated the standards for using the letters and that officials often cited “exigent” or emergency situations that did not really exist in issuing them to phone providers and other private companies.

F.B.I. Says Records Demands Are Curbed

WASHINGTON — The Federal Bureau of Investigation improperly obtained personal information on Americans in numerous terrorism investigations in 2006, but internal practices put in place since then appear to have helped curtail the problems, Bush administration officials said Wednesday.

The Justice Department’s inspector general is expected to issue a report in coming weeks that updates the findings of a major investigation last year into the F.B.I.’s use of so-called national security letters, which allow investigators to obtain telephone, e-mail and financial information on people involved in investigations without a court warrant.

Last year’s report caused an uproar in Congress when it was disclosed that the F.B.I., under powers granted by the USA Patriot Act, had misused its authority to gather records in thousands of instances from 2003 to 2005. The new report from the inspector general will examine the bureau’s use of the records demands in 2006.

At the end of the day, this isn’t about any particular individual, nor even any particular violation of our constitutional rights.

It’s about addressing the systemic problems of the information age. There will always be threats to national security. There will always be the drive to get as much data as possible into the hands of a few, elite law enforcement agencies, capable of acting in the “public good”. And there will always be those individuals who break the rules, whether for good intent or malicious device. We don’t need conspiracy theories to point out the dangers of centralizing all the information about everybody.

What we need is an open-eyed approach to building information systems on user-centric principles, such as Cameron’s seven Laws of Identity. Do that and a vast number of systemic risks of the information age go away.