Due the current data privacy issues hitting Facebook and also GDPR coming to full force, there is enormous global attention and many dialogues going about how things in data privacy should not be. At the same time, much less so about how they could or should be.
Facebook is just one tip of an iceberg. The World is full of poor user accounts where services care little to develop user accounts from a users perspective.
User accounts should no longer be “build-in” to every application, but separated from the actual services/applications used, to dedicated user account services, connected with API in between.
Time for dedicated user account service providers to emerge, where “user account” IS the service.
Make sense? So what is holding us back?
The reason is partly because something like this require deeper technical understanding, and fixing the old model requires fundamentally very different approach and motivation to start thinking and building things with a different architectural approach.
We can quite safely assume most people just consider all things related to software are one thing. Things that include everything inside one bundle or “package” run on a computer.
Considering the way most of us have learned to understand software via PC’s, this is very natural. Buy a “box of software”, install it to your computer and run it locally to use it.
Without thinking much more, most of us feel the same way towards online applications and services.
From users perspective, the main difference being that software runs on a cloud somewhere and to access/use the software, some way is required to for identifying user.
Where data is not really seen as a separate thing — “it’s just all part of the service”. Sure, more tech savvy people, developers and the likes already understand that way more is behind that experience.
But regardless of accelerating cloud technology developments, most applications are still build with same basic logic as past. Where biggest change have been to run applications on virtual cloud servers.
Why? Perhaps, the bosses are not so tech savvy or don't think to care, or care to learn.
Perhaps due mobile app’s,- more understanding about the separation between server software, UI, mobile apps and data with API’s in between, have started to emerge also among less tech savvy people to grasp.
Yet, still most non-tech business managers and leaders are making decisions regards digital strategies and applications in their business that are not much different than decades ago.
Not really understanding what opportunities API’s or other new technologies enable, or ways how applications can be designed, developed, operated and connected these days. Or what opportunities new things like serverless computing enable for anyone interested to learn.
And when it comes to API’s, those are mostly understood only as ways to open or get access to someone else’s features or data.
At the same time, Facebook, Google, Amazon and the likes, have been developing and utilizing all of the latest technical architecture opportunities already for a long time. And they have no reason, interest or upside to start changing common people or other businesses conceptual understanding about the “box of software” or downsides of monolithic applications in a digital era.
They are simply focused to strengthening and competing with their own ecosystems against others ecosystems, while eating less tech savvy businesses along the way, without even needing to compete much.
Software ≠ Data
“Software is eating the world” have been true for long time. But that too oversimplify what software is. — But as more and more people realize “software is just a tool” and the value captured is actually in data, some have started using a version “data is eating the world” instead.
The main takeaway is that, “software” — in people's minds is starting to “unbundle”.
Now with recent data breach topic with Facebook have suddenly bought this topic to everyone's attention. While GDPR compliance pressure is enforcing the same topic among those responsible for storing, handling and managing European citizens personal data.
We all need to start imagining, understanding and building a totally new approach in ways how future applications should look like.
First thing to really understand is simple.
Software and data are separate parts of “the package”. Software is the tool and data holds the value.
Features and business logic of software no longer needs to be “hardcoded” part of a database. And user data does not need to be stored on servers or even to every single service providing online services to private individuals. A more dedicated and user centric model can be used.
But because software is mostly understood as single monolithic application “all running on a single server” (virtual or physical) — also the use of API’s in between internal setups is not really been considered at business level as “business factors”.
These “monolithic” applications are already easy to unbundle to architecture where; actual business logic can live along with user experience design, at much more flexible user interface level, each “software feature” can be build as tiny independent software function accessible via API, and where data can be stored and accessed wherever via API as well.
When Mark Zuckerberg says; “At any given point in time, there isn’t just one version of Facebook running, there are probably 10,000.” It is exactly the type of architecture, what current available technologies already enables.
Time to change the mindset
The challenge to take advantage of all this available technology, is not the technology itself, capabilities of programmers, access to it or even the cost.
All the knowledge and building blocks needed are available for anyone with access to internet, to start using them for free. Being cheaper and faster to build and iterate, than any older architectural approaches.
The challenge is changing the minds of people. To unlearn the old ways, to learn a new way. Anyone who have worked in a position where you need to try change people's minds or perceptions, can understand the actual challenge.
On the other hand, those who understands drivers of disruption, can understand opportunities available with this paradox.
Those not “stuck with the old ways and legacy software”, can start leapfrogging ahead by just learning, imagining, designing and building new things (without need to unlearn or unbundle first), with totally new and more innovation friendly approach and architecture. Using tools that are many times cheaper and faster than those who are stuck with legacy architecture or mindset.
About data privacy and user data
Having covered the basic technical side and mindset challenges. Equipped with this understanding, let's reimagine the new architecture for user account and data privacy.
First, the data.
Anyone providing; a social network, e-commerce store, online stock trading online etc. their users data does not need to be inside the SAAS or online service providers setup.
These services don’t need to store service and users data all in the same bundle. They also don't need to take responsibility for it if they don't have it. Creating application specific user accounts that store user data is already optional.
There are many services online that don’t. Services that rely to other services like Facebook, Linkedin etc. to lets users login to their applications to use their services with existing account.
Only if the service in question business model is dependent on harvesting users data beyond providing better user experience, it’s clear that such services try to collect and store as much users data as possible.
The problem is not so much that they do, it’s more about why they do it, who has it and how they use it. At the same time, majority of online services do not operate with such business model or that it’s far from being their primary business mode.
But most still collect a lot of users data, because it’s been a common practice and a “standard” operating model due leagacy reasons. Most also don’t utilize this data they collect in any way, let alone to actually improve their customers experience.
With regulation like GDPR, it’s actually more cost and liability than and actual asset for the business. Similar as storing credit card information have been in past.
It’s easy to understand that in most of those services we create accounts to, have very limited and quickly outdating information about us. Making it close to impossible to use data to create better service user experience based on it.
As a result, users suffer from poor experience, when we are asked to keep creating and updating multiple user accounts in ever increasing number of online services.
Facebook, LinkedIn, Google etc. sign-in’s offer partial solution for this where user experience can be improved, with ability to get better and more up to data user data to serve users better becomes possible. But this too has complexities and can lead to very bad and complex user experiences IF there are multiple sign-in options available and the integration and user journeys to use & link those accounts are not properly thought.
With poor planning, users can easily end up creating duplicate user accounts to same service, without having any option to “merge” accounts, while service also count those as different users.
Another major issue with these solutions is related to current Facebook privacy issue topic, as these add to big ones having even more users private data in their “black boxes”.
The New Approach
User accounts should be separated to independent services, with a business model focused to serve the users and users personal data storing and data privacy. Connected with API’s to services serving their customers, very much the same way as now the Facebook, LinkedIn and the likes sign-in’s are.
It really seems like the only logical solution. A solution that is technically doable at global scale with cheaper technology than current status quo.
This approach can fix the current issues with online services and balance the power structures of services at the same time.
Services can choose not store and not be liable of users data completely, while getting richer, more up to date profile and data about their customer with users permission. Including data not collected by them, but added by other services.
This is also great news from innovators perspective. Startups developing new services can start to focus more on actual services than trying to figure out how could they ever access or collect type of information about their customers to deliver a good user experience in their service. But simply expect for each user be able to bring any personal data set along when using the service.
Both, existing and new services, can choose to save any data created by user or about the user, directly back to users own separate user/data account, instead into their own service, to contribute to users own data profile under users own control.
New User Experience
As a user, after the horror of realizing how much data is being collected by the facebook and the likes, what type of data is being collected, how it is utilized, monetized etc.
You either start feeling good that new model could actually even exist and become widespread, OR you start feeling unease about needing to take responsibility of your own data.
Just as you have started feeling good about the cloud services and started to feel those are more secure places to store your valuable data like your family pictures, — with all those great features coming along, like automatically creating nice bundles and heartwarming videos about the growth of your children.
Now you would be expected to start giving up on some of those services and start taking personal responsibility about your data. With even more data being aggregated in one location with full 360 degree profile about you?
No thanks! -you may think.
Well, — we all need to start looking and accepting things will and need to change. We can't simply continue to keep our heads in the sand, or ignore the topic.
We just need to collectively start building a better model with all those great features included. And as users, start taking our share of responsibility of our own data. If we really expect anything to start changing.
The good thing is that European Commission is already way ahead in having thought about this on it’s citizens behalf. EC is not just recommending this, heavily enforcing such approach with GDPR.
Considering EU as a market of 500M citizens, this is no small thing to accomplish.
What do people think about all this?
To make this work, we also need to cover this final point centralized personal data storage and user own responsibility and concern as well.
For the past year or so, I have talked about these models with many people from different parts of the world with varying profiles, from developers, to non-tech biz people, family members, random contacts etc. in various discussions and settings.
A conclusion of these discussions is that, their concern is real and it’s growing.
Once starting to understand the bigger picture, many actually concluded that perhaps the current way of how their data is distributed, actually starts to feel almost as a good idea, a way to protect against someone ever getting access to more complete profile about them… But unfortunately better approach is needed.
As a final piece, lets address this part properly as well.
Getting back again to what’s technically doable. The solution is not to store all of the users aggregated data in one place, to any one service or even in just one way.
Existing services and technologies can enable these “separate user accounts” ie. “data management accounts” also to be totally separate from where and how the users actual data is stored.
Providers of such “user accounts” can enable, — and users can then themself decide, — where and how their actual data is stored and who and how it can be accessed.
Including various privacy levels from public, non identifiable profiles to fully anonymous. As well as levels of security, starting from data encryption to storage locations and storage security aspects.
So these “data management/user accounts” need to be also separated from the actual ways of how and where data is stored.
One key challenge in developing these “data management account”- services will be to design user experience and user interfaces that are intuitive, understandable and easy to use, without forgetting to address the phishing and human error factors.
Users also need to be able to change their “data management account” service providers if they like, or even use several different data management account services at the same time, that are connected to their actual data storages.
It is logical that there is many different “user data management account” providers needed, to specialize for different industries and types of services, with different types of datasets needed to be manage by users.
It’s not realistic to expect one provider to be able to cater for all different dataset needs, nor would users be willing to centralize that much risk to any one provider any longer…
Hopefully by now, we have accomplished a basic understanding of the new online architecture to be, - one that properly creates logical separations between services, users accounts and users data. In a ways that take into account aspects of users rights, data privacy, — between serving users vs where users data needs to be stored.
We should not settle for anything less going forward.
The only reasons why someone would not approach the topic this way, is that it’s not good for their current business model or they are struggling to cope with their own digital transformation.
While all this is doable, there are still long ways to get there. Not least due the already mentioned human factors, to unlearn old habits and unbundle old ways. — To start learning, embracing and deploying the new ways.
But to get there, we all need to get started.
I believe many are happy that GDPR is coming and about about the development of more distributed models. While at the same time, there are also many other interesting visions emerging regards to what we can expect once we start getting there…
Where do I sign up?
As an online service provider (especially if impacted by GDPR), not operating with business model dependent on monetizing users data, or as a startup developing new software, perhaps you start feeling quite excited about the new opportunity to build or change your application and service architecture.
Some may see opportunity to start replicating some of the popular online services, but with a new user account model…
Those who start earlier. Have opportunity to start positioning their business to internet with very different architecture, user experience and set of expectations.
Interested to learn what I’m involved?
Have a look at www.prifina.com, where the team is building API separated user accounts with own data management for digital finance service related needs (3min intro video). Here is also a quick demo for first UX/UI of the application.
As well as www.circlepass.com, where Startup Commons is building such user account service with separated user data management, as part of EcosystemOS to serve innovation, entrepreneurship and startup ecosystems and related applications, and applications being built by new startups.
Get in touch, if you are interested to collaborate.