Like public tags, there is a strong interest here to have a generic Web platform to handle such thing tags, which would need to follow some basic principles:

• Be thing-centric. The tag must be primarily associated to the thing, whatever it is, and it should be able to provide information about that thing (e.g., link to user manuals, warranty information). On the opposite, the tag should not solely be a direct marketing fixture for the thing’s manufacturer and/or distributor.
• Give power to the thing’s owner and users. The tag is associated to something, this thing is owned by someone, and that person need to have control over the tag. Except from the core thing information mentioned above, the owner should have control on what they want the tag to do. If I want to use the tag conveniently placed on my coffee machine to launch my e-mail every morning, I should be able to do so, as long as I still have a way to access the other information associated to the tag when I want to. And if my daughter wants the same tag to trigger some other default action when she scans it, it’s fine too.

If we combine these two items, we get to an interesting VRM idea: the tag on the thing is the link between the thing’s owner/user and any businesses that may be linked to it, and the user keeps some control:

• The user/owner can contact the businesses if required.
• The businesses associated to the thing can contact the thing’s owner, only as authorized by the owner.
• The owner of a thing can transfer the ownership to another individual, who then becomes the contact for the businesses.

In a world where objects often have a lifecycle involving several individuals, this is a great way for businesses to keep in touch with the actual user of their products, while providing more control to the end users. Like usual, I strongly believe that this interaction strategy is likely to have better returns for businesses than basic “advertising push” strategies. And the service to users is real, even if it is limited to providing access to information related to their things.

Once again, I haven’t found anyone doing something even remotely similar to this among all the NFC companies that are popping up everywhere. If you are doing this or know someone who is doing it, please comment on this; I would love to take a look.

My first post will be a rant about something that is very-much holiday-related for me: package deliveries. I am a big-time online shopper, which means that I often get deliveries. And of course, during the holiday season, I get a lot of deliveries, from many different vendors.

Until recently, My deliveries were all coming to the office, as this was a local tradition in our Trusted Logic office. However, now, I work in an office with much fewer people, and sometimes from home, so it is not as easy to organize deliveries at the office. So, this holiday season, I got everything shipped at home.

Of course, I live in a closed residence (some code is required to get in), and my postal address allows you to find my mailbox easily, but not necessarily my house (no street numbers). All of this makes me a perfect guinea pig for testing delivery services.

So far, the best service remains the basic Post Office service. They have the key to the mailbox, so they will use it for anything that fits in it. Just great. Of course, if it doesn’t fit, I have to run to the Post Office and stand in line for a while. Even their express service is worse, because they need a signature. So, if I’m not home, they will not leave the package, however small, and I’m back to the Post Office.

With other delivery companies, things get much worse. First, going to the Post Office is not an option, because their “regional center” is often 30 or 40 kilometers away. Then, they don’t have the key to my mailbox, so they won’t leave a package, however small.

And finally, they call you when they are blocked right in front of a locked gate, or waiting outside your door. Even for me who works close from home, this is not very easy to handle, because we are not always immediately available, and because the guy can’t wait indefinitely. In the end, the “express” package took 24 hours to rush from Hong Kong to Nice, and one full week to get delivered. Not efficient.

So, what’s missing? Let’s consider two things:

• I can’t manage the delivery. I can track the package, I can know that the delivery guy has started and will try delivering to an empty home, but I can’t do anything about it.
• I can’t sign off for a delivery when I am not home. So, the guys won’t leave the package in my mailbox.

Now, if we look at both issues, we easily find out that this is a trust issue: delivery companies are not sure of who I am, so they will not trust me. Why so? Because they are not able to associate me to my package when I am at home, in front of them.

This definitely looks like a problem that can be solved. Companies like TrustFabric already allow you to selectively share information with companies. They don’t support this yet, but there is definitely some information that I would like to share with delivery companies (possibly including a detailed map, GPS coordinates, or whatever may get them to me).

Having this link through a trusted third party also solves the other issue. If I simply associate my TrustFabric account to a public credential (OpenID or similar), I can now login to their site and update the directions for the delivery, to lead them to where I actually am, or to acknowledge the fact that I am allowing them to leave the package in my mailbox without a written signature (a digital one will do).

As TrustFabric and others are getting their offers ready, this is getting closer to reality. Let’s hope for this new year that they will cover this delivery nightmare, and I will not have to do the same rant.

The value of the first wave was in the information itself (static Web, a.k.a. Web 1.0); the value of the second wave was in the sharing of information (social web, a.k.a. Web 2.0); the value of the third wave will be in the personalization of the Web experience. One of the key points is here the selection of information, the curation of information, as we are increasingly overflowed with information and content. Companies like Louis Ray’s my6sense are proposing to do just that.

On his post, Doc Searls compares the client-server relationship to a calf-cow relationship, with a strong dependency relationship between a service provider and its users, as exemplified by Facebook, Twitter, and many more. This kind of relationship puts the entire control in the hands of the service provider, which seems very wrong. Doc Searls’ example of Apple’s App Store conditions is the perfect example of this flawed relationship.

Everybody agrees that the personal Web includes personal mobile devices like smartphones and tablets, combined with contextual information, in particular location information. Personal devices will be important for building the personal Web, but not every application running on these devices belongs to the Personal Web. Old-style social services and information feeds will still be around, but making them “personal” on a mobile device is not sufficient.

A personal application needs to truly aim at providing the user with the best possible experience. In this best possible experience, of course, spam, unwanted ads, and other useless content should be gone. This can of course be considered as a threat to a flourishing business model by mobile marketers around the world. However, some other guys will see that as a wonderful opportunity: how to work with the users to bring them commercial information that they value? After all, most of us are actually considering a few purchases at any given time, and timely information about the offer would have a wonderful conversion rate. Let me take an example: I am currently looking for a bed for my son, because his bad quality bed broke. Today, I have two solutions to get information about beds: (1) take my car and drive around the area looking at furniture stores, or (2) Google what I am looking for, and search individually on each site. Both approaches are terribly ineffective, I just want to find a “bed for a 5-year-old boy, including plenty of storage, and if possible a small pull-out desk”. Well, this search is almost intractable, and I can’t find what I am looking for.

Of course, that is what VRM is about. Together with personalized curation, this is an important part of the Personal Web, but there is more into it. In particular, I want to regain ownership on my data, because it is mine. And I want to decide with whom I want to share it, and be able to change my mind.

If we go beyond VRM applications, the Personal Web will affect all aspects of computing. Let’s consider one of my favorite examples, Java Card 3.0 Connected. So far, this technology has failed to find a market. The main idea was to sell super-SIM cards to MNOs, allowing them to push more (static) content and more (social) services to their (captive) users. It didn’t work, for many reasons, but mostly because “smartphones ate our market”.

Java Card 3.0 Connected has some advantages, though: it is local, it is secure, it provides a Web interface. And it is really personal, in particular when it sits in a mobile phone. So, maybe that we can try to find someone (MNO for a SIM, but maybe also a phone manufacturer for an embedded SE, or anybody else for a secure SD Card) who would like to exploit this personal, interactive, secure token to bring elements of the Personal Web to their users. Plenty of applications are possible; the business model don’t necessarily exist today, but the space will be taken before the business model is ready.

So, let’s see who takes the space …

Why Flattr? Well, I looked around, and I really liked the idea behind it. I decide on a fixed amount on money to spend every month, and this amount is shared between all the items that I “Flattr” during a given month. The amounts don’t have to be enormous (minimum is 2€ per month), but the idea is here to regain power over our consumption of information.

Also, Flattr is also getting in the real world, with the possibility to use QR-code tags on physical items, allowing for instance visitors to show their appreciation for a work of art they see somewhere without necessarily buying it. This is supported by an Android application, which is even better.

Now, the question is to know whether what revenue Flattr will bring me compared to Google. My Adsense revenue was really small on this blog, around 20€/year, which basically paid for the hosting. Of course, that’s not the real reason for maintaining this blog. And actually, this is one additional reason to move to Flattr: in addition to the potential revenue, Flattr gives me the ability to get some information about the users who like what I write, share ideas with me, and other “social” advantages.

I’ll keep you updated on this. If I have the courage, the next step is SEO. For some reason, it has always been hard for me to become interested in this, but I would really like to see if this can make me climb up the charts. Also on the stack, the global look and feel of the site is becoming far from perfect, and the latest additions aren’t really well integrated; expect a few experiments in the coming weeks.

Even though I was not writing actively, I have spent a lot of time thinking of the business side of things (must be an age thing). Over the year, I have developed a passionate view of user-centered businesses, and more generally, of the fact that business does not necessarily have to be evil.

Reading about VRM, and regularly reading the Harvard Business Review has helped me develop a few new ideas. In particular, reading Umair Haque’s The New Capitalist Manifesto has been one of the highlights of 2010, because the book does not simply mention has business should be better, but it also shows how some businesses are already benefitting from being better, and that feels really good. If you want a bit of that feeling, reading the book is the best way, but you can also take a lookat the book’s blog.

The next part is to apply all these nice principles. I don’t know yet where and what my 2011 job will be about, but I will definitely spend some time and energy on that, and I hope that I will be able to share some of these thoughts here. But here are a few ways to start rebooting our business of smart cards and mobile security, by reminding a few things:

• Real people don’t really care about security. This doesn’t mean that we shouldn’t care about it, it means that we should naturally include it in products that real people want to use. Security is not a selling point, and bad security is not always considered an issue.
• Our mobile device is our personal device. We use our mobile phones for a lot of things, and that’s why these devices can be used to do even more. Our mobiles are our most personal connected object, let’s make it our root of trust.
• A mobile is more secure than a PC (today). Yes, using SIM cards and Trusted Execution Environments is important; but today, our mobile devices remain much more secure than our (Windows) PC, at least because they are less targeted. This may change, but it gives a nice window of opportunity for pushing interesting trust-related products with little security headaches.
• Over 90% of the people of the world are poorer than we are. Not everybody has an iPhone, but most have a mobile phone. Most don’t have bak accounts, but they have money. All of us need to exchange, to communicate, to trust, etc. We just have different ways. Let’s not just consider the habits of the rich.

So, I wish us all to remix all of this into fresh technical and business ideas, and to make something out of these in 2011.

Plus, of course, the usual wishes for health, wealth, and most importantly, happiness, extended to all the people you care about. And to spice things up, let’s hope for some good, disruptive change that will make our lives better.

I would love to have access to my supermarket bills in an Excel sheet. This would definitely allow me to better know what items cost me the most, or how I can save some money. I could also use that data to provide information back to my supermarket (like, “That item disappeared, I really liked it”, or “That brand is great, give me more”); I am sure that they would love that. Of course, I could provide the exact same information to their competitors (they won’t like that). I could also consolidate the information from all vendors and give it back to all vendors (now, they may like that). Basically, VRM could be good for businesses as well.

We could even go further than that, by using that data to claim coupons or more, i.e., to initiate new transactions (like, “I bought 8 packs of your cereal, and I want to claim the free sample of your candy bar”). Of course, such a use is a bit more complicated, because the transaction data needs to be somehow trusted.

The manifesto also contains a part that explains how we move from a large number of relationships to a smaller number of relationships, and an even small number of transactions. We can very easily see how this applies well on relationships between humans; however, it does not really apply to commercial relationship between a vendor and a customer. The manifesto provides a clue about achieving that:

Companies need to adjust their behaviour and the flow and exchange of data between vendors and customers needs more level and balanced. The defining characteristic of such relationships is that both parties are comfortable with it, and mutually benefit from it.

One obvious part of the deal is here that vendors need to change their behavior, and act with customers in a way that makes them comfortable. In a security jargon, we would rather use the word trust: once trust is established, the comfort is there. This is easy to achieve on the B2C Web, because the receiving party is a human being, whose trust depends on more or less tangible items. However, there is also an opposite direction: vendors must be comfortable with their customers.

In that opposite direction, the vendor is often represented by some computer, especially on the Web. Computers are very different from humans, in that they don’t establish trust in the same way. They usually require a formal authentication, they verify the origin of the data, etc.

That kind of trust will be required if we get into models where the data that we get back and consolidate from different vendors can be used as the basis for a new transaction, possibly with a new vendor. In such a case, the vendor would need to verify the information in order to be “comfortable” with it.

More generally, our personal information, and in particular our voluntarily provided information, can be much more valuable if it can be trusted. In a basic example, claiming that I am 18 is an interesting way to filter minors, but backing up this claim with an id and a proof of authentication is even stronger. If I can apply similar treatment to all my personal information, then this information will be trusted (by remote computers, by strangers, etc.), making it far more valuable.

Can we work out something that achieves this with our typical “trust device”, i.e., a mobile phone and a few smart cards? We can at least try, just like people are working in marketRIOT’s MINT project to identify and recommend formats to represent data. Comment or contact me if you know of such projects, or if you are interested to start something.

But the thing that really attracted me is a quote from the CEO of On-Demand Books, Dane Neller:

“We believe this is a revolution. Content retrieval is now centralized and production is decentralized.”

Hmmmm. So, Google has the contents. Fine for me, as they give me a simple access to a massive amount of content. Of course, book printers have the printers. Fine for me as well, as their printers are far more efficient than mine in all aspects. But how is the link made? Who forwards the content to the printer? Who certifies that the content is actually free of rights? And if it isn’t, who certifies that I have the right to print a copy of it?

Google can do all of this, of course. But now, this is not really fine for me, as it gives too much power to Google. It is perfectly OK to have Google certify that the “free” content they provide actually is, but it should also stop there. I don’t really want them to make the link, and I also want to be able to print content from other origin, and in particular, books that I buy, and books that I write (one so far, with my daughter, available at Lulu).

So, our first problem is the missing link. And here, we get very close to VRM. Since we want to interface any (printable) content with any printer, this link must be something that we, as users, control. If books are published in an open format, I can perfectly imagine a small widget or mobile application doing just that: getting content from a content source, and forwarding it to my printer of choice.

Things that are quite similar are starting to pop up, like the systems that use OAuth. However, in such cases, a bilateral agreement is required between the content provider and the service provider. So, we are not yet giving back the power to the user. But of course, as soon as we remove this bilateral agreement, an issue of trust surfaces: how do I know that the person who requires the service actually has the right to use the content. Well, that will be discussed in another post.

Our second problem is that book printing is just a very simple example. Photograph printing is another one; many times, I have wished to be able to print a few pictures and distribute them on the spot rather than psting them on some virtual wall. And we can even extend the same idea to cases in which the notion of content is more general, as well as the notion of service.

Now, I can take back my Java Card hat. In the near future, there will be embedded Web servers everywhere around us, providing a wide range of content and services. You can call that Java Card 3.0, Web of things, Ambient intelligence, but it is basically the same thing: We have content providers (the thermometer), service providers (the thermostat), and a link between them. I like to think that this link can be my mobile phone, and I can use it to associate a new thermometer to my thermostat. The funny thing is that the problem is exactly the same as above, and that at the center of it, we have the same old issue: trust.

Of course, there are other issues. But hey, I am not a web services guy, I am a security guy. So I see security problems. I like this one, and I’ll get back about it.

Basically, telecom operators are often taking the dreaded role of “pipe” operator, as they don’t really sell anything to their users beside connectivity. In the end, could this become an opportunity?

The lack of control of operators over their customers can become an advantage if operators start acting on their customer’s side, and help them build relationships with other entities, basically acting as a fourth party. Trust is an important component here, and operators are usually trusted by their customers, at least in some respects. After all, they are the ones that guarantee that we only get billed for what we consume, and they protect us against the bad guys out there on the net. And this trust can help them become a fourth party, which can bring an interesting revenue, as all lawyers know.

Of course, major operators also have a bad reputation of trying to squeeze every cent out of their customers’ pockets, and to use the ARPU as main measure of performance. The solution could be to setup a MVNO or a VISP, in order to start clean with a company that has no bad user relation history.

Of course, other actors have had problems selling advertising and connecting to partners. Microsoft, for instance, could attempt something on behalf of users. Of course, that would imply that Microsoft is able to honestly take their users’ side. Unlikely.