Could social networks revolutionize security? Seven degrees of "I trust you."

In the very first thought piece I wrote for Infrics.com, I discussed the idea that all the talk, all the hype about social networks online really came down to community--how the internet has made possible communities of shared interest.  Later, I compared the idea of online communities to the small village, and how pretty much everything we do in business, commerce, and personal lives includes some attempt to overcome the fact that our worlds are no longer defined by our respective villages.

We’ve also looked a lot at “the era of you,” about the  explosion of connectivity, social interaction, consumer-added value, and the ever-growing network of things.  You can now know more, in more places, and greatly personalize your interactions with each other, with your employer and colleagues, and with businesses.

In other articles, I’ve shared the concept of technology triggers, the idea that developments in two or more unrelated tech areas can trigger the emergence of a new technology or new business model.  For instance, digitization of music plus broadband networks = billion-dollar+ markets for Amazon and iTunes.  

Today, I’d like to extend all  of these concepts, and make a prediction:

Online security could be revolutionized by applying social tools to authentication. In addition to “what you have” and “what you know,” technology will let us reintroduce the most basic small village security concepts of all: “I know you,” and “I know who you know, and because I trust them, I trust you.”

The “seven degrees of separation” meme is well known, and all of us have experienced that small-world moment when we’ve discovered a friend or colleague in common with someone totally unexpected.  “Who do we both know” is something Facebook has used to great advantage; when you receive a friend request or look up someone’s profile, it tells you what friends you have in common.  For me, that’s the first thing I check: “are there a lot of them?  Who do I know in person I could ask about this stranger who wants to know me?”  

Authentication is everything. 

Take that question just a bit farther, and it’s easy to see that there is a taxonomy of relationships.  It started in the village model, “I do business with you and we have a history together.”  What are the determiners of confidence in “I know you?”

• Proximity--Is the association real (have met in person) or virtual (from online?) In-person does not automatically guarantee trustworthiness, there are people I have met casually once or twice, and I do not trust them nearly as much as some online friends I share many trusted friends with.  
• Role--what is the nature of the connection?  Friendship? Work? Client or Customer? Vendor? Famiy?
• Length of association--How long has this association existed?
• Shared communities--community affinity can predict areas that might match the authentication need.  For instance, if you’re considering going on a date with a new connection, shared friends would be important. If you’re considering voting for them, shared political involvement would be a key.
• Shared associations--If you and I work for the same employer, but are not connected otherwise, your connection to a mutual colleague could be more significant than your connection to a contractor for my home.
• Degree of personal contact--how many degrees of separation are there?  Are you a friend of a friend?  Note how LinkedIn uses social proximity in their 1st/2nd/3rd degree connection model.
• Frequency of association--for instance, if you see me on Facebook through a mutual friend, and send me a note with the friend request, “I’m the guy who rides in the same Metra car with you every day on the commute into Chicago,” that adds social depth to the likelihood of trustworthiness.  If I’ve used this credit card at your business 50 times in the last year with no problem, chances are high that this transaction will have no problem either.

How would it work?

Let’s take the simplest example, one that Facebook should offer today, but doesn’t.  Let’s say I have 100 friends.  John, with 500 friends, sends me a friend request, and we have 20 friends in common.  So, "friends in common" is 20% of my friends list, and 4% of John's friend list.  Shared numbers as an absolute are helpful, but the chance that his 4% will be as important as my 20% is lower.  Derive an index number by dividing 20 by 4 = 5.  If John also had 100 friends--20% shared--the index would be 1.  Now we have useful information; a higher percentage of shared friends tells me the chances are greater I’d want to be friends with the stranger who is saying hello.  

That’s social authentication, and as this example shows, it can be turned into metrics, which in turn can be used to predict the likelihood of trust.

In the Facebook example, it wouldn’t take much history of managing a friends list to get a sense for what index number is the threshold for those you want to add, at least in the absence of other information, such as an introductory letter.  

The result: the social trust index

As we develop indexes for each of the taxonomy areas, we can move to situational comparisons of trust threshold, and we can compare them across many instances of different people and situations to give a very useful complement to online and in-person authentication.  To sign in to online banking, you might need a social trust index no higher than 2.5.  To buy a latte at Starbucks, maybe a 6.  Starbucks would quickly amass average social trust metrics for their huge client base, and dynamically know on the spot whether a transaction were legitimate.

These numbers are purely arbitrary, the point is to demonstrate the value of social authentication.  Remember, the social trust index is not a fixed number like your FICO score, it changes based on your current location, role, purpose, and intent, and as your social connections evolve over time.

So, why could this be revolutionary?

This is the technology triggers model in action: take two or more things that are and extrapolate something that might be.  Social authentication will be a vital part of the future in which the digital personal assistant (DPA) will play such an important role, and it adds to the business opportunity for the company that gets there first.  Take the “what might be” out to a logical--and possible--conclusion, and you have a computer intelligence with you at all times, helping you manage your interactions with the world, using those interactions to constantly prove you are who you say, you have community associations to back that up, and you are recognized wherever you go.  

If I can sit here at Infrics.com and envision this future, can there be any doubt that teams from companies like Apple, Google, and Microsoft have not done the same?

I think the biggest potential benefit to social-based authentication is just how hard it would be to falsify, to game the system.  Think of the current means of security:  something you have can be stolen, or falsified.  Something you know can be guessed, stolen, maybe just looked up by picking up the keyboard in your office and looking underneath it for the passwords on the sticky note.

But the permutations of who you know are so vast, and span so many aspects of your life, the trust index that could be generated from the taxonomy above would be nearly impossible to defeat.  Security is never a game of certainty, it’s a game of odds. You do what’s possible to know you’re giving trust to the right person, and you accept a certain level of risk.  Social authentication represents a very significant way to minimize that risk, and apply the metaphor of village life to security in a tech-enabled world.  Passwords?  Keys?  "Who goes there?" "It's ME!" "Well, come on in!"

"Everything, Everywhere, All the Time" from Tech Crunch, and why TMI from technology is the best argument for the digital personal assistant

This is a good story from Tech Crunch, one that touches on several Infrics.com themes.

Photo from the Tech Crunch article

Everything, Everywhere, All The Time | TechCrunch:

The explosion of smartphones, "connected all the time" expectations, and the associated "community all the time" effect have put us in a strange place. As I've pointed out in my "era of you" coverage, we know more, in more places, at more times, than ever before.

But we still must be our own librarians and curators of all that information; as Sarah Perez points out, there's precious little technology helping us take that last vital step. It's exhausting and frustrating.

Perez doesn't connect the dots to the logical needed technology, but she gets close.  What we need is a technology interface that learns our behaviors and our needs, compares them to the massive information streams, and delivers it to us in a useful form.  We need the equivalent of the executive's personal assistant.

Which is one of the main reasons I believe that the digital personal assistant, (DPA) although still in its infancy, is one of the most promising emerging technologies. As I wrote in this article introducing "Rosie," it will also be a forthcoming business battleground because the DPA is a gateway to recommendations, search, and tech-assisted business transactions. As Perez writes, "I’m ready for a computer you don’t have to input much into at all. A truly useful system will see what you’re doing, learn from your activities, then begin to automate tasks for you. Not just in email, but everywhere. In everything. And all the time."

See this article, published today, about the way Apple is already using their 1st generation DPA, Siri, to bring that power to bear in its battle against Google.

Yelp, Twitter, and Apple's Anti-Google Coalition

'via Blog this'

Wired Magazine interview with Jeff Bezos: Kindle Fire, taking the long view, and why Amazon is the opposite of Apple

Image from wired.com

Steven Levy, a senior writer at Wired magazine, just shared a preview of an upcoming feature on Amazon.com's Jeff Bezos.

Jeff Bezos Owns the Web in More Ways Than you Think

I admire a lot about Amazon, and this article is well worth reading; do you agree with Google's Eric Schmidt, who says the four most important tech companies are Google, Apple, Facebook, and Amazon?

Much of what Amazon.com does falls right in line with the big ideas I've been evangelizing here on infrics.com: back-end standardization to enable agile deployment of services, and server-based, device independent delivery of applications and content are leadership areas for Amazon.  Levy presents the idea, which I think is spot-on, that if Apple is post-PC, Amazon is post-web, "in which our devices are simply a means for us to directly connect with the goodies in someone’s data center."  

I follow Steven Levy on Google +

Digital personal assistants: AI at your service, the ultimate "era of you" technology

I have to confess: I've never been senior enough in an organization to have my own personal assistant. But I've certainly worked closely enough with the vice presidents and C-suite crowd to see great personal assistants in action.

Digital personal assistants combine
elements of Hal 9000 and
Rosie, the robotic maid from
the Jetsons.
(without that annoying
"kill all the crew" part.)
Images from wikipedia.org

They know everything about what their boss is doing, where he or she is, what's important, and who has access.  They find things out, make appointments, get payments made and received, manage travel and entertainment: in general, they make the details of the boss's life easier, thereby letting the boss be more productive. Personal assistants are not appreciated nearly as much as they should be, but they are definitely seen as one of the great perks of being in senior management.

I believe that's about to change.

The evolution of several technology trends suggests  that one of the most important, disruptive, and profitable technologies on the horizon is the digital version of that invaluable staff member, with abilities augmented by artificial intelligence.  This is the ultimate expression of "the era of you" idea, in which technology gives individuals highly-customized services and information that once was the hallmark of the wealthy and highly privileged. It's augmented reality combined with someone you know and trust.

Today is an important day to get this story published, because a friend of mine posted a link last night to this story about news likely to break today from Apple:

Co-founder of Siri: Assistant launch is a 'world-changing event"

I had been alerting people to the importance of the Siri product before Apple bought it.  This is one of those "if A is possible and B is possible, then what C could exist?" tech trigger events.  Voice recognition, mobile connection, location awareness, and the ability to mash together useful information from multiple sources can all be brought to bear to make the personal assistant possible.

Here is an excerpt from an article I wrote in 2006, thinking of this idea as an extension of identity management:

“Even though he could pull up his entire office environment anywhere in the world, John made it a point to visit the office in person at least once a week, and today he had a face to face meeting with his marketing work team.  As the cab glided to a stop in front of the corporate research center, the display on his phone mirrored the charges on the cab system, and from the tiny wireless earbud he wore nonstop, his DC (digital concierge) asked “authorize to pay?” When he said “yes, add a $2 tip”, his voiceprint granted the payment; since the system knew he was in his business role, it compared the trip origin and destination, determined it was authorized business, and automatically billed the fare to his team project work center, while it took the $2 from his personal account. 

The door swung open steps ahead of John’s entry as a heads up display nearby showed “Welcome back, Mr. Porter”.  Although the system had wirelessly polled John’s phone to identify him and authorize his entry, if anyone else had tried to use the phone, it wouldn’t have worked.  The microchip implanted in John’s forearm had been digitally linked to his phone; without his presence, the phone and every bit of information it contained would have been useless. 

The 86th floor SE conference room had spectacular views.  When John entered the building, the room’s digital attendee list changed his name from black to blue.  Those already inside the conference room showed up in green.  “Hey Amy, who’s already here? Display only.” he asked his concierge. (Nobody had planned it, but as people began buying the concierge service from Google, they began insisting that it be programmed with personalities, and frequently referred to their computer assistant by name.) Since he didn’t need the names read to him, he just sent the list to the phone’s HD display. 

As John entered the conference room and sat down, the conference table recognized him, and his personal environment appeared on the screen at his seat, set to “work”.  When he finished the meeting, he’d switch to his personal life system and securely check home e-mail.  On presence screens throughout the company, people who had buddied him saw his status change to “in meeting, unavailable”.  John’s supervisor Ellen also had a second line under his name “marketing meeting at research center,” as did colleagues he had added to his work “trust list”. As his boss, Ellen had rights to call or message him in the meeting, but vendors and most of the rest of the world would automatically get his voicemail, IM catcher, or e-mail if they tried to reach him.”

Every event listed in John’s workday is possible with technology we now have.  Identity management tracks authorizations, yes.  But it also measures other crucial elements: location, presence, and role.  By interacting with the system day to day, users will build a complex database of their own preferences, overlaid with the rights and responsibilities that are part of work, family, and personal life. "

That was 5 years ago, but the idea is there: a friendly personal assistant, managing interactions between you and the world, seamlessly transitioning back and forth between business and personal life.  I called it a "digital concierge" then.  By now, I think it's pretty likely that facial recognition will be the authenticator rather than a two-part system using an implanted chip linked to a phone.  One key is the heuristic nature of the digital assistant.  It learns through interaction rather than complex settings of preferences, so it gets ever-better through use, and ever more personalized.

Once fully realized, I think the digital personal assistant will make some people rich beyond the dreams of avarice.  I also don't think a lot of people see this yet, so this morning, in advance of whatever Apple announces, consider this a heads-up.

--more on "the era of you," part of infrics.com's big ideas series