Missing Pieces of the SSI Ecosystem, Twitter needs Banking for Proof of Personhood and Real-Time Bidding is a Security Risk
Plus: Samsung Pay quietly becomes Samsung Wallet, OpenAI's Bid to Become a Data Titan and Debunking the Myth of “Anonymous” Data
Hi everyone, thanks for coming back to Customer Futures. Each week I unpack the disruptive shifts around digital wallets, Personal AI and digital customer relationships.
Hi folks, welcome back.
Another packed week where digital wallets meet Personal AI. Where self-sovereign ID meets customer engagement. And where customers are back in control.
Customer Futures is here to help you find the signal in the noise around the future of being a digital customer.
This week’s perspective: The ad exec and the 15-year-old problem.
Also:
OpenAI's Bid to Become a Data Titan
Twitter needs Banking for Proof of Personhood
Real-Time Bidding is a Security Risk
The Humane AI Pin is a bizarre cross between Google Glass and a pager
Missing Pieces of the SSI Ecosystem
Samsung Pay quietly becomes Samsung Wallet
India's ‘biggest’ data breach
Debunking the Myth of “Anonymous” Data
… plus other links about the future of digital customers you don’t want to miss
It’s a long one this week.
So grab your favourite coffee or nutritious fruit shake, a comfy chair, and Let’s Go.
PERSPECTIVE: The ad exec and the 15-year-old problem
“The customer is not a moron. He is your husband.” is a (slightly amended) famous quote from ad exec David Ogilvy.
It’s about paying attention to the customer.
For advertisers to think about who they are actually interacting with.
Here’s the Customer Futures version:
“The customer is not a moron, she is your 15-year-old child.”
Putting aside the quiet sexism in the original quote (“She is your wife”), we need to apply this same critical thinking about how businesses use customer data.
I call it the 15-year-old problem.
So your team needs to increase ‘engagement’ (whatever that means). You end up tracking your customers across the web, inside their apps and devices, and into their living room.
And you want your customers to spend more with you. You want to anticipate their every need before they express them. So you end up building a massive predictive analytics and recommendation engine. Pumping out a customer Next Best Action.
You collect every morsel of customer data, every profile, every click, swipe and tap. You produce that very clever Next Best Action, and you spray the results across your customer base with reckless abandon.
Hoping it will turn into sales.
Are you really paying attention to who you are messaging?
Are you really considering the other side of the targeted ‘engagement’, as David Ogilvy suggests?
Now ask yourself this:
Could that customer be your 15-year-old son or daughter? Or your niece or godson?
What if the data you are collecting and analysing was about someone in your family? Or a vulnerable person you know?
Does it feel different?
Does it change how you want to handle that customer data? Or what you collect in the first place?
It’s a good gut check.
To reflect on how we are using personal data inside the machinery of business.
For over a decade now I’ve believed - and seen for myself - that many, many people working directly with customer data feel uncomfortable.
They feel squeamish.
Teams working on CRM systems. People working on ‘customer engagement’ models and retention. Designers and developers working on ‘customer-centric’ platforms that store vast amounts of personal data.
And notably, the leaders who are terrified that it’s all going to come crumbling down around their ears when (not if) they get hacked.
I don’t have good data on any of this. But let’s assume it could be somewhere between 20% and 40% of these employees.
At least.
Very few teams want to create yet another customer database of First Name, Last Name, Email Address, Marketing Profile, Propensity to Buy X…
They just don’t want to buy yet another customer data API, hoping that the vendor really did get consent. They just don’t want to send all those interruptive push notifications as a call to action. Again and again and again.
With diminishing returns.
Cranking the digital handle, hoping things will change.
Because I’ve been in those workshops. Those meetings.
Where the ‘business outcomes’ trump sensible customer design choices. Where the team collectively leave their customer-ethics brains at the door.
“What a great idea! We can build another rich customer profile to assess what customers will buy next! And then we can serve that up to them across multiple channels!
“We finally have customer context! Let’s place another digital offer in that channel, and we’ll be able to get a 1.5% better response rate than last time! Now the click-through rate will be 2.8%, and maybe even 3% of those will buy the product!”
Here’s why it happens.
They can’t see a way out.
Not today, and not from the business side. Not with all the legacy IT and product assumptions as they are.
Today’s businesses are forced to carry on with the collect-analyse-spray model in order to hit this month’s numbers. To smash the customer KPI.
But what if marketing teams started on the customer side?
What if the whole experience was framed by the customer, not the business?
We’ve got to start thinking about the person at the centre of all this. The customer - including that 15-year-old - and their point of view.
Their needs. Their context. Their privacy. Not just the business’s OKRs.
Consider this: The average click-through rate on Google Ads - one of the best in the industry - is… wait for it…
3.17% for search. And 0.46% for display.
Are you kidding me?
And that’s only THE CLICKTHROUGH.
Not a purchase. Not a transaction. And certainly not a new digital relationship with a vast potential lifetime customer value.
Today’s customer engagement tools don’t work. Today’s customer profiling tools don’t work. Today’s assumptions about the customer - including the 15-year-old - don’t work.
We’ve got to start afresh.
Only by framing things around the customer - standing in their shoes, understanding what it would feel like if it was you or someone you know - can we see how broken our digital customer data industry is.
And what the prize might be if we get it right.
Because starting on the customer side - building digital trust, sharing data in a sensible and safe way, and creating new value with customers - is good for business.
Welcome to the future of being a digital customer. And welcome back to the Customer Futures Newsletter.
🧐 OpenAI's Bid to Become a Data Titan
Experts agree that AI companies will run out of training data very soon.
Perhaps in the next 6-12 months. The AI training models have already consumed most of what’s available online.
Once they gobble up what’s left, they’ll be reliant on their own synthetic datasets. The snake eats its own tail.
At which point, many claim, there will be a ‘model collapse’. Where GenAI falls apart.
So the big question now is: where to get more data?
Bret Kinsella believes OpenAI has four routes:
“OpenAI makes LLMs that could not exist without feeding them large piles of data. It does not have Google's or Meta’s data aggregation businesses, so it must determine how to efficiently source data to feed the models.
“Recent announcements and new products paint a clearer picture of how OpenAI intends to win the data war despite its origin as a data consumption and not a data generation business.
“An underrecognized story is that GPTs are the latest data source that will feed OpenAI’s hungry data models. The four key data source categories OpenAI is tapping into include:
Public Content - web and other sources
Partner Content - proprietary with robust metadata
User-Generated Content - freely shared data directly with OpenAI
Created Content - human and synthetically generated
From a Customer Futures point of view, you can already see there are vast troves of personal data yet to be included.
Both the datasets that customers already have that are kept private (receipts, warranties, bills, pension forecasts, boiler service records, credit card exhausts, household accounts and so much more).
Plus the vast oceans of new data streams people don’t yet produce (digital wearables, device feeds, Personal AI tools themselves, and all the not-yet-connected things… plus much more).
But here’s the big question.
Where should that personal data go? To the large AI platform providers centrally? Or to the customer’s own Personal AI?
Now ask yourself
What data will actually be shared? Will consumers be happy to pump their fresh datasets into the public models, or will there be privacy concerns?
How fast will Personal AI models for people take off? Will enterprises step in with their own “trust us” options?
Once these personal customer datasets are available, who actually owns the models?
How might my Personal AI - and these datasets - be funded? What are the ethics around that?
Can public AI models delete personal data? Does it matter? How should consumer protection work here?
✍️ Twitter needs Banking for Proof of Personhood
Dave Birch makes an(other) excellent point about ‘proof of personhood’.
It already exists in the banking system. It’s just not portable… yet.
“This isn’t only about social media, it’s about everything. We need to stop requiring personal data to enable transactions and instead require the relevant credentials necessary to enable the specific interaction.
“There is a world of difference between me asking for your date of birth and me asking for proof that you are over 21, between me asking for your address and me asking for proof that you are resident in the continental United States, between me asking you to find pictures of tractors in a confusing array of blurred photographs and me asking for proof that you are a person.
“That latter example, proof of personhood, is at the heart of the [Twitter/X] debacle. Since there is no IS-A-PERSON credential that TwiX can ask for, banks can’t charge them for it. But suppose there was such a credential? Then it would be a win-win for TwiX to pay $2 to get these credentials from a bank rather than spend $5 to get it themselves.”
Now ask yourself
How could this work for those in the shadow digital economy, and the non- and under-banked? Does BankID exclude too many for it to work?
How do we guard against privacy issues around banking credentials? Who gets to monetise them?
👀 Real-Time Bidding is a Security Risk
If you are not following Johnny Ryan, you should be.
He’s one of the clearest thinkers and communicators on the digital economy and privacy. And he leads much of the fight around citizen digital rights.
My favourite part: he’s a deep expert on how broken digital advertising is.
He believes that Real-Time Bidding (RTB) is the largest data breach on earth, and happens billions of times every day.
His latest exposé on RTB with the Irish Council for Civil Liberties has uncovered a pretty unsettling security crisis in the EU.
RTB is being used to obtain compromising sensitive personal data about key European personnel and leaders.
Here are some of Johnny’s latest findings:
“These data flow from Real-Time Bidding (RTB), an advertising technology that is active on almost all websites and apps. RTB involves the broadcasting of sensitive data about people using those websites and apps to large numbers of other entities, without security measures to protect the data.
“This occurs billions of times a day.
“Our examination of tens of thousands of pages of RTB data reveals that EU military personnel and political decision-makers are targeted using RTB.
“RTB data often include location data or time-stamps or other identifiers that make it relatively easy for bad actors to link them to specific individuals.
“Even if target individuals use secure devices, data about them will still flow via RTB from personal devices, their friends, family, and compromising personal contacts.
“Our examination of RTB data reveals Cambridge Analytica style psychological profiling of target individuals’ movements, financial problems, mental health problems and vulnerabilities, including if they are likely survivors of sexual abuse.
“Real-Time Bidding's security flaw is a national security problem.”
Wow.
Now ask yourself
How much are you relying on RTB for your marketing campaigns? Could a digital wallet strategy - where your customers could interact with you directly, rather than your spray-and-pray approach - offer a completely different advertising ROI? While being more secure and private?
How are your ads actually performing? What do you really know about the people who are actually seeing and interacting with your content? What if your offers could be displayed directly to a customer who has expressed actual intent for that thing? How might a digital wallet help?
📌 The Humane AI Pin is a bizarre cross between Google Glass and a pager
Ars Technica has an excellent takedown of the new ‘Pin’.
“As far as we can tell, it's a $700 screenless voice assistant box and, like all smartphone-ish devices released in the last 10 years, it has some AI in it. It's as if Google Glass had a baby with a pager from the 1990s.
“It's a voice assistant box, so that means it has a microphone and speaker. There's no hot word, and it's not always listening, so you'll be pressing a button to speak to it, and you'll get a response back.
“I've got to ask: Why wasn't this just a smartwatch? Some of the OpenAI-powered responses are pretty neat, but there's no reason not to have that just show up on a screen or be read aloud by a smartwatch.
“Even if you find a device like this interesting, not having an app store feels like a death sentence. Right now, it's completely unclear what services the Humane AI pin can interact with, and it feels like that list will only be about five items long.
“So far, the market has proven that basically no one wants to switch core services for some random piece of hardware.”
Remember: the iPhone 1 was terrible. And I suspect the form and function of the Pin will change as it meets the cold, harsh reality of the market.
Where the Pin team can see and respond to how early adopters and super-fans use it.
There is something interesting here, though. But it’s unclear if this is a Palm, BlackBerry, or iPhone moment.
🔥 Missing Pieces of the SSI Ecosystem
The Polygon ID team have been quietly shipping some important pieces of the SSI puzzle for a while. All based on a new flavour of zero-knowledge proof (ZKP) technology.
Their latest ‘Release 5’ has some stuff worth noting.
It’s about ‘Credential Liquidity’. Getting more credentials into the hands of more people. And enabling those credentials to be used in more places.
Of note:
Cloud access. PolygonID credential ecosystems are now available on Cloud Marketplaces like Google Cloud Marketplace and Amazon Web Services. Also, the ability to store a revocation status on-chain.
Credentials marketplace. Users can now discover available credentials and their issuers. This is critically important to help users work out what they need (and where to get it).
Common Schemas. Reusable credential schemas for popular use cases including KYC, tourism, gaming, DAOs. Businesses can discover and re-use pre-existing schema. So they don’t have to reinvent the wheel each time.
A new on-chain issuer. PolygonID can now issue credentials using publicly-accessible data e.g. a credential that attests token ownership without disclosing the address. This is a very important bridge between Web3 (like NFTs) and Web5 (verifiable credentials).
Now ask yourself
How could you build a new data ecosystem organised around the customer? Where you could issue data to, or ask for data from, the customer themselves?
How will you let the customer know what data is available to them, or where to get it?
Are you exploring ZKP technology to minimise what data is actually shared in the first place?
🤔 Samsung Pay quietly becomes Samsung Wallet
‘Samsung Pay’ is now ‘Samsung Wallet’. It’s a quiet 2mm shift but with huge implications. Another Data Major brings their existing wallet up to snuff.
Payment and receipt data? Fine. Airline tickets and documents? Fine. But there’s an ID twist: deep integration with the Indian Government's identity services.
Indian consumers can now store their digital documents like their Aadhaar card, driving license, PAN card, and Co-WIN vaccine certificate. They can also use a Samsung Wallet for authentication and login.
The inevitable march of the major digital wallets moving beyond payments.
Now ask yourself
As the Digital Wallet Majors (Apple, Google, Samsung) integrate fully - and natively - with government ID in most countries and states… how will this impact your identity and digital wallet strategy?
Do you even have an identity and digital wallet strategy? (I can help with that. Get in touch - just reply to this email).
😳 India's biggest data breach
Speaking of Aadhaar, it just got hacked. Leaking details of 815M people.
Say that again: 815M People.
Data records include name, phone number, passport number, Aadhaar number, age, address. I mean… Holy Moly.
We need a new way to handle data. A new way to store and authenticate personal information.
Where we not only ask for customer data, but also proof of where it came from.
When businesses request data from my digital wallet, the attributes can carry a digital watermark from my digital wallet itself. This means we can know if the data is legit from me or not.
I’ve said it before. This is about Customer Wallet Present vs. Customer Wallet Not Present.
India is actually pretty far along with the wallet game. Check out DigiLocker (citizen data store) and DigiYatra (travel wallet).
The question is how these wallet projects could improve security and privacy for Indian citizens while their personal data is now spilt all over the floor.
Now ask yourself
Do you really know where your customer data is coming from? How might a bad actor reuse stolen data in your ecosystem, and what are the risks?
Could you offer a digital wallet experience to lower those risks?
Is your Government ready for digital wallets?
How can your business get on the front foot, perhaps with digital wallets and credentials? So that you can respond quickly when your customer data systems get hacked too?
👉 Debunking the Myth of “Anonymous” Data
EFF highlights what personal data experts have said for years. True anonymity is very, very hard.
“Personal data can be considered on a spectrum of identifiability. At the top is data that can directly identify people, such as a name or state identity number, which can be referred to as “direct identifiers.”
“Next is information indirectly linked to individuals, like personal phone numbers and email addresses, which some call “indirect identifiers.” After this comes data connected to multiple people, such as a favorite restaurant or movie.
“The other end of this spectrum is information that cannot be linked to any specific person—such as aggregated census data, and data that is not directly related to individuals at all like weather reports.
“Data anonymization is often undertaken in two ways. First, some personal identifiers like our names and social security numbers might be deleted. Second, other categories of personal information might be modified—such as obscuring our bank account numbers.
“For example, the Safe Harbor provision contained within the U.S. Health Insurance Portability and Accountability Act (HIPAA) requires that only the first three digits of a zip code can be reported in scrubbed data.”
“But in practice, any attempt at de-identification requires removal not only of your identifiable information, but also of information that can identify you when considered in combination with other information known about you. Here's an example:
First, think about the number of people that share your specific ZIP or postal code.
Next, think about how many of those people also share your birthday.
Now, think about how many people share your exact birthday, ZIP code, and gender.
The reality is that you can be identified nearly 80% of the time using only your ZIP code, birthday, and gender.
One answer is to use digital wallets and verifiable credentials. To stop customers from sharing so much of their data in the first place.
Stop asking for customer data. Instead, ask questions of customer data.
Better questions: Do you live in state X (yes or no)? Are you older than 65 (yes or no)?
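To make the ZIP code, birthday and gender point concrete, here is an added example (not from the newsletter or from EFF) that measures how many records are unique under three views of the same data: the raw attributes, a generalised view, and the yes/no answers suggested above. The records, the reference date, the use of birth year in the generalised view and the ZIP prefix treated as "state X" are all constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample records (ZIP, date of birth, gender); not real people.
RECORDS = [
    ("02138", "1950-03-14", "F"), ("02138", "1950-03-14", "M"),
    ("02139", "1950-07-02", "F"), ("02139", "1988-11-23", "M"),
    ("02140", "1988-11-23", "M"), ("02141", "1988-01-05", "F"),
    ("10001", "1950-09-30", "F"), ("10002", "1950-12-01", "F"),
    ("10003", "1988-04-17", "M"), ("10003", "1988-04-17", "M"),
    ("10004", "1988-06-09", "F"), ("10005", "1950-02-11", "M"),
]

REFERENCE_DATE = date(2023, 11, 15)  # assumed "today" for the age question
STATE_X_ZIP_PREFIXES = ("021",)      # assumed: ZIPs that count as "state X"


def raw_view(rec):
    """What a typical customer database stores: the attributes themselves."""
    return rec


def generalised_view(rec):
    """3-digit ZIP (as in the Safe Harbor quote) plus birth year and gender."""
    zip_code, dob, gender = rec
    return (zip_code[:3], dob[:4], gender)


def predicate_view(rec):
    """Only the answers to 'live in state X?' and 'older than 65?'."""
    zip_code, dob, _gender = rec
    born = date.fromisoformat(dob)
    had_birthday = (REFERENCE_DATE.month, REFERENCE_DATE.day) >= (born.month, born.day)
    age = REFERENCE_DATE.year - born.year - (0 if had_birthday else 1)
    return (zip_code.startswith(STATE_X_ZIP_PREFIXES), age > 65)


def class_sizes(records, view):
    """Count how many records share each combination of values."""
    return Counter(view(r) for r in records)


def k_anonymity(records, view):
    """Smallest group size: k = 1 means someone is singled out."""
    return min(class_sizes(records, view).values())


def unique_fraction(records, view):
    """Share of records whose combination of values belongs to nobody else."""
    sizes = class_sizes(records, view)
    return sum(1 for r in records if sizes[view(r)] == 1) / len(records)


def report(records):
    views = {"raw": raw_view, "generalised": generalised_view,
             "yes/no": predicate_view}
    return {name: (k_anonymity(records, v), unique_fraction(records, v))
            for name, v in views.items()}


if __name__ == "__main__":
    for name, (k, frac) in report(RECORDS).items():
        print(f"{name:12s} k={k}  unique={frac:.0%}")
```

On this sample the generalised view still singles some people out, while the yes/no view leaves every record in a group of at least three.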
Now ask yourself
What customer data is your business collecting today, where you could instead ask a y/n question? Maybe the customer's age? (you don’t really need ‘date of birth’)
What might the data protection team say if you could dramatically lower the risk of handling customer data, when your database is filled with Y,N,N,Y,N rather than the actual customer attributes?
How could a digital wallet make the customer experience even better, so that you don’t even ask the customer for the raw data in the first place (one swipe, no form?)
OTHER THINGS
There are far too many interesting and important Customer Futures things to include in this edition. So here are some more links to chew on. Some have been open tabs for a while, and noteworthy:
OpenID4VC: OpenID for Verifiable Credentials LISTEN
Introducing Privacy Receipts into DLT and eIDAS READ
OECD Recommendation on Digital Identity READ
Identity in the Age of AI READ
EU General Court Clarifies When Pseudonymized Data is Considered Personal Data READ
New home builders implementing customer identity standards with a UPRN READ
Ten Actions Countries Should Take to Create a Digital-Identity Ecosystem READ
European Central Bank's Digital Euro: Research paper, including EUDI Wallet and Future Roadmap READ
And that’s a wrap. Stay tuned for more Customer Futures soon, both here and over at LinkedIn.