1. Ashley Friedlein Diamond

    CEO at Econsultancy

    01 June 2001 18:08pm

    Does anyone know what the regulations or best practice are on what you can and cannot do in terms of customer data and wireless internet usage tracking in the UK? I am looking into cross digital channel (iTV, web, wireless) management information reporting, customer tracking and measurement etc...

    I imagine that irrespective of channel you need to abide by the UK Data Protection Act of 1998 which requires every data controller who is processing personal data to notify with the UK Data Protection Registrar?

    (The Principles of Data Protection are that anyone processing personal data must comply with the eight enforceable principles of good practice. They say that data must be:
    1. fairly and lawfully processed;
    2. processed for limited purposes;
    3. adequate, relevant and not excessive;
    4. accurate;
    5. not kept longer than necessary;
    6. processed in accordance with the data subject's rights;
    7. secure;
    8. not transferred to countries without adequate protection.)

    If you provide a site for WAP-enabled phones to access then clearly you can analyse log files and any customer-entered data in the same way as a web site (as ABCe is doing for example). But how do you do privacy policies on a phone? Is that part of the contract you sign with the network operator? What if you don't sign a contract? Can handsets store persistent user cookies (like a PC user's hard drive) so that they only need log in once? What (customer) information do the network operators share with content providers if any? What are the regulations on this?

    The internet does not have 'operators' or 'platform owners' in the way that wireless and iTV do, so regulation is either more complex (e.g. multiple international jurisdictions) or less complex (fewer controlling and interested parties involved) depending on how you look at it.

    The internet is developing de facto privacy policy standards led by 3rd party certification bodies such as TRUSTe.

    (The 7 key questions that you have to answer to the satisfaction of TRUSTe are:
    1. What personally identifiable information of yours or third party personally identification is collected from you through the web site
    2. The organization collecting the information
    3. How the information is used
    4. With whom the information may be shared
    5. What choices are available to you regarding collection, use and distribution of the information
    6. The kind of security procedures that are in place to protect the loss, misuse or alteration of information under your control
    7. How you can correct any inaccuracies in the information.)

    iTV has limitations e.g. current set top boxes cannot store persistent user cookies (only session cookies and a limited number at that), entering text is laborious (wot no keyboard!) etc. The content providers, now that all 4 platforms are offering IP-based services, can analyse log files and transactional data but the platforms have greatest access to customer data as they know the unique ID of the set top box and know the details of the household that have that set top box. They don't share this data with the content providers as a general rule. They do, however, provide management information services based on transactional data and the site usage data that they get through their transcoder head ends - the various platforms to varying levels of quality and efficiency mind...

    The ITC (responsible for regulation of interactive TV) have adopted a fairly “light-touch” approach to regulation and, by indicating that they have no intention of regulating iTV content that is drawn from the internet, have cleared the way for new interactive TV formats. Their primary area of focus will be in ensuring that viewers understand when they are leaving a content/entertainment environment and entering a commercial/transactional environment.

    They have set some stricter regulations on Enhanced TV: the user must perform at least 2 clicks before transactional information is displayed. Also only 1/3 of the site can be transactional.

    So I have a fairly clear idea about web and iTV but what about wireless? Same as iTV?

  2. Alex Judd Bronze

    Director at Skywire

    05 June 2001 16:47pm

    >I imagine that irrespective of channel you need to abide
    >by the UK Data Protection Act of 1998

    Yes - currently the carriers hold a significant amount of information about their users which is non-internet related, such as phone numbers called etc. etc., and this is highly confidential information that they are legally bound to keep safe. The same practice will be taken with WAP logging, in that it will need to be protected under the data protection act.

    >If you provide a site for WAP-enabled phones to access
    >then clearly you can analyse log files and any
    >customer-entered data in the same way as a web site (as
    >ABCe is doing for example).

    Yes - as most WAP content is served from traditional web servers with a different content type set, the same logging of information can be kept by the servers. The most interesting aspect though is where else along the content delivery path this information is logged.

    Currently WAP stack traffic normally originates over TCP/IP and then ends up over GSM and therefore has to go through a conversion process on the way. This conversion process has to identify where the data has come from, what the data is (to convert it) and what device it is heading for - and therefore there is also the logging of information at this point.

    Most carriers will only allow customers to be delivered content through their own WAP gateway for exactly this reason, however the big area of contention comes when you look at banks, who are in direct conflict of that setup. Anyway, that's one for a later discussion.

    > But how do you do privacy
    >policies on a phone? Is that part of the contract you sign
    >with the network operator? What if you don't sign a
    >contract?

    The toughest thing about the pre-pay market is that you have NO IDEA who the user of the phone is unless they reply with some form of mail-in or registration. Therefore, you have to be careful that you don't deliver them information that is potentially covered by subscriber contracts as they will need to explicitly agree to it.

    BTW prepay is one of the biggest sources of credit card fraud because of this anonymity, however it currently counts for over 50% of most carriers' subscribers.

    > Can handsets store persistent user cookies (like
    >a PC user's hard drive) so that they only need log in
    >once?

    Some phones provide the facility to do this, and the Nokia 7110 was the first to provide a fairly basic implementation of cookies, however common practice is to NOT leave behind any cookie information with users as the de facto is to not support it.

    In the US the potential to use the MSN (mobile subscriber number) is there as some carriers are transmitting it all the way through the WAP gateway back to the 3rd party server, however privacy laws in Europe are currently forbidding this so I wouldn't rely on that as a means of tracking users.

    OTA provides some way of configuring users' phones by sending PDU encoded SMS messages to them containing information such as WAP bookmarks etc. however this is currently in a fairly basic implementation.

    > What (customer) information do the network operators
    >share with content providers if any? What are the
    >regulations on this?

    We have been asked to waive all data rights on any carrier customers that have used our systems by all of our carrier customers, so apart from anonymous statistics, I don't believe they will allow any 3rd party stats. The carriers are very keen to keep controlling interest of their customers and that includes all data etc. stored on them.

    >iTV has limitations e.g. current set top boxes cannot
    >store persistent user cookies .......
    >So I have a fairly clear idea about web and iTV but what
    >about wireless? Same as iTV?

    Some portals and carriers are now providing design and usage guidelines for the user experience that they want to achieve, and the 'whitelabelling' of services to the carrier's brand will only help enhance this.

    I would expect wireless and iTV to be similar in terms of data policies as they are both (relatively) walled gardens, and largely mediagroup/carrier owned.

    Alex
    Skywire Wireless Solutions

  3. Ashley Friedlein Diamond

    CEO at Econsultancy

    05 June 2001 17:49pm

    Interesting. Assuming you wanted to uniquely identify a user across web, wireless and iTV (to deliver all the wonderful benefits of personalisation and eCRM to the user and business...), what do you think is current best practice for wireless?

    From a technology point of view it is relatively straightforward to provide a single back end that serves all 3 channels - a single customer database, content and presentation layers separated out etc.

    However, at the user end things get a little trickier. The lack of support for persistent cookies on set top boxes and handsets means that users have to re-identify themselves to the central brain each time - quite a pain for the user. And how should you do that identification?

    On the web log-ins are relatively standard practice: user ID + password or similar. You have a keyboard so text entry is easy. Not so with iTV or wireless.

    In delivering a multi (digital) channel personalised proposition, users could use the web to configure and control their unique access / log-in process by channel e.g. you might set up a PIN code to identify yourself via iTV and wireless. Or a password which might be alphanumeric. You would still have to remember and re-enter that unique identifier each time, however, which is a big barrier to use.

    Also if a PIN needed to be unique (unlike for cash machines where the PIN is to help validate you are who your card says you are) the PINs could get too long for a user to remember. Any more than 10,000 customers and the PINs would need to be 5 digits rather than the customary 4 and aren't our brains already too full of codes, PINs and passwords to take 5 digits? A call centre might be needed to handle the 'forgot-my-log-in' enquiries... ;)

    Do you have any insight on research or best practice thinking for unique user identification / log in via wireless?

    Does anyone have any insight into best practice multi-channel unique user identification / log-in solutions?

  4. Alex Judd Bronze

    Director at Skywire

    06 June 2001 14:04pm

    >Interesting. Assuming you wanted to uniquely identify a
    >user across web, wireless and iTV (to deliver all the
    >wonderful benefits of personalisation and eCRM to the user
    >and business...), what do you think is current best
    >practice for wireless?

    Ah, the holy grail! In theory user behaviour is such that we have a realistic chance of doing this based on usage patterns of the three different devices. Focusing on wireless for the moment, one of the most interesting things about the usage of mobile phones is that they are very rarely lent to other people to use - so that means we have a 90%+ chance of knowing that our user is who they were last time based on their usage.

    From the carrier's point of view, the phone itself has a unique International Mobile Equipment Identity (IMEI) which is known to the GSM network, as well as each individual GSM user having their own International Mobile Subscriber Identity (IMSI), so the carrier pretty much knows everything about their users they could want to. The question becomes what do they pass through to the content provider.

    As discussed in the first post, this information is at the moment rarely passed through to the 3rd party content provider even if it is available so we have to depend on the user identifying themselves to us before we can personalise their experience. As with other session based media (iTV, Web), once the user is identified we can personalise to their tastes and profile.

    Therefore for the near term future, we should expect 3rd party wireless services to need identification for personalisation, however in business case scenarios or operator portals where the carrier identification information is passed through, we have a rich opportunity for adapting our content and services to our user.

    >
    >From a technology point of view it is relatively
    >straightforward to provide a single back end that serves
    >all 3 channels - a single customer database, content and
    >presentation layers separated out etc.
    >
    >However, at the user end things get a little trickier. The
    >lack of support for persistent cookies on set top boxes
    >and handsets means that users have to re-identify
    >themselves to the central brain each time - quite a pain
    >for the user. And how should you do that identification?

    Again - it's a case of making the operation as painless as possible for the user - even though they still have to go through it. During our software development cycle we started off with single username and password pairs across multiple platforms (Web, WAP, SMS) however this proved completely unusable for the user.

    Therefore we created multiple access points for the same account based on the device the user was using. Web made best sense to stick with email address as login, and user chosen alpha-numeric password as password as the user had a keyboard in front of them, however for WAP we switch over to phone number as login, and PIN as password. Finally for SMS where the user phone number IS sent as part of the data, we asked the user only for their PIN number.

    We also did a number of other interesting things to increase usability and security. Asking the user on SMS for 2 randomly chosen parts of their 4 digit PIN number ensured that even if the phone was stolen and the SMS outbox still stored the number, it would only be 2 numbers of the 4 with no idea of what position they sit in the total number.

    >On the web log-ins are relatively standard practice: user
    >ID + password or similar. You have a keyboard so text
    >entry is easy. Not so with iTV or wireless.
    >
    >In delivering a multi (digital) channel personalised
    >proposition, users could use the web to configure and
    >control their unique access / log-in process by channel
    >e.g. you might set up a PIN code to identify yourself via
    >iTV and wireless. Or a password which might be
    >alphanumeric. You would still have to remember and
    >re-enter that unique identifier each time, however, which
    >is a big barrier to use.

    The issue is to look at what the users want to use each device for and to tailor the delivery to that means. For a large German auction house who we worked with to add SMS services to their phone auctions, many users didn't have an email address and therefore more than likely no web access - so relying on web for all users to create their accounts isn't a 100% reliable method.

    Instead we added the ability to register your mobile account using a call center dial-up, (expensive but effective) where web enabled call center staff could create the account for the users.

    Ease of use is always a trade off with security and I think a numeric PIN number, with some pseudo-random character selection provides a good means of making things accessible while still safe.

    >Also if a PIN needed to be unique (unlike for cash
    >machines where the PIN is to help validate you are who
    >your card says you are) the PINs could get too long for a
    >user to remember. Any more than 10,000 customers and the
    >PINs would need to be 5 digits rather than the customary 4
    >and aren't our brains already too full of codes, PINs
    >and passwords to take 5 digits? A call centre might be
    >needed to handle the 'forgot-my-log-in' enquiries... ;)

    Here we begin to enter the territory of PKI and private/public key technologies which allow us to achieve nonrepudiation and authentication between two separate parties. My team at Skywire (www.skywire.co.uk) have recently been doing a significant amount of work with a very large global carrier, and a leading security/cryptography software company in enabling their phone devices to carry individual certificates for their users to safely achieve exactly this kind of scenario.

    It might be worth me doing an overview for the forum on how we are implementing all of this technology as it should be reality in about 9 months time!

    >Do you have any insight on research or best practice
    >thinking for unique user identification / log in via
    >wireless?

    Some of the above have been our best ideas, however phone.com (or whatever they last rebranded to) and Nokia provide some good thought leadership papers on this kind of thing in their developer zones. I would strongly recommend anyone who is yet to visit these areas to do so and read the good knowledge of white papers they have there.

    >Does anyone have any insight into best practice
    >multi-channel unique user identification / log-in
    >solutions?

    I look forward to insight from others too about this.

    Alex Judd

    References :

    GSM Identifiers (http://www.idi.ntnu.no/~palat/public/GSM/node17.html)

    Web/WAP/SMS cross platform m-commerce software
    (http://www.snaz.com)

    Non-repudiation in the digital environment
    (http://www.firstmonday.dk/issues/issue5_8/mccullagh/)
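
The partial-PIN check described in the post above for SMS log-in (two randomly chosen digits of a 4-digit PIN), as an added example that is not part of the original thread or Skywire's code. The class name, the attempt limit, the expiry time and the sample phone number are assumptions made for illustration.

```python
import hmac
import secrets
import time

PIN_LENGTH = 4
MAX_ATTEMPTS = 3      # two digits leave only 100 guesses, so lock out early
CHALLENGE_TTL = 300   # seconds a challenge stays answerable (assumed value)


class PartialPinVerifier:
    """Issues and checks 'send digits N and M of your PIN' challenges."""

    def __init__(self, pins, clock=time.time):
        # pins: phone number -> PIN string. Checking single digits needs the
        # PIN in recoverable form, so a real store would hold it encrypted;
        # a one-way hash of the whole PIN cannot answer this challenge.
        self._pins = pins
        self._clock = clock
        self._pending = {}    # phone -> (positions, expiry time)
        self._failures = {}   # phone -> consecutive wrong answers

    def locked(self, phone):
        return self._failures.get(phone, 0) >= MAX_ATTEMPTS

    def issue(self, phone):
        """Pick two distinct 1-based PIN positions, or None if refused."""
        if phone not in self._pins or self.locked(phone):
            return None
        rng = secrets.SystemRandom()   # OS randomness, not a seeded PRNG
        positions = tuple(sorted(rng.sample(range(1, PIN_LENGTH + 1), 2)))
        self._pending[phone] = (positions, self._clock() + CHALLENGE_TTL)
        return positions

    def verify(self, phone, answer):
        """Check a two-digit answer; each challenge is answerable once."""
        challenge = self._pending.pop(phone, None)   # single use: no replay
        if challenge is None or self.locked(phone):
            return False
        positions, expiry = challenge
        if self._clock() > expiry:
            return False
        expected = "".join(self._pins[phone][p - 1] for p in positions)
        ok = hmac.compare_digest(expected.encode(), str(answer).encode())
        self._failures[phone] = 0 if ok else self._failures.get(phone, 0) + 1
        return ok


if __name__ == "__main__":
    # Constructed sample account; the number is from a range reserved for fiction.
    demo = PartialPinVerifier({"+447700900123": "4071"})
    print("Reply with PIN digits at positions", demo.issue("+447700900123"))
```

Because the challenge is dropped as soon as it is answered, a two-digit reply recovered from a stolen handset's outbox does not answer the next challenge unless the same positions happen to be drawn again.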
