Trapped in the Data-Sharing Dilemma

Managing passwords and user credentials for a host of websites and apps has become increasingly challenging for consumers of digital content and services. To address this annoyance, large online platforms allow unaffiliated websites to authenticate users through a shared log-in — for instance, “Log in with Facebook.” However, such log-ins are more than just a simple solution to ease user frustration. They allow the issuing platforms to track user activity across multiple unaffiliated websites and apps, while the content or service providers adopting the log-ins receive demographic and behavioral data that can help them improve user experience.

Does this setup benefit all parties involved? Sometimes. But in many cases, providers become trapped in a data-sharing dilemma: They may have short-term incentives to adopt such log-ins but suffer negative economic impact in the long run.

The Limits of Data Sharing as a Profitable Strategy

We recently analyzed the competitive dynamics at play by creating a formal game theory model, which rests on the notion that sites adopting these log-ins typically face two types of competition. On the one hand, content and service providers addressing the same special interest (say, sports news websites) compete for users. It is usually this type of competition that prompts sites to use shared log-ins; they do it to offer a better and more personalized user experience. On the other hand, the issuing platform and the special interest providers adopting the log-ins are in competition for targeted advertisements. For example, a sportswear company may increase its advertising intensity on a sports news website or a social network, depending on where it can generate more successful advertising matches. In this case, sharing usage information through the log-in is likely to benefit the issuing platform more than the special interest providers, because more detailed user data provides relatively more help to the platform in increasing its ad-targeting ability. While a special interest provider can readily place targeted ads due to its thematic focus, the issuing platform’s audience is more diverse, which makes it more difficult to select the right ad for the right user.

Our findings point to a strategic challenge in today’s digital ecosystem: While other studies have examined exclusionary practices by major platforms, our research shows that content and service providers run the risk of dependency and exploitation when entering into data-sharing agreements with them. Indeed, in addition to shared log-ins, platforms also offer other services to third-party providers that present data-sharing issues.

For example, Amazon offers a Fulfillment by Amazon (FBA) service that allows marketplace sellers to ship products to Amazon’s warehouse first, at which point shipping is handled by Amazon. One incentive for third-party sellers to use FBA is that products become eligible for Amazon’s popular Prime program. Prime products are more visible and can be shipped faster, providing the sellers with a competitive advantage. But then Amazon gains valuable information about sellers’ businesses, such as details about manufacturers, product popularity, and customers who have bought the products, even outside Amazon’s marketplace. Sellers thus run the risk that their popular products will soon be sold by Amazon directly and that their customer data will be fed into Amazon’s recommender system.

Another example is Google’s Accelerated Mobile Pages (AMP) project, which offers websites that adopt this technology a competitive advantage through faster-loading landing pages and prominent placement in Google’s search results. To use AMP, websites must embed a script from Google’s servers that gives Google access to the sites’ connection data. In this way, Google limits the content or service provider’s access to usage data, because users who click on an AMP link do not reach the original website. This hamstrings providers’ advertising efforts and makes it more difficult to perform analytics on their AMP content. Given these limitations, a website’s ability to compete in the targeted advertisement market may even decrease from AMP adoption.

When Is a Data-Sharing Dilemma Likely to Occur?

Small organizations and startups are the most likely candidates to pursue data-sharing relationships with large platforms. Relative to well-established content and service providers, they experience more competitive pressure to enhance ad-targeting capabilities, improve user experience, and increase market share.

Our analysis suggests that shared log-ins are most tempting and most detrimental to adopting sites when the data obtained from the online platform enables a special interest provider to gain a large advantage in the competition for users. Here, the provider has a strong unilateral incentive to adopt the log-in, even if it recognizes that this will lead to a competitive disadvantage in the advertising market. However, the advantage in the competition for users is often short-lived, because competing providers are likely to adopt the log-in as well.

Even without fierce competition for users, the data-sharing dilemma can still occur because of strong competition for advertising. The user data that websites gain through shared log-ins promise targeting advantages over sites that do not adopt the log-in. But again, those advantages may level out as adoption becomes more widespread.

How to Mitigate the Competitive Risks

An irony of the data-sharing dilemma is that competitive pressure forces organizations to make strategic choices that, in fact, undermine their competitiveness in the long run. So, managers should weigh the long-term effects of data-sharing agreements, such as exploitation and dependence, against short-term benefits. We offer four strategies that may help managers navigate decision-making when it comes to log-in strategy:

1. Continually monitor benefits versus drawbacks and remain agile. To avoid becoming overly dependent on the (possibly free) services offered by platforms, content and service providers should continually reevaluate adoption decisions and be prepared to quickly reverse course without losing their footing in the market. Companies may also look for ways to minimize data-sharing trade-offs. For example, websites may obfuscate their own URLs to reduce the amount of information that can be inferred by log-in providers.

2. Use data-sharing agreements to increase differentiation from competitors. Data sharing may prove to be profitable in the long term for companies that can exploit the new data sources in ways that separate them from their competitors. For example, a music-streaming service may develop special capabilities to transform user data into improved recommendation algorithms and personalized playlists. If companies gain superior analytical skills or offer novel business models that differentiate them from rivals with access to the same data sources, log-in adoption is more likely to keep paying dividends.

3. Build alliances with competitors. Instead of reinforcing the power of giant online platforms, content and service providers that have been repurposing log-ins may band together to establish their own single sign-on solution. Open and user-driven single sign-ons (such as OpenID) exist but have failed to find wide adoption. However, blockchain technology presents an opportunity to reinvigorate the concept of a decentralized log-in structure, and several software projects are already innovating in this space.

4. Seek data-sharing partners from complementary markets. Companies of the so-called old economy, with well-established customer relationships that are not in immediate competition with advertising-financed online services, may represent attractive partners for alternative data-sharing agreements. Recent activities to this end, such as a newly founded alliance by German firms and new business models introduced by established companies, may offer such opportunities.1

Organizations must navigate data-sharing strategies carefully to find success. In addition to considering the competitive effects, they should assess data protection and privacy issues before adopting a log-in that is managed by a third party or sharing data externally. In a recent hacking attack on Facebook’s log-in, at least 50 million users were affected, and with them thousands of websites that have adopted the shared log-in.2 Clearly, such data breaches and the mishandling of data by partners can quickly erode the trust of users in one’s own services. Once that has happened, it’s hard to recover.