Archive for the ‘Identity’ Category

So what *should* the identity architecture look like?

February 1, 2012

[Crossposted to Google+, LiveJournal and Art of Conversation. That, in and of itself, illustrates some of the points I’m making.]
I’ve posted a lot (mainly on Google+) about the problems with the way Google is handling identity, and the various dangers of it. The just-linked article describes neatly why Google wants to mess up the identity architecture. But it’s worth spelling out the alternative, and how it should work to be best for the users.

I’ve been meaning to do a long writeup for months now, but keep getting distracted, so here’s the back-of-the-napkin summary. Consider it a sort of technical manifesto.

(Yes, this is the short version. It’s a quick and dirty writeup, just the spark for a lot more discussion. And most of it isn’t that novel: others have talked about it, but haven’t gotten far enough yet.)

There are, in principle, four principal layers in a well-constructed Internet identity architecture. I’m not going to go into the fine details, because from this viewpoint they don’t matter as much — what really matters is how they relate to each other. Suffice it to say, none of this is easy, but it’s all technically feasible if folks collectively want it enough.

All of these should be talking to each other through *open* protocols, with no back doors. That’s extremely important: the point of the exercise is that the individual should be able to control each of these layers him or herself. Even more importantly, no single company should be able to lock you into their stack: if you really value your privacy highly, you should get each of these from separate companies.

(I can’t overstate the importance of this. The success of the Internet has largely been due to its embrace of open protocols like IP, TCP, HTTP and so on. It is a travesty that the social network space has festered without them like this.)

The layers are:

Layer 1: Identity — this is the simple statement of “this is me”. Crucially, I should be able to have multiple of these, defined however I like. In my own case, there’s “Mark Waks” (the professional / business identity) and “Justin du Coeur” (the social / club identity). These Identities may provide additional details such as name, gender, or what-have-you, but don’t need to: all they really need to do is provide an authentication mechanism.

We already have Layer 1, in a couple of different forms. There are SOAP-based versions in the form of the WS-Security stack, and those are fairly elegant and well designed. In practice, OpenID is cruder but much more prevalent, works adequately for many purposes, and is used a lot. (Although not nearly as much as it should be.)

Layer 2: Social Grouping — this is the notion of G+ Circles, FB Lists, LJ Flists, and so on: groups of people that you define. These Groups may be public (everyone can see their existence) or private (only you know they exist). A Group is owned by one or more Identities, and contains any number of Identities. Note that a Group does *not* contain people, it contains Identities. One of the core principles here is that people know each other as Identities; how much they know about the relationship of a person and an Identity is a relatively private matter. (That is, lots of people know that “Mark Waks” is “Justin du Coeur”, but that should be a decision I control, not enforced by the software. The former should be in groups about these sorts of technology matters, the latter in discussions of the SCA and fandom.)

There have been some stabs at doing this properly, at least to the extent of sharing group information between applications. I don’t get the feeling that anybody has taken it seriously enough yet, and some providers (notably Facebook) deliberately make life difficult. But it’s been examined a lot.

Layer 3: Application — this is conceptually the top of the stack, but it interacts with the other layers in fairly subtle ways. This is all the stuff you can *do* online. In principle, all functionality belongs here, and shouldn’t get mixed in with the other layers.

Most systems get this wrong, mixing everything from personal information to chat into the Identity layer instead of formally separating it via APIs into a consistent Application layer. In particular, the big providers tend to treat applications as what everyone *else* gets to do, while privileging their own stuff. People have always objected when Microsoft does things like that; there is no reason for companies like Facebook and Google to get let off the hook.

There are some nascent proto-standards for this sort of thing, but I haven’t seen much agreement yet. It’s not going to be real until multiple companies are hosting applications using the same standard, and a fair number of companies are writing applications using it.

Layer 4: Aggregation — this is the elephant in the room, that everyone prefers to ignore, but it’s central to much of the privacy problem.

The thing is, if you really care about your privacy, you need to be able to control how your Identities relate to each other. The Identity provider, the Grouping provider, the Application provider — none of these should have to know about all of your Identities. Moreover, if one of them *does* own the collection of Identities, then they own you in a sense, and we fail the key objective of giving you control over your online world.

This is the heart of the various Google problems — I haven’t yet figured out whether they are being deliberately obtuse about this problem, or really don’t get it, or are struggling with its implications and (typically of Google) refuse to say anything at all until they have the one true solution built in-house, and are simply refusing to engage properly with the wider community. It was the heart of the issue with the Real Names policy (if everything has to be under a single real name, you get aggregated whether you like it or not), and it’s the heart of the issue with their new privacy policy (since it is now clear that you can’t separate your identities simply by using different apps).

Now of course, you *can* deal with this today, by creating completely separate accounts and never letting them touch each other; that’s often recommended. But it’s a blithe non-answer, because the simple truth is that that’s horribly inconvenient. There simply isn’t good tool support for it, so at best it’s clunky.

This is the bit that’s actually technically challenging, because it affects the way the rest of the stack works. In principle, you want to be able to aggregate your *views* of applications — for example, be able to see all of the conversations that include all of your Identities in a single place. But doing this while getting real privacy means that the Applications have to be built in such a way that they can’t accidentally “leak” the relationships between the Identities, and that’s tricky. Still, it could likely be managed with a well-controlled environment, with well-defined APIs.
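A minimal sketch of that separation, added here as an illustration and not taken from any existing system: the aggregator, under the user's control, is the only component that knows which Identities belong together, and the application can be checked for what it is able to link. All class and method names, the provider hostnames, and the session id that stands in for a cookie or connection are assumptions.

```python
# Added illustration; every name below is an assumption, not an existing API.
import secrets
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    """Layer 1: an opaque handle vouched for by some identity provider."""
    handle: str
    provider: str


@dataclass
class Group:
    """Layer 2: owned by Identities and containing Identities, never people."""
    name: str
    owners: frozenset
    members: set = field(default_factory=set)
    public: bool = False

    def visible_to(self, identity):
        return self.public or identity in self.owners or identity in self.members


class Application:
    """Layer 3: serves one Identity per request and remembers what it saw."""

    def __init__(self, name):
        self.name = name
        self.posts = []                    # (group name, author handle, text)
        self.sessions = defaultdict(set)   # session id -> Identities seen on it

    def post(self, group, author, text):
        if author not in group.members:
            raise PermissionError(f"{author.handle} is not in {group.name}")
        self.posts.append((group.name, author.handle, text))

    def fetch(self, session_id, identity, groups):
        # The session id stands in for anything that ties requests together:
        # a cookie, an access token, a long-lived connection.
        self.sessions[session_id].add(identity)
        names = {g.name for g in groups if g.visible_to(identity)}
        return [p for p in self.posts if p[0] in names]

    def linkable(self):
        """Identity sets this application could tie to one person."""
        return [ids for ids in self.sessions.values() if len(ids) > 1]


class Aggregator:
    """Layer 4: runs under the user's control; only it knows the full set."""

    def __init__(self, identities):
        self.identities = list(identities)

    def merged_view(self, app, groups, isolate=True):
        shared = secrets.token_hex(8)
        view = []
        for identity in self.identities:
            # Isolated: a fresh session per Identity. Careless: one for all.
            session = secrets.token_hex(8) if isolate else shared
            for p in app.fetch(session, identity, groups):
                if p not in view:
                    view.append(p)
        return view


def demo():
    # Constructed sample data using the two Identities named in the post.
    mark = Identity("Mark Waks", "idp-one.example")
    justin = Identity("Justin du Coeur", "idp-two.example")
    alice = Identity("alice", "idp-one.example")
    tech = Group("identity-tech", frozenset({mark}), {mark, alice})
    sca = Group("sca-dance", frozenset({justin}), {justin})
    groups = [tech, sca]

    results = {}
    for label, isolate in (("isolated", True), ("careless", False)):
        app = Application(f"forum-{label}")
        app.post(tech, alice, "OpenID question")
        app.post(sca, justin, "Dance practice moved")
        view = Aggregator([mark, justin]).merged_view(app, groups, isolate)
        results[label] = (view, app.linkable())
    return results


if __name__ == "__main__":
    for label, (view, leaks) in demo().items():
        print(label, len(view), "posts;", "linkable sets:", leaks)
```

Both runs give the user the same merged view; only the careless one leaves the application holding a session that ties the two Identities together.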

Separating things into clear layers like this, communicating via clear APIs, would improve the online social world in a lot of ways. It would level the playing field, letting in lots of competition in each of these spaces; at the same time, it would make it more economical to build new applications if you didn’t have to rewrite them for each social network.

And I should be clear: it’s entirely reasonable to cheat a bit. So long as a social network allows in outside versions of each of these protocols, there is nothing at all wrong with it offering a full stack of all of them, integrated to make it easier for a naive user to get involved. Yes, there are some market risks with that sort of collusion, but let’s get real — most people want convenience, and do *not* care about things like privacy or openness. (Yes, they should. But the world doesn’t run on nice ideals.)

Why doesn’t it just happen? Plain and simply, because the above architecture doesn’t offer an obvious way to become a billionaire. In that, it’s much like the Internet itself. As an individual, you *want* the social network to be a commodity, the same way that the Internet is. But companies want to lock you into their walled gardens, because that’s how they get rich.

History points the way, though. Originally, the networks themselves were walled gardens — companies like Compuserve and Prodigy tried to lock you into their gardens, providing lots of features but not letting you walk outside. We didn’t put up with it then: we collectively instead went for the messy but inter-connected Internet, and those companies basically wound up in the dustbin.

And there’s no reason for us to put up with walled gardens now. The very fact that Facebook and Google+ (and Livejournal and and and) mostly don’t talk to each other illustrates how broken things are. That’s because each of those companies, ultimately, wants to own you and profit from you. We need to get away from that, and not *let* ourselves be owned.

How do we get there from here? Honestly, a lot of hard work on many people’s parts. Trying honest prototypes and experiments; agreeing standards; ultimately, building a system that does all the sorts of stuff that Facebook and Google+ do in a more open way. The public isn’t going to move away from them because of airy principles; they’re only going to move if we can build an alternative that is *better*, and demonstrate that to them. That’ll take patience.

But I do think it can be done — moreover, I think it *will* happen, because it is closer to what people want. Folks are pretty fed up with the split between the various social networks: it’s a real inconvenience for many people. It’s time to start building The Social Network, the social level corresponding to the unified Internet, so that we stop having to choose to fragment.

(And yes, I’m gradually talking myself into rebooting CommYou, with a radically different business plan…)

G+: Circles vs. Identity

July 11, 2011

All the conversation about social networking right now is of course about Google+.  I’m not going to bother recapping that: most of you know about it (and I think that XKCD summed up the current state pretty well), and a lot of you are already on it.  They do a lot right, and I fully expect it to improve rapidly, but let’s talk a bit about the biggest goof that I’ve seen so far.

The big deal about Google+ is the notion of “circles”.  These aren’t nearly as revolutionary as they’re made out to be (from the thousand-foot view, they’re similar to Facebook’s Lists), but they’re unusually well-executed and well-integrated.  The key observation Google made, correctly, is that most people run in multiple circles, and that those circles need to be front-and-center to the experience, not considered a minor detail.  I put a lot of information online, and different information should be shared with different circles.

So why, for heaven’s sake, do I have only one profile?  I suspect that the answer is that they simply tied into the existing Google Profile mechanism, and that they have been too influenced by Facebook.  But seriously, it indicates that they haven’t thought their own key insight through properly.

The thing is, for many people — possibly most — circles are more than just groups of people.  It’s not just that I am sharing different things with those people, it’s that I am potentially a different person to those people.  And I don’t mean in some sinister way, I mean the routine stuff: it’s almost cliche to say that we present multiple faces to the world, and it’s kind of astonishing that that hasn’t been properly recognized.

For me personally, this is a relatively minor detail: I’ve never tried to keep much separation between the real-world Mark and the better-known nom du SCA and plume and stuff Justin.  But for a lot of people, this separation really matters.  A common example or two:

  • I have many friends who participate in alternative lifestyles of one sort or another.  For many of them, it is deathly critical that they keep that well-separated from mundane life and especially from work — in some cases, crossing those identities could be a career-ender.
  • Almost every teenager is on social networks nowadays.  And let’s get real: most of them want to maintain a clean separation between the family side of the network and the friends side.  That’s normal and healthy — modern parental paranoia aside, teens need space to learn and grow on their own.
  • One flap that’s blown up pretty seriously lately surrounds the question of gender identification.  That points up the fact that these different identities potentially don’t publicly identify the same way.  Specifically, I suspect that some of the women I know would very much like to have multiple profiles, some of which identify as female (mainly for friends) and others which are specifically gender-neutral (for public consumption).

There are other examples, but it all ties together.  Google has bought into Facebook’s dreadfully mistaken belief that you can and should only have one identity online, that it must be associated with your real name, and that it must be shared among all your circles.  This is uncharacteristically dumb of them: there is no good argument for it, and lots of reasons — the above and more — to kill it.

So here’s a specific gauntlet thrown down to Google: get the identity equation right.  You got conversation mostly right with Wave; you’ve gotten a lot of the social interactions right with G+.  But your identity mechanism is just plain broken.  People should have the ability to have an arbitrary number of identities, and the requirement to tie those publicly to real-world identity should be just plain scrapped.

(And let’s be clear here: I’m not calling for anonymity.  Anonymity is death to most social environments online.  I am calling for pseudonymity to be officially permitted and encouraged, so that people can present the appropriate face to the appropriate circles.)

Opinions?  Do you present multiple faces to the online world?  Would you use multiple profiles, if the option existed?


October 25, 2010

This was posted recently, in the always-excellent webcomic XKCD:

And what about all the people who won't be able to join the community because they're terrible at making helpful and constructive co -- ... oh

As always when XKCD is at its best, it’s both funny and thought-provoking, and quite on-target.

Here’s the question it raises, though: what’s the comment equivalent of the Turing Test?  Is the issue “bot or not”, “spam or not?” or “helpful or not?” Most spambots would fail the test described here; would human-generated astroturf?  Is “constructive” the right measure to use, to distinguish between “should be posted” and not?  It might be — indeed, the product-placement industry is almost based on this concept, and it’s better than simply asking “Do you think this is a bot?”.  But now I find myself looking for the best word to usefully express, “should this be here or not?”

To Bundle, or not To Bundle, that is the Question

October 21, 2010

I just got an unusually formal email from Google, saying that Google Groups is dropping a lot of functionality.  Specifically, they will no longer support customized welcome messages, pages or file storage for groups.  Essentially, they are going to stop pretending that they are competing with Yahoo Groups, in favor of trying to do a better job on mailing lists and forums.

They are quite clear, however, that you can still have group files and pages — it’s just that you should do files through Google Docs, and pages through Google Sites.

On the one hand, this actually makes a good deal of sense.  One of Google’s big problems is that they have lots of systems that are overlapping, or often completely redundant.  Having two separate file-management systems is a bit silly, so refactoring and merging them makes sense.

That said, I worry that they’re missing a key aspect of group identity.  Saying, “You can upload a file, and make it accessible only to a group” is not the same thing as saying, “You can upload a file within your group”.  The functionality may be the same, but the perceived user experience is very, very different.  Context matters, especially when you’re mucking with communities.

And frankly, I find myself disappointed that they claim to be focusing on mailing lists and forums, because that’s not the interesting problem.  I would far rather that they focus on community and identity, which are really the interesting problems that have not yet been well-solved.  Forums are a good use case for those, and it’s possible that they’ll do a lot of good along the way, but I would much rather get a really great, shareable and repurposeable group-management system than just another mailing-list operator.

So we’ll see.  What do you think?  Does this change sound good, bad or indifferent?  Is Google going in the right direction, or are they missing the boat?

Twitter makes a grab for namespace dominance

April 19, 2010

Twitter has been in the news a bunch lately, especially due to their new deal with the Library of Congress to archive the entire public feed of all tweets.

(And that is worth a brief tangent: what do people think about this?  Is a permanent archive of Twitter actually worthwhile in isolation?  How many conversations occur solely on Twitter, and how many are bouncing between that and other social and online media?  I sort of wonder if future historians are going to find this feed incredibly frustrating — basically getting to read half a conversation for the entire world.  But I digress…)

Anyway, today’s main Twitter topic is their new @Anywhere service, which is looking pretty clever.  It’s their equivalent of Facebook Connect, and many of the features are similar — for example, it allows you to log into Twitter via a third-party site and do Twitter-ish actions from it, lets the site do some actions on your behalf, and so on.

But the really intriguing bit that I note in their documentation is that, if you put a little @Anywhere Javascript into your site, it will scrape the page and hook up all @-tags for you.  That is, if someone refers to @jducoeur on the page, it’ll show up as a live Twitter link to me, with a popup card, a link to my Twitter feed, and so on.

This is smart and forward-looking, and recognizes that namespace matters.  Most services today still have completely flat namespaces, where everyone gets a unique moniker.  (With the conspicuous exception of Facebook.)  You can make arguments about whether that is good or bad (and I suspect most serious computer geeks would argue that it’s a horrible idea), but it’s damned convenient to have that global handle for yourself.  It’s not at all unusual for people at high-tech meetings these days to put their @-tag on their name badges, since it’s a convenient shorthand for finding them later.

But of course, there are a hundred disjoint services out there, each of which has its own namespace.  So what is your “real” handle?  Twitter wants to make that your Twitter handle — your @-tag is the center of your universe, from which people can get to the rest of your social world.  They’ve recognized that the @-tag is one of their key bits of intellectual property, and they’re starting to leverage it.

(I’ll note that Google Buzz is already doing some fancy and smart things with their own @-tags, having picked the style up from Twitter.  But that only works within Buzz — the interesting thing here is that Twitter is trying to reach outside its own domain.)

I don’t know if they’ll succeed in this, but it’s a smart game to play, and I’d bet that we’ll see more services try to dive for this.  I’ll be very curious to see if they get any traction with it…

Fake Identity, coming to a lawsuit near you

October 5, 2009

It’s been building for a while, but here’s the best example I’ve seen so far: a group of teens have been sued for impersonating another.  Basically, the four teens created a Facebook profile for their target, putting a lot of work into making it look real, and then used it to make their target look like a racist ass.  This probably isn’t unusual by now, but they went far enough to cause demonstrable harm to the kid, resulting in a defamation suit that sounds like it has a good chance of winning.

It does lead me to wonder where this is all going legally.  When we talk about “identity theft” today, we’re usually talking about schemes designed to steal your money or credit.  But this is a different sort of identity theft, perhaps even more damaging in the long run — taking control of your public profile and changing what people believe you to be.

I’m struck by the fact that, when this did turn into a lawsuit, the suit was defamation.  This seems to imply that the basic action of impersonation either isn’t illegal, or at least doesn’t result in a harsh enough punishment.  My gut says that it probably ought to be quite illegal, although my head says that it’s always difficult to write laws like this without pretty severe unintended consequences.

Opinions?  Do you think there should be harsh laws against this kind of identity theft — designed not to steal, but simply mislead?  Do you think it’s possible to write such a law well?  What sort of consequences is it likely to have?  I’m chewing this one over myself…

More on the legal limits of anonymity

August 21, 2009

Serves me right for letting myself get behind on my blog reading.

Yesterday, I talked about the need for clearer standards on when a publisher gives up an anonymous poster’s identity.  As it happens, there was progress on this front just a few days ago: Ars Technica posted a good article on almost this subject.  It’s not about blogging in this case, it’s about an apparently-false anonymous whistleblowing claim, but the basic principle is close — someone is claiming to have been defamed by an anonymous claim, and wants to find out who made the claim in order to sue them.

This time, the case apparently made it up to the appeals court, which has taken the contradictory previous decisions and attempted to craft a reasonable compromise.  The article gives the exact wording, but it basically boils down to requiring the plaintiff to demonstrate both that there are reasonable grounds and that they actually need the person to be unmasked.

So yay for intelligent judges, and at least a little progress towards laws and precedents that make sense in the modern age…

The inevitable limits to anonymity

August 20, 2009

I suspect that most folks will have heard about this, but I’ll refer my readers to this good article in SFGate about the “Skanks in NYC” case.  (Thanks to Aaron for the link.)

The short version: we’ve finally gotten a court case that came out with a ruling I’ve been expecting for a while, saying that there are limits to what you can get away with in blogging.  For a long time, there’s been a tacit assumption among many bloggers that they can say anything, and would be legally invulnerable — they saw that the system treated them as anonymous, and kind of figured that that meant they were untouchable.  This case ruled otherwise: it says that this particular blog crossed the line into defamation (at least, enough so to get a subpoena).  Moreover (and much more seriously), it ruled that Google has to turn over what records it has about the “anonymous” blogger.

Like I said, I’ve been expecting this.  The lines between blogging and publishing have long been blurry, and some blogs are obviously treading in libel territory.  I don’t see any real reason why the court would consider an op-ed column potentially libelous, while ignoring blogs like this.

Is it a good thing or bad?  Hard to say.  Anonymity does have its place, and is occasionally deathly critical; OTOH, 99% of uses of it (at least in the US) are simply venal.  IMO, this is an area where the law really needs to grapple with the problem seriously.  In particular, we need crystal-clear rules for when a “publisher” (such as Google in this case) can be coerced into turning over an anonymous poster’s information.  In this particular case I happen to think that it’s reasonable, but it’s the top of a slippery slope to more questionable requests.

In the meantime, keep in mind that your anonymity is not legally protected, at least not to an absolute degree.  So if it really matters, make sure that your tracks are well enough covered that the publisher’s contact information isn’t enough to track you down.

Opinions?  How do you feel about the legal lines here?  Is the demand to Google reasonable in this instance?  Where would you draw the line?

Trust and Impersonation in social networks

May 20, 2009

[A quick meta-note upfront: I haven’t been posting much lately, because I started a Real Nearly-Full-time Job a few weeks ago.  I’m continuing both CommYou and Art of Conversation, but my time is now much more limited.]

My friend mindways recently posted a link to an interesting but not surprising article about the growth of fraud in social networks.  The idea is quite simple: since Facebook verifies nothing but your email address, it is terribly easy to pretend to be someone else.

I’m not talking about fancy high-tech breaking of security here — it’s simply that, if I was to claim to be Bill Gates, how do you know that I’m not?  (In practice, a quick search turns up a bunch of them.)  More to the point, how do you know whether or not I’m your buddy Jim?  If I have Jim’s picture, and a little of the right biographical information on my profile, I sure look like Jim.  Do you vet your Facebook friends carefully, to see if they are who they say they are?  Would you even really have a way to do so, short of calling Jim and asking if he friended you on Facebook yesterday?

This is all the flipside of the “pseudonymity” question that comes up from time to time.  If you have a lot of persistent information online, that is all strongly linked together in a secure way, that counts as a fairly clear identity — perhaps not an identity linked back to the real world, but an identity.  OTOH, if all you have is a bunch of information about a real world identity, but no secure relationship between that and the online one, you don’t really have anything meaningful.  But most people are still used to thinking in terms of real names and faces, so the gut reaction is to believe the latter more than the former, even though it’s actually much easier to fake.

Curiously, I suspect that LiveJournal is actually less prone to this problem than Facebook is, precisely because it does not use your real name as your handle.  (And many/most people don’t use their picture for their icon.)  This preconditions people to be just a hair more suspicious: there isn’t the knee-jerk, “Oh, look — it’s Jim’s picture so it must be Jim.”  And on LJ, Who You Are is mostly determined by What You Say.  If you post a lot of things that only Jim would say, you’re probably Jim.  But just asserting your identity and friending people is more likely to make them suspicious: there is more burden of proof.

At least, that’s my guess.  I don’t know that anyone’s really studied the matter yet — it would be interesting to see what came out of such a study.

What do you think?  Have you found yourself more apt to simply friend someone on Facebook than on LJ, because they have the right user name and photo?  Do you think the rise of OpenID and other online-identity-linked mechanisms will gradually reduce this threat, by raising expectations of a deeper, richer and more consistent online profile?

Information Shadows, and the Difficulty of Anonymity

March 31, 2009

Chris Herot wrote a very interesting short post yesterday, with some of the ideas coming out of Foo Camp East.  Some of it will be unsurprising to folks here (most of whom, I think, have long since lamented how inadequate the word “friend” is for most social networks), but there are some neat references.

One point isn’t exactly surprising, but worth noting nonetheless: see this PDF, which argues for a formalism of “information shadows”.  (The PDF is 74 pages, but it’s actually not very long — it’s essentially a slide show, in the breezy Head-First style.  The file is large, but it’s mostly pictures.)

The initial argument is that, as we move into a world of ubiquitous computing, it will become more and more essential to have data that corresponds to real-world objects, and therefore we need ways to refer to those objects.  It’s not rocket science — indeed, it’s almost exactly why the URI standard is as ridiculously flexible as it is — but he makes a good argument that steam engine time is here for this idea.

Stick around to the final third of the document, though, which is where it gets really interesting.  He generalizes the concepts of “serials” and “services”, and explores how real-world and digital concepts are mushing together, to produce new models of ownership that simply couldn’t work before ubiquitous computing.  While the facts contained in it are well-known, it shows that there are some new emergent concepts in the air, and we should start thinking about what we can really do with them.

Also, Chris points to a paper that I’m sure will disturb a lot of people here (although, again, I suspect many will be unsurprised).  De-anonymizing Social Networks demonstrates that, if you simply know that somebody is on two different anonymous social networks (they use Twitter and Flickr), you can relate their handles together with a decently high degree of confidence simply by analyzing the topology of the social graph.

I haven’t read the paper in detail yet, so I’m not sure how well it generalizes, but it does illustrate that our cozy notions of anonymity aren’t as secure as we might wish.  Modern data-mining techniques are powerful, and keeping multiple identities truly separate is harder than it looks…