Recently – both in my role as a developer on the Elgg project, and as one of the organisers of Barcamp Transparency – I have found myself having to sign up for a whole bunch of accounts on various sites.

Each one asks me to fill in a profile, and each time I end up repeating myself. I am sick of it. This is the kind of thing OpenID was developed to partially solve; however, I think OpenID is overkill for it.

OpenID (as mentioned elsewhere) has problems and its uptake is declining. I rather think this is because it is trying to do far too much.

Gravatar, on the other hand, is simple and to the point, requires the end user to do very little, and is pretty damn simple to implement from a server point of view.

Could the same approach be used for profile fields? I think yes, and here’s how it might work…

  • First of all, we have a site somewhere which lets a user create an account and fill in their profile fields.
  • The profile comes pre-populated with common labels (name, description, location, interests etc), but lets users add extra fields if they like.
  • The service has a REST-like API at the back end which accepts queries like http://fooprofile.com/api/[field]/[md5 hash of email address]/ and returns a blob of text.
  • When a user creates a new account on bar.com, that site should attempt to pre-populate any profile fields with data from the service based on an md5 hash of their email address. These can of course be overridden locally.
  • Periodically bar.com should update its fields via the API, unless the user has overridden the profile field (or has otherwise selected not to do so).
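The scheme sketched above, as an added example that is not part of the original post: a client that derives the Gravatar-style md5 identifier from the email address, builds the hypothetical fooprofile.com field URL, and pre-populates or refreshes local profile fields while leaving any field the user has overridden untouched. The HTTP fetch is abstracted behind a callable, with a constructed in-memory stand-in for the provider so the code runs offline.

```python
import hashlib
from typing import Callable, Dict, List, Optional

# Gravatar-style identifier: trim, lowercase, then md5 hex. The hash only
# obscures the address; anyone holding the address can recompute it, so it
# is a lookup key, not a secret.
def email_hash(email: str) -> str:
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()

def field_url(provider: str, field: str, email: str) -> str:
    # Mirrors the sketched scheme: http://fooprofile.com/api/[field]/[md5]/
    return f"http://{provider}/api/{field}/{email_hash(email)}/"

# The fetcher abstracts the HTTP GET so the sync logic can run offline; a
# real client would wrap urllib/requests and return None on a 404.
Fetcher = Callable[[str], Optional[str]]

def sync_profile(local: Dict[str, dict], fields: List[str], provider: str,
                 email: str, fetch: Fetcher) -> Dict[str, dict]:
    """Pre-populate or refresh fields the user has not overridden.
    local maps field -> {"value": str, "overridden": bool}."""
    for field in fields:
        entry = local.setdefault(field, {"value": "", "overridden": False})
        if entry["overridden"]:
            continue  # keep the local edit; never clobber it on refresh
        remote = fetch(field_url(provider, field, email))
        if remote is not None:
            entry["value"] = remote
    return local

# Constructed stand-in for fooprofile.com (hypothetical provider) so the
# example runs offline: one known user, two populated fields.
_FAKE_STORE = {"name": "Alice Example", "location": "Oxford"}

def fake_fetch(url: str) -> Optional[str]:
    parts = url.rstrip("/").split("/")
    field, digest = parts[-2], parts[-1]
    if digest != email_hash("Alice@Example.com"):
        return None  # unknown hash: behave like a 404
    return _FAKE_STORE.get(field)

if __name__ == "__main__":
    # User already edited "location" locally, so only "name" is pulled in.
    profile = {"location": {"value": "London", "overridden": True}}
    print(sync_profile(profile, ["name", "location", "interests"],
                       "fooprofile.com", " alice@example.com ", fake_fetch))
```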

Crucially with this light method, the user experience of the site remains pretty much unchanged and all the hard work is done magically in the background.

I also think that there is no need to specify what fields constitute a profile. The semantics of this will likely evolve naturally over time and there is no way to predict what extra fields will be needed. You wouldn’t dictate what tags someone would use, so why dictate profile fields?

In phase two of this you could easily imagine using OAuth to decide which fields a site has access to.

You could also imagine multiple providers being possible (providing the API was consistent). So when a user signs in to bar.com they are asked who their provider is – they could select fooprofile.com or wibbleprofile.co.uk or any other provider. This would keep OpenID’s distributed nature, but without confusing the user too much – a URL is always a URL in this model.

So all that leaves is the single point authentication aspect as a distinct and separate problem, and one which must be solved in a way that is transparent to the user – perhaps an encrypted and public key authenticated token exchange using a similar technology as the above?

Just pondering…

Update: I have bashed together an example of the sort of thing I was talking about over here: http://skunk.marcus-povey.co.uk/aer/

Yesterday I spent a fantastic day down at the university club attending the much anticipated Oxford Barcamp.

I can honestly say that the whole event came as an invigorating breath of fresh air and I want to say a great big thank you to all those who helped organise the event – as well as all those who attended!

For the uninitiated the first rule of Barcamp is that everyone needs to get involved which leads to some very exciting, sometimes heated, but always useful discussions.

One of the things that I am particularly excited about is the support there was for doing a Transparency camp in the UK… so much so that it’s actually happening!

The whole event has left me energised and enthusiastic. I have a stack of people I need to contact and a stack of really cool projects to read up on.

This is how conferences should be.

Anyone who has spoken to me for more than a few minutes knows that I am very much a civil libertarian at heart, and believe that the so called compromise between freedom and security is one of the worst kinds of politically motivated false dichotomy.

Having grown up under the threat of IRA bombings and Soviet nuclear annihilation, I honestly don’t feel terribly threatened by a bunch of disgruntled religious fundamentalists – despite government assurances that they are the deadliest thing since the Ebola virus.

The UK government’s latest crackpot plan to spy on its population – the announcement that, along with monitoring all Internet usage, phone and SMS communication (including content via deep packet inspection), they plan to monitor social networking sites such as Facebook – comes as no real surprise, but has made a bit of a splash in the tech press and even made it onto the BBC.

The government has of course made the usual assurances that it is necessary to combat the threat posed by [terrorists/criminals/paedophiles/tax dodgers (delete as appropriate)] and that they won’t be looking at the content – just who is talking to who (bringing us back into the Stalinist purge era fallacy of “guilt by association”).

However, other than being an example of the ongoing salami slicing of the privacy and hard won freedoms necessary for the proper running of a healthy democracy, I don’t believe that Facebook monitoring or even Streetview are in themselves the greatest threats to our life and liberty. Certainly when compared to all the other countless and more sinister intrusions into our liberties that the government is undertaking.

Indeed, the coverage this is getting may start to draw people’s attention to the fact that these networks are public and indeed anything that you put on the internet should be thought of as publishing. It is quite likely that it won’t be just your friends who see that unfortunate drunken picture of you, or your iPhone-reported GPS location.

What is worrying is what the prevailing governmental attitude means for the social media and tech industry as a whole, which seems to be “regulate and control first, think later”.

What this measure does is add another expensive regulatory overhead (in this case archiving and logging user interaction to be sent to the government) to what is one of the few potential areas of growth in the UK economy – despite the recession, lack of government support for small business, ruinously expensive cost of hosting, the UK’s crippling tax regime (both business and personal), and its hidebound attitude to innovation.

The combined effect is that anyone who is going to be hosting a social network (or even starting a business) is going to be doing so overseas – increasing the already frightening flow of capital and talent out of the UK economy. Surely what we should be doing, especially in the current economic climate, is encouraging the growth of small business and an innovation culture rather than smothering it with expensive and unnecessary regulation?

Of course this was all conceived to appear to be Doing Something, and to target the big established networks. These networks would be told that in order for them to do business in the UK they must submit to this regulation – but this too could backfire.

As YouTube’s recent decision to block UK access to music videos goes some way to illustrate, the UK market is simply too small for us to be throwing our weight around in this way.

We are not China, and many companies are perfectly prepared to forego a slice of the UK market if they can make more money elsewhere and with far smaller overheads. Therefore we will likely be destroying a much needed area of growth in the fatally crippled UK economy for no reason whatsoever.

That is unless you buy into the idea that this will catch the mystical terrorist boogeyman – at least the ones who are smart enough to pose a real threat – who I imagine would use another method of communication… like for example, sending a letter.

Image: ‘One nation under CCTV’ taken by Mayu