Interesting stuff from around the web 2009-01-25

I'm going to be a daddy -- w00t!

Some nice publicity for the BBC music site

BBC’s Semantic Music Project [ReadWriteWeb]
“As more projects like this take advantage of the publicly available metadata available, the beginnings of a real semantic web can finally take root.” What a nice thing to say.

BBC Artists: Getting down with semantic Web [CNET UK]
BBC’s new music site gets a great write-up on CNET. But why is it that there appears to be an inverse relationship between distance from the team and an understanding of the project’s importance and benefit?

More good news…

Twitter can has OAuth? [factoryjoe.com]
Twitter API lead Alex Payne announced today that Twitter is now accepting applications to its OAuth private beta, making good on the promises he made on the Twitter API mailing list and had repeated on the January 8 Citizen Garden podcast.

Obama’s agenda for technology [whitehouse.gov]
“Protect the Openness of the Internet: Support the principle of network neutrality to preserve the benefits of open competition on the Internet.” I find the fact that this is his first agenda point in “ensuring the full and free exchange of ideas through an open Internet and Diverse Media Outlets” surprising (for a politician) but truly wonderful.

Cool…

Harder, better, faster, stronger [digital urban]
“David Hubert wanted to make a video of London but he didn’t have a camcorder, so he took pictures instead. In fact he took more than 3000 pictures and put them all together into a video lasting less than 2 minutes with excellent results”

Identity, relationships and why OAuth and OpenID matter

Twitter hasn’t had a good start to 2009: it was hacked via a phishing scam, and then there were concerns that your passwords were up for sale, which is not a good thing. There may be a silver lining to Twitter’s cloud, though, because the episode has also reopened the password anti-pattern debate and the case for OAuth as a solution to the problem. Indeed, it now looks like Twitter will be implementing OAuth as a result. W00t!

Day 68 :: touch by Meredith Farmer (Flickr). Some rights reserved.

However, while it is great news that Twitter will be implementing OAuth soon, they haven’t yet, and there are plenty of other services that don’t use it. It’s therefore worth pausing for a moment to consider how we got here and what the issues are, because while OAuth will be great when it arrives, the situation right now is a bit rubbish.

We shouldn’t assume that either Twitter or the developers responsible for the third-party apps (those requesting your credentials) are trying to do anything malicious — far from it — as Chris Messina explains:

The difference between run-of-the-mill phishing and password anti-pattern cases is intent. Most third parties implement the anti-pattern out of necessity, in order to provide an enhanced service. The vast majority don’t do it to be malicious or because they intend to abuse their customers — quite the contrary! However, by accepting and storing customer credentials, these third parties are putting themselves in a potentially untenable situation: servers get hacked, data leaks and sometimes companies — along with their assets — are sold off with untold consequences for the integrity — or safety — of the original customer data.

The folks at Twitter are very aware of the risks associated with their users giving out usernames and passwords. But they also have concerns about the fix:

The downside is that OAuth suffers from many of the frustrating user experience issues and phishing scenarios that OpenID does. The workflow of opening an application, being bounced to your browser, having to login to twitter.com, approving the application, and then bouncing back is going to be lost on many novice users, or used as a means to phish them. Hopefully in time users will be educated, particularly as OAuth becomes the standard way to do API authentication.

Another downside is that OAuth is a hassle for developers. BasicAuth couldn’t be simpler (heck, it’s got “basic” in the name). OAuth requires a new set of tools. Those tools are currently semi-mature, but again, with time I’m confident they’ll improve. In the meantime, OAuth will greatly increase the barrier to entry for the Twitter API, something I’m not thrilled about.

Alex also points out that OAuth isn’t a magic bullet.

It also doesn’t change the fact that someone could sell OAuth tokens, although OAuth makes it easier to revoke credentials for a single application or site, rather than changing your password, which revokes credentials to all applications.

This doesn’t even begin to address the phishing threat that OAuth encourages – its own “anti-pattern”. Anyone confused about this would do well to read Lachlan Hardy’s blog post about this from earlier in 2008: http://log.lachstock.com.au/past/2008/4/1/phishing-fools/.

All these are valid points (and Ben Ward has written an excellent post discussing the UX issues and options associated with OAuth), but they also miss something very important: you can’t store someone’s identity without having a relationship.

Digital identities exist to enable human experiences online, and if you store someone’s identity you have a relationship with them. So when you force third-party apps into collecting usernames and passwords (or any other snippet of someone’s identity) you force those users into a relationship with that company, whether or not the individual or the company wants one.

With technology we tend not to enable trust in the way most people use the term. Trust is based on relationships. In close relationships we make frequent, accurate observations that lead to better understanding, but this process requires investment and commitment. That said, a useful, good relationship provides value for all parties. Jamie Lewis has suggested that there are three types of relationship (on the web):

  1. Custodial Identities — identities are directly maintained by an organisation and a person has a direct relationship with the organisation;
  2. Contextual Identities — third parties are allowed to use some parts of an identity for certain purposes;
  3. Transactional Identities — credentials are passed for a limited time for a specific purpose to a third party.

Of course there are also some parts to identity which are shared and not wholly owned by any one party.

This mirrors how real-world identities work. Our banks, employers and governments maintain custodial identities, whereas a pub validating your age before serving alcohol need only have a yes/no question answered: are you over 18?

Twitter acts as a custodian for part of my online identity, and I don’t want third-party applications that use the Twitter API to act as custodians too, but the lack of OAuth support means that, whether I or they like it, they have to. They should only hold my transactional identity. Forcing them to hold a custodial identity places both parties (me and the service using the Twitter API) at risk and places unnecessary costs on the third-party service, whether they realise it or not.

But, if I’m honest, I don’t really want Twitter to act as Custodian for my Identity either — I would rather they held my Contextual Identity and my OpenID provider provided the Custodial Identity. That way I can pick a provider I trust to provide a secure identity service and then authorise Twitter to use part of my identity for a specific purpose, in this case micro-blogging. Services using the Twitter API then either use a transactional identity or reuse the contextual identity. I can then control my online identity, those organisations that have invested in appropriate security can provide Custodial Identity services and an ecosystem of services can be built on top of that.
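As an added example (not code from the original post, nor Twitter’s own), here is what the OAuth exchange Alex describes above reduces to on the wire once the user has approved an application, and why it supports the transactional-identity argument: the client signs each API request with HMAC-SHA1 over a canonical base string (RFC 5849, the OAuth 1.0a signing Twitter adopted), the provider checks signature, timestamp and nonce, and because each application holds its own token the provider can revoke one application without the user changing a password. The host api.example.test, all keys, and the Provider class are assumed for the example; the browser round trip for approval is simulated by the grant() call, and that redirect is exactly where the phishing worry lives, which signatures do nothing about.

```python
"""OAuth 1.0a request signing (RFC 5849) plus a toy provider that issues one
revocable token per application, so a third party never holds the password.
Added example, not code from the original post or from Twitter; every key,
host and URL here is constructed for illustration."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

def pct(value):
    """RFC 5849 s3.6 percent-encoding: only unreserved characters stay bare."""
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    """RFC 5849 s3.4.1: METHOD & encoded URL & encoded, sorted parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalised)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """RFC 5849 s3.4.2: HMAC-SHA1 keyed with 'consumer_secret&token_secret'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def sign_request(method, url, params, consumer_key, consumer_secret, token, token_secret):
    """Client side: add the oauth_* protocol parameters, then sign the lot."""
    signed = dict(params)
    signed.update({"oauth_consumer_key": consumer_key, "oauth_token": token,
                   "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
                   "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8)})
    base = signature_base_string(method, url, signed)
    signed["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return signed

class Provider:
    """Toy service provider (the Twitter side). Secrets never leave this object
    and no application is ever given the user's password."""

    def __init__(self, window=300):
        self.consumers = {}   # consumer_key -> consumer_secret
        self.tokens = {}      # access token -> (token_secret, consumer_key, user)
        self.seen = set()     # (consumer_key, timestamp, nonce) already accepted
        self.window = window  # tolerated clock skew in seconds

    def register_app(self):
        key, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.consumers[key] = secret
        return key, secret

    def grant(self, user, consumer_key):
        """Issued once the user has approved the app in their browser."""
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[token] = (secret, consumer_key, user)
        return token, secret

    def revoke(self, user, consumer_key):
        """Withdraw one app's access; the user's other apps are untouched."""
        for t, (_, ck, u) in list(self.tokens.items()):
            if u == user and ck == consumer_key:
                del self.tokens[t]

    def verify(self, method, url, params):
        """Return the acting user for an authentic, fresh request, else None."""
        p = dict(params)
        sig = p.pop("oauth_signature", None)
        consumer_secret = self.consumers.get(p.get("oauth_consumer_key"))
        record = self.tokens.get(p.get("oauth_token"))
        if sig is None or consumer_secret is None or record is None:
            return None
        token_secret, consumer_key, user = record
        if consumer_key != p["oauth_consumer_key"]:
            return None  # token was issued to a different application
        ts = p.get("oauth_timestamp", "")
        if not ts.isdigit() or abs(time.time() - int(ts)) > self.window:
            return None  # missing or stale timestamp
        replay = (consumer_key, ts, p.get("oauth_nonce"))
        if replay in self.seen:
            return None  # nonce already accepted: replay
        base = signature_base_string(method, url, p)
        expected = hmac_sha1_signature(base, consumer_secret, token_secret)
        if not hmac.compare_digest(expected, sig):
            return None  # forged or tampered request
        self.seen.add(replay)
        return user

def demo():
    """Two apps authorised by 'alice'; revoking one leaves the other working."""
    twitter = Provider()
    url = "https://api.example.test/1/statuses/update.json"  # constructed host
    app1, app2 = twitter.register_app(), twitter.register_app()
    tok1, tok2 = twitter.grant("alice", app1[0]), twitter.grant("alice", app2[0])
    req1 = sign_request("POST", url, {"status": "hello"}, *app1, *tok1)
    first = twitter.verify("POST", url, req1)
    twitter.revoke("alice", app1[0])
    req1b = sign_request("POST", url, {"status": "again"}, *app1, *tok1)
    req2 = sign_request("POST", url, {"status": "hi"}, *app2, *tok2)
    return first, twitter.verify("POST", url, req1b), twitter.verify("POST", url, req2)
```

Calling demo() returns ('alice', None, 'alice'): the first application works until it is revoked, and the second is unaffected. With BasicAuth the only way to cut off one misbehaving application is to change the password, which cuts off all of them, and the leaked credential is the password itself rather than a per-app token. The timestamp window and nonce set are the provider-side checks that keep a captured signed request from being replayed indefinitely; they are not part of the page's argument but any real provider needs them.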

UPDATE

Just wanted to correct a couple of mistakes, as pointed out by Chris, below:

1. Twitter was hacked with a dictionary attack against an admin’s account. Not from phishing, and not from a third-party’s database with Twitter credentials.
2. The phishing scam worked because it tricked people into thinking that they received a real email from Twitter.

Neither OpenID nor OAuth would have prevented this (although that’s not to say Twitter shouldn’t implement OAuth). Sorry about that.

How to help the network effect

Following my recent post considering BBC public value in the online world I was asked to write a piece for the BBC’s internal staff paper ariel. Here it is:

Front cover of ariel

IF YOU READ the BBC’s internet blog you will know that we are considering the use of OpenID, an interesting, though widely misunderstood, technology that could benefit everyone using the web by extending the generative nature of the web.

Technologies such as OpenID and its sister technology OAuth, and techniques such as Linked Data, provide benefits that the BBC should be helping the web at large to adopt.

It might seem a bit geeky and not something that most people get right now, but then almost nobody gets Transport Layer Security either, and I’m pleased that hasn’t stopped my bank implementing it; most people don’t understand HTTP but we all use it. The BBC could help foster the adoption of these technologies for the benefit of the web at large by adopting them, by promoting best practice and by actively engaging in their development.

Tim Berners-Lee, creator of the web, has proposed a set of simple rules ‘to do the web right’ to achieve a semantically interlinked web of resources, accessible to man and machine. These rules are known as Linked Data.

But how does following these principles help the BBC? And how does that help the web at large? How does it add public value? The short answer is that it provides a platform for others to build upon, and gives our audience a more coherent user experience.

If data is unconnected (as most of bbc.co.uk is) it is likely that those websites, and the journeys across them, will be incoherent. The web’s power comes from being interconnected, and the value of any piece of content online is greatly enhanced by being interconnected. This is due to the network effect, the classic example being the telephone: the more people who own a telephone, the more valuable each telephone becomes, because adding a telephone to the network makes every other telephone more useful. Adding semantically meaningful links to the web adds context and allows others to discover more information.

For example, by building bbc.co.uk/programmes and bbc.co.uk/music/beta in this fashion the new artist pages will become more useful by being joined to programmes – directly linking artist pages to those episodes that feature that artist. And the network effect goes both ways. Linking artists to programmes makes the programme pages more valuable – because there is more context, more discovery and more serendipity. The network effect really explodes once programmes and music are joined to the rest of the web.

The BBC has a role beyond its business needs because it can help create public value around useful technologies – and around its content for others to benefit.