Missing the point

Like most of you (probably), I’ve been reading the news around Google Buzz with interest. At this point, the regular as clockwork announcements from Google are treated somewhat routinely by the various technology blogs. Google announced foo, competitor bar says this and expert John Doe says that. Bla bla bla, revolutionary, bla bla similar to bla, bla. Etc. You might be tempted to dismiss Buzz as yet another Google service doomed to be ignored by most users. And you’d be right. Except it’s easy to forget that most of those announcements actually do have some substance. Sure, there have been a few less than exciting ones lately and not everything Google touches turns into gold but there is some genuinely cool stuff being pushed out into the world from Mountain View on a monthly, if not more frequent, basis.

So this week it’s Google Buzz. Personally, I think Buzz won’t last. At least not in its current Gmail-centric form. Focusing on Buzz is missing the point however. It will have a lasting effect similar to what happened with RSS a few years back. The reason is very simple: Google is big enough to cause everybody else to implement their APIs, even if Buzz is not going to be a huge success. They showed this with OpenSocial, which world + dog now implements, despite it being very unsuccessful in user space. Google Wave, same thing so far. The net effect of Buzz and the APIs that come with it will be internet-wide endorsement of a new real-time notification protocol, PubSubHubbub. In effect this will take Twitter (already an implementer) to the next level. Think PubSubHubbub sinks and sources all over the internet and absolutely massive traffic between those sources and sinks. Every little internet site will be able to notify the world of whatever updates it has, and every person on the internet will be able to subscribe to such notifications directly, or more importantly, indirectly through whichever other websites choose to consume, funnel and filter those notifications on their behalf. It’s so easy to implement that few will resist the temptation to do so.

Buzz is merely the first large scale consumer of PubSubHubbub notifications. FriendFeed tried something similar with RSS, was bought by Facebook and successfully eliminated as a Facebook competitor. However, PubSubHubbub is the one protocol that Facebook won’t be able to ignore. For now they seem to stick with their closed everything model. This means there is Facebook and the rest of the world and well guarded boundaries between those. As the rest of the world becomes more interesting in terms of notifications, keeping Facebook isolated as it is today will become harder. Technically, there are no obstacles. The only reason Facebook is isolated is because it chooses to be isolated. Anybody who is not Facebook has a stake in committing to PubSubHubbub to be able to compete with Facebook. So Facebook becoming a consumer of PubSubHubbub type notifications is a matter of time, if only because it will simply be the easiest way for them to syndicate third party notifications (which is their core business). I’d be very surprised if they hadn’t got something implemented already. Facebook becoming a source of notifications is a different matter though. The beauty of the whole thing is that the more notifications originate outside of Facebook, the less this will matter. Already some of their status updates are simply syndicated from elsewhere (e.g. mine go through Twitter). Facebook is merely a place people go to see an aggregated view on what their friends do. It is not a major source of information, and ironically the limitations imposed by Facebook make it less competitive as such.

So, those dismissing Buzz for whatever reason are missing the point: it’s the APIs, stupid! Open APIs, unrestricted syndication and aggregation of notifications, events, status updates, etc. It’s been talked about for ages, and it’s about to happen in the next few months. First thing to catch up will be those little social network sites that almost nobody uses but collectively are used by everybody. Hook them up to Buzz, Twitter, etc. Result: more detailed event streams popping up outside of Facebook. Eventually people will start hooking up Facebook as well, with or without the help of Facebook. By this time endorsement will seem like a good survival strategy for Facebook.
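The sink side of the sources-and-sinks picture above is where the security work happens: a subscriber that accepts any POST on its callback URL as a feed update is an open relay for forged notifications. The following is an added example (not code from the original post, and not Google’s or Twitter’s implementation) of the two checks a PubSubHubbub 0.3 subscriber has to make: echoing hub.challenge only for subscriptions it actually requested, and verifying the X-Hub-Signature HMAC on delivered content. The topic URLs, secrets and verify tokens are constructed sample data, and it is assumed that each subscription gets its own callback URL so that the topic of an incoming POST is known.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Subscriptions this sink has already requested from a hub, keyed by topic URL.
# "secret" is the hub.secret we sent when subscribing; "verify_token" is our own
# opaque nonce so that a hub's verification GET can be tied back to a request
# we really made. Constructed sample data, not real hubs or feeds.
SUBSCRIPTIONS = {
    "http://feed.example/updates.atom": {
        "secret": b"per-subscription-secret-shared-with-hub",
        "verify_token": "v-7f3a",
    },
}


def handle_verification(query_string):
    """Answer the hub's subscription verification GET on our callback URL.

    Returns (http_status, response_body). PubSubHubbub 0.3 requires the
    subscriber to echo hub.challenge with a 200 for a subscription it
    recognises and to return 404 otherwise; the hub treats anything else
    as a failed verification.
    """
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    mode = params.get("hub.mode")
    topic = params.get("hub.topic")
    challenge = params.get("hub.challenge")
    token = params.get("hub.verify_token", "")
    if mode not in ("subscribe", "unsubscribe") or not challenge or not topic:
        return 400, ""
    sub = SUBSCRIPTIONS.get(topic)
    # Unknown topic or wrong verify token: either a hub acting on a request we
    # never made, or someone trying to register a subscription in our name.
    # Refuse rather than echo the challenge.
    if sub is None or not hmac.compare_digest(sub["verify_token"], token):
        return 404, ""
    return 200, challenge


def sign_body(secret, body):
    """X-Hub-Signature value a hub sends when the subscription has a hub.secret."""
    return "sha1=" + hmac.new(secret, body, hashlib.sha1).hexdigest()


def handle_notification(topic, headers, body):
    """Accept a content-distribution POST only if its HMAC checks out.

    `topic` is assumed to be known from the callback URL the POST arrived on.
    `body` must be the raw request bytes: the signature covers the bytes as
    sent, so never re-serialise the feed before checking. Returns True if
    the body may be trusted.
    """
    sub = SUBSCRIPTIONS.get(topic)
    if sub is None:
        return False
    sig = headers.get("X-Hub-Signature", "")
    if not sig.startswith("sha1="):
        # A hub that knows our secret always signs; an unsigned POST is either
        # not from that hub or a downgrade attempt. Reject it.
        return False
    expected = sign_body(sub["secret"], body)
    # Constant-time comparison so the check does not leak the expected value.
    return hmac.compare_digest(sig, expected)


if __name__ == "__main__":
    q = ("hub.mode=subscribe&hub.topic=http%3A%2F%2Ffeed.example%2Fupdates.atom"
         "&hub.challenge=c9f2&hub.lease_seconds=86400&hub.verify_token=v-7f3a")
    print(handle_verification(q))
    body = b"<feed xmlns='http://www.w3.org/2005/Atom'><entry/></feed>"
    secret = SUBSCRIPTIONS["http://feed.example/updates.atom"]["secret"]
    print(handle_notification("http://feed.example/updates.atom",
                              {"X-Hub-Signature": sign_body(secret, body)}, body))
```

The verify token is what stops a third party from subscribing your callback to topics you never asked for (and then flooding it), and the signature is what stops anyone who can reach your callback URL from injecting entries into a feed you trust. Neither check is optional once the sink is reachable from the whole internet.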

What Apple Knows That Facebook Doesn’t

BusinessWeek has an interesting article on the economics of platforms. Interesting, but flawed. They compare two platforms (Facebook, and Apple’s mobile platform). The argument goes roughly as follows: Apple is using its platform to create a new market by being open and Facebook is using traditional methods of using the market as a control point. Apple is creating an open market and Facebook is making an open market more closed. The author even goes as far as to associate the keywords good and evil here.

The article is flawed because in fact Apple is not creating an open market. They have been removing applications that don’t fit their business model (e.g. anything VOIP related) and are still keeping people from writing about the APIs because the NDA has not been lifted yet. Apple is acting as a dictator here. That it is a mostly benevolent one doesn’t matter. It doesn’t sound very open to me in any case. Or very new.

Sure, their platform is pretty nice and their online shop pretty usable. That’s definitely disruptive to the mobile industry, which is not used to good quality platforms and well designed use-cases such as online shops for applications. However, there’s a pretty big market for mobile applications and most people writing for the iPhone don’t do so exclusively and instead target multiple mobile platforms. You can download several VOIP applications for S60, Windows Mobile and other platforms, as well as numerous games, productivity apps, etc. Then there is J2ME of course with a few billion phones in the market right now. You might say it is crappy but it has a huge reach. Incidentally, Apple also blocks components from their shop that would enable people to run J2ME applications, since an open source Java platform was in fact ported long before Apple even ‘opened’ up their platform. That’s right, a good old case of reverse engineering. Apple’s platform is quite unique in the sense that people were developing for it long before Apple decided to hand out developer kits.

Facebook indeed is also not very open but they were first to a market that they created, which is pretty big by now. As a viral way of spreading new services to users it is pretty much unrivaled so far. It is Google that has created competition for more openness with their OpenSocial platform, which is in many ways similar but has open specifications and may be implemented freely by other social networks. Both Google and Facebook have a very similar centralized identity model that is designed to lock users into their respective platforms (Google Friend Connect & Facebook Connect). Google is maybe being somewhat smarter about it but they are after the same things here: making sure traffic flows through their services so that they can sell ads.

So, Facebook’s model is advertisement driven and Apple’s business is operator driven. Apple makes most of their money from deals with operators who subsidize iPhones and give Apple a share of the subscription revenue. That’s brilliant business and Apple protects it by removing any application from their shop that has conflicting interests with this revenue stream.

However, the key point of the article, that the platform serves as a market creation tool, is interesting. Apple managed to create an impressive amount of revenue (relative to their tiny market share of the overall mobile market) and Facebook has managed to create a huge market for Facebook applications. Both are being challenged by competitors who have no choice but to be more open.

Interestingly, Google is competing on both fronts and can be seen as the primary threat to both Apple and Facebook’s platforms. Google could end up opening up the mobile market for real because it is not protecting any financial interests there but instead are trying to spawn a mobile internet market. Android is designed from the ground up to do just that. It needs to be good enough for developers, users and operators and Google has worked hard to balance interests enough so as to not alienate any of these.

All three are fighting for the favours of developers. Developers, developers, developers! (throws chair across the room & jumps like a monkey). That too is not new although Microsoft seems to have forgotten about them lately.

Indie Social Networking

I have this page elsewhere on this site where I try to keep track of various accounts I have with social networks and other sites. I updated it earlier today with some interesting additions.

It seems decentralized social networking is finally starting to happen. It’s all very low profile now but promising. It all started somewhere last week when I noticed that one of my colleagues, John Kemp, was now micro blogging via something called identi.ca. I noticed this because his status in Skype was telling me. Since we share similar interests in things like OpenID and a few other things, I decided to check it out. I never really bought into this Twitter stuff and gave up on updating my Facebook status regularly a long time ago. But this identi.ca looks rather cool, so I signed up.

It’s basically twitter minus some features (not yet implemented) with a few interesting twists:

  • You can sign in using OpenID
  • It’s open source. The software identi.ca is based on is called laconi.ca.
  • It’s completely open. It has all the hooks and obvious protocols implemented. For example, I microblog using an identi.ca contact in my Jabber client (Pidgin) over XMPP. There’s RSS and probably some more stuff.
  • Your friends info is available as FOAF, thus enabling Google’s Social Graph search to work with the data there and in other places (like e.g. your wordpress linkdump).
  • It’s decentralized, you can have laconi.ca friends on different servers. Like email, there is no need for everybody to be on the same server.
  • It’s written in PHP, so you can probably install it on any decent hosting provider. You can now run your own microblog just like you can run your own blog.

Of course being low profile, there’s only the usual suspects active: i.e. people like me.

A second interesting site I bumped into is whoisi.com. It’s basically friendfeed or similar sites with a few interesting twists:

  • You don’t have to sign in or register. You just start using it.
  • In fact you can’t sign in and there’s little need because whoisi creates a nice account for you on the fly that you can access using the cookie it sets automatically or a url you can bookmark.
  • You can follow any person on the web and associate feeds with that person.
  • There’s no concept of your profile on whoisi. It’s simply a tool for following people, anonymously. They don’t even have to use whoisi in order for you to follow them.

It’s run by Christopher Blizzard who works at Mozilla. I’m not sure if he is doing this in his spare time or if this has a bigger Mozilla labs plan behind it. Either way, he’s a cool guy with good ideas obviously. Since whoisi didn’t know about me yet, I ended up following myself, which feels slightly hedonistic, and added most of the interesting feeds. Including of course my identi.ca feed.

It occurs to me that using identi.ca’s FOAF and Google’s Social Graph search, whoisi should be able to automatically find websites related to a person from a single url by just following the rel=me links that Google can produce and then any friends from the rel=friend links. Check out what Google finds out about me from providing www.jillesvangurp.com here.

This hooking up of simple building blocks is exactly the point of the decentralized social network. It’s nice to see some useful building blocks emerge that work towards making this happen. Basically, all the necessary building blocks are there already. From a single link it is possible to construct a very detailed view of what your friends are doing all over the web fully automatically. True all this is still a bit too difficult for the average user right now but I imagine that a bit of search and discovery magic would go a long way to making this just work on a lot of sites.
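Walking rel="me" and XFN links from a single URL is the mechanism the previous two paragraphs describe. The one check a practitioner needs before treating the result as "this person’s sites" is reciprocity: a page that says rel="me" about someone else proves nothing, but two pages that each point at the other with rel="me" are under the same control. The code below is an added example written for this post (it is not Google’s Social Graph API, nor anything from whoisi or identi.ca) that crawls a handful of constructed, in-memory HTML pages under fictional hostnames, accepts only reciprocal rel="me" identities, and collects XFN friend/contact links from those pages. The `fetch` callable, the `PAGES` dictionary and the page contents are all assumptions for the example.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin


class _RelLinks(HTMLParser):
    """Collect (rel tokens, absolute href) from <a> and <link> elements."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        a = dict(attrs)
        href, rel = a.get("href"), a.get("rel")
        if href and rel:
            self.links.append((set(rel.lower().split()), urljoin(self.base_url, href)))


def rel_links(url, html):
    parser = _RelLinks(url)
    parser.feed(html)
    return parser.links


def build_graph(start_url, fetch, max_pages=50):
    """Return (identities, friends) reachable from start_url.

    Crawls rel="me" links (bounded by max_pages) and keeps only reciprocal
    ones: page B counts as the same person as A only if A links to B with
    rel="me" and B links back to an already accepted identity with rel="me".
    Friends are XFN rel="friend"/"contact" targets on accepted identity pages.
    `fetch(url)` returns the page HTML or None.
    """
    claims = {}            # page -> set of pages it claims as "me"
    friend_links = {}      # page -> set of XFN friend/contact targets
    queue = deque([start_url])
    while queue and len(claims) < max_pages:
        url = queue.popleft()
        if url in claims:
            continue
        html = fetch(url)
        claims[url] = set()
        friend_links[url] = set()
        if html is None:
            continue
        for rels, href in rel_links(url, html):
            if "me" in rels:
                claims[url].add(href)
                if href not in claims:
                    queue.append(href)
            if rels & {"friend", "contact"}:
                friend_links[url].add(href)
    # Grow the identity set to the fixpoint of reciprocal rel="me" edges.
    identities = {start_url}
    changed = True
    while changed:
        changed = False
        for page in list(identities):
            for target in claims.get(page, ()):
                if target not in identities and identities & claims.get(target, set()):
                    identities.add(target)
                    changed = True
    friends = set()
    for page in identities:
        friends |= friend_links.get(page, set())
    return identities, friends


# Constructed pages standing in for the real web; none of these hosts exist.
PAGES = {
    "https://alice.example/": (
        '<a rel="me" href="https://micro.example/alice">my microblog</a>'
        '<a rel="me" href="https://typo.example/alice">mistyped link</a>'
        '<a rel="friend met" href="https://bob.example/">Bob</a>'
    ),
    "https://micro.example/alice": (
        '<link rel="me" href="https://alice.example/">'
        '<a rel="contact" href="https://carol.example/">Carol</a>'
    ),
    # Alice's page links here by mistake; this page does not link back, so it
    # is not merged into her identity and its own claims are ignored.
    "https://typo.example/alice": '<a rel="me" href="https://mallory.example/">me</a>',
}


def demo():
    return build_graph("https://alice.example/", PAGES.get)
```

Without the reciprocity rule, a single mistyped or malicious rel="me" link would merge a stranger’s pages, and everything they link to, into the view you build of a person.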

OpenID 2.0 and concerns about it

It seems JanRain is finally readying the final version of OpenID 2.0. There’s a great overview of some concerns that I mostly share on readwriteweb.com. Together with another recent standard (OAuth), OpenID 2.0 could be a huge step forward for web security and privacy.

Let’s start with what OpenID is about and why, generally, it is a good idea. The situation right now on the web is that:

  • Pretty much every web site has its own identity solution. This means that users have to keep track of dozens of accounts. Generally users have only one or two email addresses so in practice that means most of these accounts are actually tied to one email account. Imagine someone steals your Gmail password and starts scanning your mail for all those nice account activation mails you’ve been getting for years. Hint: “mail me my password”, “reset my password”. In short, the current situation has a lot of security risks. It’s basically all the downsides of a centralized identity solution without any of the advantages. There are many valid concerns about using OpenID related to e.g. phishing. However, what most people overlook is that the current situation is much worse and also that many OpenID providers actually address the concerns by implementing various technical solutions and security practices. For example myopenid.com and VeriSign employ very sophisticated technologies that you won’t find on many websites where you would happily provide your credit card number. There is no technical reason whatsoever why OpenID providers can’t use the same or better authentication mechanisms as you probably use with your bank already.
  • While technically some websites could work together on identity, very few do and the ones that do tend to have very strong business ties (e.g. banks, local governments, etc.). This means that in most cases, reusable identity is only usable on a handful of partner sites. Google, Microsoft, and Yahoo are great examples. They each have partner programs that allow external parties to authenticate people with them. Only problem: almost nobody seems to do that. So reality check: OpenID is the only widespread single sign on solution on the web. There is nothing else. All the other stuff is hopelessly locked into commercial verticals. Microsoft has been trying for years to get their password solution to do what OpenID is doing today. They failed miserably so far.
  • Web sites are increasingly dependent on each other. Mashups started as an informal thing where site A used an API from site B and did something nice with it. Now these interactions are getting much more complex. The number of sites involved in typical mashups is increasing and the amount of privacy sensitive data flying around in these mashups is also increasing. A very negative pattern that I’ve seen on several sites is the “please provide your gmail/hotmail/yahoo user password and we’ll import your friends” type feature. Do you really want to share your years of private email conversations with a startup run in a garage in California? Of course not! This is not a solution but a cheap hack. The reality is that something like OpenID + OAuth is really needed because right now many users are putting themselves in danger by happily providing their username and passwords.
  • Social networks like Facebook authenticate people for the many little apps that plug into them. So far Facebook is the most successful here. Facebook provides a nice glimpse of what OpenID makes possible on a much larger scale but it is still a centralized vertical. I am on Facebook and generally like what I see there but I’m not really comfortable with the notion that they are the web from now on (which seems to be implied in their centralized business model). Recent scares with their overly aggressive advertisement schemes show that they can’t really be trusted.

OpenID is not a complete solution for the above problems and it is important to realize that this is by design: it tries to solve only one problem and tries to solve it well. But generally it is a vast improvement over what is used today. Additionally, it can be complemented with protocols like OAuth which are about delegating permissions from one site to another on your behalf. OpenID and OAuth are very well integrated with the web architecture in the sense that they are not monolithic identity solutions but modular solutions designed to be combined with other modular solutions. This modular nature is essential because it allows for very diverse combinations of technology. This in turn allows different sites to implement the security they need but in a compatible way. For example, for some sites allowing any OpenID provider would be a bad idea. So, implement whitelisting and work with a set of OpenID providers you trust (e.g. VeriSign).
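The whitelisting suggested above has one trap worth spelling out: OpenID 2.0 lets any identifier URL delegate to any provider, so filtering on the domain of the claimed identifier is meaningless. The allowlist has to be applied to the OP endpoint (openid.op_endpoint, confirmed by the relying party’s own discovery), and with an exact host match rather than a string suffix check. The following is an added example for this post, not code from any OpenID library or provider: it normalises a user-typed identifier the way the spec’s section 7.2 describes, checks an OP endpoint against a trusted-host set, and gates a positive assertion on that check. The hostnames `openid.example` and `id.example` and the sample query strings are constructed; signature verification, return_to and nonce checks, and XRI i-names are deliberately left out and noted as such in the code.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Providers this relying party is willing to trust. Constructed hostnames, not
# real OpenID providers. The check is on the OP endpoint, never on the domain
# of the claimed identifier: http://bob.example/ may delegate to any OP.
TRUSTED_OP_HOSTS = {"openid.example", "id.example"}


def normalize_identifier(user_input):
    """OpenID 2.0 section 7.2 normalisation of a user-supplied URL identifier.

    Adds http:// when no scheme is given, drops the fragment, lowercases the
    scheme and host and supplies a '/' path. XRI i-names (xri:// or a
    leading =, @, +, $, !) are out of scope here and rejected.
    """
    s = user_input.strip()
    if s.startswith("xri://") or s[:1] in ("=", "@", "+", "$", "!"):
        raise ValueError("XRI identifiers not supported by this RP")
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    parts = urlsplit(s)
    host = parts.hostname          # already lowercased by urlsplit
    if not host:
        raise ValueError("identifier has no host")
    if parts.port:
        host = "%s:%d" % (host, parts.port)
    return urlunsplit((parts.scheme.lower(), host, parts.path or "/", parts.query, ""))


def op_endpoint_allowed(op_endpoint, trusted_hosts=TRUSTED_OP_HOSTS):
    """True if op_endpoint (from discovery or openid.op_endpoint) is a trusted OP.

    Exact host match, or a subdomain of a trusted host, over https only. A
    plain string suffix check would let openid.example.evil.example through,
    and matching on the whole URL would let evil.example/?x=openid.example in.
    """
    parts = urlsplit(op_endpoint)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        return False
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def check_assertion(response_query):
    """Gate a positive assertion (openid.mode=id_res) on the OP allowlist.

    Returns the normalised claimed_id if openid.op_endpoint is trusted, else
    None. This is in addition to, not instead of, signature verification and
    the return_to/response_nonce checks, which are omitted here. The RP must
    also confirm via its own discovery that this endpoint is authoritative for
    openid.claimed_id; an allowlisted OP asserting an identifier it does not
    serve must still be rejected.
    """
    p = {k: v[0] for k, v in parse_qs(response_query).items()}
    if p.get("openid.mode") != "id_res":
        return None
    if not op_endpoint_allowed(p.get("openid.op_endpoint", "")):
        return None
    return normalize_identifier(p["openid.claimed_id"])


if __name__ == "__main__":
    # Constructed indirect response, as the OP would send it to return_to.
    resp = ("openid.mode=id_res"
            "&openid.op_endpoint=https%3A%2F%2Fopenid.example%2Fserver"
            "&openid.claimed_id=http%3A%2F%2Fbob.example%2F")
    print(check_assertion(resp))
```

With a whitelist in place the remaining exposure is the trusted providers themselves, which is exactly the point made earlier: pick providers whose authentication is at least as strong as what you already rely on elsewhere.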

OpenID and OAuth provide a very decent base level of protection that is not available from any other widely used technology currently. The closest thing to it is the Liberty Alliance/SAML/Microsoft family of identity products. These are designed for and applied almost exclusively in enterprise security products. You find them in banks and financial institutions, travel agencies, etc. These are also used on the web but invariably only to build verticals. Both Google and Microsoft use technologies like this to power their identity solutions. In fact, many OpenID identity providers also use these technologies. For example, Microsoft is rumoured to be OpenID-enabling their solution and several members of the Liberty Alliance (e.g. Sun) have been experimenting with OpenID as well. They are not mutually exclusive technologies.

It gets better though. Many OpenID providers are employing really advanced anti-phishing technologies. Currently you and your cryptographically weak password are just sitting ducks for Russian/Nigerian/whatever scammers. Even if you think your password is good, it probably isn’t. OpenID doesn’t specify how to authenticate. Consequently, OpenID providers are competing on usability and anti-phishing features. For example, VeriSign and myopenid.com employ techniques that make them vastly more secure than most websites out there, including some where you make financial transactions. There has been a lot of criticism of OpenID and this has been picked up by those that implement it.

So now on to OpenID 2.0. This version is quite important because it is the result of many companies discussing what should be in there for a very long time. In some respects there are a few regrettable compromises and maybe not all of the spec is that good of an idea (e.g. .name support). But generally it is a vast improvement over OpenID 1.1 which is what is in use currently and which is technically flawed in several ways that 2.0 fixes. The reason 2.0 is important is because many companies have been holding off OpenID support until it was ready.

The hope/expectation is that those companies will start enabling OpenID logins for their sites over the next few months. The concern expressed here is that this may not actually happen and that in fact OpenID hype seems past its glory already. Looking at how few sites I can actually sign into with my OpenID today, I’d have to agree. As of yet, no major website has adopted OpenID. Sure there are plenty of identity providers that support OpenID but very few relying parties that accept identities from those providers. Most of the OpenID sites out there are simple blogs, startups web 2.0 type stuff, etc. The problem seems to be that everybody is waiting for everybody else and also that everybody is afraid of giving up control over their little clusters of users.

So ironically, even though there are many millions of OpenIDs out there, most of their owners don’t use them (or are not even aware of having one). Pretty soon OpenID will be the authentication system with the most users on this planet (if not already) and people don’t even know about it. Even the largest web sites have no more than something like a hundred million users (which is a lot). Several of those sites are already OpenID identity providers (e.g. AOL).

The reason I hope OpenID does get some adoption is because if it doesn’t, it will take a very long time for something similar to emerge. This means that the current very undesirable situation is prolonged for a very long time. In my view a vast improvement is needed over the current situation and besides OpenID, there seems to be very little in terms of solutions that can realistically be used today.

The reason I am posting this is because over the past few months me and my colleagues have been struggling with how to do security in decentralized smart spaces. If you check my publications web site, you will see several recent workshop papers that provide a high level overview of what we are building. Most of these papers are pretty quiet on security so far even though obviously security and privacy is a huge concern in a world where user devices use each others services and mash them up with commercial services in both the local network and internet. Well, the solution we are applying in our research platform is a mix of OpenID, OAuth and some rather cool add-ons that we have invented to those. Unfortunately I can’t detail too much about our solutions yet except that I am very excited about them. Over the next year, we should be able to push out more information into the public.


I just installed Flock – The Social Web Browser. Right now I’m trying out the blog editor included with it to write this little review. To cut the review short, I’m planning on uninstalling it after publishing this post.

Let’s just start by saying that this feels like a nice bunch of concepts and potentially useful Firefox extensions but not a drop-in Firefox replacement. Besides, the default theme feels rather amateurish and I already miss my dozen Firefox extensions. And while I am pleased that it supports Facebook, I find the lack of support for much else a bit disappointing. For example, I’m also on LinkedIn; phib; claimid. I have several OpenID logins; I use several Google services, including Reader, Gmail and Calendar. All of these are unsupported by the self proclaimed social web browser. Hell, it doesn’t even integrate webmail from e.g. Google, Yahoo or Microsoft (I have accounts with all three). You can find an overview of social networking sites I use on my blog: http://blog.jillesvangurp.com/my-other-sites/. Most of the stuff there is unsupported by Flock.

An exception seems del.icio.us. However, the extension functionality I get in Firefox is much better than the bundled del.icio.us support in Flock which is rather useless. Similarly, the blog editor is nice but nothing I can’t get using several Firefox extensions. I suppose the facebook sidebar is nice, but again there is also a firefox extension for that.

A rather novel feature seems to be the media bar. However, in its current incarnation it is limited to harvesting media from just a handful of popular sites like facebook (again), youtube and flickr. That’s nice but not all that useful to me.

So overall I have a bit mixed feelings. On one hand, this feels like a polished product, on the other hand there’s not much that I can’t get installing a few Firefox extensions. With Firefox 3 around the corner, I’m not planning to use Flock 1.0 based on the old Firefox without most of the extensions I can’t do without. Nevertheless, there’s some good ideas that I would like to see adopted in the form of Firefox extensions.


It seems I’ve been unaware of the little revolution that has been unfolding since May 24th. Before that, Facebook was yet another social network popular mostly in the US. On that date, Facebook opened up their API and made it possible for people to integrate their 3rd party services into Facebook. Marc Andreessen explained the concept in a lengthy post that is well worth reading around mid June. This too went unnoticed by me. In my defense, I was on vacation the first half of June and maybe a bit less connected than I usually am.

About two weeks ago, my neighbour, friend & colleague Christian del Rosso invited me to Facebook. He must have noticed that I didn’t catch up on his earlier link to Marc Andreessen’s article. So I dutifully signed up not expecting much of it but somewhat curious to find out why Facebook was being mentioned a lot lately. I’m already on LinkedIn and del.icio.us so I thought I was pretty well covered in this web 2.0 thing. Apparently not.

In the past two weeks, I found several people I know that recently created accounts on facebook. Facebook has the notion of networks and groups and I’m in several of those now, all rapidly growing. Finally in the last few days I started exploring facebook a bit more in depth and doing things like updating my profile, exploring other people’s profiles, and finally figuring out that there’s a shitload of cool applications that integrate into facebook. The proverbial penny dropped only a few days ago.

I’m on iLike, mytravelmap and flixster now. Also I have hooked up my blog and del.icio.us to Facebook and of course installed the Chuck Norris fact generator. All very fun toys. The first three I would probably never have signed up for separately.

The only thing that I don’t like is that OpenID is not part of Facebook. That’s a pity, because I believe the fully decentralized mash ups enabled by OpenID are the future. Ultimately, Facebook is another vertical and the waiting is just for who will buy these guys (and for how much). It seems that .com bubble 2.0 is now well underway.

It would seem from the above that Facebook is perfect. Of course it isn’t. I’ve encountered many issues so far: performance problems; parts of the site not working; strange errors and failing Ajax stuff. Also I noticed that the entire thing seems to be written in PHP. That could give rise to some worries related to e.g. security and scalability. Opening it up to basically anybody who cares to develop 3rd party stuff does not exactly make it better.