A Christmas Story: OpenID, OAuth, My Home, and Your Privacy

905450_merry_christmasHere it is, Christmas Eve, almost time to celebrate Christmas in all the traditions it brings in our household.  We usually go visit my wife’s family, and then follow it up with telling the Christmas story out of the Bible and then we sing Christmas songs and each of us opens one present from another sibling or family member.  In our household, Christmas is all about spending time with family.  It’s all about home.  It’s all about spending personal time with those you’re closest with and maintaining the traditions you hold private and dear.

Thinking about home and family and Christmas, I realized today there’s a disconnect on the open web right now.  The privacy I mention is available in forms on the web such as Facebook, Gmail (to an extent), and in various forms amongst other web services throughout the web.  However when it comes to real life, there is a missing link when it comes to maintaining the privacy of where you are physically, and sharing that on the web so only your close friends and family know where that exact location is.

For instance, let’s say I want to have a Christmas party for just my immediate family, and maybe some close friends that I know follow me on Twitter or Facebook.  Right now the only way to do that is to either e-mail them each individually and reveal my exact location to each one, or blast it out publicly, potentially compromising the intimate experience we were trying to create.  At the same time I would be putting my family at risk by allowing unknown people to know where they are.

Another example is mail.  Let’s say this Christmas I want to arrange an easier way for my friends to send me gifts.  I publish some of the things I want for Christmas (I’m of course not that greedy to actually do that), and then I need a way to have you send me those gifts.  Or let’s take a more humble approach – perhaps I want to arrange sending money to a friend in need.  Or let’s say it’s my wedding and I want all my friends to know where they can send wedding gifts.  Right now there is absolutely no way you can blast that out publicly without compromising your physical location in some way.

Paul Carr of TechCrunch wrote about this exact issue several weeks ago.  He cited examples of people coming to his apartment for parties or get-togethers (on Halloween in this instance), and all checking in on FourSquare.  Immediately the exact coordinates of Paul could be made available to the world, all without Paul’s permission.  This is dangerous, especially to a writer of a publication whose employees and writers have been known to get constant threats and even death threats on a regular basis!  There has to be a solution.  Let’s move on to a few technologies I think could solve this.

DNS – the Router for the Web

DNS is the technology that pretty much powers the web from you, the user’s perspective.  I mentioned earlier that we are about to see a “war” at the same level as the browser wars of the late 90s and early 2000’s where companies like Google and Microsoft and others are all going to be fighting for a piece of the DNS pie.  Here’s how DNS works: with DNS, you type in a domain name, and that domain name gets translated through a sequence of various “name servers” throughout the web that eventually tell your browser the IP, or location of that content on the web.  Once your browser knows the location, it knows where to retrieve the content it needs to render to you.

The advantage of DNS to you as a user is that you do not need to know where each server is located.  You simply have to know an easy-to-remember name that the web “just knows” how to translate into an actual location (or IP).  You type in staynalive.com and it just knows how to find the servers that are producing the page you are reading this on.  In fact, many domains actually map to multiple locations, so having a single name to remember is advantageous, and provides a routing layer that can easily be changed.  I actually do this with my e-mail address.  jesse@staynalive.com points right now to my Gmail account.  Because I own the domain, staynalive.com, I can easily point that to just about any e-mail provider I like, and I completely control where my mail gets routed.  You the user only have to know the e-mail address though – it doesn’t matter where it ends up.  The web takes care of that based on how I set it to work.

There’s one problem with DNS though – it’s too anonymous.  Right now it’s all or nothing.  If you put something on the web, anyone can find out your location on the web, and in return, anyone can gain access to your content.  At the same time, there’s no way with DNS alone to identify actual people.  Your website just maps to a location, and anyone can see that location without any other measures in place.  Right now if you want to prevent a certain user from accessing your site, you’re stuck guessing just their IP, which they can technically change if they like.  It’s not a real person visiting your site – it’s just an IP – it’s just a location mapping back to your site.

Solving the Identity Problem Through OpenID

To solve the anonymity problem there had to be another layer added.  A protocol called OpenID was invented, which you, the website owner, could “identify” your website with a specific identity provider using just your DNS identifier (or Domain).  With your website linked to an identity provider, you can now use that specific domain (which remember, maps to a location or IP), to actually identify you as a real person.  By simply typing in your domain on participating OpenID-supported websites, they can automatically verify with your identity provider that it is in fact you logging in as the owner of that website.  Now, every website can also be associated with an actual individual, perhaps even more than a location.  Now you know with close certainty that the content my location is producing is actually coming from me.

There’s still a problem with this though.  You can know the content is coming from me.  However, there’s no way for me to control who’s seeing my content.  Sure, with OpenID I could in theory identify each and every person that visits my website as an actual person (assuming I provide the means to do so), but how do I filter that traffic so only those I want seeing my content are seeing it?

This goes back to the exact same problem I was mentioning with real-life locations – privacy.

The Future of the Open Web is Open Privacy Standards

The web still needs better ways to protect user privacy in an open, standardized way.  Facebook has built this into their API but they haven’t standardized it so others can integrate it into the traditional web experience.  You have to be a Facebook user to get full privacy from Facebook.

Currently there are several open standards in the works that are trying to attack this head on.  One of OAuth’s successors, WRAP, which Facebook is very involved in at the moment, strives to do this.  It is also in the vision for OAuth 2.0 (if I understand correctly), another successor to OAuth.  The success of the future Open Web, ironically, lies in privacy.  It lies in customized roles and authorization.  Ironically we’re going right back to the same problems Novell was trying to solve with the Enterprise market back in the 90s, but this time on a much larger, global scale.

Ubiquity

Now, I’d like to take a step back to my little Christmas story, and where especially around the Holiday season, I’d like to maintain a little privacy.  It’s time we stop thinking about just the web itself, and now start looking towards the future where the web, and our real lives are all going to be meshed into one.  Privacy is critical in this not-so-distant future of a world.

For the Open Web to succeed, it needs to be ubiquitous.  It needs to stretch far beyond just the browser and into our every day real lives.  When I was visiting the Kynetx offices last week Craig Burton shared a vision he has, where he sees people being able to go from room-to-room in a house, and having each room identify who the individual is.  Once identified the room can provide a contextual experience in the room itself for that user (adjust the lights, turn on the favorite TV channel, adjust the chair comfort, etc., etc.).  This is another reason I like what the Kynetx team is working on – open technologies must stretch far beyond just the browser!  You will see this in the next 5 years or less, by the way.

My hope is that we can keep in mind privacy, in not just a browser context, but real-life context as the Open Web is growing and being discussed and architected.  I want to be able to give the Post Office my OpenID on an envelope and have them immediately be able to verify my identity and know where to route my mail.  I want to be able to, on a whim, change where that mail is routed without changing the OpenID I give the Post Office.  I want to give certain close friends and family permissions (which I could revoke at any time) to look up my physical location, based on my OpenID if I choose.  I want to only provide my OpenID to apps like FourSquare and have them also respect that OpenID and not reveal my physical location to people I choose not to share it with.  OpenID and at the forefront, DNS, should be the routers, and at the same time, protectors of our physical locations and our real-life experiences.

This Christmas I want a web that thinks beyond its borders. I want a ubiquitous web that travels with me and gives me full power, not just on the web, but in my real life regarding the context I choose to receive.  I want the limits of DNS to go far beyond IP and into the walls of my own home.  Most of all I want all this to happen with open standards.  I want a web that protects my family.

My hope this Christmas is that you can be inspired.  May you spend a little more time thinking about how you can contribute to this effort.  How can you understand these technologies a little more?  How can you sacrifice a little to make the world a little more open?

May you all have a Merry Christmas and Happy Holiday Season.  Hopefully in 5 years I’ll be able to even tell you where I’ll be and where you can spend it with me and not worry about it getting in the hands of the wrong people..  Even in an Open Web, it’s all about Location, Location, Location!

Advertisements

4 thoughts on “A Christmas Story: OpenID, OAuth, My Home, and Your Privacy

  1. It's a good story! The one place I'd change it would be to drop the OpenID as your identity – what do you give to the post office? “google.com”? How do they verify it? Do you have to log on at a post office computer in front of an employee?

    Webfinger is trying to answer exactly this question; in the scenario above, instead of sharing your OpenID (whatever that means 😉 ), you share your email address. The post office does a lookup and finds that you share your location using Fire Eagle, and sends a request to fire eagle for an OAuth token, on behalf of deliveries@usps.com (or whatever the address is). You see this request (when you log into fire eagle, or fire eagle sends a notification to your inbox) and can approve or deny it. You can also pre-whitelist addresses, so that your family can see the location – all you need to do is add their email (re: webfinger) addresses into the whitelist, and your location service can automatically share your details with them.

    Happy Holidays!

    Like

  2. Blaine, Webfinger's a great idea! Admittedly I always forget it when I
    mention things like this (and I need to read more about it). I do remember
    the old days of Finger though – we used to use it as an additional way to
    look up people either breaking into our systems or that seemed suspicious in
    our server logs at a few places I worked.

    Man, having a single address you could map to a physical location with the
    Post Office would be so cool! Where's our Nation's CTO in this?

    Happy Holidays!

    Like

  3. It's a good story! The one place I'd change it would be to drop the OpenID as your identity – what do you give to the post office? “google.com”? How do they verify it? Do you have to log on at a post office computer in front of an employee?

    Webfinger is trying to answer exactly this question; in the scenario above, instead of sharing your OpenID (whatever that means 😉 ), you share your email address. The post office does a lookup and finds that you share your location using Fire Eagle, and sends a request to fire eagle for an OAuth token, on behalf of deliveries@usps.com (or whatever the address is). You see this request (when you log into fire eagle, or fire eagle sends a notification to your inbox) and can approve or deny it. You can also pre-whitelist addresses, so that your family can see the location – all you need to do is add their email (re: webfinger) addresses into the whitelist, and your location service can automatically share your details with them.

    Happy Holidays!

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s