Distributed Social Networking requires Secure Online Identity

The recent Facebook vs. Your Privacy uproar has ignited a firestorm of activity, of which Diaspora* is the most recent viral player.  (In related news: EFF responded today with A Bill of Privacy Rights for Social Network Users but it continues under the assumption that your data is stored in each social network's data silo and is not generally available to you to manage and share exactly as you wish.)

Conversations about people owning their online identity have been around for over 25 years, with Broadcatch (1994, with initial ideas presented in 1983) and OpenPrivacy (2001) providing two examples of early social/technological attempts to create such a system.  (Disclaimer: I'm sure there are others, but these are the ones that immediately come to mind as, well, I was the principal behind both.)  Other, similar forays into this area include:

  •  6D is an identity-building application. Its purpose is to allow you to centralize your photos, thoughts, posts or anything else, but still share with friends, colleagues, or the world. (Their mission of "You own your content" reminds me of the WELL's famous "You own your own words" or "YOYOW" dating back to 1985.)
  • Onesocialweb is just like Facebook, but decentralized (the 'anti-Facebook'?). Built on top of the realtime XMPP protocol, using open standards like Activitystreams, vcard4, etc.
  • OStatus enables a decentralized micro-blogging environment (the 'anti-Twitter'). They already have hundreds of federated servers and leverage open standards like XMPP, OAuth, etc.
  • Tonido allows you to access and share your content directly through a web browser without uploading or worrying about storage limits.  In short, run your own Personal Cloud.

(A tip of the hat to Crosbie Fitch on the ProjectVRM list for these links)

Related efforts not specifically aimed at providing distributed secure identity include:

  • The Freenet Project has been providing a distributed, secure social network for over 20 years. From their home page: "Freenet is free software which lets you anonymously share files, browse and publish "freesites" (web sites accessible only through Freenet) and chat on forums, without fear of censorship. Freenet is decentralised to make it less vulnerable to attack, and if used in "darknet" mode, where users only connect to their friends, is very difficult to detect."
  • Project VRM is leading much of the thinking that goes into this area.  From the Project VRM site: "In a narrow sense, VRM (or Vendor Relationship Management) is the reciprocal — the customer side — of CRM (or Customer Relationship Management)."

The key issue in creating the "holy grail" of a decentralized online social networking service is the ability for people to own their own data.  (Free and open source software, transparent operations, choice of services, anonymity, pseudonimity and strongly verifiable identity are also key issues, but they are implementation details, some of which I've already discussed in Four More Laws of Identity.)  To facilitate this, a decentralized and secure identity solution must exist that enables people to authenticate as service providers and selectively share their data.

OpenID and OAuth are the major players in this field, but as Joe Andrieu recently wrote on the ProjectVRM mailing list: 'I think it's vastly more important that the "default" for online activity support a baseline standard of liberty and free association. And, frankly, I don't think we have that yet.'  Indeed, the "baseline standard" should enable 100% security from the outset, though specific implementations - such as a company HR database - are free to weaken the protocol in ways that they hopefully clearly describe before any data is entered.

A basic problem with these protocols is that they are strongly tied to DNS which can be subverted in localized applications, such as within a corporate or educational institution.  While DNS certainly provides ease of use and a low barrier to entry, I believe that an identity and personal profile management system that we expect people to feel safe using should allow for 100% security at the core.  Systems like Freenet are a step in the security direction, but secure identity remains elusive.

The good news is that there is a set of identity and data sharing mechanisms that meet all the requirements, namely the Extensible Resource Identifier (XRI) and XRI Data Interchange (XDI) protocols.  While these typically (to date) run on top of DNS, they are transport- and resource-discovery agnostic, enabling then to run on top of Freenet, GNUnet or even a private flat-file spreadsheet!  Initial social networks based on XRI could be simple, employing DNS and supporting one name per user, but there's nothing stopping it from evolving into an OpenPrivacy-like pseudonymous network with authenticated reputations.

Many who have been burned by Facebook and its ilk are looking toward decentralization as an escape from those walled gardens.  So now is the time to look again at a technology that's been passed over once (XRI existed long before OpenID, but it was still a specification in progress in the OASIS Standards body) and rally behind it to create true user-centric digital identity.  It is key to what Diaspora* is trying to do.


You (should) Own Your Online Identity

I just posted another piece of the puzzle on the CivicActions blog, see: You (should) Own Your Online Identity