Up Close with an Enigma

At last month's RSA conference in San Francisco, I stumbled upon a vintage 1944 model of the German crypothographic machine, popularly known as the Enigma. This particular machine was owned by the National Cryptologic Museum, and was part of a larger booth hosted by the National Security Agency. The staff at the exhibit were quite friendly and it didn't take much to convince someone from the NSA to talk on-camera about the Enigma. (I did decide to submit the video to the NSA public affairs office for final review.) Reading through the accompanying historical pamphlet and listening to NSA staffers, I developed a better appreciation for the contributions made by Polish authorities (and mathematicians) towards breaking what was then, the most important cryptographic machine in the world.

Also from RSA 2009:

Portable Contacts API Starts to Get Real

This evening Joseph and John of Plaxo and I have been hosting a hackathon at Six Apart for the Portable Contacts API (video about PorC). The Portable Contacts API is designed "to make it easier for developers to give their users a secure way to access the address books and friends lists they have built up all over the web."

We originally expected a handful of people to show up and hack on implementing bits of the specification, but so far have been blown away at the progress made and about the twenty people that came. Tomorrow is a summit style meeting hosted by MySpace also in San Francisco to try to finalize the specification among a wide range of providers and consumers. I'm expecting a handful of interesting demos, but wanted to share two that have already come together tonight.

Joseph Smarr and Kevin Marks of Google hacked together a web transformer that integrates Microformats, vCard, and the Portable Contacts API. Given Kevin's homepage which is full of Microformats, they've built an API that extracts his profile information from hCard, uses a public API from Technorati to transform it to vCard, and then exposes it as a Portable Contacts API endpoint. Not only does this work on Kevin's own page, but his Twitter profile as well which contains basic profile information such as name, homepage, and a short bio.

Brian Ellin of JanRain has successfully combined OpenID, XRDS-Simple, OAuth, and the Portable Contacts API to start showing how each of these building blocks should come together. Upon visiting his demo site he logs in using his OpenID. From there, the site discovers that Plaxo hosts his address book and requests access to it via OAuth. Finishing the flow, his demo site uses the Portable Contacts API to access information about his contacts directly from Plaxo. End to end, login with an OpenID and finish by giving the site access to your address book without having to fork over your password.

While the individual building blocks are fairly geeky themselves, pulling them together like has been happening tonight shows that we're only at the beginning of building the next generation of social networks. When the pieces work together, people won't have to know what's going on under the hood; it will just work--and will be almost like magic. John has more photos up on his blog.

MySpace's Data Availability is not Data Portability

Yesterday MySpace, Yahoo!, eBay, Photobucket (also owned by News Corp), and Twitter announced the Data Availability Initiative. While I could write at length about how this shows the big companies have already realized how to diminish the DataPortability group's brand by linking anything they do "data portability," that isn't the point of this post. The crux of the announcement yesterday was that shortly MySpace would begin allowing third-parties to embed MySpace profile information within their own services in the name of "data portability". Unfortunately, the details around this remain buzzword-laden at best.

Their press release yesterday stated:

Additionally, rather than updating information across the Web (e.g. default photo, favorite movies or music) for each site where a user spends time, now a user can update their profile in one place and dynamically share that information with the other sites they care about. MySpace will be rolling out a centralized location within the site that allows users to manage how their content and data is made available to third party sites they have chosen to engage with.

At first glance this seems like a great thing. MySpace is partnering with Yahoo!, eBay, Photobucket, and Twitter to solve a pain point on the web; the inability to keep parts of your profile in sync around the web where you'd like them to be. The announcement didn't however offer any insight into how this would work beyond that, "the MySpace Data Availability initiative uses OAUTH [sic] and Restful APIs as its core technology underpinnings." After this announcement I had the pleasure of speaking with a reporter who was on the briefing call. He explained that MySpace said that due to their terms of service the participating sites (e.g. Twitter) would not be allowed to cache or store any of the profile information. In my mind this led to the Data Availability API being structured in one of two ways: 1) on each page load Twitter makes a request to MySpace fetching the protected profile information via OAuth to then display on their site or 2) Twitter includes JavaScript which the browser then uses to fill in the corresponding profile information when it renders the page. Either case is not an example of data portability no matter how you define the term!

To make this worse one of the pieces of profile information made available is a list of a MySpace user's friends. Once again there are two reasonable ways to do this: 1) MySpace provides a user's friends as a list of hashed email addresses to Twitter or 2) MySpace provides a user's friends as a list of MySpace usernames. While the hashed email route would certainly be simpler and easier for sites like Twitter to match against their own user database, I highly doubt this will be the implementation due to concerns around undesired account linking. Rather I think MySpace will choose to provide a list of other MySpace usernames. What this means is that in order for Twitter to make use of the information they must encourage all of their users to fill in their MySpace account on Twitter so that they can map a MySpace username to a Twitter username. Obviously in the best interests of MySpace to have more of their profiles linked to from around the web thus increasing page rank, visitors, and thus ad revenue.

At the end of the day it seems that MySpace is trying to become a large centralized profile repository on the internet. One where information might be available but certainly not allowed to be actually moved outside the network's walls. A good try, but just as no one would like Microsoft own identity for the entire web with Passport I fail to see how others will let MySpace own all of the profiles.

Update: Just got off a plane from London and realized that I missed a link to Chris Saad, DataPortability's co-founder, explaining yesterday that they "hope to see the MySpace “Data Availability” initiative evolve toward becoming a compliant implementation of the DataPortability Best Practices." While MySpace did not say in their release that Data Availability is a form of data portability, it certainly seemed to be interpreted that way.

Building Better Silos

It's been good to watch the use of OpenID spread. It's great to see that ma.gnolia.com has dropped "traditional login" in favor of OpenID. And I was encouraged to read about Yahoo's support of OpenID. Granted, it took me a while to get around to trying it.
But when I got around to trying it, Yahoo!ID was a disappointment. The promise of OpenID is to return ownership of ID to the users, and to eliminate identity silos, in which the big sites compete to own your identity and your data. If that's the goal, Yahoo!ID may not be a step backwards, but it's certainly not much of a step forwards.

(continue reading)