Two tastes better together: Combining OpenID and OAuth with OpenID Connect

OpenID Connect

On Friday, David Recordon, one of the original authors of OpenID, released a single-page specification for OpenID Connect, a concept that I outlined on this blog in January before I joined Google.

I’m particularly excited about this early proposal because it builds on all the great progress that the community has made recently on a litany of technologies, including OAuth 2.0 and the link-based resource descriptor format (LRDD) and its emerging JSON-based variant (JRD).

But I’m most excited about OpenID Connect because it forces the OpenID community to evaluate the progress we’ve made over the last three years (OpenID 2.0 was introduced in 2007) and to think critically about where we go next, and how we get there, given what the market has indicated it wants.

Rearticulating the problem

When Brad Fitzpatrick first created OpenID, he was looking to solve a fairly mundane problem: develop a protocol that made it possible for a commenter to claim her comments on someone else’s blog. For the commenter, she had a way to vouch for her words; for the blog owner, he had a way to establish the authenticity of the comments left by his readers. Given this context, all that was required in the early days of OpenID was a stable way to uniquely identify people — gathering additional profile information wasn’t as necessary because blog commenting forms already asked — and often required — that commenters supply their name and email address.

Thus the basic architecture of OpenID concerned itself with establishing identity across contexts (i.e. “Bob” from Context A is the same “Bob” found in Context B), rather than with profile portability. This focus lent itself to privacy-preserving anonymous and pseudonymous transactions where identity could be established without the need to divulge personally-identifying information, or without forcing you to collapse the boundaries of separate social contexts.

This feature of OpenID (called directed identity) enabled you to hold a single account at, say, yahoo.com, but sign in to third party sites using “non-correlatable identifiers”. That is, this feature made it possible to maintain discrete profiles for logging in to other sites across the web without needing a different password to manage each.

The ability to “select [the] OpenID identifier” that I want to share with stackoverflow.com is how this feature manifests on yahoo.com:

Yahoo - Select your OpenID identifier
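The non-correlatable identifiers described above, as an added sketch that is not from the original post and not Yahoo’s implementation: it assumes the provider derives each identifier with an HMAC over the account name and the relying party’s normalized realm. The provider URL `https://op.example`, the secret, the account names and `blog.example` are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_realm(rp_url: str) -> str:
    """Reduce a relying-party URL to scheme://host[:port] so that every
    page of one site receives the same identifier."""
    parts = urlsplit(rp_url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) relying-party URL: {rp_url!r}")
    host = parts.hostname.lower().rstrip(".")
    port = parts.port
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


class DirectedIdentityProvider:
    """Hypothetical provider that hands each relying party a different,
    stable identifier for the same account (assumed HMAC derivation)."""

    def __init__(self, base_url: str, secret: bytes):
        if len(secret) < 32:
            raise ValueError("secret must be at least 32 bytes")
        self._base = base_url.rstrip("/")
        self._secret = secret
        self._issued = {}  # identifier -> (account, realm)

    def identifier_for(self, account: str, rp_url: str) -> str:
        if "\x00" in account:
            raise ValueError("account name must not contain NUL")
        realm = normalize_realm(rp_url)
        # NUL separator keeps (account, realm) pairs unambiguous.
        msg = account.encode() + b"\x00" + realm.encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        token = base64.urlsafe_b64encode(digest[:18]).decode()
        identifier = f"{self._base}/a/{token}"
        # The HMAC is one-way, so the provider records what it issued.
        self._issued[identifier] = (account, realm)
        return identifier

    def global_identifier(self, account: str) -> str:
        """The contrast case: one identifier shared with every site."""
        return f"{self._base}/{account}"

    def resolve(self, identifier: str):
        """Provider-side lookup; relying parties cannot do this."""
        return self._issued.get(identifier)


def correlate(ids_seen_by_a, ids_seen_by_b):
    """What two relying parties learn by comparing their user tables."""
    return set(ids_seen_by_a) & set(ids_seen_by_b)


# Constructed sample data.
SECRET = hashlib.sha256(b"constructed demo secret").digest()
ACCOUNTS = ["alice", "bob"]
RP_A = "https://stackoverflow.com/users/login"
RP_B = "https://blog.example/comments"


def run_demo():
    op = DirectedIdentityProvider("https://op.example", SECRET)
    directed_a = [op.identifier_for(a, RP_A) for a in ACCOUNTS]
    directed_b = [op.identifier_for(a, RP_B) for a in ACCOUNTS]
    global_ids = [op.global_identifier(a) for a in ACCOUNTS]
    return {
        "directed_overlap": correlate(directed_a, directed_b),
        "global_overlap": correlate(global_ids, global_ids),
    }


if __name__ == "__main__":
    for name, overlap in run_demo().items():
        print(name, len(overlap))
```

With directed identifiers the two sites find no common rows to join on; with a single global identifier every shared user matches.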

The economics of user-centric identity

Features like directed identity, however, present several challenges for users and OpenID relying parties.

For users, these features complicate the sign in flow by introducing new interface surfaces (as seen above) and management tasks. They also increase the cognitive burden of registration by requiring a user to pick a profile (or create a new one) to use in a given context. Additionally, the ability to refrain from disclosing profile information when registering for a new service may seem economically advantageous to the user at the outset (“Aha! I refuse to tell you my name or email address!”) but results in unintended disadvantages over time.

That is, because OpenID users share less information with third parties, they are perceived as being “less valuable” than email-based registrants or users that connect to their Facebook or Twitter accounts.

Why? Simply put: OpenID, by design, favors the user rather than the relying party. In contrast, technologies like Facebook and Twitter Connect emphasize the benefits to relying parties. So while it might seem like an inconvenience to custom-tailor your personal privacy settings on Facebook, the liberal defaults are meant to make Facebook users’ accounts more valuable to relying parties than other, more privacy-preserving account configurations.

So, as Twitter and Facebook have grown in popularity and the number of sites willing to outsource their account management to them has increased, both OpenID users and providers find themselves in a predicament: if they continue to restrict the flow of data, the number of OpenID relying parties will diminish in favor of Facebook- and Twitter-Connected sites. If instead OpenID users become more liberal with the data that they are willing (and able) to share with third parties, they will still need to rally support from relying parties to be recognized as valuable users. Thus making more data available from OpenID users is the first essential step that we must take to regain our footing in the marketplace.

But it won’t be enough.

To overcome both the real and perceived economic disadvantage of supporting OpenID, we need to make adopting OpenID exceedingly simple, straightforward, and economically advantageous — in real terms.

Why harmonizing “Connect” is important

I wrote my overview for OpenID Connect convinced that the “connect” verb (inherited from the Twitter and Facebook platforms) would help users distinguish between merely registering for a site and signing up for and sharing some data about themselves. Even though Facebook abandoned the “connect” brand at F8 this year, I’m still of the mind that the “connect” verb suits our purposes, even if it’s going to take several years to catch on in common usage.

In any case, if OpenID solves the problem of providing a stable and unique way to identify someone, then the “Connect” in OpenID Connect layers in the ability to access data on someone’s behalf (via conventional APIs like Portable Contacts or ActivityStreams).

It’s this assemblage of authentication and authorization technologies that the industry is calling out for — as evidenced by the success of Facebook and Twitter Connect and more recently, Messenger Connect from Microsoft and upstart efforts like Diaspora that cite OpenID among the technologies they intend to leverage. Without a common standard, each of these efforts is inventing its own custom-tailored solution, retarding industry-wide progress and delaying the development of next generation social applications.

Thus, by leveraging OAuth as the core of OpenID Connect, we can build on the consensus and momentum that has been achieved in the marketplace, and by weaving in a standard and much-simpler discovery mechanism, we can preserve the decentralized design of OpenID. Presuming that Facebook, Twitter, Google, and others all become OpenID Connect providers, that means that site operators can implement one connect API and interoperate with potentially dozens of providers with a single, well-understood open source stack of technologies.

Such an outcome would be good for relying parties (or “clients” in the parlance of Recordon’s proposal) as well as citizens of the web, who deserve a choice when it comes to entrusting a provider with their digital identity but are increasingly marginalized by “privacy-preserving technologies” that are not economically viable.

“Connect” also provides a convenient answer to the question of what kind of interface to present to the users who want to use their OpenID:

OpenID Connect

(Note that I also used the “connect” verb very intentionally in my social agent mockups for designing identity into the browser.)

If every site that supports third party authentication today added a “connect” button in place of their conventional “sign up” or “register” buttons and deployed a consistent user experience around picking a provider (some combination of NASCAR buttons and a type-anything email/URL field) that executed the OpenID Connect protocol, we’d be well along the path of decentralizing the social web, and restoring balance to the ecosystem.

What does OpenID stand for?

Of course, applying the OpenID brand to this solution isn’t something that I would do trivially, since the OpenID Foundation is the real authority for the trademark. However, at the foundation’s board meeting earlier this year at the OpenID Summit West, we unanimously decided to expand the scope of the OpenID Foundation’s mission to include advancing the technological underpinnings of internet identity in general, without regard for the existing OpenID technology.

This is a critical recasting of the role that OpenID and the OpenID Foundation play in the ecosystem. Though there are other groups with similar mandates, the OpenID Foundation has decided to take on the internet identity opportunity as a general problem, rather than one narrowly scoped to disposable use cases.

In that light, it seems to me that we have come to a crossroads in the history of the foundation — however knowingly — and decided to take aggressive actions to advance the cause.

Without speaking for the foundation as a whole, I believe that it is essential that we are able to reconceive OpenID as the brand for decentralized digital identity. OpenID need not be thought of as merely an identity algorithm, but as a means for representing and conducting oneself online and across digital environments. Thus as the identity landscape undulates, the OpenID Foundation is in the position to articulate solutions that are not protocol-bound, but responsive to needs of the time, and able to adapt to and weather the shifting winds of technological progress.

After OpenID 2.0, OpenID Connect is the next significant reconceptualization of the technology that aims to meet the needs of a changing environment — one that is defined by the flow of data rather than by its suppression. It is in this context that I believe OpenID Connect can help usher forth the next evolution in digital identity technologies, building on the simplicity of OAuth 2.0 and the decentralized architecture of OpenID.

Two interviews on the open web from SXSW


Funny how timing works out, but two interviews that I gave in March at SXSW have just been released.

The first — an interview with Abby Johnson for WebProNews — was recorded after my ActivityStreams talk and is embedded above. If you have trouble with the embedded video, you can download it directly. I discuss ActivityStreams, the open web and the role of the Open Web Foundation in providing a legal framework for developing interoperable web technologies. I also explain the historical background of FactoryCity.

In the second interview, with Eric Schwartzman, I discuss ActivityStreams for enterprise, and how information abundance will affect the relative value of data that is hoarded versus data that circulates. Of the interview Eric says: “In the 5 years I’ve been producing this podcast, this discussion with Chris, recorded at South by Southwest (SXSW) 2010 directly following his presentation on activity streams, is one of the most compelling interviews I’ve ever recorded. I expect to include many of his ideas in my upcoming book ‘Social Marketing to the Business Customer’ to be published by Wiley early next year.”

If you’re interested in these subjects, I’ll be speaking at Northern Voice in Vancouver this weekend, at PARC Forum in Palo Alto on May 13, at Google I/O on May 19, and at GlueCon in Denver, May 27. I also maintain a list of previous interviews that I’ve given.

What I like about Facebook’s “openness”

Let’s get something straight: in my last post, I didn’t say that Facebook was evil.

Careful readers would understand that I said that funneling all user authentication (and thus the storage of all identities) through a single provider would be evil. I don’t care who that provider might be — but centralizing so much control — the fate of our collective digital existences! — in the hands of a single entity just cannot be permitted.

That said, I do want to say some nice things about the open things that Facebook launched at F8, because as an advocate of the open web, there are some important lessons to be had that we’d do well to learn from.

  • Simplicity: I have to admit that Facebook impressed me with how simple they’ve made it to integrate with their platform, and how clear the value proposition is. From launching OAuth 2.0 (rather aggressively, since the standards process hasn’t even completed yet!) to removing the 24-hour caching policy, Facebook made considerable changes to their developer platform to ease adoption, integration, and promote implementation. This sets the bar for how easy (ideally) technologies like OpenID and ActivityStreams need to become.
  • Avoiding NIH (mostly): In particular, Facebook dispensed with their own proprietary authorization protocol and went with the emerging industry standard (OAuth 2.0). I hope that this move reduces complexity and friction for developers implementing secure protocols, increasing the number of available high quality OAuth libraries, and leads to fewer new developers needing to figure out signatures and crypto when sometimes even the experts get these things wrong. By standardizing on OAuth, we’re within range of dispensing with passwords once and for all (…okay, not quite).
  • Giving credit: I also think that Facebook deserves credit for giving credit to projects like Dublin Core, link-rel canonical, Microformats, and RDFa in their design of the Open Graph Protocol. I’ve seen many other efforts that start from scratch when plenty of other initiatives already exist simply because they’re unaware or don’t do their homework (one of which is the OpenLike effort!). I’m not sure I agree with the parts that Facebook extracted from these efforts, but as David Recordon said, we can fight over “where the quotes and angle-brackets should go”, but at the end of the day, they still shipped something that net-net increases the amount of machine-readable data on the web. And if they’re sincere in their efforts, this is just the beginning of what may emerge as a much wider definition of how more parties can both contribute to — and benefit from — the protocol.
  • Open licensing: Now that I’ve been involved in this area for a longer period of time, I’ve learned a simple truth: it’s hard to give things away, especially if you want other people to use them, even more so when some of those potential users are competitors. But, that’s why the Open Web Foundation was created, and why David and I are board members. After setting up foundations over and over again, we decided that it needed to be easier to do! Now all the hard work of the Open Web Foundation’s legal committee is starting to pay off, and I am quite satisfied that Facebook has validated this effort. We’re still so early in the process that it’s not entirely clear how to make use of the Open Web Foundation’s agreement, but surely this will motivate us to find our own Creative Commons-like approach to proclaiming support for open web licensing on individual projects.

So, while I still have my reservations about Facebook’s master plan, they did do a number of things right — not everything — but I’m a tough customer to please. When it comes to the identity stuff, I’m definitely nonplussed, but that’s where my ideology and their business needs collide — and I get it.

What this means is that we all need to show more hustle out on the field and get serious. With Facebook’s Hail Mary at F8, we just got set back a touchdown, and a field goal just ain’t gunna cut it.

Understanding the Open Graph Protocol

All likes lead to Facebook

I attended Facebook’s F8 conference yesterday (missed the keynote IRL, but you can catch it online) and came away pondering the Open Graph Protocol.

In the keynote, Zuck (as Luke Shepard calls him) said:

Today the web exists mostly as a series of unstructured links between pages. This has been a powerful model, but it’s really just the start. The open graph puts people at the center of the web. It means that the web can become a set of personally and semantically meaningful connections between people and things.

While I agree that the web is transmogrifying from a web of documents to a web of people, I have deep misgivings about what the Open Graph Protocol — along with Facebook’s new Like button — means for the open web.

There are three elements of Facebook’s announcements that seem to conspire against the web:

  • A new format
  • Convenient to implement
  • Facebook account required

First, to support the Open Graph Protocol, all you need to do is add some RDFa-formatted metatags to the HEAD of your HTML pages (as this example demonstrates, from IMDB):

Simple right? Indeed.

And from the looks of it, pretty innocuous. Structured data is good for the web, and I’d never argue to the contrary. I’m skeptical about calling this format “open” — because it smells more like openwashing from here, but I’m willing to give it the benefit of the doubt for now. (Similarly, XAuth still has to prove its openness cred, so I understand how these things can come together quickly behind closed doors and then adopt a more open footing over time.)

So, rather than using data that’s already on the web, everyone that wants to play Facebook’s game needs to go and retrofit their pages to include these new metadata types. While they’re busy with that (it should take a few minutes at most, really), won’t they also implement support for Facebook’s Like button? Isn’t that the motivation for supporting the Open Graph Protocol in the first place?

Why yes, yes it is.

And that’s the carrot to convince site publishers to support the Open Graph Protocol.

Here’s the rub though: those Like buttons only work for Facebook. I can’t just be signed in to any social web provider… it’s got to be Facebook. And on top of that, whenever I “like” something, I’m sending a signal back to Facebook that gets recorded on both my profile, and in my activity stream.

Ok, not a big deal, but think laterally: how about this? What if Larry and Sergey wanted to recreate PageRank today?

You know what I bet they wish they could have done? Forced anyone who wanted to add a page to the web to authenticate with them first. It sure would have kept out all those pesky spammers! Oh, and anyone that wanted to be part of the Google index, well they’d have to add additional metadata to their pages so that the content graph would be spic and span. Then add in the “like” button to track user engagement and then use that data to determine which pages and content to recommend to people based on their social connections (also stored on their server) and you’ve got a pretty compelling, centralized service. All those other pages from the long tail? Well, they’re just not that interesting anyway, right?

This sounds a lot to me like “Authenticated PageRank” — where everyone that wants to be listed in the index would have to get a Google account first. Sounds kind of smart, right? Except — shucks — there’s just one problem with this model: it’s evil!

When all likes lead to Facebook, and liking requires a Facebook account, and Facebook gets to hoard all of the metadata and likes around the interactions between people and content, it depletes the ecosystem of potential and chaos — those attributes which make the technology industry so interesting and competitive. It’s one thing for semantic and identity layers to emerge on the web, but it’s something else entirely for all of the interactions on those layers to be piped through a single provider (and not just because that provider becomes a single point of failure).

I give Facebook credit for launching a compelling product, but it’s dishonest to think that the Facebook Open Graph Protocol benefits anyone more than Facebook — as it exists in its current incarnation, with Facebook accounts as the only valid participants.

As I and others have said before, your identity is too important to be owned by any one company.

Thus I’m looking forward to what efforts like OpenLike might do to tip back the scales, and bring the potential and value of such simple and meaningful interactions to other social identity providers across the web.


Please note that this post only represents my views and opinions as an independent citizen of the web, and not that of my employer.

The social agent, part 5: Narrated Video

Two weeks ago, I published the first four parts (1, 2, 3, and 4) of The Social Agent, my addition to the Mozilla Concept Series focused on online identity. I provided both interaction mockups and written essays illustrating the thinking behind the designs. While this work invited some feedback, I fear that my essays suffered from the TL;DR syndrome. Consequently I decided to try one more medium to explain The Social Agent: narrated video.

There are six videos in the series; you can also watch the entire uncut screencast (parts 1-6) if you’ve got a half hour to spare. Here they are:

Introduction

Identity in the Browser

People, Apps & Pages

Share

Follow

Connect

I’d be eager to hear your feedback, here or by email. There is also a mailing list that Mozilla set up to capture feedback.

If these ideas interest you, I’d also recommend checking out the Account Manager and Contacts prototypes that Mike Hanson, Dan Mills, Ragavan Srinivasan and the Mozilla Labs team produced.

The social agent, part 2: Connect

This is the second part of the five part Mozilla Labs Concept Series on Online Identity. This post introduces and examines the verb “Connect” as the foundation of a more personalized browser — which I outlined in Part 1: The Social Agent.

Also take a look at the rest of my mockups (view as a slideshow) or visit the project overview.

. . .

When was the last time you created a new username and password so that you could make use of some website? Do you remember what username you picked, or which email address you used to sign up? Probably. But what about that support forum that you signed up for a couple weeks ago while you were home for the holidays? Did you write it down somewhere? Or worse: did you just use the same username and password that you use everywhere else?

Spreadsheets, text files, sticky notes, cheat-sheets, software and browser extensions — you name it, people have probably found some way to recruit every kind of notational tool there is to help them remember the countless passwords, PINs, IDs, usernames, and secrets needed to access the apps, websites, and services that they use on a regular basis. But we can do better.

Step 1: Activate

The social agent is designed to unify your online social experience. With that in mind, a social agent must become an extension of you in order to mediate your online interactions.

This is achieved by activating your browser against your preferred account provider when you first begin your online session, just as you activate your mobile phone before being able to make or receive calls. This is how the browser is turned into a social agent.

By activating your browser, you are effectively telling your browser who you are and where to store and access your data online.

Account Manager - Activate a New Account

Fortunately, you can activate using any account that you already have that supports a Connect API, like Twitter Connect or Facebook Connect (or soon, OpenID Connect). It is also conceivable to use the browser in an anonymous or “incognito mode”.

Step 2: Connect

Once activated, you can visit any site that supports Connect and with the click of a button, sign up and bring your profile, relationships, content, activities, and any other portable data with you. This process is identical to Facebook Connect or Twitter Connect, except that the interaction occurs between your social agent and the site you’re visiting.

What is a Connect API? Writing for the O’Reilly Radar blog in February last year, David Recordon defined the anatomy of “connect” as meeting four criteria:

  • Profile: Everything having to do with identity, account management and profile information ranging from sign in to sign out on the site I’m connecting with.
  • Relationships: Think social graph. Answers the questions of who do I know, who do I know who’s already here, and how I can invite others.
  • Content: Stuff. All of my posts, photos, bookmarks, video, links, etc that I’ve created on the site I’ve connected with.
  • Activity: Poked, bought, shared, posted, watched, loved, etc. All of the actions that things like the Activity Streams project are starting to take on.

This is what the verb “connect” means for the social agent. The “connect” button communicates that your browser is going to share some amount of your profile data with the site that you’re connecting with. You’re not just signing in. You’re connecting — and creating a relationship with the site. You can of course change the data that the website gets — even after you’ve signed in — and the benefit of this model is that you have transparency into what data you’re sharing with whom.

Far from making it impossible for you to share your data, your social agent should help you mediate such decisions, guiding you about which sites to connect with, and providing context to help inform your actions.

Clicking Connect pulls a familiar browser-based UI

For this model to work, your connections are actually made between your preferred account provider and the third parties to which you’ve connected. Your account provider, then, acts as a hub for all of your online doings — collecting, maintaining, and mediating your browsing history, relationships and contacts, activities, transactions, content and media, and online profile. This provider should let you selectively configure how much, how little, or how long your data is made available to third parties — much in the same way that you manage access on Twitter or Facebook today.

For you, this means that you get to pick an account provider of your choice — without needing to worry about remembering or managing passwords or usernames. Instead, you can have any number of accounts that are available to you wherever the web goes.

As a core feature of the social agent, connecting is the action you take whenever you want to establish an enduring and ongoing relationship with a site, service, or individual.

The social agent

Late last fall, from late November through December, I worked with Mozilla Labs to envision what the future of a more social browser might look like. Working with the team, I produced a series of mockups and written pieces that were designed to first lay out a future scenario for what I call “pop computing” — an era when computing is cheap, abundant, and a part of the everyday environment.

Thus, this is the first of a five part series that re-imagines the browser as a “social agent” — and defines how it can do more to facilitate various social behaviors by supporting three verbs that can “socialize” the browsing experience: Connect, Follow, and Share.

Weave Identity

To put the ideas presented here into some context, I will begin with a vignette that describes a future computing scenario, motivated by three emerging conditions:

  • online account and data portability
  • ubiquitous networked access
  • decreasing cost of advanced computing devices

This scenario is intended to provoke us to peek around the corner of today’s browser paradigm. Little that is presented here is entirely novel. Instead, this sketch presupposes that the browser has learned new capabilities that take it from the document-centric era of the web into the age of people-centric web services. This “social agent” knows who you are and facilitates common tasks like connecting to sites, following people and information, and providing intuitive tools for sharing more than just links.

. . .

We begin at a conference, somewhere far from home that required air travel, sometime in the near-future. It doesn’t really matter what the subject of the conference is, where it’s happening specifically, or why you’re going. However, a big draw of this event is getting to meet fellow professionals and exchanging tips and experiences, with the outcome of the event some kind of shared digital artifacts that capture the top highlights. There will be ample WiFi at the event and something else: everyone attending the event is given a slate computer to use for the duration of the event.

In fact, this kind of access to computing has become quite common; and with data access and portability vastly improved, the need to carry around personal electronics of any kind has all but gone away. In fact, the very thought of bringing a personal laptop — even a netbook — to the conference now seems obtuse, as though you were bringing your own rotary phone and Yellow Pages to the conference.

It is also not possible to “install” applications on the device; instead, any application or service you need is available on-demand, available as a zero-footprint web service.

This device is the definition of a web native device; it serves dual purposes: to make computing extremely convenient, and abundant. It omits all the distractions and bells and whistles in favor of a lean, clean user experience, and is designed to augment — rather than replace — human interaction, as a whiteboard or pad of paper might.

The “browser” on this device has been modified to accommodate a new mode of online interaction. While it has retained a number of browser conventions, it introduces new capabilities that enhance personalization, sharing, and collaboration by carving out specific interfaces dedicated to interacting with people and web services.

When you turn on the device for the first time, you’re asked to activate the machine by signing in to your preferred identity service provider. You can either choose from a list of well known providers or supply an OpenID Connect-enabled account address.

Activate

Once activated, the device becomes an “extension” of your existing digital identity and any activity that you perform on the device will be attached to that identity. You may activate additional identities in order to assume discrete roles, but most people get by with as few as one or two active digital identities at any given time.

To that point, passwords are a thing of the past. With the advances in data portability and service interoperability, all modern sites and web services accept users from other networks (just as we take for granted the ability to email people from different domains today), making it possible to connect with, follow, and share with people on other networks without needing to create a new account. For most people, you only need one account for all your computing activities.

Connect

To better illustrate activation, I’ll draw an analogy to selecting your active gamer profile on an Xbox: once you’ve logged in with your gamertag, all your high scores, achievements, customizations, and social connections get attached to your profile. You don’t create a new gamertag for every game you play, nor for every social network (Facebook, Twitter, Last.fm, etc) that you add to your profile. Instead, your gamertag is like a meta-identity to which you attach services, preferences, and attributes. This gamertag becomes a convenient, reusable identity.

Furthermore, if you visit a friend’s house and sign in to her Xbox with your gamertag, you’ll be able to bring all those preferences, connections, and achievements with you. You would set up and use the account system of this web-based device in the same way. In our future scenario, you would likely activate the same account that you use in your typical computing tasks while at the conference — picking up from where you left off — bringing access to all the resources and services you use, without the hassle of having to bring your own device, or remember more than one password.

During the course of the event, you would be able to make use of the built-in sharing capabilities to trade notes, photos, and videos with attendees co-located and remote. You could also follow those speakers and presenters who you find interesting, again, using the built-in features of the social agent.

Share

On the expo floor, you could use the device to wirelessly connect your account to any of the exhibitors, taking photos, making notes, and swapping contact information or gathering information to read later — which would all be seamlessly and securely synced to your cloud provider.

Follow

Best of all, because these activities would be performed under a primary account, it would be easy for you to revisit this experience later — filtering the connections and contacts you made by time, location, or contextual activity (for example, did you meet this person because they were a speaker, or were you introduced to this person through a mutual friend?). You would also have digital receipts of the information that you shared with people, and be able to recall the products and organizations you started following while at the event. In other words, rather than having to perform these different types of common tasks across a number of separate networks after the fact, your social agent would mediate these tasks for you — ultimately freeing you up to focus on the event itself — and the interactions with your fellow attendees.

. . .

Our opportunity, then, is to define how the browser could serve us better if it were recast as a social agent. To begin with, we need to make two assumptions:

  • First, there’s no reason why the browser should remain a passive bystander in our online experience. With increasing information abundance, we require smart and sophisticated tools that bring us the information that we need to know, when we need to know it, and that bring back our focus and productivity and accelerate our understanding of the world around us.
  • Second, the social agent serves as an extension of the self into the web. Just as the mouse and keyboard facilitate the interaction between man and machine, the social agent facilitates the interaction between people through the medium of the web. We trust the keyboard to “communicate” our keystrokes to the computer just as we typed them, and expect the browser to help us articulate our connections to other people directly. As the trust between the browser and man grows, we are extending ourselves into the digital medium — augmenting our access and ability to manipulate information — and enhancing our ability to connect with others. And yet, the browser is cast in the image of an infovore — and not a social being. Thus the potential to retool the browser as a social agent is huge, and remains largely unexplored territory, especially as we are spending more of our computing time in this application.

As the nexus of all of our online activities, the browser is uniquely positioned to provide convenient and consistent access to friends, contacts, documents, and media across networks. And as an extension of man, the social agent is a fulcrum of user-centric computing — turning the individual into the point of integration by rejecting the current rash of fragmented service-centric identities. As far as the individual is concerned, it should be a choice whether one decides to fragment his identity into a thousand partial profiles strewn across the web, rather than a mandate.

From Mozilla’s perspective, the social agent offers dignity to the individual and brings balance to a chaotic ecosystem.

Just as Firefox has brought choice and innovation to a once-monopolistic browser market, the next generation browser must bring choice to the rapidly centralizing world of social networks. To achieve this, we need more than just another social network; we need a vision of the social web that is built upon technological interoperability that fosters agency for the citizen of the web.

As my contribution to the Mozilla Concept Series on Identity, this series will explore the following hypotheses:

  • that people’s experience on the web would be enhanced if the browser offered more compelling, integrated social functionality
  • that the browser can be made social, becoming a personal, social agent
  • that a social agent can minimize the overhead of participating in the social web and maximize the benefits
  • that the architecture of identity in the browser is critical to achieving simplicity and clarifying the experience of social networking
  • that a social agent should simplify and reduce the work required of web developers to create secure, compelling social applications
  • that social functionality must be built into the browser in order to spread the benefits of the social web as wide as possible
  • that establishing trust is essential to growing the social web, and that trust can be earned by putting the individual, rather than services, at the center of the personal social web experience

This series of posts will sketch out a vision for the future of social computing, and is intended to provoke discussion, critique, and alternative proposals. In my mockups, I depict three new flows that adding three new verbs (connect, follow, and share) could bring to the browser. Subsequent posts will tackle each of these topics in turn:

  • Connect: acting as your social agent, the browser becomes an extension of yourself, making it easier and more secure to participate in the social web
  • Follow: as a replacement for the antiquated notion of “subscribing”, “following” becomes the general way to track the activities or feeds associated with people, brands, celebrities, or social objects.
  • Share: as the fundamental activity of the social web, sharing media, content, and information is integrated into the browser and enhanced through making available social connections and publishing services