The Fall of Vidoop

When I left Flock in 2006, I blogged the occasion, having helped start the company by contributing a vision for what I thought the web needed: a social browser.

When I was laid off from Vidoop last month, I didn’t so much as tweet about it. The circumstances were different this time. But because the lack of information coming from the company is disappointing (if not frankly irresponsible) it seemed time that I wrote down my recollection of what went down.

Responding to criticisms about OpenID: convenience, security and personal agency

Twitter / Chris Drackett:  openID should be dead... its over-rated.

Chris Drackett responded to one of my tweets the other day, saying that “OpenID should be dead… it’s way over-rated”. I’ve of course heard plenty of criticisms of OpenID, but hadn’t really heard that it was “overrated” (which implies that people have a higher opinion of OpenID than it merits).

Intrigued, I replied, asking him to elaborate, which he did via email:

I don’t know if overrated is the right word.. but I just don’t see OpenID ever catching on.. I think the main reason is that it’s too complex / scary of an idea for the normal user to understand and accept.

In my opinion the only way to make OpenID seem safe (for people who are worried about privacy online) is if the user has full control over the OpenID provider. While this is possible for people like you and me, my mom is never going to get to this point, and if she wants to use OpenID she is going to have to trust her sensitive data to AOL, MS, Google, etc. I think that people see giving this much “power” to a single provider as scary.

Lastly I think that OpenID is too complex to properly explain to someone and get them to use it. People understand usernames and passwords right away, and even OAuth, but OpenID in itself I think is too hard to grasp. I dunno, just a quick opinion.. I think there is a reason that we don’t have a single key on our key rings that opens our house, car, office and mailbox, not that that is a perfect/accurate analogy, but it’s close to how some people I’ve talked to think OpenID works.

Rather than respond privately, I asked whether it’d be okay if I posted his follow-up and replied on my blog. He obliged.

To summarize my interpretation of his points: OpenID is too complex and scary, potentially too insecure, and too confined to the hands of a few companies.

The summary of my rebuttals:


Convenience

OpenID should not be judged by today’s technological environment alone, but rather should be considered in the context of the migration to “cloud computing”, where people no longer access files on their local hard drive, but increasingly need to access data stored by web services.

All early technologies face criticism based on current trends and dominant behaviors, and OpenID is no different. At one time, people didn’t grok sending email between different services (in fact, you couldn’t). At one time, people didn’t grok IMing their AOL buddies using Google Talk (in fact, you couldn’t). At one time, you had one computer and your browser stored all of your passwords on the client-side (this is basically where we are today) and at one time, people accessed their photos, videos, and documents locally on their desktop (as is still the case for most people).

Cloud computing represents a shift in how people access and share data. Already, people rely less and less on physical media to store data and more and more on internet-based web services.

As a consequence, people will need a mechanism for referencing their data and services as convenient as the c: prompt. An OpenID, therefore, should become the referent people use to indicate where their data is “stored”.

An OpenID is not just about identification and blog comments; nor is it about reducing the number of passwords you have (that’s a by-product of user-centered design). Consider:

  • if I ask you where your photos are, you could say Flickr, and then prove it, because Flickr supports OpenID.
  • if I ask you where friends are, you might say MySpace, and then prove it, because MySpace will support OpenID.
  • if you host your own blog or website, you will be able to provide your address and then prove it, because you are OpenID-enabled.

The long-term benefit of OpenID is being able to refer to all the facets of your online identity and data sources with one handy — ideally memorable — web-friendly identifier. Rather than relying on my email addresses alone to identify myself, I would use my OpenIDs, and link to all the things that represent me online: from my resume to my photos to my current projects to my friends, web services and so on.

The big picture of cloud computing points to OpenIDs simplifying how people access, share and connect data to people and services.


Security

I’ve heard many people complain that if your OpenID gets hacked, then you’re screwed. They claim that it’s like putting all your eggs in one basket.

But that’s really no different than your email account getting hacked. Since your email address is used to reset your password, any or all of your accounts could have their passwords reset and changed; worse, the password and the account email address could be changed, locking you out completely.

At minimum, OpenID is no worse than the status quo.

At best, combined with OAuth, third-parties never need your account password, defeating the password anti-pattern and providing a more secure way to share your data.

Furthermore, because securing your OpenID is outside of the purview of the spec, you can choose an OpenID provider (or set up your own) with a level of security that fits your needs. So while many OpenID providers currently stick with the traditional username and password combo, others offer more sophisticated approaches, from client-side certificates and hardware keys to biometrics and image-based password shields (as in the case of my employer, Vidoop).

One added benefit of OpenID is the ability to audit and manage access to your account, just as you do with a credit card account. This means that you have a record of every time someone (hopefully you!) signs in to one of your accounts with your OpenID, as well as how frequently sign-ins occur, from which IP addresses and on what devices. From a security perspective, this is a major advantage over basic usernames and passwords, as collecting this information from each service provider would prove inconvenient and time-consuming, if even possible.
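The audit described above, sketched as an added example that is not part of the original post: because the provider sees sign-ins to every relying party, one log can be summarized per site and checked against a baseline built across all of them. The record layout, field order and sample values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (timestamp, relying party, source IP, device).
# The layout is an assumption; IPs come from documentation ranges.
SIGNINS = [
    ("2008-12-01T09:02:11", "https://photos.example/", "198.51.100.7", "Firefox/Mac"),
    ("2008-12-01T09:05:40", "https://blog.example/", "198.51.100.7", "Firefox/Mac"),
    ("2008-12-02T18:30:02", "https://photos.example/", "198.51.100.7", "Safari/iPhone"),
    ("2008-12-03T03:14:55", "https://bank.example/", "203.0.113.99", "IE/Windows"),
    ("2008-12-03T08:47:19", "https://blog.example/", "198.51.100.7", "Firefox/Mac"),
]


def summarize(signins):
    """Per relying party: sign-in count, first/last time, IPs and devices seen."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                   "ips": set(), "devices": set()})
    for ts, rp, ip, device in sorted(signins):
        when = datetime.fromisoformat(ts)
        entry = summary[rp]
        entry["count"] += 1
        entry["first"] = entry["first"] or when
        entry["last"] = when
        entry["ips"].add(ip)
        entry["devices"].add(device)
    return dict(summary)


def flag_unfamiliar(signins):
    """Flag sign-ins whose IP and device are both new for this identity.

    The first sign-in only seeds the baseline, which is shared across all
    relying parties because the provider records every one of them.
    """
    seen_ips, seen_devices, seen_rps, alerts = set(), set(), set(), []
    for ts, rp, ip, device in sorted(signins):
        reasons = []
        if seen_ips and ip not in seen_ips:
            reasons.append("new IP")
        if seen_devices and device not in seen_devices:
            reasons.append("new device")
        if seen_rps and rp not in seen_rps:
            reasons.append("new relying party")
        # A new device on a known IP (or the reverse) is routine; alert only
        # when both are unfamiliar at once.
        if "new IP" in reasons and "new device" in reasons:
            alerts.append({"time": ts, "relying_party": rp, "ip": ip,
                           "device": device, "reasons": reasons})
        seen_ips.add(ip)
        seen_devices.add(device)
        seen_rps.add(rp)
    return alerts


if __name__ == "__main__":
    for alert in flag_unfamiliar(SIGNINS):
        print(alert["time"], alert["relying_party"], ", ".join(alert["reasons"]))
```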

Given this benefit, it’s worth considering that identity technologies are being pushed on the government. If you’re worried about putting all your eggs in one basket, would you think differently if the government owned that basket?

OpenID won’t force anyone to change their current behavior, certainly not right away. But wouldn’t it be better to have the option to choose an alternative way to secure your accounts if you wanted it? OpenID starts with the status quo and, coupled with OAuth, provides an opportunity to make things better.

We’re not going to make online computing more secure overnight, but it seems like a prudent place to start.


Personal agency for web citizens

Looking over the landscape of existing social software applications, I see very few (if any) that could not be enhanced by OpenID support.

OpenID is a cornerstone technology of the emerging social web, and adds value anywhere users have profiles, accounts or need access to remote data.

Historically, we’ve seen similar attempts at providing a universal login account. Microsoft even got the name right with “Passport”, but screwed up the network model. Any identity system, if it’s going to succeed on the open web, needs to be designed with user choice at its core, in order to facilitate marketplace competition. A single-origin federated identity network will always fail on the internet (as Joseph Smarr and John McCrea like to say of Facebook Connect: We’ve seen this movie before).

As such, selecting an identity provider should not be relegated to a default choice. Where you come from (what I call provenance) has meaning.

For example, if you connect to a service using your Facebook account, the relying party can presume that the profile information that Facebook supplies will be authentic, since Facebook works hard to ferret out fake accounts from its network (unlike MySpace). Similarly, signing in with a Google Account provides a verified email address.

Just like the issuing country of your passport may say something about you to the immigration official reviewing your documents, the OpenID provider that you use may also say something about you to the relying party that you’re signing in to. It is therefore critical that people make an informed choice about who provides (and protects) their identity online, and that the enabling technologies are built with the option for individuals to vouch for themselves.

In the network model where anyone can host their own independent OpenID (just like anyone can set up their own email server), competition may thrive. Where competition thrives, an ecosystem may arise, developed under the rubric of market dynamics and Darwinian survivalism. And in this model, the individual is at the center, rather than the services he or she uses.

This is the citizen-centric model of the web, and each of us is a sovereign citizen of the web. Since I define and host my own identity, I do not need to worry about services like Pownce being sold or I Want Sandy users left wanting. I have choice, I have bargaining power, and I have agency, and this is critical to the viability of the social web at scale.


Final words

OpenID is not overrated, it’s just early. We’re just getting started with writing the rules of social software on the web, and we’ve got a lot of bad habits to correct.

As cloud computing goes mainstream (evidenced in part by the growing popularity of Netbooks this holiday season!), we’re going to need a consumer-facing technology and brand like OpenID to help unify this new, more virtualized world, in order to make it universally accessible.

Fortunately, as we stack more and more technologies and services on our OpenIDs, we can independently innovate the security layer, developing increasingly sophisticated solutions as necessary to make sure that only the right people have access to our accounts and our data.

It is with these changes that we must evaluate OpenID — not as a technology for 2008’s problems — but as a formative building block for 2009 and the future of the social web.

I’m joining Vidoop to work on DiSo full time

Twitter / Scott Kveton: w00t! @factoryjoe and @willnorris joining Vidoop ... :-) http://twurl.cc/18g

Well, Twitter, along with Marshall and his post on ReadWriteWeb, beat me to it, but I’m pretty excited to announce that, yes, I am joining Vidoop, along with Will Norris, to work full time on the DiSo (distributed social) Project.

For quite some time I’ve wanted to get the chance to get back to focusing on the work that I started with Flock — and that I’ve continued, more or less, with my involvement and advocacy of projects like microformats, OpenID and OAuth. These projects don’t accidentally relate to people using technology to behave socially: they exist to make it easier, and better, for people to use the web (and related technologies) to connect with one another safely, confidently, and without the need to sign up with any particular network just to talk to their friends and people that they care about.

The reality is that people have long been able to connect to one another using technology — what was the first telegraph transmission if not the earliest poke heard round the world? The problem that we have today is that, with the proliferation of fairly large, non-interoperable social networks, it’s not as easy as email or telephones have been to connect to people, and so, the next generation of social networks are invariably going to need to make the process of connecting over the divides easier, safer and with less friction if people really are going to, as expected, continue to increase their use of the web for communication and social interaction.

So what is the DiSo Project?

The DiSo Project has humble roots. Basically Steve Ivy and I started hacking on a plugin that I’d written that added hcards to your contact list or blogroll. It was really stupidly simple, but when we combined it with Will Norris’ OpenID plugin, we realized that we were on to something — since contact lists were already represented as URLs, we now had a way to verify whether the person who ostensibly owned one of those URLs was leaving a comment, or signing in, and we could thereby add new features, expose private content or any number of other interesting social networking-like things!
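The contact check described above, as an added example in Python rather than the DiSo plugins' own code: the identifier that an OpenID library returns after a successful, verified sign-in is normalized and compared for exact equality with each contact URL, so a different scheme, a look-alike host or a deeper path does not count as a match. The function names and contact list are hypothetical, the normalization is a simplified take on OpenID 2.0's rules, and only URL identifiers are handled.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed blogroll: contact name -> URL as the site owner typed it.
CONTACTS = {
    "Steve": "http://steve.example/",
    "Will": "https://will.example",
    "Stephen": "Blog.Example/~stephen#me",
}


def normalize_identifier(value):
    """Simplified URL normalization: default scheme, lowercase host,
    no default port, "/" for an empty path, fragment removed."""
    value = value.strip()
    if not value.lower().startswith(("http://", "https://")):
        value = "http://" + value
    parts = urlsplit(value)
    host = parts.hostname or ""
    if not host:
        raise ValueError("identifier has no host")
    netloc = host
    if parts.port and parts.port != DEFAULT_PORTS[parts.scheme]:
        netloc = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


def match_contact(verified_identifier, contacts):
    """Return the contact whose URL equals the verified identifier, else None.

    Assumption: verified_identifier is the claimed identifier from a
    completed OpenID verification, never the raw text typed into a form.
    """
    claimed = normalize_identifier(verified_identifier)
    for name, url in contacts.items():
        # Exact equality after normalization; no prefix or substring matching.
        if normalize_identifier(url) == claimed:
            return name
    return None


if __name__ == "__main__":
    for candidate in ("https://will.example/", "http://will.example/",
                      "http://steve.example.lookalike.test/"):
        print(candidate, "->", match_contact(candidate, CONTACTS))
```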

This led me to start “sketching” ideas for WordPress plugins that would be useful in a distributed social network, and eventually Steve came up with the name, registered the domain, and we were off!

Since then, Stephen Paul Weber has jumped in and released additional plugins for OAuth, XRDS-Simple, actionstreams and profile import, and this was when the project was just a side project.

What’s this mean?

Working full time on this means that Will and I should be able to make much more progress, much more quickly, and to work with other projects and representatives from efforts like Drupal, BuddyPress and MovableType to get interop happening (eventually) between each project’s implementation.

Will and I will eventually be setting up an office in San Francisco, likely a shared office space (hybrid coworking), so if you’re a small company looking for a space in the city, let’s talk.

Meanwhile, if you want to know more about DiSo in particular, you should probably just check out the interview I did with myself about DiSo to get caught up to speed.

. . .

I’ll probably post more details later on, but for now I’m stoked to have the opportunity to work with a really talented and energized group of folks to work on the social layer of the open web.

Citizen Garden #6 on site-specific browsers featuring Jon Crosby and Todd Ditchendorf

I’m not sure if I’ve mentioned it here before, but Larry Halff (Ma.gnolia) and I have been recording a series of podcasts with a bunch of interesting folks on topics ranging from data portability to data interop and authorization patterns to API-driven web services.

The intended audience of this podcast is really us, since it came out of lunches that Larry and I were having at Out the Door in downtown San Francisco. We realized that, while a lot of what we were talking about might be interesting to a wider audience, more importantly, starting a podcast of our conversations would give us a great pretext to invite folks who are inspiring us with their work to come out for some daikon cakes and Vietnamese ice coffee (following in the steps of Peter Rukavina et al’s Live from the Formosa Tea House podcast of course).

This past week, Larry and I brought together Todd Ditchendorf of Fluid.app and Jon Crosby of and recently to discuss site-specific browsers and related trends in cloud computing.

Obviously the question looms large about the competition between the open web, Adobe’s AIR platform and Microsoft’s Silverlight framework. With both Adobe and Microsoft jockeying for supreme “open” status with their platforms, we need to start asking the question differently: it’s no longer about whether a platform is “open”, but who controls its features, its priorities, and to what degree it facilitates interoperability by supporting industry-wide non-proprietary standards. Of course there’s always going to be proprietary development leading the way ahead of open development, and that’s fine. The difference, however, is that efforts like Mozilla’s , Todd’s Fluid.app and Jon’s Kloudkit give us completely open stacks for implementing a lot of compelling ideas and features using tools and technologies without having to pick a corporate partner. They also provide us with the flexibility to innovate independently and see which ideas stick, while also pushing and pulling on the future of browser technology directly.

In any case, you should probably just listen to this episode and let us know what you think.

If you want to subscribe to Citizen Garden, you can listen in iTunes, grab our feed or follow Citizen Garden on Twitter.

Thoughts on Mozilla

You can now directly download the video or the audio.

Spurred by a conversation I had today, I thought I’d post some wide-ranging and very rough thoughts on Mozilla. They’re pretty raw and uncensored, and I go for about 50 minutes, but it might be somewhat thought-provoking. At the least, I’d love to hear your thoughts — in agreement or vehement disagreement. Educate me!

And, here are the basic notes I was working from:

  1. the future of the web: silverlight, apollo, JavaFX — where are you?? where’s mozilla’s platform for the future?
  2. build tools. xul tools are in the crapper. look at webkit and xcode.
  3. dump spreadfirefox; get your focus back. power to the people — not more centralization. where’s the college teams? run it like a presidential but stop asking for donations. events, mash pits… MozCamps… whatever… I know something is happening in Japan with Joi Ito… but that’s about all I know about.
  4. outreach… mitchell is out there… but i feel like, with all due respect, she’s too coy… i think segolene royale — who recently lost the french election set a very good example.
  5. and, the press have no idea what mozilla is up to… where the money’s going… there’s work and a roadmap for FF3… but it’s all about FF3.
  6. joe six pack is not your audience. look at africa, non-profits, international audiences. green audiences. MozillaWifi… work with Meraki networks! Firefox + Wifi in a box. Bring the web to everyone stop being a browser company.
  7. Mozilla the platform… stop thinking of yourself as a browser company. stop competing with flock. start promoting platform uses of mozilla and treat these folks like GOLD! think of joost and songbird. as Microsoft has done, build an ecosystem of Firefox browsers…! And build the platform of support to nurture them. Make it possible for people to build sustainable businesses on top of Mozilla… provide all that infrastructure and support!
  8. CivicForge… like an ethical Cambrian House… the new sourceforge that works for non-developers… where’s the mozilla social network? sure they’re on Facebook, but it feels like a chore.
  9. leadership opportunities… Boxely… microformats… openid…. start prepping web designers for HTML5 if that’s the future.
  10. IE has caught up in the basics. They have tabs. They fixed popups and spyware. Firefox as an idea can sell; as a browser, not so much.
  11. Browsers are dead. They’re not interesting. Back to Joe Six Pack… he doesn’t care about browsers. He’ll use whatever is pre-installed. Need to get Firefox on Dells.. on Ubuntu… on the Mac. Songbird too. OEM for Joe Six Pack.
  12. Browsers are a commodity. People are happy with Safari, Firefox 2 and IE7. What comes next goes beyond the browser — again, Adobe, Microsoft and Sun are all betting on this.
  13. mobile. minimo is used by whom?
  14. Firefox as a flag — as a sports team… rah… rah! where’s the rebel yell? where’s the risk? where’s the backbone? Why can’t Firefox stand for more than web standards and safety? I don’t think Mozilla can afford to be reluctant or to pull any punches. They need to come out swinging every time. And be New York’s Babe Ruth to IE’s Boston Red Sox.
  15. open source is immortal; it’s time that mozilla started acting open source. at this point what DON’T they have to lose? the world is not the world of 2005. i want to know what the mozilla of 2010 looks like. where’s blake ross? where’s parakey? where’s joe hewitt? where’s dave barron? there’s so much talent at mozilla… are things really happening? thank god kaply is in charge of microformats now. (but, firefox is NOT an information broker!)
  16. lastly… great hope for the future of firefox, despite what sounds like negative commentary.

Coworking survey and vote on the Net Squared Innovation Fund

I don’t normally cross-post, but seeing as how my blogs are starting to converge a bit, I don’t mind throwing this one in there…

First, Tara’s been collecting survey data on coworking trends — as well as what common experiences, expectations and desires are. We’ve received about 50 responses so far and would love to have more — especially from the LifeHacker and WebWorkerDaily communities.

If you’re interested, come fill out the survey, shouldn’t take more than a few minutes, and we’ll be sharing the data with everyone at the end.

Second, I just blogged over on Citizen Agency about getting your vote out for the Net Squared Innovation Fund. We’re donating a good chunk of consulting time to the effort to help equip non-profits with the skills, technology and “2.0 know-how” that they need to stay competitive and be even more effective in their advocacy using modern tools.

I invite you to read through and familiarize yourself with the slate of proposals that are all in the running for a chunk of the $100,000 that’s been set aside specifically for 20 community-selected projects and then go vote!

Oh, and if you’re in the area tomorrow night, we’re hosting Gina Bianchini, the co-founder and CEO of Ning and Benjamin Rattray the CEO of Change.org at Net Tuesday on the topic of “How Nonprofits Can Use and Build Online Social Networks: Change.org and Ning at Net Tuesday”, starting at 6pm at Citizen Space. Should be an excellent event.

MacWorld events and Citizen Central

A bunch of upcoming events this week during MacWorld… many at Citizen Space, our coworking space. As usual, you can add these events to your calendar by clicking here.

Bonus next month:

Oh, and don’t forget to use Twitter to catalog your exploits by prepending your messages with macworld! Let’s annoy Buzz!