Diaspora Part Two

Published on Friday, May 28th 2010. Edited by Rat Outzipape.

Comparison With The Wider Technical Community
Does the Proposed Service Conflict with Existing Popular Services?
The 'Diaspora' System in a nutshell
The last point made by Danah Boyd, about control over information flow, is a truism. But a service that concentrates on addressing the question of how to control information flow is certainly different from what we have at the moment.
In terms of design philosophy, it does conflict with what is offered at the moment. As such a system evolves (as a result of user feedback, however generated) this will become increasingly apparent. I believe that the defaults of Diaspora will revert to what was the norm prior to intense targeted marketing.
I assume the goal is to give the user control over each piece of data or communication: to expand, contract or remove access, and to edit, version or delete it as ownership and system constraints allow, whether the data flows to the individual or from the individual.
There are three distinct points of departure from Facebook in the envisaged architecture of Diaspora.
1. Facebook could not offer full security of the type possible with Diaspora; its architecture probably would not sustain this, or would do so only with difficulty.
2. Another consequence of the Facebook architecture is that a huge amount of traffic goes through the same domain. This means that each Facebook profile has no autonomy apart from through the Facebook super domain. This is both a network issue (I understand that it is technically 'unhealthy', but lack details for this assertion) and a contradiction of one of the basic principles of the design of the internet: that each item (page) has a transparent and reliable identifying address (URL). This second point is a bit technical. It pertains to the ease with which Facebook may exchange data with other applications (while also respecting defined privacy).
This is not possible with Facebook, while I expect it will be intrinsic to Diaspora.
3. The Diaspora architecture is intrinsically less expensive to maintain. Without the centralised architecture there is no need to create such massive revenue streams to maintain and show profit from infrastructure.
The Wider Technical Community
W3C Initiatives
Casting our net for further guidance, the W3C has several initiatives in the area we are interested in. Parts of most of their work intersect with our concerns.
It should be noted that, to my knowledge, W3C work is not based on 'customer' surveys.
W3C is well named: it is a fee-paying consortium. It is based on polling interested parties, usually those from academia and industry who can give sufficient sponsorship to individuals to carry them through the writing and presentation to conference of papers, and to steer recommendations through the different stages to acceptance.
However, for our purposes, the consortia structure works in reverse: We can use what surfaces in W3C as a measure of the concerns of different types of internet user.
It is also important to note that W3C has a huge reputation but does not have any legal powers to impose recommendations or standards. W3C makes recommendations on the basis of consensual committee agreements (however achieved; there may be a voting system for those with a registered interest). Sometimes those recommendations languish, or are ignored by the wider technical community. (This has happened often, providing some noteworthy historical cases.)
One point to be made here is that, to my knowledge, in the UK, one of the largest users of IT that also actually intersects with much of W3C work, the UK Government, has not introduced a programme of evaluation and adoption as a series of contractual obligations with its suppliers.
In other words, W3C can be circumvented in the implementation domain on a grand scale. As I will show later, when discussing the lack of standards that apply to the information domain, the behaviour of government as an influential lead body does have an impact on us.
W3C has done a lot of work in the areas of privacy, Intellectual Property (that is, concerning patents of solutions presented to W3C, which are licensed on royalty-free terms imposed on members of working groups), DRM, policy management and others.
Here I am going to narrow down my exploration by concentrating on one authentication and trust framework solution called FOAF+SSL. This technique has been extensively researched by the Social Web Architect, Henry Story. I build out from this, mentioning how it contrasts with other different proposals and measures.
I explain this in the section Architectural Objectives below.
The W3C Work on Privacy
P3P is the Platform for Privacy Preferences; do not confuse it with p2p, which is Peer to Peer networking, also mentioned in these posts.
What follows is quoted from these materials:- The Platform for Privacy Preferences 1.0 (P3P1.0) Specification, 2002-04-16, and the associated Group Notes.
P3P really has become the mechanism by which web sites inform their users of how they use or intend to use their data. It has come to be restricted to the policy on sharing user addresses with other parties and so forth, but its original intention was much broader in scope.
From The Platform for Privacy Preferences 1.1 (P3P1.1) Specification :-
1. Introduction
The Platform for Privacy Preferences Project (P3P) enables Web sites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit.
In Looking Back at P3P: Lessons for the Future, November 11, 2009, Ari Schwartz from The Centre for Democracy and Technology says:-
Although P3P provides a technical mechanism for ensuring that users can be informed about privacy policies before they release personal information, it does not provide a technical mechanism for making sure sites act according to their policies. Products implementing this specification MAY provide some assistance in that regard, but that is up to specific implementations and outside the scope of this specification. However, P3P is complementary to laws and self-regulatory programs that can provide enforcement mechanisms. In addition, P3P does not include mechanisms for transferring data or for securing personal data in transit or storage. P3P may be built into tools designed to facilitate data transfer. These tools should include appropriate security safeguards.
The following shows part of the W3C specification definition and its modification by a later note:-
1.1 The P3P 1.1 Specification
The P3P1.1 specification defines the syntax and semantics of P3P privacy policies, and the mechanisms for associating policies with Web resources. P3P policies consist of statements made using the P3P vocabulary for expressing privacy practices. P3P policies also reference elements of the P3P base data schema -- a standard set of data elements that all P3P user agents should be aware of. The P3P specification includes a mechanism for defining new data elements and data sets, and a simple mechanism that allows for extensions to the P3P vocabulary.
1.1.1 Goals and Capabilities of P3P 1.1
P3P version 1.0 is a protocol designed to inform Web users about the data-collection practices of Web sites. It provides a way for a Web site to encode its data-collection and data-use practices in a machine-readable XML format known as a P3P policy. The P3P specification defines:
* A standard schema for data a Web site may wish to collect, known as the "P3P base data schema" (5.5)
* A standard set of uses, recipients, data categories, and other privacy disclosures
* An XML format for expressing a privacy policy
* A means of associating privacy policies with Web pages or sites, and cookies
* A mechanism for transporting P3P policies over HTTP
The goal of P3P is twofold. First, it allows Web sites to present their data-collection practices in a standardized, machine-readable, easy-to-locate manner. Second, it enables Web users to understand what data will be collected by sites they visit, how that data will be used, and what data/uses they may "opt-out" of or "opt-in" to.
From P3P Specification Note
The W3C Work on Privacy
Privacy Bird
This is a W3C tool used to filter browsing of other web sites; it is a filter of information coming in, not of user information going out:-
The Privacy Bird will help Internet users stay informed about how information they provide to Web sites could be used. The tool automatically searches for privacy policies at every website you visit. You can tell the software about your privacy concerns, and it will tell you whether each site's policies match your personal privacy preferences by using bird icons.
Privacy Bird
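The P3P passage above lists what a policy encodes (purposes, recipients, retention, data elements) and the Privacy Bird passage describes matching a site's policy against the user's preferences. The following is an added example, not code from the original post, from W3C or from Privacy Bird: a minimal checker that parses a constructed P3P 1.x policy and reports which STATEMENTs conflict with a constructed preference set. The P3P element and attribute names are from the specification's vocabulary; the policy text, the preference set and the function name are assumptions made for illustration.

```python
# Added example (not from the original post or from W3C): a minimal P3P
# policy checker in the spirit of Privacy Bird. It parses a P3P 1.x
# policy and lists the STATEMENTs that conflict with a user's preferences.
# The sample policy and the preference set below are constructed.
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"  # P3P 1.x element namespace

# Constructed sample policy: statement 1 is benign, statement 2 is not.
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="site" discuri="https://www.example.com/privacy.html">
    <STATEMENT>
      <PURPOSE><current/><admin/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
    </STATEMENT>
    <STATEMENT>
      <PURPOSE><contact required="opt-out"/><telemarketing/></PURPOSE>
      <RECIPIENT><unrelated/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP><DATA ref="#user.home-info.telecom.telephone"/></DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>"""

# Constructed preferences: P3P vocabulary terms the user refuses unless the
# site marks the disclosure required="opt-in" (i.e. only with consent).
PREFERENCES = {
    "purpose": {"contact", "telemarketing", "individual-decision"},
    "recipient": {"unrelated", "public"},
    "retention": {"indefinitely"},
}

def check_policy(xml_text, prefs):
    """Return one conflict string per disallowed disclosure, in document order."""
    root = ET.fromstring(xml_text)
    conflicts = []
    for n, stmt in enumerate(root.iter(P3P_NS + "STATEMENT"), start=1):
        data = [d.get("ref") for d in stmt.iter(P3P_NS + "DATA")]
        for section in ("PURPOSE", "RECIPIENT", "RETENTION"):
            parent = stmt.find(P3P_NS + section)
            for el in ([] if parent is None else parent):
                term = el.tag.rsplit("}", 1)[-1]  # drop the namespace prefix
                if el.get("required") == "opt-in":
                    continue  # exercised only with the user's consent
                if term in prefs[section.lower()]:
                    conflicts.append(f"statement {n}: {section.lower()} '{term}' on {data}")
    return conflicts
```

As the quoted CDT text notes, a match of this kind only tells the user what the site claims; nothing in P3P verifies that the site behaves as its policy says.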
The W3C Work on Privacy
Protocol for Web Description Resources (POWDER)
W3C Recommendation 1 September 2009
This recent recommendation has great relevance to our present purpose. The recommendation is the subject of ongoing usage and implementation research. Notice "publication of descriptions of multiple resources", which is essentially a Semantic Web action, and difficult to achieve without using that technology. Facebook, as it is constructed, would find it difficult to comply with this recommendation, and for that reason it is referred to as a walled garden. There is no way of understanding what is inside from outside, nor of accessing it in a consistent manner (despite it being indexed and mined for analytics). Advanced implementations of foaf+ssl, which I am advocating here, are designed exactly for this purpose.
The Protocol for Web Description Resources (POWDER) facilitates the publication of descriptions of multiple resources such as all those available from a Web site. These descriptions are always attributed to a named individual, organization or entity that may or may not be the creator of the described resources. This contrasts with more usual metadata that typically applies to a single resource, such as a specific document's title, which is usually provided by its author.
From POWDER 2009
(Example) Use case
2.1.8 Child protection B
  1. Thomas creates a portal offering what he considers to be terrific content for children. He adds a Description Resource expressing the view that all material available on the portal is suitable for children of all ages.
  2. Independently, a large content classification company, classification.example.org, crawls Thomas's portal and classifies it as being safe for children.
  3. Discovering this, Thomas updates his Description Resource with a link to the relevant entry in the online database operated at classification.example.org.
  4. 5 year old Briana visits the portal. The parental control software installed by her parents notes the presence of the Description Resource and seeks confirmation of the claim that the site is child-safe by following the link to the classification.example.org database, which her parents have deemed trustworthy.
  5. On receiving such confirmation, access is granted and Briana enjoys the content Thomas has created.
From POWDER 2007
0: Danah Boyd
1: FOAF+SSL Alternative Implementation
2: Henry Story
3: P3P 1.1
4: The Centre for Democracy and Technology
5: P3P Specification Note
6: Privacy Bird
7: POWDER 2009
8: POWDER 2007
Adam Saltiel
May 2010