


Social Graph is Plural

“Social Graph” is not just a singular noun.

“The Social Graph” is a popular misnomer that has plagued the social networking portability conversation ever since Brad Fitzpatrick catalyzed the blogosphere with a vision about the Global Social Graph.

But in fact, “The Social Graph” has little real value outside of computer science elegance. Nobody but Big Brother, the TSA, the CIA, and [insert surveillance agency of your jurisdiction here], actually wants that single, monolithic view of all the relationships in the world. That’s The Social Graph.

In contrast, my social graph is hugely valuable to me. Your social graph matters to you. And it might be interesting to discover where our graph (plural) overlap. But neither of us actually cares about The Social Graph.

At the VRM Workshop 2008, here at Harvard’s Berkman Center for Internet and Society, it came out that “social graph” is actually plural.

Like fish.

The Social Graph is a misleading distraction, a handy buzzword we can all slip into our cocktail conversations. But the real value is in the personal, independent social graph we all have. Plural.

If you think about it, that’s the only way you can really make sense of it in our user-centric, user-driven world.

Bandit, Higgins, Open Source, Profit and Novell

At EIC2008 last month, Dale Olds of Novell’s Bandit Project gave me a few minutes and some insight into how Novell (and others) are mixing open source with proprietary software to architect a whole new Identity paradigm online.

I’ve been following the user-centric Identity movement ever since Doc Searls talked me into attending IIW2006b, an unconference. EIC is a classic Enterprise technology sales conference on identity management. The two events couldn’t be more different, even though both have excellent content and are focused on Identity. EIC was all about big business selling to each other, while IIW is all about engineers making user-centric Identity work.

Identity? A lot of you are familiar with the term, but for those who might not know what I mean, I’m talking about how people authenticate themselves for access to online systems. Traditionally based on usernames and passwords, online Identity presents a host of problems, not the least of which is that an individual may have dozens or even hundreds of different usernames and passwords, one for each new web service or corporate LAN accessed. This proliferation is itself a security risk–as people reuse passwords despite the best efforts of zealous IT gurus everywhere. It is also an information management nightmare: how are we supposed to remember all of that? That, in turn, reinforces the problem of reused passwords and of password resets that are, unfortunately, typically insecure. Today’s identity management software provides solutions to this problem, largely through federation and user-centric Identity.

In short, federation is how corporate IT systems rely on other corporate systems–provided by other departments or even other companies–to authenticate your identity and share information about you. It can be used for authentication, or as in the case of Facebook’s Beacon, it can be used to pass on highly sensitive personal data. (Blockbuster is now in a lawsuit over this, which I expect they’ll lose.) As Doc Searls likes to put it, federation is about large companies having safe sex with each other, using your data. You can see how this starts to relate to your offline identity, as bits and pieces of your data trail could be used to build a profile and steal your identity or use it for other nefarious purposes, like spamming you with “targeted” ads.

In contrast, user-centric Identity is an architecture where individuals present the credentials of their choice for authentication at online services. Instead of the vendor-to-vendor systems integration and trust contracts of federation, “Relying Parties” authenticate a visitor by relying on the Identity services of an “Identity Provider” of the visitor’s choice. Relying parties may not accept all ID Providers, but in general, the choice of who authenticates your identity lies with you. Key technologies in this space are OpenID, InfoCards, and a variety of standards from the Liberty Alliance. These are the core of the conversation at IIW.

Of course, you can do federation with a user-centric Identity architecture; that’s not the point. The point is that in the user-centric world, the user is in charge of their identity. Or, as Doc Searls advocates, in the user-driven world, the user is driving the transaction.

So, when I sat down with Dale at EIC, I had already heard about Bandit—I even have the t-shirt—yet, I was wondering how Bandit fit into the whole mash up of technology behind user-centric Identity. I know that OpenID is a URL-based approach for identity that has generated significant traction because it is easy for relying parties to implement and for tech savvy users to use. I also know that Higgins and CardSpace both implement Information Cards, or InfoCards: one an open source, extendable client and server implementation, the other a polished proprietary client app from Microsoft. I even had some inkling of the various protocols created and under development by the Liberty Alliance, who started life as a federation standards group and has embraced user-centric approaches as it builds out its services stack. And I even knew about Sxipper and Vidoop, the first a client application that helps users manage their identity presentation online, whether the online services are user-centric or not, and the latter an Identity Provider with a unique method for verifying that you are you.

But what I didn’t quite get was how Bandit fit into it all. I know they are supporters of Higgins and Information Cards, but is Bandit a client app like Sxipper? A card selector like CardSpace? Is it a server implementation that could be used by companies like Vidoop? Is it open source and if so, how does it fit into Novell’s business model?

Dale was able to make it fairly clear: Bandit is an open source project supported by Novell. Bandit provided the card selector for the Higgins project and participates in OSIS (Open Source Identity Systems), a working group of the Identity Commons comprised of different Identity technology providers working towards interoperability. They also support the soon to be announced InfoCard Foundation, although there have been no official announcements by anyone yet about that particular project. Novell, as a separate entity, is putting engineering and organizational resources into these open source and interoperability efforts because they see a bright future in selling Identity management tools once we get the Internet Identity-enabled.

That’s when the light went on. Bandit is about helping create the entire infrastructure of Identity, the Identity Meta-System, as Kim Cameron calls it. Once that infrastructure is in place, Novell will be able to sell companies a number of tools that make it easy to leverage that infrastructure. As Dale put it, the open source part of this is about enabling Identity: assuring that the basic plumbing and services are present and understood. The subsequent business model is helping companies manage identity, once we have the essential plumbing in place.

Think of it like http and HTML as enabling the world-wide-web, while products like Cold Fusion, IIS, and Drupal help companies manage web services. The web wouldn’t exist without the open source gift from CERN some fifteen years ago, and without that underlying plumbing of protocols and formats, software providers like Netscape, Microsoft, IBM, Sun, and Novell, wouldn’t have made a dollar selling web technologies to anyone. Instead, with a web-enabled world, literally thousands of companies competed to provide web software, making billions of dollars in the process.

Novell sees a similar dynamic with Identity. Clearly, so do Microsoft and Sun, and hundreds of other companies.

So do I. And it looks pretty damn cool from here.

p.s. my apologies for the lack of links and images. I realized I better post this before the real-time world overtakes me. I hope to see a bunch of you at IIW

p.s. bonus link: Doc Searls on vendors bankrolling open source.

Powerset in detail

For those of you who are curious about Powerset’s natural language search, here is an excellent, in-depth presentation (~1 hour 10 min) at the 2007 International Semantic Web Conference by founder & CTO Barney Pell.

Worth watching if next-generation search is on your radar.

The future

Future

But the past was much too cramped!

That about sums it up sometimes, doesn’t it?

Open comment to ICANN on WhoIs changes

If you haven’t already, you might consider reviewing the current proposed ICANN changes to Whois and sending in your comments. Mine follow.

In short, the proposed changes are more than morally questionable, they undermine the core infrastructure that keeps the Internet working.

(Many thanks to Doc Searls for pointing me to this issue.)

Dear ICANN,

I am writing to oppose the proposed changes to WhoIs.

ICANN has always been a technically driven overseer of the DNS and IP infrastructure, shrewdly navigating sometimes contentious waters with reliable continuation of Internet services as its guiding principle. If an action might (or would) reduce the stability of core Internet services such as DNS or the services relying on DNS, such as email and the World Wide Web, then that action was rejected until such stability could be assured. This principle is the reason ICANN deserves its quasi-independent regulator status; decisions made contrary to this interest negate ICANN’s moral authority to administer Internet resources on behalf of the general welfare.

For example, by strictly focusing on this guiding principle, ICANN has managed to isolate the legal issues of trademark disputes from imprudent termination or transfer of domain control. Similarly, ICANN maintains rigorous policies and procedures that all domain registrars must follow at the termination of a registrant’s contract, specifically designed to assure that the current domain owner has every reasonable opportunity to assert their control and maintain a working domain that links to their Internet service.

The move to a limited-disclosure official point of contact is a move in the right direction, but a closer reading of the proposed recommendation suggests it is flawed in its details. The point of WhoIs is to allow for resolution of service quality issues, that is, to allow for a reliable continuation of services. The current recommendation instead creates a route for undesired intervention by interested parties, which can only reduce the quality of services.

Allowing access to unpublished information on the minimal criteria of “reasonable evidence of actionable harm” does nothing to ensure the future stability of Internet services and instead acts as a starting point for several players–whether private or public entities–to begin processes which would seek to interfere with such services. Enabling litigants or law enforcement further means to pursue the registrants in no way increases the stability of the services offered by the registrant and most likely increases the likelihood that such services be–rightly or wrongly–moderated or even terminated. In short, the clear and obvious natural result of the recommendation would be to decrease the stability of Internet services.

Not all services of course, just those that afford intervention because of “reasonable evidence of actionable harm.” However, the judgment of evidence is neither ICANN’s purpose nor its expertise. Most jurisdictions in the world provide appropriate mechanisms for judging evidence against the public welfare. In the United States, that means the courts. Should a private or public entity seek the unpublished information for any registrant, the appropriate route for discovery–assuming the point of contact refuses–is to demonstrate a legally justifiable reason to a judge and thereby secure a subpoena. This process both assures suitable access to otherwise private information /and/ provides appropriate protections against unwarranted searches and seizures. It would be a complete abandonment of its moral authority and a wild assumption of unwarranted power should ICANN seek to enable itself, or its registrars, to act in judgment on evidence of the need for disclosure in the public welfare.

Finally, the potential hope that this system will ultimately make it easier to root out the bad guys fails in the situation where it is most required: the truly bad actors can easily bypass the presentation of their information in the database using any number of shell games, private corporations, and attorneys. By providing streamlined access to unpublished information, ICANN will not be assisting in the prosecution of justice against the worst terrorists and criminals, because such bad actors will avail themselves of one or more of the available workarounds. Instead, ICANN will be assisting public and private entities in the harassment and persecution of domain owners whose interests or activities have become a target of attention, all without suitable due process for those actors to prove in the appropriate venue that such owners should be revealed.

We already see this disparity today, with registrars charging a premium for “anonymous” registrations, which demands additional fees for those who want to protect their identity and personal property from would-be attackers. Clearly, those entities who are sophisticated criminals already avail themselves of these services. Therefore we can reasonably assume that the bulk of the information in Whois is not the world’s most dangerous terrorists, but rather everyday folks… and in the case of criminals, those small time operators who don’t have the wherewithal to protect their identity through one or more layers of anonymous services.

While the idea of a limited-disclosure official point of contact seems to help with this problem, recommendation 2 proactively provides a loophole for the most tenacious and well-funded attackers to pursue their actions against domain name owners. In the end, this can only destabilize those services which come under attack. It will not improve the services for anyone.

Ultimately, it is beyond the purpose and capability of ICANN and its registrars to make judgment on such cases and even more importantly, it is beyond your moral authority to support a scheme of offensive intervention against existing Internet services.  Your role is to act steadfastly in protecting the technical infrastructure underlying the functioning Internet. Anything contrary to that can only be considered an abandonment of your very reason to exist.

As such, I implore you in the strongest possible terms to reject the recommended changes and to retain your fundamental focus on assuring the reliable operation of the infrastructure underlying the Internet.

Sent by email October 25, 2007

Midland Accent

Doc Searls points me to this accent test.

Tells me I’ve got no accent. Hmph.

What American accent do you have?
Your Result: The Midland
 

“You have a Midland accent” is just another way of saying “you don’t have an accent.” You probably are from the Midland (Pennsylvania, southern Ohio, southern Indiana, southern Illinois, and Missouri) but then for all we know you could be from Florida or Charleston or one of those big southern cities like Atlanta or Dallas. You have a good voice for TV and radio.

The West
 
Boston
 
North Central
 
The Inland North
 
The South
 
Philadelphia
 
The Northeast
 
Quiz Created on GoToQuiz

Working for a living…

Thanks Jamie Rubin for a nice little video:
Difficult jobs

My job is always challenging and difficult but it’s nothing compared to what this guy does every day. I have no idea where this video comes from but it’s fascinating.

(via B.L. Ochman)

Two explosions hit San Francisco on Market St near Van Ness

While in a conference call just now, my colleague was summarily ushered out of his building in San Francisco as two small explosions caused white smoke to billow out from manholes on Market Street near Van Ness.  Safety crews are on the scene and it seems to be clearing up.

Thought you might want to know.

New YouTube surfing interface = crack

I thought YouTube was enticing before. But their new super fast, groovy surfing bar takes it to a whole other level…

Check it out in this PSA about posting stuff online:

Talk about sucking my attention away…

Happy New Year!

Greetings and felicitations! Best wishes to everyone for a fabulous, productive, and wildly successful 2007.