- by the people, for the people!


Users and Groups

Well, it's been several months since I wrote the last post, and I have built a lot. In fact, I've already built a distributed social networking system that lets users sign up and publish various streams. I've also trained two developers in my framework and we'll be working together to finish this up and launch a basic version.

Well, the system is not ready for prime time yet. We still need to implement groups and finalize a protocol for the various publishers to be able to talk to each other. But along the way, there were many innovations, some of which led to patents.

First of all, a distributed system should decouple authentication from authorization. Authentication is a system by which we can tell that we are really dealing with the person we think we are. For that, we usually used a centralized system with a centralized namespace. (For example, the DNS system or certificate-issuing authorities, for https:// urls). When you care about peace of mind, you want to know that your bank's website is really being hosted by your bank.

On the other hand, once you have authenticated yourself with a publisher of streams, there is no reason why you must consume those streams through a centralized hub. In fact, you should be able to come back and re-authenticate yourself without having to connect to the central hub, since you can now use a certificate that the publisher has issued to you when you first logged in.

In fact, I've designed a system where you can deal with as many publishers as you want with only one set of credentials, and no one will be able to impersonate you. OAuth is already a step in the right direction, but it still relies on constantly authenticating with some centralized service in order to authorize it to release your data. If you and host own your data, you should not need to ask any external service to release it. The freemeet protocol has a similar interface to OAuth, with login in a pop-up window, except that login is more like *you* authorizing the publisher to access your streams (such as your name, etc.) With freemeet, no one has access to your data, except you, your host, and the freemeet users you have authorized.

Having built the system for users to sign up, host various streams, and invite other users, I am ready to begin building group capabilities. Since freemeet is a distributed platform, this proved to be a formidable design task. Who will host a group? How would messages be distributed? What about group privileges, privacy and so forth?

I am happy to say I was able to overcome these challenges and, in my opinion, design something truly ambitious. Groups, like many other things on freemeet, are built using streams that people subscribe to. They may be hosted by a particular publisher (such as freemeet.com) or no one at all, in which case the group is actually a resilient, decentralized entity that people can join and leave, but not delete. People in a group can work together on documents, calendars, chat together and much more. They can invite other people to join the group, and all of this works even if some users suddenly decide to host their accounts somewhere else. Freemeet groups will work with your email address, as well as your mobile phone.

In the meantime, facebook has been in the news once again for more privacy decisions. They rolled out a groups feature of their own, except they allowed anyone to add you to the group, the same way they already allow anyone to tag you in a note or facebook photo. The problem with this is, of course, that you can be tagged in compromising photos or added to compromising groups, and remain there until you un-tag yourself. Facebook's ideas are good, but I sometimes think they are too eager to make things viral. They already have 500 million users -- it's time to make things good and useful, not childish virality. They call it "more open and connected", but it sometimes seems irresponsible when a better alternative is available.

In this particular case, facebook could have done way better. Ask yourself: how come letting friends tag you in photos doesn't feel so bad as letting friends let everyone know where you are using Places? Well, for one, places has to do with the real world. But I think there's a more subtle reason here: you will remain tagged until you un-tag yourself. Your location moves all the time, but your presence in photos remains static. Therefore, you feel like you can eventually un-tag yourself in a photo, but since you move around all the time, you don't want to keep un-tagging yourself all the time.

When you get invited to a group on freemeet and visit it, you will get added to its member list, but there's a subtle difference: you won't get added to it until you follow the invite. If you want to leave, you will have only been there a second -- hardly enough time for anyone to do anything about it. You shouldn't be automatically added to a group you've never seen seen, since the responsibility is then on you to constantly un-add yourself.

It's little touches like this that I hope will make freemeet as pleasant to use as possible. They are actually side effects of freemeet's design focus -- to provide the maximum usefulness to people, deliver to them exactly the information they want, and help them share exactly what they want, with who they want. The controls should be simple and expressive enough so that you can focus on what you want to do, rather than how to do it. They should learn your preferences from your past actions and present intelligent suggestions to you next time you do an action. Freemeet will have all this and more. Stay tuned.

The problem of centralization, and its solution.

We've been hearing a lot lately about Facebook's new decisions and the privacy concerns they raise for regular people and even their governments. Several politicians have brought up questions about the general direction things are headed. Debates have raged back and forth whether online privacy is reasonable to expect when you're sharing with your friends. Some bloggers have come out in defense of facebook, and many believe that once you join everyone else online in social networking, you've basically forfeited the right to "own" the data you post online. Pete Cashmore from Mashable, for example, says: "true, facebook should have communicated better" but "to believe that information on Facebook or other social networks is inherently private or 'yours' is just wrong." Privacy concerns have never been an issue for Twitter because tweets were always public by default. Facebook, on the other hand, pulled what many feel to have been a bait-and-switch. There was a time when it was proud to be the network where most users entered their real name. That time is quickly fading.

This touches upon a core issue with today's internet, of which privacy is merely a symptom. Sure, privacy is important , but there is a greater issue at stake here, that is getting lost in all the debating. That issue is the centralization of power and responsibility.

The internet we know today has an interesting history. It was originally designed to be a decentralized network of computers, with no single point of failure. Take out one part, and the rest continues to function. But in the last 5-10 years, we have had an interesting phenomenon. Websites and companies that offered new kinds of services have gained massive user bases, and all the traffic, and the power, is right now being centralized in their hands.

In the early days, this was fairly innocuous. Google was a great search engine, so more and more people used it. Eventually, if you had a typical website, most of your traffic probably came from google, and if they ever decided to blacklist your site, your traffic would drop like a stone. Thus, in a very real sense, google had most website publishers by the proverbial balls -- but never the users. If I didn't like google as a user, I could easily switch to an alternative, like Yahoo or Bing. This was easy to do because the internet already had a decentralized system of navigating websites. Accessing yahoo was just as easy as accessing google.

Fast-forward to today. We are in a brave new world where giant, centralized social networks connect users and other users. Let's take a sober look at the implications of this. To see my friends' private photos, I would have to be a member of the network. After all, the photos aren't being shared publicly. In order to see that album from our last party, I'd have to participate in facebook. And this would be true not just for photos but any other types of social communication -- messages, invitations, notes (facebook's version of blogs), etc. These networks are walled gardens, that have to build features that already exist elsewhere. "Notes" is facebook's version of blogging, for example.

Why can this be a problem? There are many reasons. For one thing, if the service is down , I can't get updates from any of my own friends. This has happened so often with Twitter that "fail whale" became a famous phrase. When Twitter is down, you can't tweet and you can't get tweets from anyone you're following. Sure, Twitter needs a giant infrastructure that handles millions of people reading and writing to the system. But that's precisely because it's centralized. It would be silly to imagine a company that hosts everyone's email, and when their server farms are overloaded, no one in the entire world can send email to each other, even if they are down the hall.

Without a de-centralized alternative, we become completely dependent on these networks. Even with a way to export the data, leaving the network means leaving our friends and contacts behind. It's hard to get all your friends to move over to something else, so the peer pressure is on everyone to stay. Some people would say, "if you don't like it, don't use it" -- but the fact is, not using it carries a higher and higher cost every year. Just like the frog in the frying pan where the heat is being turned up ever so slightly, eventually you realize you're caught. If facebook asked you tomorrow to pay $1 a month for its services, how many of you would be willing to walk away and never see your friends' photos and updates again?

Another big problem is what everyone is currently talking about: privacy. To be fair, many large companies like Google and Yahoo try to be very careful with their users' data, and build tools that respect users' privacy. For example, Yahoo joined the OpenSocial, OAuth and OpenID initiatives but built extra safeguards (called "scopes") to make privacy work the way Yahoo users expect it to work. And I believe that facebook is also trying to balance user privacy with its ambitions to be the biggest social hub in the world and push the envelope. They've seen twitter and they decided that public content is good for them (more traffic, more money, indexing all around the web). So they are pushing their agenda so enthusiastically, they forgot to ask a large number of users whether they find the new privacy controls easy to use or even desirable. This could have easily been done with actual user testing. As the New York Times points out, facebook rolled out its new changes while its privacy policy is longer than the US constitution, and its privacy settings require a bewildering array of clicks to set up the privacy that most people desire.

Whether you agree or not with facebook's decisions -- and it is clear many people don't -- the fact remains that it is ONE company in charge of all our social data that we entrust to it. It's also a company interested in generating profits for all of its stakeholders, and it plans to stay ahead by pushing the envelope all the time. When it comes to us, though, our friendships are what's real. The site is just supposed to be a tool. But because we don't have an alternative, we are forced to go along with whatever it plans to do.

Facebook is super excited about its plans, though, as it has decided to go from merely being the world's largest social network, to also gaining as large a presence as possible on the web, through its "like" buttons and other "social plugins" that website publishers can place on their pages. Pretty soon, it won't only be facebook users that are tied into the system, but also most internet publishers who are dependent on traffic from all its 500M+ users. Already, it doesn't make much sense these days for a startup to make a site without letting people sign up with facebook and share the site with their "friends". Five years from now, the internet may very well be to a large extent facebook's world, and we'll just live in it. If facebook wants to compete with what your site does, they can kill it in an instant. Twitter has already announced their intention to compete with their ecosystem at their recent Chirp conference, disappointing many developers. They can certainly do this, because they own the platform. And even if you could take your data and run -- which you can -- where would you go?

The problem, in a nutshell, is that there is no de-centralized alternative for social networking, with its mix of public and private streams and updates, like there is for the older internet technologies like HTTP websites, email, and many others. We have been using these technologies reliably for years, and are not beholden to the whims of one company. This is made possible through common protocols (HTTP, SSL, TLS for websites, SMTP, POP and IMAP for email) and standards: (HTML, JSON, MIME, and so forth). That is what we need for social networking. Now some people are starting up efforts to build such a system , but we will have to wait and see what they'll come out with.

Imagine a different world 5 years from now, one where de-centralized standards for streams have been invented. First of all, people would be able to host their own profile, just like they host public blogs today. They could customize its appearance and download plugins that would enhance its operation. They would have ONE identity, which they host themselves, as opposed to dozens of accounts on different sites (youtube, facebook, flickr, bebo, myspace, etc.) From this place, they could authorize who can see the information they hosted, through a standard "stream" mechanism. For example, their relationship status would be a stream. Their name would be a stream that probably never changes. Their phone number could be a private stream that only some could see. When they update it, all the subscribers would get informed of the change -- so phone numbers would always be up-to-date. Friends visiting my profile be able to request access to my private streams, by clicking a button I placed such as "be my friend", or custom ones like "see where I am when I update my location". I would have full control over exactly what I grant to whom. Streams I would designate as being public would be very similar to RSS feeds and Twitter today. You'd still get updates, but I wouldn't have to approve your subscription.

In this scenario, we'd also solve the other big problem on the internet -- the problem of SPAM. By specifically subscribing to what you want to hear, you won't be inundated with a ton of "news" you don't care about. Just because I friend someone on facebook doesn't mean I am interested in the sheep they have grown in farmville. If my friend wants to send me a specific request to join farmville, that's one thing. But I don't want to have to listen to all the public/private/whatever streams someone is producing just because I "friended" them. I want control as a consumer of information over what I subscribe to, and what I get to hear. The decentralized streaming system would make this possible. It would be more than just for social networking. It would be a new layer for the web, a common standard that lets users subscribe to public and private streams from publishers, and lets publishers control who gets access to what. In fact, this model could also be used for publishers to offer paid subscriptions and actually make money off their streams, using it to cover the cost of producing and hosting the information -- something you can't do right now with your data on facebook, twitter, or anywhere else. That might also be an interesting solution for the newspaper and magazine industry.

Gregory Magarshak © 2011

Until freemeet launches, I'll just let facebook and twitter do their thing: