Foo Hack » Identity
Isaac Schlueter on Web Development
Tue, 03 Nov 2015 06:34:16 +0000

The Internet is (today) a 16 year old child
Sun, 01 Jun 2008 06:28:43 +0000, Isaac

The web today is in its teenage years.

When you were a baby, you had one name (if even that, as far as you were concerned), and a very small network of people that you knew and trusted completely. Access equals trust for a baby. Identity is not worth thinking about, because it’s so simple. Exploration is everything, and while every step is clumsy and every word garbled, it’s all happening for the first time, so it’s magnificent and beautiful. Meaningful accomplishments happen almost daily, and every advance is huge.

The advent of TCP/IP and the HTTP protocol; DNS protocols; the HTML language, and powerful browsers to interpret it; email; the migration of a bunch of different networks into a single over-arching network. These were the internet’s baby steps and first words.

The web entered the “I WANT” phase of toddlerhood through the 90s. Suddenly, the notion that you could actually BUY and SELL things on the web hit the fan. People made MONEY, and that opened up all these doors. Everyone got crazy with the frenzy of it. Venture capital poured into the valley, backed by the absolutely magical idea that advertisers’ budgets would grow as fast as online advertising space. Instead, the simple and timeless rules of supply and demand kicked in, and the bubble burst. The web got put on time-out, and pouted for a while about it.

In the bubble, as in childhood, there were some fantasies crushed, and some lessons learned. We got Yahoo and Google and Amazon out of that frenzy, and a bunch of other technologies and companies and insights that I’m sure we’re all really glad to have. didn’t make it, but let’s face it, was pretty damn stupid. I pick on unfairly, because it’s one of the only failed bubble companies that I remember. But I do remember, and that’s actually pretty respectable, compared to all the other failures that are completely forgotten.

Between the bubble bursting and today, the web has been in Junior High. Angsty, a bit more aware of the world, and just starting to make the first groping steps towards self-identification and social activity; but it’s still essentially immature. Friendster and Blogging and MySpace and Facebook got everyone realizing that the web really is a person-to-person thing, and not just a company-to-consumer thing. And of course, there have been posers at the party, just trying to look and act like the popular kids to get attention. You know the sites I mean. It’s a revolutionary new site! It’s got badges, and you can build a friend list! Upload your avatar! But you do that, and realize, there’s nothing here.

As in junior high, splitting the quality from the chaff is pretty tricky. I didn’t sign up for Twitter for a long while, just because I’ve gotten burned by the early adopter tax too many times. Yes, I know all these sites don’t cost money, but they do cost time, and that’s a limited resource. If I sign up and enter my info and upload an avatar and find my friends, and then never use the site, I’ve just wasted a lot of time. And it’s not fun enough to justify the expense.

The High School years, and especially the “tweens” from about 9 to 13, are often marked by exactly this sort of constant self re-invention, but it’s very superficial. You identify with a tribe based on music, or hair styles, or clothing. It’s practice for the real world when no one will establish our identities for us. Since they don’t really understand yet who they are as people, or what kinds of people they really want to be around long-term, kids in this age tend to get by with trial and error. Before this age, children don’t really “own” their identity; they are what their parents say they are. By the time they get to High School, they’re driving the identity ship, even if they do sail it around in circles.

The “social networking” sites, even the more useful or popular ones, are essentially shallow. There is a concept of a “friend”, and that’s it. Either we are friends, or we aren’t; maybe there’s 2 or 3 groups that I can put my friends in, but that’s just 2 or 3 binary choices instead of 1—there’s still very little richness. We need to invent our identity and pick our clothes every time we want to use a website. Without a lot of formal introductions, this group of friends knows nothing about my other groups. And so on.

Some people make a few life-long friends in High School, but that’s pretty rare, I think. More common are people who part ways, and then meet again after college, and find that they once again enjoy each other’s company. Far more common than that, though, are people who branch off after high school, and never look back, (except when they get a friend request on Facebook, that is, and even then it’s just a bit of Oh, you’re doing good? Me, too. You hear Joe had a kid? Yeah, I know. Well, take care! and then they go back to doing their own separate lives again.)

In college, things generally change. Some kids keep experimenting with different faces for a while, but at some point, they realize that they’re going to have to be grown-ups, and they’re hopefully faced with enough challenging work that the games get to be less relevant. When you have to keep a C+ average to stay on the football team and keep your scholarship, it doesn’t make much sense to be mean to nerds. The adults around you gradually stop telling you what to do, and instead tell you to pick what you want to do. The depth of our social interaction changes, as well. People date in high school; in college, people get married and have kids. (Not many of them any more, but we all probably knew someone who graduated pregnant. I was born while my parents were both students at USD.)

When you get out of college, they stop telling you to pick what you want to do. If you don’t want to do it, you don’t. The relationships are as deep or meaningless as you want them to be. You’re limited only by your own imagination.

I think that, today, we’re somewhere close to the highschool/college cusp. If the web is a child, it’s about 16; just got its driver’s license, but still doesn’t have anywhere really worthwhile to go. The most interesting aspects of the web’s maturation are, in my opinion:

  1. Consistent, user-owned identity, which doesn’t change from place to place. I’m talking about OpenID, but OpenID is just part of the solution. OpenID is a name, but identity is also a whole brand. We’re not quite there yet, but the OpenSocial API specification and Facebook’s opening up of their APIs promise to lead towards some portability. And of course, there’s Own Your Identity and their yet-to-be-released product, which looks very interesting. I’m definitely keeping my eye on that.

    The challenge will be to eliminate the management overhead of multiple personas, without eliminating the expressive power it affords. Your profile on LinkedIn might not be quite the same as your profile on Without user-controlled privacy, there’s no ownership in any meaningful sense, and thus, limited relevance. And, if it’s not easy, it’s not a solution.

  2. Many shallow social networks merging into a single rich matrix. While each site may only have one concept of “friend”, every one of their implications is a little different, and when I can link them all up to a single point of identification, it becomes very powerful and expressive. Just as you can have coworkers, friends, and family, and some coworkers are friends, some friends are family, and so on; if identity was user-owned and consistent, I’d be able to have twitter friends, some of whom I’m also connected to on Flickr, or talk to on IM, and so on. That social matrix exists today, but it’s very difficult to leverage.

    It’s yet to be shown (or even, fully conceived) what kind of information and usefulness can be teased out of this matrix. First, we need straightforward protocols to get at the data, and then I think we’ll all be surprised at how it can be used to enrich our lives.

That’s really what it’s all about: enriching the quality of our lives. People like to bitch about technology, but I think that’s just because people like to bitch. Remember in 1990, when you didn’t have a cell phone? What a complete and utter pain in the ass it was to meet someone at the movie theater? Remember when, if you wanted to show someone a document, you had to print it out—or, worse yet, photocopy it—and physically bring it to them? These are my “uphill both ways in the snow” stories for future generations.

The fact is, these things do make our lives better, overall, even with the new ways that we find to get annoyed by them. I’m very excited about what the Internet will look like when it’s all grown up.

Needed: chpass, finger, and pw for the web
Mon, 10 Mar 2008 17:00:38 +0000, Isaac

It’s been said that the best startups take a popular Unix command and bring it to the web. But there are a few that are poorly represented. I understand that I may be making a bad career move by discussing this openly on a blog, but quite honestly, my desire as a consumer for a satisfying product is enough to risk—nay, hope—that someone else makes a million dollars doing this before I get a chance to.

I’m thinking specifically chpass, finger, and pw.

I know what you’re thinking. There have been a few forays into this arena. MySpace, Facebook, and Plaxo come to mind, not to mention whatever else some MBA has stuck to a “social network” this week. (It’s just like a regular duck, but this one swims around the lake and lets you put all your friends in a list! I’ll be rich! The sad thing isn’t that he thinks it; the sad thing is that he just might be right.)

The social-for-the-sake-of-being-social sites tragically miss the point. I have resisted getting a Facebook account for a few years now, and even deleted my MySpace account. They seemed to require a lot of time and effort doing basically nothing, and didn’t give me what I really want.

Managing data is not (necessarily) enjoyable

I hate managing contact lists. The worst contact list, the one that is the hardest to manage, is the one in my head. Every day I get older, I get worse at remembering phone numbers, and I like to know who’s calling me. I like to see your picture when you call, see your real name when you email. I want my email program or my phone to know who you are when I start to type the three letters of your name that I can remember off-hand, even (especially!) if you’re someone I don’t talk to often.

That’s why I shelled out $40 for Missing Sync so that my phone and computer can share an address book. I have an Applescript program sitting on my back burner that will sync any contacts I add in Adium into this same collection, and even look up their contact details from Yahoo’s corporate intranet (since most of the time, they’re work mates.) Automated replication is still not great, but it eases the pain of managing multiple lists.

Facebook and MySpace are software platforms designed around the premise that managing a contact list is fun. And it can be in that 12-23 age range where we attempt to define ourselves and carve out our place in the world through our social connections. That’s a key demographic for advertisers. Good for you, Facebook. But if I wanted to spend all this time managing my friendships, I’d have more of them in real life. Ooh, burn! i mean… hey, wait a second..

Plaxo is actually a pretty good approximation of what I’d like to see, at least on the “managing contacts” side of things. Granted, I’ve been spamvited to their service by half a dozen people I hardly know, which is a classic example of “let’s be viral” gone horribly horribly wrong. But their product offering is pretty close. You get one contact list online, and it syncs with other areas. It’s unfocused since they’ve added “Pulse” (basically an RSS aggregator for your other web profiles), but still pretty good.

However, even Plaxo misses a key point, and has several fatal flaws. I’m actually talking about a profile and contact management system that is much grander.

DRY — What Changed

In a relational database or data map, the idea is to keep a piece of data in only one place, and store the relationships between entities rather than making multiple copies. Most contact management systems, from a little black book to the cell phone contact list to Outlook to Plaxo, fail to implement this simple principle. Rather than making each node in the network keep track of all the data about all the other nodes in which it is interested, let each node control its own data, and store links to the nodes in which it is interested.

In the old days of land lines, the phone book was enough. If you knew someone’s name and city, you could get their phone number and, perhaps, their street address by performing a simple lookup. Each user had the option to control how much information was shared with the public. Until the autodialer came to telemarketing, the abuse rate was limited by the cost of using the technology.

Today, each person has many more pieces of contact information, and the cost of abuse is virtually zero. There is no way in hell that I’d let anyone publish my actual cell phone number, and once an email address is exposed, it’s basically useless. Spam fighting is an arms race, and an unfair one even for Google and Yahoo to fight.

Why we need those commands on the web

Back to my original point: chpass, finger, and pw.


chpass: add or change user database information

In other words, manage my info in one place.


finger: The finger utility displays information about the system users.

In other words, look up the information that others have made available.


pw: create, remove, modify & display system users and groups

In other words, specify who has permission to what.

Many large companies have some sort of online system like this. At Yahoo, it’s the almighty Backyard, the corp website that started as a list of email addresses and grew into a full-scale intranet with contact lookup and LDAP access. (It also features conference room booking and documentation searching and plenty of other handy things. But mostly, it’s still all about the mega employee contact list.)

You manage your own profile, and make sure that your numbers and whatnot are up to date. No one else ever has to worry about how to contact you, because it’s all in one place. However, that only works because access to the backyard system is tightly limited to current employees, so abusing the system would entail serious consequences for the abuser’s reputation (and career).

In other words, we have finger and chpass, but pw is being done manually by the HR department, which limits the possible size of the network considerably.

Abuse Prevention is Extremely Non-Trivial

The easier it is to use a networked contact management system, the easier it is to abuse. The more useful it is for you and your friends and associates, the more useful it is for spammers and scammers. Already, we have to keep our email addresses hidden from strangers. Imagine how much worse it would be if a PPC pusher could just e-finger “isaac.schlueter” and have my home address, email, phone number, instant messenger alias, birthday, and photo. Yes this is exactly the sort of information that I’d like to easily share with everyone else.

Everything that has been done so far in the area of email spam, while impressive and necessary, is fundamentally inadequate. As long as it remains profitable for a spammer to send out 100 billion emails every day, it will happen. Any attempts to prevent or avoid this behavior run counter to the incentives of the market; which is to say that it’s a bit like building a dam of sand and expecting to stop the Mississippi. Won’t happen. A bigger dam will take longer, but eventually, they’ll all crumble.

In order to truly divert human behavior, the incentive must be dealt with at the source. Direct attacks against the offenders (ie, shutting down their accounts) are not effective in the long run (they just get new accounts.) Negative incentives, such as putting spammers in jail, are not going to be effective in the long run, because it doesn’t push the cost of spamming up high enough. John Q. Spammer doesn’t think he’ll be the one to get caught, and he’s probably right.

I don’t claim to have this bit of the system figured out, not by a long shot. But I have a few ideas.


In real life, we meet a lot of people, and many of them can and do annoy us by contacting us in unwanted, if mostly harmless, ways. The foul smelling man who stops babbling for a second to ask me for a quarter. The smiling woman who shoves a tract at me and tells me I’m going to hell. Sadly, the list goes on and on and on.


  1. It’s easy to size someone up quickly, because:
  2. Annoying people build a reputation for being annoying, because:
  3. They’re real people and you can see who they are.

There are still, of course, the violent offender and the con man. However, in real life, direct attacks incur a high degree of risk, due to the chances of being caught or retaliated against, and so law enforcement has a relatively easy time keeping serious criminals in check. And those looking to do you harm by gaining confidence and taking advantage of it, well, they’ll always be around, but they’re pretty rare and the reputational aspects keep them somewhat in check as well.


Entrance into this global open personnel file would require that an account be tied to a single real person, who doesn’t have any other account in the system. Accounts that are not “backed” by some kind of reliable identity are only given some kind of limited provisional access—perhaps they can email a user through the system, but they cannot get the user’s “real” email address, and users would be able to deny access altogether to unidentified strangers if they chose.
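As an added illustration (not code from the original post), the sketch below models chpass, finger, and pw as a directory in which each owner holds the only copy of their data, contacts are links rather than copies, and unverified accounts receive only a relay handle. All names here (Directory, Profile, the visibility levels, the relay: handle) are hypothetical, and the identity check behind "verified" is assumed to exist.

```python
from dataclasses import dataclass, field

PUBLIC, CONTACTS, PRIVATE = "public", "contacts", "private"


@dataclass
class Profile:
    owner: str
    verified: bool = False            # backed by some identity check (assumed)
    allow_unverified: bool = True     # owner may shut out unidentified strangers
    fields: dict = field(default_factory=dict)    # name -> (value, visibility)
    contacts: set = field(default_factory=set)    # links to other owners, never copies


class Directory:
    def __init__(self):
        self._profiles = {}

    def register(self, owner, verified=False):
        if owner in self._profiles:
            raise ValueError("one account per person")
        self._profiles[owner] = Profile(owner, verified)

    def chpass(self, actor, owner, name, value, visibility=CONTACTS):
        """chpass: only the owner edits the single copy of their data."""
        if actor != owner:
            raise PermissionError("only the owner may change a profile")
        if visibility not in (PUBLIC, CONTACTS, PRIVATE):
            raise ValueError("unknown visibility")
        self._profiles[owner].fields[name] = (value, visibility)

    def pw(self, actor, owner, contact=None, allow_unverified=None):
        """pw: the owner decides who has permission to what."""
        if actor != owner:
            raise PermissionError("only the owner may change permissions")
        profile = self._profiles[owner]
        if contact is not None:
            if contact not in self._profiles:
                raise KeyError(contact)
            profile.contacts.add(contact)
        if allow_unverified is not None:
            profile.allow_unverified = allow_unverified

    def finger(self, viewer, owner):
        """finger: return only what this viewer is permitted to see."""
        target = self._profiles[owner]
        if viewer == owner:
            return {k: v for k, (v, _) in target.fields.items()}
        who = self._profiles.get(viewer)
        if who is None or not who.verified:
            if not target.allow_unverified:
                raise PermissionError("owner denies unidentified strangers")
            # Provisional access: a relay handle, never a stored field.
            return {"message_via": f"relay:{owner}"}
        allowed = {PUBLIC, CONTACTS} if viewer in target.contacts else {PUBLIC}
        return {k: v for k, (v, vis) in target.fields.items() if vis in allowed}


def demo():
    d = Directory()
    d.register("isaac", verified=True)
    d.register("friend", verified=True)
    d.register("stranger", verified=True)
    d.register("anon")                                 # unverified account
    d.chpass("isaac", "isaac", "name", "Isaac", PUBLIC)
    d.chpass("isaac", "isaac", "phone", "555-0100")    # constructed value
    d.pw("isaac", "isaac", contact="friend")
    before = d.finger("friend", "isaac")
    d.chpass("isaac", "isaac", "phone", "555-0199")    # owner updates once
    after = d.finger("friend", "isaac")
    return before, after, d.finger("stranger", "isaac"), d.finger("anon", "isaac")
```

Because the friend holds a link rather than a copy, the second lookup in demo() returns the new number without the friend doing anything.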

Identification is itself a non-trivial task requiring a high degree of trust from the web site. Even if you know it’s 100% secure, being asked for your date of birth, SSN or passport, and a major credit card is a tall order. Without biometrics, it must come down to discrete bits of information at some point, which can be (and often are) faked.

A rinky-dink fly-by-night startup can’t hope to achieve this level of trust quickly. And, without getting a critical mass of users, the value proposition to new users is a lot tougher.

The company to build this system would need:

  1. A huge base of existing users and preferably their contact details, too.
  2. A strong reputation for protecting user data.
  3. Impressive engineering resources and domain knowledge in the areas of spam protection and social networking.
  4. A serious commitment to open APIs that help the web as a whole.

If it’s not everywhere…

…then it may as well not be anywhere. The goal of this system would be to revolutionize contact management the same way that email and hypertext revolutionized written communication.

Just as email works in any email client, and web pages can be viewed by any browser, the APIs provided by this system would have to be completely open. Any application must be allowed to interact with them, both to change data and fetch it.

In order for it to work, and really have the effect that I’m talking about, there must be absolutely no lock-in, no up-sell, and reasonably liberal rate limits.


How does something like this make money? That’s an open question, and a big one, probably part of the reason why I’m still pushing bits in a day job and not out getting VC to build this thing. I also happen to really like what I do at that day job.

Maybe it would have to be something built under the Apache foundation or some other OSS group, and sponsored by donations of capital and resources from some major players in the online social arenas. Maybe there’s some clever way in which smaller users and early adopters get the API for free, while everyone else is charged.

Who could do this? What’s going on now?

OpenID is a great start, but what we really need is an open profile and open contact list system, and OpenID doesn’t provide that.

Google’s Open Social is an interesting product, but the more I read about it, the more I think it’s not quite low-level enough to really deliver on what I’d like to see here. While it promises to expose social data to third-party applications in an API that could be consistent across social websites, it doesn’t fully address the issue of being able to manage contact data in a distributed way.

As I said above, the company to do this will need:

  1. A huge base of existing users and preferably their contact details, too.
  2. A strong reputation for protecting user data.
  3. Impressive engineering resources and domain knowledge in the areas of spam protection and social networking.
  4. A serious commitment to open APIs that help the web as a whole.

Yahoo has all four of these, but that whole China escapade has damaged Yahoo’s reputation in the eyes of many users. Of any company on the web, however, Yahoo has perhaps the most to gain from such a system and a lot of resources and domain knowledge to throw at the problem.

Even if they only share user information when presented with a subpoena, that means that using this system exposes my information to governmental intrusion, which is deeply problematic. In order to be truly trustworthy, a stronger commitment to protecting privacy needs to be in place than just words on a corporate press release. The officers of the company to provide this service should enter into a binding agreement that they will not knowingly expose user information, even in the face of governmental pressure.

Like I said, I don’t have all the answers to this product. But I know that, as a user, I’d be absolutely delighted to see something like this take hold.