TypeKey – Eliminating the Universal ID

The first of the two big problems I see with TypeKey is easy to solve. Just don’t do it.

The first problem is that TypeKey encourages the wide distribution of a single unique identifier for its users – all over the net. Each site that uses TypeKey is given the same unique identifier for a user. This makes it significantly easier to invade the privacy of the users. For example, if I visit sites on depression, cats, damsels in distress, and terrorist strategies, this unique identifier enables other parties to collect all that information about my behavior.

The fix is simple. Don’t hand out a universal identifying token!

Instead TypeKey should hand out a different token to each site. If the site wishes to obtain additional information about its users it then has two choices: it can ask the user, or it can go back to TypeKey. That matches up with users’ expectations. Users do not expect sites that want to know more about them to go around conspiring with other sites.

Of course an identity system isn’t much use if you can’t use it to find out more about users. So the current design allows sites to query TypePad: “Tell me about user 12.” This needs to change so they ask: “This is site 35, tell me more about user 14.” TypePad can then ensure it only gives this additional information to sites it trusts. As an added benefit this also allows TypePad to let users configure exactly what things should be revealed to which sites.
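The per-site token and the site-scoped query described above, as an added Python example (not code from TypeKey, TypePad or Six Apart). The HMAC derivation, the function names and the sample data are assumptions made for illustration, and the site is assumed to have already authenticated as the site id it claims.

```python
import hashlib
import hmac

# Everything below is constructed for illustration.
PROVIDER_SECRET = b"constructed-demo-secret"  # known only to the identity provider

USERS = {  # provider-internal user id -> full profile
    12: {"nickname": "bob", "email": "bob@example.com", "url": "http://example.com/bob"},
}
# User-configured release policy: which attributes each site may learn.
RELEASE = {12: {35: {"nickname", "url"}, 36: {"nickname"}}}
TRUSTED_SITES = {35, 36}


def site_token(user_id: int, site_id: int) -> str:
    """Identifier handed to one site: differs per site, so two sites cannot join on it."""
    msg = f"{site_id}:{user_id}".encode()
    return hmac.new(PROVIDER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def query(site_id: int, token: str) -> dict:
    """Answer 'this is site S, tell me more about user T' for an authenticated site."""
    if site_id not in TRUSTED_SITES:
        return {}
    # A linear scan keeps the example short; a provider would index issued tokens.
    for user_id, profile in USERS.items():
        if hmac.compare_digest(site_token(user_id, site_id), token):
            allowed = RELEASE.get(user_id, {}).get(site_id, set())
            return {k: v for k, v in profile.items() if k in allowed}
    return {}  # token was not issued to this site


if __name__ == "__main__":
    t35, t36 = site_token(12, 35), site_token(12, 36)
    print("site 35 sees", t35, query(35, t35))
    print("site 36 sees", t36, query(36, t36))
    print("site 36 replaying site 35's token:", query(36, t35))
```

Because the token is keyed on the site as well as the user, a token copied from one site resolves to nothing when presented by another, and each site only ever receives the attributes the user released to it.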

Nothing about this alternative design precludes users from revealing as much as they like. What’s key is not to build a system that enables unnecessary revealing, particularly revealing by parties that users just happen to interact with incidentally.

I’m sure that it wasn’t Six Apart’s intent to create a foundation that helps to enable invading users’ privacy. But sadly that’s what they are headed for.

19 thoughts on “TypeKey – Eliminating the Universal ID”

  1. Ian Holsman

    Hey Ben,
    when I first read this stuff about typekey (2-3 days ago) my initial reaction was.
    1) kerberos
    2) MS Passport
    3) and sun’s liberty alliance thing
    how is this different to what these 3 things are trying to achieve?

  2. Ben Hyde

    The installed base of web browsers is an immovable object; or at least it’s not going to move quickly particularly given Microsoft’s market power in the browser space and all those funny old WAP phones.

    So kerberos, while elegant, won’t help solve the authentication problems faced by real world web sites.

    Passport like all the popular single sign on web solutions is based on redirecting the user over to a central authority and then bouncing them back. Since the central authority in that case is Microsoft the Monopoly they are hard to trust. They haven’t had much luck selling to large web site operators. Large sites are particularly uncomfortable putting anybody between them and their users for all kinds of reasons. For example reliability.

    The liberty alliance (full disclosure I have some involvement in Liberty) is a bunch of folks that need to solve the privacy/authentication/sign-on problem. Financial institutions, phone companies, travel, portals, etc. etc. as well as some technology vendors including Sun. I’ve been heard to say they have the problem solved – even if the result is mightily complex to get your head around.

    I doubt that Liberty protocols could stretch down to be something that the typical blog or wiki could implement – for example they really assume more SSL infrastructure than these little open systems typically have.

    That said there are certainly lots of good design patterns there worth understanding. For example the design pattern suggested in this posting for how to assure a global unique identifier doesn’t pollute the user’s identity – that is used in Liberty.

  3. user 14

    But what about people that *want* to be uniquely identified across blogs? I don’t know if you’ve noticed, but almost every user likes to use the same exact user details on every open comment site. Bob voluntarily posts that he is in fact named Bob and runs bob.com even as he comments on sites about cats, photography, war, and/or baking.

    A lot of users complain about having to fill in the same info on every site — bob, bob@bob.com, http://bob.com, yes, save my personal info so I don’t have to enter it yet again. Also, some folks have tried to figure out a way to verify that bob is really the same bob at bob.com using all sorts of systems like PGP, other central ID authorities (like Flickr), etc.

    You’re arguing for the libertarian edge case in a system that 99% of users want and will welcome. You think it will invade your privacy? Fine, don’t sign up.

  4. Ben Hyde

    User 14 of example.com! Thanks for writing. 🙂

    Cool! I don’t think I’ve ever had the “libertarian” label ascribed to me.

    The design challenge is to assure that folks that wish to be highly revealing are given that option while folks that want to keep their identity configured so commenting on a blog doesn’t lead to revealing the name of their cat.

    The design challenge is to make it a lot harder for spammers to ruin the open internet while at the same time not making it easier for bad actors to accumulate detailed profiles of you and me.

    The good news is you can have both! We know how to solve this problem. If we grab the opportunity to get it right. If we don’t grab that opportunity we are just enabling bad outcomes. Why do that?

    As I have argued before. The internet designers have kept pushing the identity problem out to the next layer because it is hard, subtle, and like you note solving it makes any number of groups (libertarians included) scared you’re going to take their freedoms and privacy away. The time has come to solve it.

    Let’s try to do it right.

  5. eric norlin

    ben-

    glad to see you bringing up liberty…certainly this type of “standard” is where TypeKey should’ve turned first….but as you said, it may be overly complex for that.

    that said, perhaps a piece of saml (not even all of it) would do the trick. my company is sponsor of sourid.org (yes, i know — blatant self-promotion 😉 — we’d love to help on that front (we’ve got an open source saml toolkit available there).

  6. Mark Eichin

    … except that the reason anyone even mentions Kerberos these days is that modern IE supports SPNEGO (within an AD-like context at least, but you can build one with existing Free code) with GSSAPI and Kerberos. Safari does too (well, it is botched in current versions but it’s not far off, and they have an expressed interest in making it work, *because* IE works.) The Mozilla-oid browsers have a plugin too.

    Of course, it would probably be more infrastructure than anyone wants for blogger-tags, really – but it’s not that it isn’t *there*.

  7. Julien Couvreur (Dumky)

    About the unique/global identifier…
    Think about what Typekey is trying to solve (comment spam).
    Without a global identifier, each blog is left on its own to figure out which IDs correspond to known spammers.

  8. Ben Hyde

    Julien – That! is exactly the right question to ask next. I’ll try to write something about that.

    It’s exactly the right question because on the one hand we want to preclude the creation of models of users that invade their privacy; while at the same time we need to enable a model that reveals if they are or aren’t a spammer.

    Orchestrating that is the trick.

  9. Julien Couvreur (Dumky)

    Having a local ID for each blog is better than nothing, except that maybe the upside isn’t worth it (commenters need to authenticate, and your ID filtering isn’t most efficient).

    If you want to flag spammers outside of one individual blog, you need to cross-reference lists of spammers. But cross-referencing is exactly what you consider a privacy problem…
    Do you have any idea how to reconcile both objectives?

  10. Joshua Allen

    Ian, the situation is different with Passport. Passport does not allow the sharing of any personally identifiable information across sites; sites are required to present user with terms of use & privacy policy, etc. and that applies only to the particular site, and so on. Ben is correct; systems like Passport and Liberty have thought through the privacy issue very deeply. You should know what you are getting into if you join up with a service and do not just assume they have privacy taken care of; as Ben points out. Like user14 says, sometimes the user does not care about privacy. But don’t pretend that the system *has* privacy when it doesn’t.

  11. Adam

    I’ve been testing MT3 for over a month now, and I was as skeptical about TypeKey as anyone else. I’m here to tell you right now, it’s been drastically blown out of proportion.

    If you’ve ever used Friendster, you’ve probably exposed yourself to a greater privacy risk than you’ll ever have with TypeKey. Do you know what the required pieces of info for a TypeKey account are?

    1. A login
    2. A password
    3. Your name
    4. A nickname that you can optionally display in place of your real name in the comments you make.

    That’s it. Everything else is optional. I don’t care what Burningbird thinks, this is *far* from the “Patriot Act of Weblogging.” Give me a break.

  12. Ask Bj

    Adam,

    The concern Ben is bringing up is not related to the information you give directly to TypeKey, but the trace you leave around the web with your universal ID (without knowing it if you are not too sophisticated)

    – ask
