Liminal Existence


The web is facing a serious identity crisis. Many have written about it but, having thought a lot about this problem over the past few years, I can’t help but feel that something important has been missed in most discussions.

Aza Raskin cuts to the heart of the matter:

“Your identity is too important to be owned by any one company.
Your friends are too important to be owned by any one company.”

I’ll go one step further, and say that the centralisation of identity is stifling innovation on the web. Kellan recounts a quote from a friend, on the subject of Facebook’s f8 announcements: “Well, [Facebook] gave Foursquare a 6 month reprieve.” This is not a hopeful view.

So what’s the alternative? What’s missing from the conversation? I think it’s important to take a view from the perspective of usability; how are we going to use this new conception of identity? The answer is simple: exactly as we do today. The fundamentals of social networking haven’t changed from day one. There’s a website, you log on, and you add friends so that you can share content with them. This basic model applies to every successful social internet technology, from email to IM to Friendster to Facebook to FourSquare.

Logging On

Logging on is easy. Whether it’s a password, OpenID, @anywhere, Firefox Contacts, or Facebook Connect, the principle remains the same: the user proves to their server that they are a particular individual. In that sense, any protocols or approaches beyond username and password are just icing on the cake. They’re ways to make logging in easier, to increase conversion rates (at least, in theory), but they don’t fundamentally change what we can do on the web.

So once we’ve logged on, how do we add friends?

Adding Friends

This is the part that’s missing from the conversation. How does it work today? Well, you have two options: either you find someone’s profile page and click “add” (which doesn’t work across sites, or if you can’t find your friend’s profile page), or you find other users on the site by entering their email address. Often the latter approach is achieved by the site opening up your email address book and looking for friends in bulk, but fundamentally it boils down to “Find email address of friend, search users database for that email address, add friend.”

OpenID doesn’t help, because I don’t even know my OpenID URL, let alone my friends’ OpenID URLs. The “ID” in OpenID is a bit of a misnomer. OAuth doesn’t help – Twitter and Facebook use OAuth under the covers for @anywhere and Facebook Connect, but that only helps me, the site using @anywhere/FB Connect, and Twitter and/or Facebook themselves. It also doesn’t help us get away from Aza’s point, that your identity remains in the hands of a single company.

The solution, as I said to Tim O’Reilly, is Webfinger. Indeed, webfinger was born out of struggling with exactly this problem of representing multi-faceted identity on the web in a way that can’t be controlled by any one company. The approach is essentially to invert the currently-closed user databases, and put social network affiliation in the hands of the users, in our hands, all while keeping the user experience the same as with current and past social software.

I won’t go into the technical details here, but in essence the workflow from a site builder’s perspective looks like this:

  1. Kate meets Fiona at APE, and the two exchange email (re: webfinger) addresses.
  2. Kate wants to stay in touch with Fiona, so she logs on to her social network of choice (“ZineSpace”), and enters Fiona’s address.
  3. ZineSpace supports photos, microblogging, and calendaring, and discovers via a webfinger lookup that Fiona has a photostream at Sketchr and tweets at Tweetter, but doesn’t share a calendar. ZineSpace uses PubSubHubbub to send subscribe requests to Sketchr and Tweetter on behalf of Kate.
  4. Sketchr and Tweetter look up Kate’s webfinger profile, and use her published photo to show the incoming friend/follow request to Fiona.
  5. Fiona uses her microblog for work, so she declines that invitation, but adds Kate as a friend (asymmetric follow) on Sketchr.
  6. Even though she declined the microblog request, Fiona wants to keep up with Kate’s life, and has a personal Tweetter account that’s not published on her public webfinger profile. She logs in there and adds Kate as a friend.
  7. Tweetter sends a subscribe request to ZineSpace (discovered via Kate’s webfinger profile) on behalf of Fiona. ZineSpace knows that Fiona wants to see Kate’s microblog posts, so auto-approves the request and sends a reverse-follow request (which is again automatically approved).
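The discovery step can be sketched in a few lines of JavaScript. Everything here is illustrative: the `.well-known` path follows the later WebFinger drafts rather than any shipping implementation, and the link relation URIs are made up for the example.

```javascript
// Sketch: turn a webfinger-style address into a host-meta lookup URL,
// then pick service endpoints out of a (pre-parsed) profile document.

function hostMetaUrl(address) {
  var parts = address.split('@');
  if (parts.length !== 2) throw new Error('not a user@host address');
  return 'https://' + parts[1] + '/.well-known/host-meta' +
         '?resource=acct:' + encodeURIComponent(address);
}

// Given a parsed profile (an array of {rel, href} links), find the
// endpoints a site like "ZineSpace" cares about. The rel URIs are
// hypothetical placeholders, not registered relations.
function findServices(links) {
  var wanted = {
    'http://example.org/rel/photostream': 'photos',
    'http://example.org/rel/microblog': 'microblog',
    'http://example.org/rel/calendar': 'calendar'
  };
  var services = {};
  links.forEach(function (link) {
    var name = wanted[link.rel];
    if (name) services[name] = link.href;
  });
  return services;
}
```

If Fiona’s profile only advertises a photostream, `findServices` comes back with just a `photos` entry, which is how ZineSpace knows not to bother sending a calendar subscription.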

Now, five things are important to keep in mind when thinking about this process:

  1. Shareable Addresses are what make this exchange possible. Kate and Fiona can’t be reasonably expected to remember all of their various profile URLs, nor can they be expected to remember each other’s profile URLs. Their webfinger addresses act as mnemonics for their distributed identities.
  2. Webfinger is just a discovery mechanism. HTTP remains the transport mechanism for this approach, which means that everyone can participate.
  3. We have not exposed any personal information about Kate or Fiona, and more importantly, we haven’t exposed any information about Kate or Fiona’s relationships. They can do that if they wish (e.g., by linking to a FoAF or XFN profile from their Webfinger profiles), but the approach doesn’t make any assumptions about what information must or must not be shared.
  4. Subscription = Relationship. The underlying approach doesn’t say what kind of relationship the two are creating, but rather allows protocols or data transports on top of the exchange to do so. Fiona could decide that she doesn’t like Kate’s sketches, or that Kate posts too much, and simply tell Sketchr to hide Kate’s posts. As far as Kate’s concerned, Fiona is still subscribed, and still viewing her photos. Alternatively, Fiona could send an unsubscribe request to Kate, signalling that the relationship no longer exists. The semantics are up to the application developer at either end.
  5. No Passwords are involved in the exchange. Kate and Fiona don’t need to exchange PGP keys, either, or rely on some complicated “Web Of Trust.” All they need to do is trust the servers they use (ZineSpace, Sketchr, Tweetter, and their email providers); if they can’t do that, then they have bigger problems. This one’s really important: RSS and Atom were meant to be the future of content exchange, but they have completely failed to enable private feeds, because private feeds require passwords. That sucks, and webfinger offers a workable solution to this persistent problem.

Sharing Content

Once relationships have been established, sharing content is entirely up to the individuals and sites involved. Obviously, we need common protocols for this, but we can use Atom and PubSubHubbub, some domain-specific protocol (e.g., Portable Contacts/ActivityStreams), or we’ll figure it out as we go along. Direct or private messages are just special forms of general distribution content (i.e., the subscriber has asked to receive content from the publisher, whether that content was broadcast or is a directed message).

There are a lot of things that I haven’t covered in this post. The technology is simple, but not trivial, and it is still very new. There aren’t yet tools that make this easy (if you’d like to work on building them, contact me!)

Hot Code Loading in Node.js

Reading through Fever today, this post by Jack Moffitt caught my eye. In it, he discusses a hack to allow a running Python process to dynamically reload code. While the hack itself, shall we say, lacks subtlety, Jack’s post got me thinking. It’s true, Erlang’s hot code loading is a great feature, enabling Erlang’s 99.9999999% uptime claims. It occurred to me that it wouldn’t be terribly difficult to implement for node.js’ CommonJS-based module loader.

A few hours (and a tasty home-made Paella) later, here’s my answer: the Hotload node branch.

Umm… What does it do?

var requestHandler = require('./myRequestHandler');

// Re-require the module whenever the file changes on disk.
process.watchFile('./myRequestHandler', function () {
  requestHandler = require('./myRequestHandler');
});

// Look up requestHandler at call time, so new requests pick up the new
// code while already-running requests keep using the old version.
var reqHandlerClosure = function (req, res) {
  requestHandler.handle(req, res);
};

Now, any time you modify myRequestHandler.js, the above code will notice and replace the local requestHandler with the new code. Any existing requests will continue to use the old code, while any new incoming requests will use the new code. All without shutting down the server, bouncing any requests, prematurely killing any requests, or even relying on an intelligent load balancer.

Awesome! How does it work?

Basically, all node modules are created as sandboxes, so that as long as you don’t use global variables, you can be sure that any modules you write won’t stomp on others’ code, and vice versa, you can be sure that others’ modules won’t stomp on your code.

Modules are loaded by require()ing them and assigning the return to a local variable, like so:

var http = require('http');

The important insight is that the return value of require() is a self-contained closure. There’s no reason it has to be the same each time. Essentially, require(file) says “read file, seal it in a protective case, and return that protective case.” require() is smart, though, and caches modules so that multiple attempts to require() the same module don’t waste time (synchronously) reading from disk. Those caches don’t get invalidated, though, and even though we can detect when files change, we can’t just call require() again, since the cached version takes precedence.

There are a few ways to fix this, but the subtleties rapidly complicate matters. If the ultimate goal is to allow an already-executing module (e.g., an http request handler) to continue executing while new code is loaded, then automatic code reloading is out, since changing one module will change them all. In the approach I’ve taken here, I tried to achieve two goals:

  1. Make minimal changes to the existing node.js require() logic.
  2. Ensure that any require() calls within an already-loaded module will return functions corresponding to the pre-hot load version of the code.

The latter goal is important because a module expects a specific set of behaviour from the modules on which it depends. Hot loading only works so long as modules have a consistent view of the world.

To accomplish these goals, all I’ve done is move the module cache from a global one into the module itself. Reloading is minimised by copying parent’s caches into child modules (made fast and efficient thanks to V8’s approach to variable handling). Any module can load a new version of any loaded modules by first removing that module from its local cache. This doesn’t affect any other modules (including dependent modules), but will ensure that any sub-modules are reloaded, as long as they’re not in the parent’s cache.
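As a toy illustration of the idea (this is not the actual node patch, and `loader` is a hypothetical stand-in for reading and evaluating a module file), a per-module require cache might look like this:

```javascript
// Toy sketch of per-module require caches: each module gets its own
// cache, seeded from its parent's, so already-loaded modules keep a
// consistent view of the world.
function makeRequire(parentCache, loader) {
  var cache = {};
  // Copy the parent's cache so this module sees the same module
  // versions its parent does.
  for (var id in (parentCache || {})) cache[id] = parentCache[id];

  function requireLocal(id) {
    if (!(id in cache)) cache[id] = loader(id);
    return cache[id];
  }
  // Forget a module so the next require() loads a fresh copy here,
  // without touching any other module's cache.
  requireLocal.invalidate = function (id) { delete cache[id]; };
  requireLocal.cache = cache;
  return requireLocal;
}
```

Invalidating a module in one cache leaves every other module’s view untouched, which is exactly the “consistent world” property described above.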

By taking a relatively conservative approach to module reloading, I believe this is a flexible and powerful approach to hot code reloading. Most server applications have a strongly hierarchical code structure; as long as code reloading is done at the top-level, before many modules have been required, it can be done simply and efficiently.

While I hope this patch or a modified one will make it into node.js, this approach can be adapted to exist outside of node’s core, at the expense of maintaining two require() implementations.

Simple Addressing for the Web, Part 1

Addressing is important. It’s something that many people have tried to solve.

I’m interested in addressing because it’s an important piece of web-scale messaging, and of the federated social networks that are an emergent property of verified cross-site communication. In order to communicate with someone, you need to be able to route your communications to them.

The URL is the thing. Except when it’s not.

The URL was supposed to become the way that we negotiated identity. We were supposed to have a “home page,” a place on the internet to call our own. It didn’t quite work out that way, and at the same time as Geocities is shutting down, we’re finally facing the need for a strong conception of identity on the web.

It goes without saying these days that everything we do, everything we interact with, has an associated URL. I can give you my blog URL so that you can read my posts, or my calendar URL so that you can invite me to events. However, for the vast majority of users, URLs aren’t a viable option. Fundamentally, it’s a lack of consistency (or, put another way, unbridled diversity) that makes URLs unusable as identity markers. Take the following URLs as a proof-by-example:


All of the above are URLs which I see while interacting with sites on the web. Unlike postal addressing, phone numbers, or email, there’s no consistency. The path part of the URL may as well be line noise in the latter four examples. By association, the pattern used by Flickr, MySpace, and Twitter is a fluke. Beyond that, my username doesn’t match across the three social networking sites, and as such it’s nearly impossible for a friend, relative, or co-worker to guess what my URL is, even given a domain.

I don’t see a way to fix URLs across the web so that we can encourage people to use them as identifiers. OpenID has tried, and the results are nothing short of abysmal.

Back to the Future

If not URLs, what should our new web addressable identities look like? The simplest answer is “like an email address.” They’re universally recognizable. Billions of people have email addresses and know how to use them. All the major IM providers have moved towards email-like addresses as identifiers (gone are the integers of ICQ). Most importantly, email addresses are easy to construct and resolve.

The net result of this line of thought is that instead of @blaine for my Twitter address, I’d be blaine@twitter.com; I could share my MySpace identity as blaine@myspace.com, and on Facebook I could be blaine@facebook.com.

The problem is that those addresses conflict with an already-existing namespace, specifically email. Which isn’t surprising, but it is problematic. Can you send me an email at those addresses? What happens when you do? Unfortunately, there aren’t clear answers for those questions, and while some social networks might choose to make “Social Network Addresses” work as email addresses, it would be an uphill battle to convince all providers to do so.

Use What’s Already There

I’ve been thinking about this problem a lot lately, and while the approach of re-using email semantics to provide human-readable web addresses/identities is very attractive, the proliferation of addresses (one for each network) and namespace collisions are less than ideal. After having extensive conversations with Alexis Richardson and Tony Garnock-Jones, the general approach for discovery became clear to me, but I didn’t have a more generally applicable form for the addresses themselves.

Eventually, talking over the problem with John Panzer and Breno de Medeiros at Social Web Foo, the solution was there, blazing as bright as the California sun: Google Profiles mean that Google is now providing links to all my social network profiles. They’re also my email provider.

My email address is hosted by Gmail. If you transform it into the corresponding Google Profile URL, you get my profile data, and away we go. Every email provider these days has a website, and Eran’s LRDD, new on the scene, provides a discovery mechanism that everyone (i.e., every mail provider, even if they’re only hosting static content) can implement in just a few minutes.
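The transform itself is almost embarrassingly small. This sketch assumes a hypothetical provider that publishes profiles under a predictable /profiles/ path; a real lookup would go through LRDD/host-meta discovery rather than hard-coding the layout.

```javascript
// Sketch: map an email-style identifier to a profile URL, assuming a
// made-up /profiles/<user> layout on the provider's website.
function profileUrl(address) {
  var at = address.lastIndexOf('@');
  if (at < 1) throw new Error('not a user@host address');
  var user = address.slice(0, at);
  var host = address.slice(at + 1);
  return 'https://' + host + '/profiles/' + encodeURIComponent(user);
}
```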

This is an important, exciting transformation. Now, with one identifier, I can share all the social bits of myself to anyone I please.

Where are my photos?

Where’s my calendar?

What’s my phone number? Look it up with my address, and I’ll give you permission to see it and store it in your address book.

They’re all the same.

If I want to share a different set of social interactions, say, my work identity, I can give out my Osmosoft or BT addresses instead. Now just photos of conferences come up, and the calendar that you’ll find is my work calendar, not my social calendar.

Talking about this problem with others unearthed a post last year by Brad Fitzpatrick and EAUT, which were both aimed at solving the OpenID problem, but both take the same approach as the one that I outline here. EAUT seems to have been lost in the swamps of XRDS-Simple, and Brad’s post was probably too early to the races, in true Brad style (if you want to know what’s coming to the internet in five years, just read his blog posts).

With a swift and general agreement-in-principle, there’s been some very positive movement towards promoting this concept as a way to bring the power of strong identity that email provides to the web. John has an excellent post on the subject, and it seems like a name for the project has emerged: WebFinger.

Part Two (coming tomorrow) goes in depth about how this all works on the tech side. Bits on the wire, as Tim Bray says.

Easy Android

Let me start by saying that I’m very impressed with Android, and with the ease with which I was able to scratch an itch. The fact that I’m not locked into Apple’s app store world is nice; I don’t know what the specific terms are for Google’s marketplace (I haven’t signed up yet), but frankly I trust them more than I do Apple.

Full Disclosure: at Social Web Foo, Joshua very kindly gave me (and about 50 others) a free Android Dev Phone. He gave strict instructions to actually write something for it; I probably wouldn’t have bought a dev phone myself (nor written <shudder> the Java against the emulator), so the gift worked out.

I hadn’t written a line of Java before. Shock, horror. It’s just as annoying as everyone always said, but developing for Android with Eclipse is pretty straightforward. The documentation is good. I started with the basics, and pretty quickly moved to example code; most notably, the NotePad application that comes bundled with the Android SDK.

Once Eclipse and the SDK were downloaded and installed, it only took about five minutes to get my first app up and running. Getting a list view of hard-coded data took another ten minutes, and modifying the code to display a different view when one of the items was clicked took about two hours (keep in mind that I was learning Java with the patience of a Ruby programmer here).

The Bad

Honestly, there’s not a lot that I was upset by. Coming from Rails, defining table structures and setters and getters and all the explicit typing is pretty annoying. Cutting and pasting code meant that I had a few mismatched data structure definitions, and the error messages were less than useful, since all that fancy type matching means that when something doesn’t match up in your XML configuration file, Java can’t tell you where to go to fix it. Figuring out where I had mismatched strings in XML config files easily took another couple of hours, which sucked, but it seems like the kind of thing that you’d get used to. Functional brain damage, I suppose.

The Good

Android is a developer’s platform. The way that content, and well, everything is addressed is fantastic. There are hooks for everything, and the tutorials encourage you to do the right thing out of the box. The documentation really only makes sense once you get it, but for the really simple app I’ve been working on, the examples were more than sufficient to get things going.

Basically, every data source is addressable through a “content://” URI scheme. What that means is that any application can provide hooks (if it knows about your data source) to view, edit, or list bits of data. I expose a set of short recipes (from @cookbook) at content://org.romeda.provider.Cookbook/recipes. That means that as long as, say, Tweetie knows that the provider exists, it could add a hook to allow people to add any tweet as a recipe. It also provides hooks for other applications to know when new recipes are published (or, for example, I could tie into a Twitter provider on the phone and piggyback discovery of new updates on that, rather than running my own polling process), in addition to hooks to view, edit, or any other action you can imagine.

The best thing about this is that the whole system works the same way. You register an “Intent”, and the OS lets you know when something in the system is relevant. The simplest (but seriously awesome) example of this is if you want to intercept an outgoing call and rewrite the number (or just make the call over a voip stack, for example). You just register your intent to handle ACTION_NEW_OUTGOING_CALL, and away you go. A simple data passing interface lets you receive and attach data to the messages.

The other thing that’s great about Android that I noticed right away is that the default views are extremely simple to use and customize, and they save their own state. Without writing any special code to remember where a user is in the scroll buffer, and without doing any work to remember which view a user was in (e.g., list or item view, edit, etc), the default behaviour is to remember. It’s the embodiment of everything Google’s been doing on the web lately — don’t save, ever, because saving is stupid. Either you’ve published/archived/sent/deleted something, or it’s in a draft form. The draft is implicitly persistent, and avoids the user ever losing work. This is in stark contrast to the iPhone, where Safari’s horrible constant reloading of pages boggles the mind, and burns through roaming data minutes like there’s no tomorrow.

The Code

So it’s not fancy, and it doesn’t even fetch the recipes yet, but I’m posting the code here since it’s pretty damned simple at this point, and demonstrates making an app with two views. I’ll update it as time allows.

Automatic Bootstrapping of Rev=canonical

Kellan’s work on making URL shortening not suck is great, but killing bit.ly and tinyurl just isn’t going to happen. Sadly for Joshua, this is the way the internet works, and if he doesn’t like it, tough shit.

So far I’ve only seen one site that (awesomely) shortens URLs with rev=canonical (I’m sure there are more, but I haven’t seen them. So there.) Simon Willison has done some great work on his blog, and throwing his posts at Kellan’s shortener produces nice, short, rev=canonical-derived URLs. Brilliant!

Except no one will use it, because, well, bit.ly is useful for doing things like tracking how far that link you sent got, and there’s a degree of muscle memory involved. This is the sort of vi-versus-emacs argument that just isn’t going to go away. Also, the same post can be shortened by bit.ly, tinyurl, and the rev=canonical-specific shortener I just linked to in the previous paragraph. So why fight it? You really can’t win.

There is hope, though. I live in the dark ages, and Blogger publishes my posts as static HTML over SCP or FTP or some other totally inappropriate protocol. Since there’s no <$BlogItemShortURL$> tag in Blogger’s template syntax, I’m completely unable to do what Simon’s done, without migrating to a self-hosted blogging system (contrary to popular belief, not all programmers are compelled to write their own blogging systems (erm, on second thought, ignore twitter)).

Anyhow, it turns out that I can be as cool as Simon, just with one step of indirection:

<link rev="canonical" href="<$BlogItemPermalinkURL$>"/>

Strike that, Blogger fucking sucks and so I’ve created a shell script that converts a placeholder into rev=canonical links. Man, that was a pain in the ass. Why do I still use Blogger? Anyhow, the point stands if your blogging software doesn’t totally suck and will give you a permalink anywhere in the template engine. Which is probably true unless you’re using Blogger. Ugh.

So this is great. Now my blog posts are rev=canonical™ compliant, and you didn’t have to change anything at all, beyond shoving a couple of lines of HTML into your blog template. People that use bit.ly and tinyurl are happy, because they don’t need to change their behaviour, and people that use rev=canonical are happy, because they can just follow the links provided for them.
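A consuming site (a shortener, say) then just needs to look for that link in the page. Here’s a deliberately naive sketch; a real implementation should use a proper HTML parser rather than a regex, and this one only matches when `rev` comes before `href`.

```javascript
// Sketch: pull a rev="canonical" short URL out of a page's HTML.
// Returns the href, or null if the page doesn't advertise one.
function findRevCanonical(html) {
  var m = html.match(
    /<link[^>]*rev=["']canonical["'][^>]*href=["']([^"']+)["']/i
  );
  return m ? m[1] : null;
}
```

A shortener that finds a rev=canonical link can hand it back directly instead of minting a brand-new short URL.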

Now of course this doesn’t address two of Joshua’s concerns. First, I still have no idea where my traffic is coming from, because I don’t run my own URL shortener. I don’t want to run my own URL shortener. What I see here is an opening for bit.ly and/or tinyurl to allow me to see the stats of redirects (Dear FeedBurnerGoogle: Please purchase bit.ly or tinyurl, or build your own), which they should be able to do easily, since all I would need to do is prove that I own my domain by sticking some secretly named file at the domain root or some such.

The second concern that remains unaddressed is what happens when the URL shorteners go away? Well, we have the same problem on the web. The answer to that was/is The Internet Archive, so herewith The (Tiny) Internet Archive.

Currently it’s just a proof-of-concept. I don’t guarantee in any way that the links posted there will persist. That said, the free quotas that come with Google App Engine allow enough space to store around two million links, at $0.15 per month for every additional two million links, so I’m sure space won’t be a problem. Who knows, maybe the Internet Archive will take it over?

The code that’s up is available on github here: TinyArchive. If you have suggestions, please send them my way or fork the code and send me patches. It was just a pre-coffee morning hack, my first stab at App Engine, and my first Python code in what seems like forever.

Facebook Is Closed for Anything

From Mark Zuckerberg’s post responding to the criticisms of their new ToS:

“We think this is the right way for Facebook to work, and it is consistent with how other services like email work.”

If that’s the case, then why the onerous licensing? I’m quite sure that people running email servers don’t need to negotiate licenses to send and receive email to and from one another. Asymmetrical persistence is a feature, not a bug, of email.

Facebook couldn’t figure out how to replicate email in a closed, centrally controlled corporate environment (hint: you can’t). Resorting to legalese is a by-product of their broken closed model (yes, this includes their support of OpenID and their Facebook PlatformPlantation).

“There is no system today that enables me to share my email address with you and then simultaneously lets me control who you share it with and also lets you control what services you share it with.”

That’s because you can’t control such things. At the end of the day, I can write down a phone number from a screen, and paste it up on telephone poles anywhere I please, shout it out at the top of my lungs. There’s no law that prevents me from doing that, and even if there were, it would be completely unenforceable.

The music and film industries have been fighting this losing battle for years, and frankly it’s depressing to see a major web property co-opting the notion of openness while playing essentially the same DRM game.

With legalese like this, I’m expecting the big announcement at f8 to be OpenFacebookHappyDRM. Code name: Hotel California.

You can OpenID in any time of day, but you can never leave…


If you’re interested in scalability and performance as it pertains to internet applications, or if you’re involved in or looking to build a reliable internet-based system, go to Velocity.

I was fortunate enough to attend the O’Reilly Velocity Summit back in January, which was a Foo-Style event designed to provide some context leading into the actual conference in June. If the conference is one tenth as good as the summit, it will be amazing. Jesse is an amazing organizer and a man with a vision.

Anyhow, instead of reading my off-the-cuff posts about obvious things that are much more fun to talk about while drinking in Miami, go to Velocity and learn this stuff for real.


Updated: Go read Steve’s Dynamic Languages Strike Back. It’s a longer read, but it’s much more interesting, and he’s much smarter than I am.

LOL. <– this is a link. Read Ola’s post, first.

For all those who don’t get it, languages don’t scale, architectures do.

Now, some languages are faster than others. That means that to complete a given operation, it costs less, everything else being equal. Costing less is a good thing. But developers also cost money, so if you have to spend money on developers’ time porting from one language to another then you might not be saving any money at all, and really you’re just treading water.

Once upon a time, Shell Scripts were used to write CGI applications. With the correct architecture, and enough money, you could build Google with tcsh. No, really. It wouldn’t be fun, and you’d be dumb, because there are much cheaper ways to do it. But then again, if you stuck with it, perhaps you’d optimize tcsh to be really fast at spawning and serving up web requests. Faster than Java, faster than <insert your favourite language here>. Faster means cheaper, it doesn’t mean more scalable.

I point to exhibit A. Perl used to be slow. Now it beats JoCaml with the bestest concurrency (re: “Scalability”) around. What was Perl built for? Parsing text. Lots of it. All the time. It’s fast. Does it mean that you can’t build Wide Finder with another language? Absolutely not. Does it mean that you couldn’t build Wide Finder to scale out to a trillion documents with gawk? If you answered “yes”, go back to the start of this post and read again! :-) If you’re still answering “yes,” try reading some more. Leonard, Ted, Joe, Cal, and Theo are good places to start.

If you answered “no,” congratulations! Pat yourself on the back for knowing what scalability means.

FoWA Miami Rocked.

I’ve been busy getting [Twitter] ready for SXSW, and have completely failed at email and, well, everything except work, since then. Before I actually land (and get drunk) in Austin, I wanted to make a quick post about how great FoWA Miami was.

After giving my workshop, I attended Joe’s workshop on scalability, which was an amazingly thorough discussion, and I highly recommend attending anything that Joe does in the future (including the panel that he, Cal, and others are on at SxSW). I didn’t catch many of the session talks on Friday, as I spent much of my time talking to attendees, but the “Building a Web App in 45 minutes” panel was a fun experiment, and both Cal and Gary were energetic, brilliant, amazing, all that good stuff. If you get a chance to see either of them speak, don’t pass it up. Especially Gary, as you’re likely to get free wine, even if he makes you eat dirt beforehand.

I had some hiccups during the demo / discussion portion of my workshop, but the first part went well, I think, and I’m looking forward to some great applications that incorporate Jabber soon. My talk, “Bringing your web app to the masses” went well, except for the part where Twitter went down in the middle of it, and I got a call from work (which I waited until after the talk to answer).

Some heckling ensued, but I was happy to be able to address the audience’s questions about Twitter in an open and honest way. The atmosphere that Carsonified has managed to foster at FoWA helped a ton.

Mel, Ryan, Lisa, Keir, and Elliot did a fantastic job organizing everything, and Tantek and Brian put together an amazing lineup of speakers and workshops. Seriously inspiring stuff.

If they’ll have me, I’ll definitely be going to any conferences they hold in the future. They’ve come a long way since the FoWA San Francisco in Fall 2006, and it looks like they’ll just keep getting better.

Google Entanglement

I’ve done a fair bit of security work, and generally try to care about the finer details of privacy and security. However, one of the things that I’ve learned is that more often than not, no amount of digital security past a certain point is going to help, since usually the threat model isn’t an advanced technological attack, it’s a social one.

Thus far, Google has done a pretty good job of keeping private things private and public things public. I’ve spoken to people on the Google Reader team, and the main reason they haven’t added support for private feeds is their acute concern for privacy.

Today Google announced a limited trial of storing health records online. This seems reasonable and doable in a secure way, but I’m sure they’ll get lots of unwarranted flak for the long-awaited project.

However, there will and should be some warranted flak. It turns out that they’re using your regular Google account to store this information, and will provide access to it using your regular password, no doubt through yet another Google login page. I’ve heard concerns (from Google people) that OAuth enables phishing, but project infighting and power struggles at Google that result in tens of login pages, all slightly (or dramatically) different, all using the same credentials, enable phishing far more.

I strongly support patients’ rights to access their medical information, and Google is probably one of just a handful of organizations that can do the necessary coordination work and stand up to invasive organizations at scale. However, they need to stop thinking of this data as theirs, because it’s not — it’s your data. Using the same password as your email to access your health records is something that should be actively discouraged. If Google wants to present a unified interface, they should expose an API and use OAuth or AuthSub, just like any other third party that would consume the data.

Now, I may be over-reacting, but I had an interaction yesterday that suggests to me that I’m not. Someone using GTalk sent a chat request to an address at a domain I host myself; that address has an MX record pointing at my own mail server, and the corresponding JID resolves to my own Jabber server. However, I have claimed the address on GMail, and associated it with my primary GTalk ID. When I accepted the chat request, the response came from my GTalk account.

In effect, Google had done something clever, and in so doing broke the Jabber spec, ignored my own self-hosted Jabber server, and exposed my personal email address without asking my permission.

In this case, it wasn’t a big deal, I don’t care, etc. Others might, though, and I only knew that it was happening because the person on the other end of the chat was tech-savvy enough to realize what had happened. Also, email addresses and connections between them are hardly closely-guarded secrets. The thing I take away from this is that Google is being sloppy. There’s a lot going on, and it’s hard to keep track of it all. That your health records are being tied to your Google account just reeks of some power struggle where the Google account people want to bolster their product’s internal importance (or have managed to get veto power where they shouldn’t have it), and it’s simply not a pragmatic choice. There’s a reason your health records aren’t stored at the DMV, and it’s not out of convenience. Just sayin’.