January 26, 2005

The business -- and technology -- of finding a friend in cyberspace

Author: Roger Smith

If you're an inveterate reader of blogs, then you're probably ready for the latest phenomenon roiling the Internet: social networking software (SNS). SNS enables the development of so-called "Friend of a Friend" networks (FOAF, for short) such as Ryze.com, Linkedin.com, and AlwaysOn.com that have come to the fore the past couple of years. MySpace.com, designed for the high school and college-age crowd, also has grown rapidly.

These online personal or business networking sites are exploding in use, often adding tens of thousands of new users every month. Like the enormously popular dating site Friendster.com, all these sites are based on the "six degrees of separation" principle. That's the notion that any two random people on the planet are connected by an average of six acquaintances -- a claim that has been around for some time and supported most recently by a 2003 study reported in the journal Science.

Wikipedia, the free, collaboratively-edited Web encyclopedia (itself a type of social network application), describes social networking as the process of connecting individuals via friends, relatives, and acquaintances, allowing a person to build a "personal network." These networks can then branch out and allow friends to connect with people inside their accepted social circle.

How these "accepted" social circles are defined seems to be developing as a key differentiator for a lot of FOAF networks, as multimedia pioneer and Macromedia co-founder Marc Canter recently opined. "Though explicit social networking could be considered the hot new trend in software today, it is a solution without a context. Only by placing digital identity, social networking, and Web services into a particular context -- can their full potential be exploited."

Broadband Mechanics, Canter's latest company (which he founded in 1999), is currently working on a new generation of SNS tools for on-line communities called Digital Lifestyle Aggregators (DLAs) that will assist end users in keeping track of their personal and/or families' digital music, photo, video, and file collections -- as well as providing them with home publishing capabilities to create, store, and distribute their own content.

"What's been missing from social networking up until now are the activities and transactions that should follow once people have found each other," Canter said, explaining that many of the SNS sites like Friendster, etc. seem to be focused on building the biggest network rather than encouraging richer communication between participants. "[It's not surprising you see] the drop-off of interest in these boring SNS sites -- after you've connected up with all these people, there's often nothing to do. Instead of having one SNS with 1 million people, I'd rather see 1 million social networks with 10 people in them," Canter said.

Implicit versus explicit

Canter distinguishes explicit social networks in which participants actively invite new members and consciously build their network (a la Tribe, Friendster, and Linkedin) from either implicit SNS sites like Craigslist, a community-driven classifieds system, or SNS sites that derive metadata from email use and other activities of people to build maps of social networks (such as Spoke and Plaxo). An example of an explicit network is Broadband Mechanics' client AlwaysOn, which is a social network targeted at technology industry insiders. AlwaysOn users are identified by an online profile, which they write and control, and many post photos of themselves. Craigslist users, on the other hand, are anonymous unless they choose otherwise.

Privacy a hot-button issue

The concept of trusted user identity is a hot-button issue for a lot of people building social networking applications. Canter favors a commercial approach similar to that of Sxip Networks. Sxip (pronounced "skip") is a personal identity service, like Microsoft Passport, that allows users to authenticate with an identity provider (a Homesite) and then release identity information to other Websites (Membersites) in a network of trust similar to the Liberty Alliance federation scheme.

A typical Sxip scenario involves a Homesite performing a Domain Name Service (DNS) lookup to check the URL for the Membersite's logo to confirm that the Membersite is in fact a registered Sxip Membersite. Sxip's commercial efforts are intended to dovetail with the efforts of the Friend of a Friend (FOAF) project that is working to create a standard for machine-readable FOAF profiles. Similar to a vCard (electronic business card), a FOAF profile is a way to describe yourself -- your name, email address, and the people you're friends with -- using XML and RDF. Standardized machine-readable FOAF profiles will allow software to process these descriptions, perhaps as part of an automated search engine, to discover information about you and the communities of which you're a member. Although based on open-source code, Sxip is owned and run by a small Vancouver, Canada startup, Sxip Networks.
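What software can read out of such a profile, as an added example that is not part of the original article or of the FOAF project's code: the sketch below parses a constructed FOAF document and then produces a copy in which each `foaf:mbox` is replaced by FOAF's `foaf:mbox_sha1sum` property. The sample profile, its names and addresses, and the function names are assumptions made for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

FOAF = "http://xmlns.com/foaf/0.1/"
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
NS = {"foaf": FOAF, "rdf": RDF}
ET.register_namespace("foaf", FOAF)  # keep readable prefixes on output

# Constructed sample profile; names and addresses are made up.
SAMPLE_PROFILE = f"""<rdf:RDF xmlns:rdf="{RDF}" xmlns:foaf="{FOAF}">
  <foaf:Person>
    <foaf:name>Alice Example</foaf:name>
    <foaf:mbox rdf:resource="mailto:alice@example.org"/>
    <foaf:knows><foaf:Person>
      <foaf:name>Bob Example</foaf:name>
      <foaf:mbox rdf:resource="mailto:bob@example.org"/>
    </foaf:Person></foaf:knows>
  </foaf:Person>
</rdf:RDF>"""

def mbox_sha1sum(mailto_uri):
    """FOAF's foaf:mbox_sha1sum value: SHA-1 hex digest of the mailto: URI."""
    return hashlib.sha1(mailto_uri.encode("utf-8")).hexdigest()

def parse_profile(xml_text):
    """Return what any crawler learns from one FOAF document."""
    root = ET.fromstring(xml_text)  # for untrusted input prefer a hardened parser
    owner = root.find("foaf:Person", NS)
    mailboxes = [m.get(f"{{{RDF}}}resource") for m in root.iter(f"{{{FOAF}}}mbox")]
    return {
        "name": owner.findtext("foaf:name", namespaces=NS),
        "cleartext_mailboxes": sorted(m for m in mailboxes if m),
        "knows": [p.findtext("foaf:name", namespaces=NS)
                  for p in owner.findall("foaf:knows/foaf:Person", NS)],
    }

def hash_mailboxes(xml_text):
    """Publishable copy: every foaf:mbox replaced by foaf:mbox_sha1sum."""
    root = ET.fromstring(xml_text)
    for mbox in list(root.iter(f"{{{FOAF}}}mbox")):
        uri = mbox.attrib.pop(f"{{{RDF}}}resource", None)
        if uri:
            mbox.tag = f"{{{FOAF}}}mbox_sha1sum"
            mbox.text = mbox_sha1sum(uri)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(parse_profile(SAMPLE_PROFILE))
    print(hash_mailboxes(SAMPLE_PROFILE))
```

The hashed copy keeps addresses out of reach of simple harvesting, but anyone who already knows an address can still match it against the digest, and the name and friend list remain readable by every crawler.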

Privacy activist Dave Del Torto, for one, doesn't share Canter's faith in the benign effect of the marketplace when it comes to defining a circle of trust for SNS applications.

"The idea that privacy issues always seem to get in the way of necessary early profits is sadly consistent with the 'we'll strap some secure-looking stuff on once some companies have made their money' kind of attitude that's gotten the net/Web into the current predicament," says Del Torto. "Nearly every serious security scientist I've ever spoken to concurs that international standards need to be strengthened; this is not 'idealism,' it's being practical," adds Del Torto, founder and executive director of the CryptoRights Foundation, a non-governmental organization which, among other things, promotes the use of cryptography by human rights workers in third-world countries.

Likewise, Drummond Reed, CTO of Seattle-based Cordance Corp. and a trustee of the Identity Commons group, clarifies, "There can't be a social Web without ensuring that every user can effectively control the dissemination and use of their personal data. The social networking sites all agree to that -- they take great pains to let every user control their links. Now what we need is an open protocol for doing this everywhere, just like IP and the Web," Reed said.

Both Del Torto and Reed favor an approach to trust federation for social networking sites that adds a new layer of universal private addressing to the existing IP numbering and DNS naming layers used on the Internet today.

[Figure: Proposed XRI layer adds a location-independent persistence identifier layer to the current Internet infrastructure of IP addresses and DNS names.]

Specifically, they support user-controlled personal contact gateways known as i-names that are hosted by "i-brokers." I-name syntax and i-name services are based on the XRI (Extensible Resource Identifier) and XDI (XRI Data Interchange) specifications under development by the OASIS standards body and XDI.org, an international non-profit organization that manages i-name technology in the public interest.

Canter's response is that the XRI/XDI efforts are overkill. "For now, Sxip will suffice. But given the paranoid maniacs running around (promoting XRI/XDI), it may be necessary to defuse their complaints by doing an Open PeoplesDNS later," he said.

Del Torto, in turn, responds that Canter's proposed "Open" PeoplesDNS is a "bogus idea, since anyone who wants to right now can set up their own DNS server and jump right in." He reiterates: "[It's important to realize that] FOAF 'files' are people; some aspects of a person are public and some are private, and that person needs to be able to choose which, when, how, with whom and why. 'Password protection' does not privacy or security make. Attribute encryption with a technology like i-names is practically mandatory in order to have something remain a useful privacy foundation as we move the entire net forward into the future."

In reply to Canter's accusation that the XRI/XDI proponents are "paranoid maniacs," Del Torto retorts: "Well, he's got his head firmly rooted in the sand, bless his colorful little tail feathers. Open research into these privacy mechanisms is absolutely essential, and anytime a corporation tries to 'sell' you your own privacy, you should run, not walk, away from them like the snake oil salesmen, snake oil apologists, or ostriches they really are."

To join, or not to join

As the heated exchange between Canter and Del Torto illustrates, privacy is one of the most contentious issues for people building SNS applications. Whether privacy is defined by traditional DNS-style lookups using standardized FOAF profiles or by adding a new identifier layer to the current Internet infrastructure of IP addresses and DNS names, there does seem to be agreement on the need for some sort of decentralized security application that does not have to rely upon hierarchical and bureaucratic relationships between any of the SNS parties.

With SNS applications just now gaining wide acceptance, it seems obvious that a clear respect for users' privacy is pivotal for all those people wanting to join on-line groups or use SNS tools, services and applications.

Of course, it also seems obvious that there will continue to be a few of us, like the late Groucho Marx, who are reluctant to join any club willing to have us as members.

Roger Smith, former technical editor of Software Development magazine, is a free-lance writer based in San Francisco.
