Author Archive

Google Chrome How-To: Encrypt Your Searches

Posted on: June 27th, 2010 by Rabbit

Google Chrome has quickly become my new favorite browser. It’s simple, fast, and minimalist. The location bar — also known as the "one bar to rule them all" — accepts input intelligently, either navigating to a URL or running a search depending on what you type. By default your search input is passed off to Google standard search (google.com), but Google also offers encrypted search over SSL (encrypted.google.com). The encrypted search is incredibly fast! It operates exactly the same as the standard search, but all of your communication with Google is secured and private. I will show you how to encrypt your searches by default through Google Chrome so you can secure your information without having to think about it.

1) Launch Google Chrome and open the Preferences dialog.

2) From within the Basics tab click the "Manage" button in the "Default Search Engine" section.

3) A dialog will pop up that shows all the search engines that Google Chrome has installed for you. These entries pop up as you type the associated keyword in the location bar. We’ll need to add an entry for Google Encrypted Search so click the "+" at the bottom of the dialog.

4) You’ll need to enter 3 things here: Name, Keyword, and URL.

  • Name: Google (Encrypted)
  • Keyword: google
  • URL: https://encrypted.google.com/search?q=%s

NOTE: Make sure you use HTTPS (with an "S"). With plain HTTP the query text would leave your machine in cleartext.

5) Click OK. Now, you’ve added the search engine but you will only be able to use it if you type the "google" keyword in the location bar first. We want to use it by default so find the entry that says "Google (Encrypted)", click it once, then click the "Make Default" button.

6) That’s it! Let’s test out the result. Close all the dialogs and get back to the main Google Chrome window. Start typing a search query into the location bar. You should see a suggestion drop down that contains the phrase "Google (Encrypted)".

7) When you search you’ll notice the location bar is highlighted to indicate a secure connection and the Google logo has an "SSL" lock. Now when you search all your communication with Google will be secured by default. Enjoy!
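As an added illustration (not part of the original post), here is a small Python script that mirrors what Chrome does with the `%s` template: it checks that the template really uses HTTPS, which is the "with an S" point above, and percent-encodes the query before substituting it, so characters like `&` or `#` in a query cannot alter the request. The encrypted template is the one from the post; the plaintext variant and the sample queries are constructed for the example.

```python
from urllib.parse import quote_plus, urlsplit

# Search-engine templates in Chrome's "%s" notation.
ENCRYPTED_TEMPLATE = "https://encrypted.google.com/search?q=%s"  # the template from the post
PLAINTEXT_TEMPLATE = "http://www.google.com/search?q=%s"         # constructed, insecure variant


def validate_template(template: str) -> list:
    """Return a list of problems with a search template; an empty list means it is usable.

    The checks are the ones a practitioner cares about: the placeholder must exist,
    and the scheme must be https so the query is not sent in cleartext.
    """
    problems = []
    if "%s" not in template:
        problems.append("no %s placeholder")
    scheme = urlsplit(template).scheme.lower()
    if scheme != "https":
        problems.append(f"scheme is {scheme or 'missing'}, not https")
    return problems


def template_is_encrypted(template: str) -> bool:
    """True only when the template passes every check in validate_template()."""
    return validate_template(template) == []


def build_search_url(template: str, query: str) -> str:
    """Substitute the query into the template the way Chrome substitutes %s.

    The query is percent-encoded (spaces become '+', '&' becomes '%26', and so on)
    so that user input cannot inject extra query parameters. A template that fails
    validation raises ValueError instead of silently building an insecure URL.
    """
    problems = validate_template(template)
    if problems:
        raise ValueError("unusable search template: " + "; ".join(problems))
    return template.replace("%s", quote_plus(query))


if __name__ == "__main__":
    # Constructed sample queries, including one with characters that need encoding.
    for q in ("openid phone numbers", "a&b #c"):
        print(build_search_url(ENCRYPTED_TEMPLATE, q))
    print(validate_template(PLAINTEXT_TEMPLATE))
```

Running the script prints the two encrypted search URLs and then the problem list for the plaintext template, which is how you would catch a template typed with "http" instead of "https".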


GWB ‘knew Guantánamo prisoners were innocent’ but that’s not the shocking part.

Posted on: April 11th, 2010 by Rabbit

Woke up this morning to catch this really disappointing article claiming George W. Bush, Dick Cheney and Donald Rumsfeld covered up that hundreds of innocent men were sent to the Guantánamo Bay prison camp because they feared that releasing them would harm the push for war in Iraq and the broader War on Terror. Maybe I have been naive but that wasn’t the shocking part.

The shocking part, for me, came from a seemingly quick side comment (emphasis mine):

Colonel Wilkerson, a long-time critic of the Bush Administration’s approach to counter-terrorism and the war in Iraq, claimed that the majority of detainees — children as young as 12 and men as old as 93, he said — never saw a US soldier when they were captured. He said that many were turned over by Afghans and Pakistanis for up to $5,000. Little or no evidence was produced as to why they had been taken.

Children as young as 12? Dangerous terrorists? Men as old as 93? Not subject to a civil hearing or given legal notice as to why they are being detained? Children?! Treated as hostile enemy combatants who don’t deserve a court hearing? Little kids who never necessarily understood why they were being detained? Why doesn’t the article expand on this little comment? Does everyone know about this? Am I the only one shocked?

Please, someone explain this to me. I’m having a hard time wrapping my head around it. Even if everyone there were guilty, dangerous terrorists, it’s still a difficult fact to wrap my head around that a child doesn’t deserve a court hearing. According to Colonel Wilkerson, though, we’re talking about innocent children. Ugh!

Court rules FCC does not have custody. Internet cries without father figure. Rabbit confused.

Posted on: April 6th, 2010 by Rabbit

So I’m browsing the Digg headlines and I come across this article about a federal appeals court ruling that the FCC lacks the authority to meddle in the affairs of broadband providers. "This is great news!" I think to myself. I’m an evangelist for open, free, unregulated internet. I’m a supporter of net neutrality and am very concerned about information control currently being carried out all around the world to silence citizens, conceal truths, and discourage opposition to unjust rule. Which is why I was completely stunned to find the Yahoo! article painted these events with a negative brush and the comments about the article were a waterfall of tears and desperate cries for a savior.

Make no mistake: this is about control which is about power. Governments steal it, corporations patent it, and citizens lose it. Right now the control is largely in the hands of the bandwidth providers and that scares us. There is a very real incentive for large corporations to purchase road blocks for their potential competitors. I’m not naive. I fully understand this would be absolutely horrendous and none of us — none of us — can afford to tolerate it. I also think it’s a little odd that the FCC claimed to be able to fix this issue. Since when did the FCC have control over the internet? This ruling answers that question: they never did. If you think the FCC ensuring net neutrality is the one and only goal, then you either haven’t been around long enough or haven’t been paying attention. This is about using your support for net neutrality to position themselves as the agency in control of the internet. Hope you’re ready for Hulu, Grooveshark, and Last.fm to suck like television and radio.

The internet is an unbounded, uncontrolled, unbiased, global, data manifesting, exponentially accelerating, unstoppable beast. For freedom-loving people of the world, it is a reason to rejoice, raise a glass of wine for a toast, and dance around a grassy field in a Hobbit-like utopia. For governments, corporations, and other persons or entities that exist with an incessant desire to control, it is a marauding devil bear with virgin blood eyes vomiting nuclear holocaust onto your family. In other words it’s the scariest thing to be invented and embraced since the U.S. Constitution.

The internet is a scary place. It has profanity and porn. That offends people. It has free speech. That really offends people. There are viruses and hackers and identity thieves and sensitive intellectual property and banks and finances and medical records and serious business and on and on and on. That’s a lot of real estate and natural resources. Surely, we need somebody to come along and tell us what to do about it because we’re clearly out of our minds, right? We need the FCC to be our savior, don’t we? … Hell no!

So, to reiterate. This whole FCC being shot down? It’s a good thing. Embrace it! Yes, we still need to figure out how we will ensure corporations aren’t going to start showing bandwidth favoritism but if you’re paying attention we already have that: it’s you. Stop relying on Daddy so much. We’ll figure this one out on our own.



The unidirectional path of online privacy

Posted on: February 12th, 2010 by Rabbit

In the physical world, privacy is evaluated as a series of probabilities and assumptions which are often anchored to a network of trust. If you write something on a piece of paper and hide it in your mattress, the likelihood that someone will find it is relatively small because paper is a very primitive data distribution technology. It has real, physical limitations which directly impact the probability that the information will be discovered. If you share information with your best friend or doctor or pastor, internally there are different evaluations of trust which are built on an unbounded series of factors. If they violate that trust and share the information with someone else, there is still a trust evaluation on the other end for the recipient who must determine if the source is reliable (are they making something up about you).

On the web, information moves differently. The data received can be a literal copy of the data sent regardless of how many times it hops around the nodes. The vast majority of our data is shared by proxy through faceless web services which we entrust to be good stewards of our data and our intentions. Out here, there is no such thing as private; only less public. Compounding the problem is what I refer to as the unidirectional path of online privacy, which dictates that once something moves along the gradient of privacy (the degree to which something is public information) towards being more public, it cannot be moved back to be more private. This is different from the physical world, where information can potentially be taken back and disposed of. On the web, all data you see is technically a copy of some original source which most likely does not exist anymore because it was held in temporary memory. The rules and "social norms" of the web are different out here.

We recently have seen a shift in Facebook’s attitude towards privacy. Now, it seems, we are seeing Google test the waters of the new privacy standard (warning: link contains vulgarity):

I use my private Gmail account to email my boyfriend and my mother.

There’s a BIG drop-off between them and my other “most frequent” contacts.

You know who my third most frequent contact is?

My abusive ex-husband.

Which is why it’s SO EXCITING, Google, that you AUTOMATICALLY allowed all my most frequent contacts access to my Reader, including all the comments I’ve made on Reader items, usually shared with my boyfriend, who I had NO REASON to hide my current location or workplace from, and never did.

My other most frequent contacts? Other friends of Flint’s.

Oh, also, people who email my ANONYMOUS blog account, which gets forwarded to my personal account. They are frequent contacts as well. Most of them, they are nice people. Some of them are probably nice but a little unbalanced and scary. A minority of them — but the minority that emails me the most, thus becoming FREQUENT — are psychotic men who think I deserve to be raped because I keep a blog about how I do not deserve to be raped, and this apparently causes the Hulk rage.

Privacy is important. Let me say that again: Privacy is important! We have a lot of work to do. We’re still figuring out how data ownership and privacy works on the web. One thing, to me, is clear: people want to be treated closer to their local norms on the global stage.

Food for thought.

The death of the URL (and birth of something else)

Posted on: December 10th, 2009 by Rabbit

Chris Messina has a wonderful write up about something I’ve had a lot of interest in called The Death of the URL. I highly recommend taking a look. While I think he is correct, I have a slightly different perspective. I agree that the current effort by some companies to take advantage of new interfaces to funnel users (ahem: money) their way is dangerous and deserves every pint of paranoia but ultimately they won’t last. Those companies know that it won’t last but they’ll make a boat load of money, build their brand, and look like saints when they finally open up.

On the other hand, I really dislike the implication that we need the URL in all its raw glory. The idea of future generations growing up without knowing what a URL is does not scare me — it delights me. If the web has shown me anything it’s that, out here, once something is open it doesn’t close. What we’re afraid of in the exhibits on display in Chris’ post is not the removal of the URL it’s the removal of the flexibility a URL provides. I would prefer to frame the death of the URL as the death of the file path. Which is to say, it’s not really dead, it has just matured into a more visually compelling and human-oriented metaphor.

Most people get along well enough without knowing the path to 99.99% of the files on their computer, and even when they think they know the path it’s actually a symbolic representation rather than the true file path (i.e. “It’s under My Downloads”). The URL has been called the modern command line interface and I think that’s pretty accurate. I can’t know for sure, but it would not surprise me if clinging on to the URL will eventually put you in the equivalent camp of those Linux users who are today confident that Windows users are simply “wrong” that the command line is hard to use.

I don’t want to see text. I want to see Pages, Photos, Videos, and Apps. Modern location bars in browsers still consider a URL to be mundane text. The location bar is really good at helping me when I’m typing, but I still can’t “grab it” and “share it” without copying and pasting it manually. When I right click on the location bar in Firefox, why am I given only textual options? This is the mentality of the command line engineers and, luckily for them, it serves us well enough for right now. There’s a manual way of doing it for now.

Exhibit “E” of Chris’ post includes the OpenID “NASCAR” problem. Identity in the browser will solve this. I would desperately love to see OpenID (which is a URL) be thought of more as a “thing” just as Information Cards are a “thing”. Kim Cameron was spot on the money when he discussed this point years ago. Since OpenID is a URL it needs to be a “thing” just as a Bookmark is a “thing” we can visually interact with in the browser. Why can’t my OpenID provider “push” my OpenID to my browser like a certificate? Why can’t I click on my OpenID (maybe represented as a “card” on a website) and have it “bookmarked” into my browser for use elsewhere? There’s a reason why cookies commonly hold a user’s identity. “Pushing” identity to the owner is easier than asking them to copy something or remember something.

Once the identity “NASCAR” issue is addressed, all other related issues can be addressed. We won’t need to see a million share buttons at the end of each blog post because the website will “know” me and ask my OpenID (via XRD) what share services I use. Now please, click one of the share buttons below… sorry if you don’t use any of those services. I was forced to assume you use a major service because I don’t yet know you. Eventually, I will.

Rick, you’re a jerk (also known as: OpenID Phone Numbers)

Posted on: June 10th, 2009 by Rabbit

Sometimes I’m very late in getting the latest and greatest. I wait until I can say “I need” something rather than “I want” something. My last cell phone lasted me about 5 years to become the only one on the block with an antenna in its old age. Aww, I loved that phone — it was so punk rock! A speaker volume so loud that entire city blocks knew I was getting a call. Tough as nails it had been dropped, thrown, slammed, burned, drowned, spit on, knifed (yes, I said knifed), and still worked flawlessly without a single scratch on the screen. Alas, while the iPhone might be a physical pansy compared to my old friend, it was more attractive for the apps to be more productive. So I got an iPhone, gave my old friend a proper burial, and was given a new number and the start of the problem known as “Rick.”

So who’s Rick? That’s part of the problem, I don’t know. Through my powers of deductive reasoning I can only surmise that he is a jerk face that left me with his number while he is reclined on a yacht drinking fairy beverages out on the pacific somewhere while watching me with his spy satellites and laughing hysterically with two gorgeous babes on his arms as all of his jerk friends call me completely baffled that I’m not Rick!! For the past 6 months, I’ve received a call asking to speak to Rick between 3 to 15 times a week. I kindly inform the callers that Rick is a jerk face who probably hated them too much to remind them to update their contacts. Perhaps Rick is Mr. Astley and this is his way of saying he’s never going to give me up.

Maybe I’m being too hard on Rick. After all, I got a new number too and I had to notify all my contacts. The real problem is that we’re still using phone numbers — an identifier invented when operator-run switchboards used the digits to drill down to a specific state, city, or neighborhood. The OpenID community thinks URLs are difficult for people to understand! Imagine a series of seemingly random numbers that actually point to locations on a grid. Phone numbers were invented to point to a machine, but I want an identifier that will point to me. My phone number is just an attribute of my identity. This would be like trying to find your best friend in a crowded restaurant when you’re only able to identify him by what shoes he’s wearing. What we really need is an OpenID.

If phones were actually “smart” phones capable of taking an OpenID, Rick would not be a jerk. He would have changed his phone number attribute and all of his friends would never know the wiser. Maybe even that luxurious example is missing the mark though. Why bother with phone numbers at all? I mean, when was the last time you went to Google by typing their IP address? What Rick really needs to do is allow his phone service provider to respond on his behalf and the only identity attribute Rick needs to handle is “Current Phone Service Provider”. I’m getting ahead of myself, though.

This illustrates a subtle point to why URI-based identifiers are so powerful and superior to other identifiers (such as e-mail, imho). Just like the DNS system itself, there are no special guarantees of application support. A registered domain does not necessarily have the ability to respond to website requests through HTTP nor does it necessarily have the ability to respond to SSH, FTP, SMTP, or any other number of applications. It does, however, provide a human-readable identifier that can be used by applications that need to point to that machine. In the context of a web browser, we’re informing the application that we expect the domain to be able to respond to HTTP requests. In the context of a mail client, we’re informing the application that we expect the domain to be able to respond to SMTP requests.

Following that logic through to fruition, I believe my iPhone Contacts application should know that the OpenID I am supplying should be able to respond to HTTP requests following a “Get-Phone-Number” protocol yet to be defined. So Rick, if you’re out there and you read this, I understand. It’s okay. I forgive you … you jerk.

Technical Note: XRD would actually be the more important technology in the scenario described here. OpenID is not necessarily a requirement to something like this existing but I would imagine some form of identity attribute ownership authentication would be needed.
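To show what the XRD-based lookup described in this post (and the idea in the earlier post of asking my OpenID, via XRD, which share services I use) would look like in code, here is an added Python example. It is not from the original post and not from any OpenID or XRD library. The XRD document, the identifier https://rick.example/, and the “get-phone-number” and “share” link relations are constructed for the example; the hypothetical Get-Phone-Number protocol has no defined rel URI, so a placeholder under example.invalid stands in for it. Only the XRD 1.0 namespace and the OpenID 2.0 signon type URI are real. The resolver also does the two checks a relying party should not skip: the document’s Subject must match the identifier being resolved, and only HTTPS endpoints are returned.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"   # real XRD 1.0 namespace
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"  # real OpenID 2.0 type URI

# Placeholder link relations for the protocols imagined in the post (not real standards).
REL_GET_PHONE = "http://example.invalid/rel/get-phone-number"
REL_SHARE = "http://example.invalid/rel/share"

# Constructed XRD document that Rick's identifier would publish.
SAMPLE_XRD = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>https://rick.example/</Subject>
  <Link rel="http://specs.openid.net/auth/2.0/signon" href="https://idp.example/openid"/>
  <Link rel="http://example.invalid/rel/get-phone-number" href="https://carrier.example/rick/phone"/>
  <Link rel="http://example.invalid/rel/share" href="https://share-a.example/"/>
  <Link rel="http://example.invalid/rel/share" href="http://share-b.example/"/>
</XRD>
"""


def parse_xrd(document: str) -> Dict[str, object]:
    """Parse an XRD document into {"subject": str|None, "links": {rel: [href, ...]}}."""
    root = ET.fromstring(document)
    if root.tag != f"{{{XRD_NS}}}XRD":
        raise ValueError("not an XRD document")
    subject_el = root.find(f"{{{XRD_NS}}}Subject")
    links: Dict[str, List[str]] = {}
    for link in root.findall(f"{{{XRD_NS}}}Link"):
        rel, href = link.get("rel"), link.get("href")
        if rel and href:
            links.setdefault(rel, []).append(href)
    return {"subject": subject_el.text.strip() if subject_el is not None and subject_el.text else None,
            "links": links}


def service_endpoints(document: str, rel: str, expected_subject: Optional[str] = None) -> List[str]:
    """Return the HTTPS endpoints advertised for `rel`.

    If expected_subject is given, the document must claim to speak for that
    identifier; a mismatch is treated as a failed discovery rather than trusted.
    Non-HTTPS hrefs are dropped so attribute lookups are never sent in cleartext.
    """
    xrd = parse_xrd(document)
    if expected_subject is not None and xrd["subject"] != expected_subject:
        raise ValueError("XRD Subject does not match the identifier being resolved")
    return [h for h in xrd["links"].get(rel, []) if h.startswith("https://")]


if __name__ == "__main__":
    # Rick's contacts app would fetch the XRD for his identifier and then ask for the phone rel.
    print(service_endpoints(SAMPLE_XRD, REL_GET_PHONE, "https://rick.example/"))
    # A blog would ask the same document which share services to show.
    print(service_endpoints(SAMPLE_XRD, REL_SHARE, "https://rick.example/"))
```

The deliberately plain-HTTP share endpoint in the sample document is filtered out, which is the behaviour you want from a resolver: the identifier owner controls which endpoints are advertised, but the consuming application still decides which ones are safe to talk to.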

OpenID Critical Issues: User Experience (part one)

Posted on: April 16th, 2009 by Rabbit

The OpenID community has recognized that the User Experience (UX) is not acceptable. People from several points of interest have come together to discuss and share ideas to improve the experience. There is currently growing consensus around certain ideas that I feel is risky and other areas I feel there is a missed opportunity. Before I get to my point of disagreement with the community, I’ll highlight what I think we can all agree on.

Where We Agree …

Current Directed Identity UI implementations do not scale.

Directed Identity lets users specify an OpenID Provider (OP) as their OpenID URI without having to specify their actual OpenID URI upfront (i.e. using “myspace.com” instead of “myspace.com/{user}”). This is a really great idea, but it has led to a user-friendly yet unscalable UI trend of provider buttons.

The web has already seen this concept with content sharing through third-party services. There are hundreds of services that users can share content through. The explosion of these sharing-capable services has led to ad-hoc interface “solutions” which ultimately aren’t very usable and don’t necessarily provide the user with tools that are relevant to their needs. Ironically, user-centric identity has the ability to resolve this issue for content sharing services. Unfortunately, the dilemma is shifted from one type of service to another which could further introduce confusion. I have already witnessed a case where a user was told they could login via Facebook Connect and mistakenly clicked on a “Share with Facebook” link because they saw the Facebook icon.

The bad news is there may be no direct solution to this problem. The good news is there may be indirect solutions by educating the user about OpenID, better introductory UX, and bringing identity to the browser (which I will elaborate on in future articles).

The UX needs a consistent look-and-feel and functional flow.

Modern web design philosophy dictates that a unique and memorable experience is highly desirable. Purple, Rock, Scissors employs this philosophy religiously through various look-and-feels. The important concept to grasp here is that the OpenID UX is an abstract idea just as headers, site navigation, and footers are abstract ideas. They may appear different and there may be radically experimental iterations of these ideas, but overall they follow the same principles (header is at the top and should contain the site name, site navigation should be available to every page and accurately depict page hierarchy, footers should contain extraneous information pertinent to the site).

Since OpenID (and other user-centric identity systems) are going to be a brand new concept to most users, innovation in look-and-feel should be kept to a minimum otherwise it will impede upon user acclimation rates. Fortunately, there seems to be a lot of agreement in this space within the community.

There are three areas within this space that need agreement: Login, Action Prompts, and Logout. The login look-and-feel is currently pathetic and wildly inconsistent. Action Prompts are any point the user is paused during the functional flow to make a decision and currently I have yet to see a single provider faithfully communicate to the user exactly what is going on. I’m well versed in user-centric identity and even I felt unsure exactly when I was about to share information from one domain to another (such as the portable contacts flow with Google). Typography and design elements must be bold and clear to ensure the user knows they are about to open their identity information up to a third party. Logout has yet to be a focus of UX discussions but there is disagreement on what “Logout” should mean. Does it mean logout of this site or does it mean logout of all sites? Whatever the answer may be, this information needs to be clearly communicated to the user.

These concepts may seem very basic, and they are, but you would be surprised just how much variable room exists even within these basics. This aspect of OpenID is very, very important and must be consistent across domains!

Where We Disagree …

I believe pop-ups are dangerous and intrusive.

Facebook Connect has provided the OpenID community with a fairly solid model for how to improve the UX. There are many things I absolutely love about the Facebook Connect UX. Unfortunately, the Facebook Connect UX was invented under assumptions that do not apply to OpenID and the community needs to carefully consider what those differences may be.

Modal dialogs are XHTML+CSS overlays that appear, stylistically, as windows on top of page content. When the user is presented a modal dialog, they are under the correct assumption that they are still dealing with the same site. The OpenID community is intending to recommend both modal dialogs and pop-up windows. This is dangerous behavior! Pop-ups are even suggested to take on a similar size and shape as their modal counterparts which makes things even worse! A little CSS-trickery can duplicate the pop-up window effect. We all know this, it’s already used by spammers to trick users. Why are we considering something even remotely similar to how websites trick users?

The OpenID community puzzles me on this issue. On the one hand, there is extreme pessimism toward the standard user’s ability to comprehend what OpenID is all about. On the other hand, they are suggesting we employ a tactic traditionally used by malicious and fraudulent phishing sites to trick standard users into providing credentials when they should not! We can’t have it both ways. Confusion will be our fault if we go forward with this idea. As a side note, I would also like to point out the pop-up approach is usually not very good for mobile devices, but I’ll save that conversation for when I address identity in the browser in a later post.

My recommendation is to present the user with modal dialogs only. If the user needs to be redirected to their provider for any reason, the user should be informed of this requirement and then either given a link or automatically redirected after a countdown. The link can open a new window if desired (which in my browser would open a new tab, far less intrusive than a pop-up). This will further encourage smart behavior on the user’s part: never supply credentials unless you are confident you are on your provider’s site.

I believe OpenID should NOT be hidden from the user.

We have what can be called a good problem. Directed identity for popular brands has been proven to work with impressive click-through rates. This revelation has inspired a lot of people to suggest OpenID should be pushed to the background. Even though I disagree with this, I do want to concede for a moment that all the arguments are very sound and follow good reasoning.

The problem I really have with this is that it is a missed opportunity. Researchers have discovered that displaying a popular brand on a button that says, “Use {brand} to login!” has been very well received by users. I’m not sure why this comes as a surprise. People have built an affinity with popular brands. They naturally gravitate towards what is familiar. We are passing up a perfect opportunity to use popular brands as a means to bootstrap the OpenID brand into familiarity.

The following brands are identity providers and this is how I would say I relate to them:

  • Google means search.
  • Yahoo! means web portal.
  • MySpace means social network.
  • AOL means chat room (sorry, AOL).

None of these brands mean “login” and the closest brand that comes to “identity” is probably MySpace. OpenID, however, can easily mean “login” to users. By always displaying the OpenID brand to users regardless of how they login, they will eventually learn to associate that brand with login mechanisms. Why is this mental association important? Because it means eventually the OpenID brand can stand on its own. Don’t see “Google” up there? No worries, you can type what you don’t see into this box that you’ve come to know as login mechanism.

I do not fault relying parties on this as much as I fault identity providers. In my opinion, it is the identity providers’ responsibility to let users know they have an OpenID. Create a standardized design, like a driver’s-license-style box with an OpenID logo in it and their URI. Display it prominently on their account page or profile page. They don’t even need to immediately understand what OpenID is. Simply showing them something they feel they own (their URI) alongside the brand (the logo and the term “OpenID”) will start to build an association in their mind. This is important.

Most of the counter arguments to this will, in one form or another, be built upon an embedded pessimism toward users that I do not share. Sometimes talking to technical people leaves me with the impression that standard users probably put corks on their steak knives so they don’t mistakenly jab themselves in the eye when they’re hungry. Let’s give people the benefit of the doubt. E-mail addresses and URLs are geeky too, remember? Typing “blah dot something dot com slash doodah dot wut” is not a natural human impulse, but apparently a lot of us have figured out how to do that.

This is not the part of my post where I go on to explain how I caught my Mom copying and pasting an SQL injection attack on a website because it allowed her to force people to add her as a friend (although it’s a great story and I really, really want to). That’s not the point. This is geeky stuff. I’m just saying, it is possible to make OpenID easy to understand without having to hide it under a rock. Make the UX clean, clear, and include no surprises and people will adopt it.

Identity Aliases: A rose by any other name?

Posted on: April 9th, 2009 by Rabbit

Chris Messina, David Recordon, John McCrea, Josh Elman, and Kaliya Hamlin got together for The Social Web TV at SXSW to muse about the differences between “real identity” and the pseudonyms we have grown accustomed to using on the web. It’s interesting to hear people at the forefront of identity talk about so-called “fabricated” identity with the subtle implication that it is something undesirable. I believe there are two overlapping discussions here: one about identity and the other about identifiers.

OpenID is a great technology for many reasons but relevant to this topic it is specifically great for three reasons:

  1. Identifiers are limitless and easy to create.
  2. There is no central governing body to the creation of identifiers.
  3. As soon as an identifier is generated it can be used.

The reason I like this design so much is that it unknowingly mirrors what human beings have grown accustomed to with regard to identifiers. In reality, I have several identifiers:

  • Aaron van Kaam
  • Rabbit
  • VK

Those are terms others have used to refer to me. Identifiers can also be assigned based on location, appearance, or hundreds of other factors. These are all valid identifiers:

  • The guy with the pink and blue bike
  • The guy who lives at 404 Not Found Street
  • Mike Ortiz’s friend
  • The guy over there.

We wouldn’t think of these as identifiers because that isn’t the sort of language we use in practice but they serve the same function as a digital identifier. Some of these identifiers are temporary because they are based on relationships, location, or possessions but OpenID also has the potential for temporary identifiers.

Chris Messina may believe the identifier “Chris Messina” is closer to his identity than “factoryjoe”, but from a web perspective it is whatever he chooses to make it. In the real world, I am sometimes called Rabbit. In fact, I’m more comfortable being called by that name even though it is not my name in any legal sense. Does it matter? I don’t think it does, any more than being called “The guy with blond hair” does. The identifier is meant to serve the purpose of pointing to my identity, and to that purpose it serves well.

I question the importance and value people are placing on the quality of Facebook-granted identity. Ultimately, for most business purposes, the only important thing is that money is able to be transferred from one point to another. Whether the money comes from “Aaron” or “Rabbit” really doesn’t matter to most businesses. Marketing people will always cringe and pitch a fit at my logic here, and that’s because they don’t get it. Identity is meant to be fluid. The web did not give birth to pseudonyms because we were lacking a proper namespace. The web has pseudonyms because it falls in line with how we internally process identity.

Thoughts?