Understanding is the Essence of Intelligence

Jean Vincent 

Liberating the data to better understand development

Filed under  //   Data Portability   Sustainable Development  


What is Data Portability and why is it important to all of us?

A lot of people are now familiar with Open Standards and Open Source, although many still do not understand the reasons why we need to vigorously protect Open Standards or why Open Source is important to everyone including the people who do not use any Open Source.

On the other hand, very few people have ever heard of Data Portability, and even fewer know why it is essential to us and to the future of our data on the web.

The lack of Data Portability.

The success of social networks and other collaborative web sites unveils the problem:

  • What happens to our data if a web site decides to cancel our account for some reason?
  • What happens if we disagree with a change in the terms of use of a web site where we have stored our own data for years?
  • What happens if the web site where we have entered our data for many years goes under without notice?
  • What happens if we feel that the government of the country where our data is hosted abusively eavesdrops on our lives and data?
  • What happens if the web site we use to store our data loses our data?
  • Can we truly and finely control who has access to which of our data we store on the web?
  • Can we move our own data from one web site to another or split it among other web sites?
  • Can we even make a backup of our own data from a web site?
  • Can we update our data on all the web sites we use simultaneously?

Data Portability is about controlling Our OWN data. This is about Ownership of what used to belong to us before we or someone else put it on the web. Data Portability is about our ability to manage our personal data stored on various web sites unencumbered by limitations of these web sites.


The current situation is akin to a bank that has all rights over our money while we have very few. This bank could wipe out our account without notice because we were impolite to a teller or because we failed the bank's dress code for customers. The bank would reject any request to transfer our cash to a different bank. The bank could go bankrupt and our cash would disappear in the process.

What can we do about the current situation?

The first thing we need to do is to stop being blind to the problem, tell those around us about the need for Data Portability standards, and relentlessly ask our service providers to implement Data Portability standards.

Data Portability standards are still in their infancy and a lot of standardization work still needs to be done before we can address the above issues. But at the very least we need service providers to consider implementing the standards that already exist, such as (but not limited to):

  • OpenID, a service to allow the use of the same identity by multiple service providers and thus allowing the sharing of information based on a global identification for users.
  • hCard, a microformat to publish contact information
  • FOAF (Friend of a Friend), an XML format to describe relationships between people
  • XFN (XHTML Friends Network), a microformat to describe relationships between people
  • OAuth, an authentication method allowing one web site to access our data from another web site without disclosing our password for one web site to the other.
  • OpenMicroBlogging, to provide interoperability between micro-blogging services, using OAuth.

I am currently working on a proposed open standard to enable users to control which of their data can be accessed by whom and from which services.

See also:
A Bill of Rights for Users of the Social Web

Filed under  //   Authorization   Data Portability  


Announcing the Open Web Foundation

Yesterday morning at OSCON, David Recordon announced the creation of the Open Web Foundation. According to the announcement, "the Open Web Foundation is an attempt to create a home for community-driven specifications".


This new foundation will hopefully enable faster development of open data specifications such as my authorization web service.

Filed under  //   Data Portability   Open-Source  


An Open Source Authorization Web Service

I am currently performing research on an Open Source Authorization Web Service for web applications.

Most web sites with users and users' data have to provide an authorization service to decide which data a user can access and under which conditions (read, write, delete, ...).

In Wikipedia, anyone can modify unrestricted articles, users registered for more than 3 months can modify restricted articles, and only administrators can delete an article. Administrators are authorized by other existing administrators.

In the LinkedIn service, users are only able to access information from their friends, and less information as their relationship distance increases with other users. The information accessed is read-only for friends' data and full access for most personal information. More complex rules exist for recommendations, which can only be accepted by a user and modified only by the sender at the express request of the receiver and under the control of a trusted third party, the LinkedIn service itself. Also, LinkedIn users cannot break their relationship with their friends; only an administrator can do this.

In a hypothetical accounting service, accountants are able to add, modify or delete accounting records for a month. Then records can only be read for ten years and cannot be deleted or edited by anyone including company owners. Finally after ten years, accounting records can be deleted by owners but still cannot be edited.

In some banking service, account holders can view their bank accounts and perform payments with additional authentication or on a per-use basis.

The same or greater complexity applies to all social network sites and enterprise services managing data and users.

Databases (SQL and others) alone cannot provide these services, as the SQL language is far too limited. All services must therefore implement an authorization layer or service of their own to marshal database access. Built-in database access controls are seldom used except to limit what the service can do as a whole versus what database administrators can do.

Complex authorization relationships are non-trivial to develop and error-prone, and hence very costly and lengthy to implement. In some cases the time to market for features is significantly increased because engineers far underestimate the overhaul of their authorization schemes and the subsequent performance and scalability degradation.

The lack of a separate authorization service and distinct data model makes it very difficult to manage authorization data and even more difficult and error-prone to change authorization schemes.
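
To make the idea of a distinct authorization data model concrete, here is the hypothetical accounting service from above written as a rule table with a default-deny decision function. This is an added example, not code from the author's web service; the role names, the `Rule` fields, the day counts used for "a month" and "ten years", and who may read records are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

EDIT_WINDOW_DAYS = 31    # assumption: "a month" taken as 31 days
RETENTION_DAYS = 3653    # assumption: "ten years" taken as 3653 days

@dataclass(frozen=True)
class Rule:
    role: str
    action: str
    min_age: int             # inclusive, in days since the record date
    max_age: Optional[int]   # exclusive; None means no upper bound

# The policy is plain data held apart from application code: changing the
# scheme means editing this table, not every call site that touches records.
POLICY = [
    Rule("accountant", "add", 0, EDIT_WINDOW_DAYS),
    Rule("accountant", "modify", 0, EDIT_WINDOW_DAYS),
    Rule("accountant", "delete", 0, EDIT_WINDOW_DAYS),
    Rule("accountant", "read", 0, None),   # assumption: the post names no readers
    Rule("owner", "read", 0, None),        # assumption, as above
    Rule("owner", "delete", RETENTION_DAYS, None),
    # No "modify" rule past the edit window for anyone, owners included.
]

def is_allowed(role, action, record_date, today, policy=POLICY):
    """Default deny: permit only when a rule matches role, action and age."""
    age = (today - record_date).days
    if age < 0:
        return False         # future-dated records match no rule
    return any(
        r.role == role and r.action == action and r.min_age <= age
        and (r.max_age is None or age < r.max_age)
        for r in policy
    )

if __name__ == "__main__":
    today = date(2024, 6, 30)                       # constructed sample dates
    samples = {"this month": date(2024, 6, 15),
               "last year": date(2023, 6, 15),
               "15 years old": date(2009, 6, 15)}
    for label, rec in samples.items():
        for role in ("accountant", "owner"):
            allowed = [a for a in ("add", "read", "modify", "delete")
                       if is_allowed(role, a, rec, today)]
            print(f"{label:13} {role:10} {allowed}")
```

Because every decision goes through one function and anything unmatched is denied, a missing rule fails closed, and the whole scheme can be audited by reading `POLICY`.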

As social networks and other internet services develop there is a growing need for information sharing between services, data backup and subsequent users' need to control their own data.

End users should not be required to re-enter their personal information over and over; they should be able to grant service providers some access to their own data. Service providers also benefit from existing information and can enrich the end-user experience, thereby increasing the value of personal data. This provides a positive feedback loop in which data enables services that in turn increase the value of existing data and entice users to enter additional data.

While developing the DataFever network, the most vital service to develop quickly became a versatile, scalable, low-delay, and reliable authorization web service. As such, I have defined a number of concepts to express complex authorization rules encompassing data licensing issues with data contracts, and resource groups.

After specifying the authorization web service, I realized that this constituted a major building block to deliver the vision for The DataFever Network.

Related Post:
What is Data Portability and why is it important to all of us?

Related Wikipedia Articles:
Identity and Access Management
Data Portability
OAuth
XRI
Dataweb
Social Web
Open Social

OpenMicroBlogging

Filed under  //   Authorization   Data Portability   OAuth   Open-Source  
