DWBP17: The Portability Policy

June 2nd, 2010  |  Published in Podcasts  |  1 Comment

Please note: The Portability Policy is only in beta right now and will be formally published on June 15.

In this episode Elias, Steve and Christian meet to discuss the StartupBus project, the recent Facebook discussion and how a Portability Policy might help the world!

(Download MP3, Download AAC with chapters, 34.7MB, 0:37:36)


Steve Greenberg, VAST.com Inc. (blog, twitter)

Elias Bizannes, VAST.com Inc., Chair of the DataPortability Project Steering Group (blog, twitter)

Christian Scholz, COM.lounge GmbH (blog, twitter)


The StartupBus

  • What was the StartupBus (http://startupbus.com)
  • How is it related to DataPortability?
  • Any learnings from doing it?
  • When will the next one happen? What will be different?
  • What does it mean if we can create new technology during the bus ride?
  • What about different speeds of invention and regulation?

Facebook and Privacy

  • What is a social contract?
  • Is everything good now?
  • Is it really a problem what Facebook is doing?
  • Is it realistic that people will change the way they use Facebook? It looks more
    as if they are calling for regulation (FB as a utility service)
  • What’s easier for a government: regulating services or educating citizens? And how does
    either work in a connected world with different cultures and governments?
  • What is Facebook’s take on Data Portability?

The Portability Policy


  • What is the Portability Policy?
  • Why do we need it?
  • What would an example look like?
  • How do you create a Portability Policy for your site?
  • Will there be icons? 🙂
  • Does this guarantee interoperability?
  • What are the expectations in getting adoption? Are there talks happening?

DWBP16: Trent is back!

May 17th, 2010  |  Published in Podcasts

Now that Trent is back we finally got around to making a new episode and can finally talk about Facebook. Not the “old news” of the changes from the F8 conference as planned first, but about its privacy issues instead.

Will distributed social networks be the solution? Will they finally take off? Or will Facebook stay the centralized place for everybody?

Also in this episode: A summary of the European Identity Conference.

(Download MP3, 44.3MB, 0:47:19)


Eve Maler, PayPal, UMA Group at Kantara Initiative (blog, twitter)

Steve Greenberg, VAST.com, Inc. (blog, twitter)

J. Trent Adams, ISOC (blog, twitter)

Christian Scholz, COM.lounge GmbH (blog, twitter)



IIW, May 17-19


OpenID Summit Europe, June 8th, London


European e-Identity Management Conference, 9-10 June


Report: European Identity Conference (http://id-conf.com)

UMA workshop info:

Eve’s preso that was a prelude to the Data Portability panel.

“We’re all individuals!” … “I’m not.”

Facebook’s Privacy Problem

Steve’s Issue with Facebook

Two quick points, one about the general privacy conversation and the other about the “Like” button.

It’s not simply about “privacy” in the sense that I don’t want people to hear what I’m saying.  I use twitter nearly every day and, yes, I even blog once in a while.  But, like most people, I speak differently depending on the audience.  I say things to my friends that I might not say in public, or at the very least I’d say them more diplomatically.   Facebook led me to believe that the things I was posting would be seen only by the people I chose, so I sometimes used my “inside” voice (shut up, yes I do).  Then Facebook said, “oh yeah, we decided to make everything public because it’s profitable for us to pretend that privacy is dead.”  When people complained about this, their answer was: “Sucker”.

To me, it’s a simple question: What expectation did they lead me to have about who would see what I do on their service?  Imagine that FB was good, but one of my friends was republishing everything that I wrote.  Would that be ok, if that was a person?  No, it wouldn’t.  And if, when I said to that person, “what are you doing” and they responded, “I publish everything you write because I think privacy is dead”, I’d say “You don’t get to make that decision for me.”

I’m also very troubled by what they’re doing with the Like button.  Imagine that my hypothetical friend said to me, “Because you’re my friend, I’m going to watch over your shoulder as you surf the internet and write down every site that you go to… and tell everyone”.  You might say, “This is just a way for you to share stuff back to facebook.  They only do this when you click ‘Like'”, but I don’t think that’s true.   I think that it’s a stealth web tracking tool.

It looks to me as though the “Like” button is a tracking network for advertisers.  Early on there was a bug where sites you visited would silently add apps to your profile when you visited their site.  This wouldn’t be possible if Facebook wasn’t tracking the places you visited, even when you don’t click like.

So, what this looks like to me is that Facebook is leveraging their users to get sites to add Facebook Connect and the “Like” button.  The sites get the potential of broad distribution, the users get to share cool stuff with their friends.  The price?  Facebook gets to track everything you do, and everywhere you go, for the purpose of selling it to advertisers.  For me, at least, that price is too high.  I still use Facebook, but I use it very differently and I sign out when I’m done.  And I clear my cookies.

Am I being paranoid?  Aren’t there fifty tracking tokens on every web page I visit?  Sure, but none of them know exactly who I am.  That’s the part I don’t like.  I don’t mind being targeted as a member of a demographic (none of us is really the unique snowflake we think we are), but when you start to track exactly me by name and address, and tell my friends about it?  Not cool, dude.

Ok, thank you.  Also, I haven’t seen anyone talk about how the Like button is tracking us.  That’s downright creepy.

Yes, there’s been a dearth of comment on the implications of “Like” so far. I don’t think people really get it yet.

“Why I don’t like ‘Like'”

I’ve noticed that in tech conversations lately, no one can say the word “like” anymore without saying it ironically/specially/FB-ishly. Annoying! It comes out already uppercased with air quotes.

We’re children of the ironic 80s.  Everything we have ever said was in uppercase with air quotes 😀

DWBP15: On OAuth 2.0

March 30th, 2010  |  Published in Podcasts  |  1 Comment

Work on OAuth 2.0 has just begun and we invited David Recordon, one of the participants in the effort, to chat with us about where he sees the effort going.

(Download MP3, 28.5MB, 0:30:08)



  • David Recordon
    • has worked at Facebook for 6 months
    • on open standards and open source
  • Introduction of OAuth
    • valet key on the web
    • more granular access
    • Example: Twitter
  • How do we make it really easy to develop for it for a wide audience
  • OAuth 1.0 about 3 years ago
  • On OAuth WRAP and OAuth 2.0:
    • Original public WRAP spec from Nov 2009
    • OAuth WRAP Internet-Draft from Jan 2010
  • a collaboration started between MSFT, Yahoo and Google
  • Similar problem. First called WRAP, then renamed to OAuth WRAP because it’s similar but simpler
  • WRAP relies on SSL, OAuth 1.0 doesn’t require it
  • 3 years ago SSL seemed a bit crazy, now it’s better supported
  • OAuth 1.0 relies on signatures
  • signatures are hard to think about for normal developers
  • SSL is widely deployed. Can we replace Signatures with SSL?
  • this was last fall
  • only public prototype of WRAP was shipped on friendfeed last fall (after IIW)
  • How do we go and combine OAuth 1.0 and the new ideas of WRAP? => OAuth 2.0
  • really easy for developers to implement
  • What are profiles?
  • WRAP introduced different authentication flows
  • Is this easier to implement? What do I need to implement then?
    • the idea is that you have a lot of components which are mixed together
    • not sure if this will be the end result in OAuth 2.0
    • you have to implement at least one of them.
  • Does a negotiation take place?
    • No, it’s simpler than that
    • The client application already knows its context
    • based on that you pick the profile
  • What about dynamic discovery?
    • That’s out of scope for now, might be built in the future.
  • client side needs to be as flexible as possible
  • UMA work is interested in utilizing OAuth
  • Profiles are designed to be independent of each other (web app, mobile app, TV, …)
  • Is profile the right word? Maybe client binding
  • How are OpenID and OAuth 2.0 related?
  • OAuth has no dynamic discovery yet
  • from a philosophical perspective they feel complementary
  • How does FB Connect relate to it?
  • We pretty clearly see OAuth as the direction we want to move to
  • depends on final version etc. of course
  • about 3 weeks ago he sent an outline
  • a week ago he published a draft specification
  • Book
    • working on it the past year on OpenID
    • developer best practices
    • hard to write a book which is not too soon out of date
  • Not sure if WebFinger is easy enough. Too many specifications to read
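The notes above contrast OAuth 1.0 signatures, which developers found hard to think about, with WRAP’s reliance on SSL. The following is an added example, written for these show notes and not taken from the podcast, from Facebook or from any OAuth library. It builds the RFC 5849 signature base string and HMAC-SHA1 signature for the request in section 3.4.1.1 of that RFC, verifies it, and sets it beside the bearer-token style that WRAP used and OAuth 2.0 later kept. The two secrets are sample values chosen here, and the `Bearer` scheme name is the one OAuth 2.0 eventually standardized in RFC 6750, not WRAP’s 2010 header syntax.

```python
"""OAuth 1.0 HMAC-SHA1 signing (RFC 5849 section 3.4) beside the bearer-token
style WRAP introduced. Example code written for these show notes, not taken from
the podcast, Facebook or any OAuth library. Request values follow the worked
example in RFC 5849 section 3.4.1.1; the two secrets are sample values."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_encode(value: str) -> str:
    """RFC 5849 section 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' stay unescaped."""
    return quote(value, safe="-._~")


def base_string_uri(url: str) -> str:
    """Lower-cased scheme and host, default port dropped, no query or fragment."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    default = {"http": 80, "https": 443}.get(scheme)
    authority = host if port in (None, default) else f"{host}:{port}"
    return f"{scheme}://{authority}{parts.path}"


def request_params(url: str, body: str = "") -> list:
    """Decoded (name, value) pairs from the query string and a form-urlencoded
    body. Blank values are kept, so a bare 'c2' counts as c2=''."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if body:
        params += parse_qsl(body, keep_blank_values=True)
    return params


def signature_base_string(method: str, url: str, params: list) -> str:
    """Encode each name and value once, sort by name then value, join with '='
    and '&', then encode the joined string again. This double encoding is the
    step developers most often got wrong."""
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(base_string_uri(url)), oauth_encode(normalized)])


def sign_request(method, url, body, oauth_params, consumer_secret, token_secret=""):
    """Return (base_string, oauth_signature); oauth_signature itself is never signed."""
    params = request_params(url, body) + [(k, v) for k, v in oauth_params.items()
                                          if k != "oauth_signature"]
    base = signature_base_string(method, url, params)
    key = oauth_encode(consumer_secret) + "&" + oauth_encode(token_secret)
    digest = hmac.new(key.encode("ascii"), base.encode("ascii"), hashlib.sha1).digest()
    return base, base64.b64encode(digest).decode("ascii")


def verify_request(method, url, body, oauth_params, consumer_secret, token_secret=""):
    """Server side: recompute and compare in constant time. Any altered query,
    body or oauth_* parameter fails here, which is what the signature provides
    without needing TLS (replay still needs a nonce/timestamp check)."""
    presented = oauth_params.get("oauth_signature", "")
    _, expected = sign_request(method, url, body, oauth_params, consumer_secret, token_secret)
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


# Bearer style (WRAP's idea; the 'Bearer' scheme name is what OAuth 2.0 later
# standardized in RFC 6750). The token is the whole credential and nothing binds
# it to a particular request, so integrity and confidentiality now come entirely
# from TLS and the token must never cross a plaintext connection.
def bearer_authorization(token: str) -> str:
    return f"Bearer {token}"


def verify_bearer(header: str, valid_tokens: set) -> bool:
    scheme, _, token = header.partition(" ")
    return scheme == "Bearer" and any(
        hmac.compare_digest(token.encode("utf-8"), t.encode("utf-8")) for t in valid_tokens)


# The request from RFC 5849 section 3.4.1.1; the two secrets are samples chosen here.
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {"oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
             "oauth_nonce": "7d8f3e4a"}
SAMPLE_CONSUMER_SECRET, SAMPLE_TOKEN_SECRET = "j49sk3j29djd", "dh893hdasih9"


def rfc5849_example():
    """Sign the spec's request, verify it, then show a one-byte body change failing."""
    base, sig = sign_request("POST", RFC_URL, RFC_BODY, RFC_OAUTH,
                             SAMPLE_CONSUMER_SECRET, SAMPLE_TOKEN_SECRET)
    signed = dict(RFC_OAUTH, oauth_signature=sig)
    ok = verify_request("POST", RFC_URL, RFC_BODY, signed,
                        SAMPLE_CONSUMER_SECRET, SAMPLE_TOKEN_SECRET)
    tampered = verify_request("POST", RFC_URL, "c2&a3=2+r", signed,
                              SAMPLE_CONSUMER_SECRET, SAMPLE_TOKEN_SECRET)
    return base, sig, ok, tampered
```

Calling `rfc5849_example()` returns the base string exactly as printed in the RFC, the signature, `True` for the untouched request and `False` once one body byte changes. The bearer functions do none of that binding: whoever holds the string holds the access, which is why the WRAP camp could only drop signatures by making SSL mandatory.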

DWBP14: The Ballad of John and Yoko

March 9th, 2010  |  Published in Podcasts

This time we have an episode packed with news. So here we go:

(Download MP3, 43MB, 0:47:17)


Data Without Borders Episode 13: Money without Borders

February 24th, 2010  |  Published in Podcasts

Here is episode 13 of the Data Without Borders podcast where we will mainly talk about SWIFT, what it is and how the EU parliament rejected the deal with the US.

(Download MP3)


These are rough notes from the podcast. Better you listen to it for the full scoop!

Short News

WebFinger now enabled on all Gmail accounts

WebFinger: Given an identifier for a person, how do I find out what services that person uses?
Steve said: As I’ve said over and over, email addresses aren’t going to win. They won five years ago.

Time for the OpenID people to stop being Hiroo Onoda.

Old adage from politics – “If you’re explaining, you’re losing”

The German privacy paradox

Jeff Jarvis on the German privacy paradox

As a group, Germans are more private than anyone I know. My German grandfather-in-law used to lecture me: “People do not need to know that.” Germans complain about Google Streetview taking pictures of them … in public. They’re going after Facebook on privacy. They say that Google Analytics violates privacy. They even enable convicted killers to expunge their names from Wikipedia out of privacy. And now they’re up in arms about airport body scanners.
Yet go into a German sauna, and there the Germans are, male and female, together, sweaty and naked. Germans protect the privacy of everything but their private parts.

SWIFT agreement between EU and US rejected by the EU parliament

The Guardian article on it

Result: 378 to 196 votes against it

“Our laws are being broken and under this agreement they would continue to be broken. Parliament should not be complicit in this,” said Jeanine Hennis-Plasschaert, a Dutch liberal MEP. “The security of European citizens is not being compromised. Targeted transatlantic data-exchange will remain possible through other legal instruments. If the US administration would propose to the US Congress something equivalent to this – to transfer in bulk bank data of American citizens to a foreign power – we all know what the US Congress would say.”

Washington had applied intense pressure on the parliament to agree to the pact, with Hillary Clinton, the US secretary of state, and Timothy Geithner, US treasury chief, appealing to Jerzy Buzek, the president of the European parliament.
The parliament veto applies to data from Swift – the Society for Worldwide Interbank Financial Telecommunications – which is based outside Brussels and co-ordinates millions of financial transfers and transactions every day on behalf of thousands of banks.

SWIFT is the messaging backbone that connects banks internationally. It’s not a clearing house, it’s a communication system.

SWIFT – Society for Worldwide Interbank Financial Telecommunications, a cooperative of banks and other financial institutions that facilitates trillions of dollars in daily international transactions. Its members include almost 8,000 financial institutions in more than 200 countries.

The majority of international interbank messages use the SWIFT network. As of November 2008, SWIFT linked 8,740 financial institutions in 209 countries. SWIFT transports financial messages in a highly secure way, but does not hold accounts for its members and does not perform any form of clearing or settlement.

Here is a Forbes article that says international cooperation has prevented money from getting to Al Qaeda, leaving them close to bankrupt: http://www.forbes.com/forbes/2010/0301/terrorism-funds-finance-osama-al-qaeda-bankrupt.html

The argument *for* this agreement in the first place was that the international banking network was being used to funnel money to terrorist groups. Most of us agree that this is a bad thing – and things were pretty scary back in 2002 – so the US and European governments agreed to start watching who sent money where.

The devil is in the details, though. One of the things we’ve seen in the US is that programs that are set up for one reason have a funny way of being used for other reasons. It’s entirely possible that this anti-terrorist tool was now being used to track… drug smugglers. Drugs finance terrorism, right? That’s not too far afield. So to get to the drug smugglers they go after… suspected money launderers in general. These guys are probably pretty far from actual terrorism but they’re criminals, right?

It’s very possible that there was serious scope creep in the program, and the governments went “Hey, this isn’t what we signed up for”.

EU parliament now stronger on privacy/civil rights issues?

Gerry Beuchelt’s blog post on Germany “getting closer to the peak of hypocrisy” in its position on privacy (check out his whole series) – it references the earlier days of the SWIFT agreement effort, so maybe all is not lost!

One of his earlier posts: http://blog.beuchelt.org/2009/06/20/Orwell+20.aspx

What happens when a bureaucracy goes wild? Well, you can end up in a situation where private companies are facing the most restrictive privacy regime in the world, while government agencies are at liberty to spy on their people at will. Germany – my country of origin, and the country that claims to have “Informationelle Selbstbestimmung” (roughly: information self-determination) – has now completed a fairly comprehensive system of laws limiting fundamental human rights vis-à-vis the government:…

What does this mean?

Google Wave hijacking problem: Eve would love to be able to “UMA-protect” waves and all other web resources exposed as such. 🙂

Google Buzz

Privacy Threat: News story on Google Buzz’s “huge privacy flaw”

API docs: http://code.google.com/intl/en/apis/buzz/

The first thing you need to do on a site like FB or Twitter is tell it who your friends are. It’s a pain, and as sites get big people get annoyed with invite/friend messages. This is why back in 2004 everyone thought that it was going to be AOL, MSFT, or Yahoo that took down MySpace. They were the ones who already had the massive web of IM and email connections. They already knew, so they didn’t need you to re-create the list of who you care about.

Google is trying to sidestep that by basing it on your email. They already know who you communicate with because they have the messages.

The problem with buzz is that my friends and my business associates are all mixed together in my email. Buzz picked an initial set for me that was almost entirely business contacts. There are people I keep AWAY FROM on twitter and FB. Thanks, big G!

over 9 million posts and comments

Data Without Borders Episode 12: It’s not my fault!

February 3rd, 2010  |  Published in Podcasts  |  3 Comments

This time we feature a conversation with Drummond Reed. Not only is he in the Steering Group of the DataPortability Project, but he also wears a lot of hats. In this episode he talks about those hats, and we especially talk about Open Identity Exchange (OIX) in depth.

(Download MP3)


Drummond and Eve co-authored an IEEE Security and Privacy journal article called “The Venn of Identity” that discusses the information card model and other models that attempt to solve “user-centric identity”.

How the U.S. government’s need for assurance may or may not match commercial/social requirements for assurance: How to rest assured.

The XRI TC works on the Extensible Resource Descriptor (XRD) metadata format

Christian’s Python implementation of an XRD parser

Data Privacy Day

New privacy icon

Open Identity Exchange (OIX)

XRD + Webfinger = crazy delicious
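WebFinger (the short news item in episode 13: given an identifier, find the services a person uses) and the XRD metadata format the XRI TC works on are what this line is about. The following is an added example written for these show notes; it is not Christian’s XRD parser from the episode and not code from any WebFinger implementation. It parses two constructed XRD documents, a 2010-style host-meta carrying an rel="lrdd" template and a per-user descriptor, and performs the template substitution a WebFinger client does. The rule that the template must stay on HTTPS at the identifier’s own host, and the check that the returned XRD’s Subject matches the identifier asked for, are policy choices made here, not requirements of XRD or WebFinger.

```python
"""Minimal XRD 1.0 parser plus the two-step WebFinger lookup of 2010:
host-meta XRD -> LRDD template -> per-user XRD.

Example code written for these show notes; not Christian's parser from the
episode and not from any WebFinger implementation. Both XRD documents below are
constructed sample data. The same-host/HTTPS rule on the template and the
Subject check are policy choices made here, not XRD requirements."""
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"


def _tag(name: str) -> str:
    return f"{{{XRD_NS}}}{name}"


def parse_xrd(document: str) -> dict:
    """Return subject, aliases, properties (type -> value) and links (rel/type/
    href/template) from one XRD document. For untrusted input prefer a hardened
    parser such as defusedxml; stdlib ElementTree keeps this example dependency-free."""
    root = ET.fromstring(document)
    if root.tag != _tag("XRD"):
        raise ValueError(f"not an XRD document: {root.tag}")
    subject = root.findtext(_tag("Subject"))
    aliases = [a.text for a in root.findall(_tag("Alias")) if a.text]
    properties = {p.get("type"): p.text for p in root.findall(_tag("Property"))}
    links = [{k: link.get(k) for k in ("rel", "type", "href", "template")
              if link.get(k) is not None} for link in root.findall(_tag("Link"))]
    return {"subject": subject, "aliases": aliases, "properties": properties, "links": links}


def find_links(xrd: dict, rel: str) -> list:
    return [link for link in xrd["links"] if link.get("rel") == rel]


def lrdd_url(hostmeta: dict, acct_uri: str) -> str:
    """Fill the rel='lrdd' template with the percent-encoded identifier.

    Encoding with no safe characters means an attacker-chosen identifier such as
    'acct:alice@example.com&admin=1' cannot inject a second query parameter.
    The filled URL must also stay on https at the identifier's own host; a
    host-meta that tries to send lookups elsewhere is rejected (policy choice)."""
    scheme, _, rest = acct_uri.partition(":")
    if scheme != "acct" or "@" not in rest:
        raise ValueError("expected an acct: URI such as acct:alice@example.com")
    acct_host = rest.rsplit("@", 1)[1].lower()
    for link in find_links(hostmeta, "lrdd"):
        template = link.get("template")
        if not template or "{uri}" not in template:
            continue
        url = template.replace("{uri}", quote(acct_uri, safe=""))
        parts = urlsplit(url)
        if parts.scheme != "https" or (parts.hostname or "").lower() != acct_host:
            raise ValueError(f"lrdd template {template!r} does not stay on https://{acct_host}")
        return url
    raise ValueError("no usable lrdd template in host-meta")


# Constructed sample documents (not captured from any real host).
SAMPLE_HOSTMETA = f"""<XRD xmlns="{XRD_NS}">
  <Link rel="lrdd" type="application/xrd+xml"
        template="https://example.com/webfinger?q={{uri}}"/>
</XRD>"""

SAMPLE_USER_XRD = f"""<XRD xmlns="{XRD_NS}">
  <Subject>acct:alice@example.com</Subject>
  <Alias>https://example.com/profiles/alice</Alias>
  <Property type="http://example.com/ns/role">member</Property>
  <Link rel="http://specs.openid.net/auth/2.0/provider" href="https://openid.example.com/"/>
  <Link rel="http://webfinger.net/rel/profile-page" type="text/html"
        href="https://example.com/profiles/alice"/>
</XRD>"""


def resolve(acct_uri: str, hostmeta_xml: str, user_xml: str) -> dict:
    """Offline shape of a WebFinger lookup: parse host-meta, derive the LRDD URL
    (where a real client would now GET user_xml), parse the user XRD and refuse
    it if its Subject (or an Alias) is not the identifier we asked about."""
    hostmeta = parse_xrd(hostmeta_xml)
    url = lrdd_url(hostmeta, acct_uri)
    user = parse_xrd(user_xml)
    if user["subject"] != acct_uri and acct_uri not in user["aliases"]:
        raise ValueError(f"XRD is about {user['subject']!r}, not {acct_uri!r}")
    openid = find_links(user, "http://specs.openid.net/auth/2.0/provider")
    return {"lrdd_url": url,
            "openid_provider": openid[0]["href"] if openid else None,
            "xrd": user}
```

With the sample documents, `resolve("acct:alice@example.com", SAMPLE_HOSTMETA, SAMPLE_USER_XRD)` yields the LRDD URL `https://example.com/webfinger?q=acct%3Aalice%40example.com` and the OpenID provider link; asking about a different account, or serving a template that points off-host, raises instead of silently returning someone else’s descriptor.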

“It’s not *my* fault! You suck!” Greeting Card

Data Without Borders Episode 11: Happy New Year with Facebook and Google

January 21st, 2010  |  Published in Podcasts

The year has just started but is full of news. We talk about the privacy discussions around Facebook and we look into the Google-China situation.

(Download MP3)

Facebook and Privacy

Google vs. China

Data Without Borders Episode 10: Happy Silvester

December 22nd, 2009  |  Published in Podcasts

It’s nearly 2010 and it’s time for Christian, Eve and Steve to look a bit ahead on what’s coming next!

(Download MP3)



Data Without Borders Episode 9: What’s In A Name?

December 14th, 2009  |  Published in Podcasts

This time Elias Bizannes, Trent Adams and Christian Scholz talk about the new DataPortability Project Steering Group, the Facebook Privacy changes and in depth about the ongoing discussions over at the Open Web Foundation.

(Download MP3, 57 min, 51 MB)


DataPortability Project News



Data Without Borders Episode 8: Spy vs. Spy

November 22nd, 2009  |  Published in Podcasts

How does travelling in space and time influence our privacy? And why are we all so depressed in this episode? Find out now!

(Download MP3, 50 min, 46 MB)