At the heart of the recent Scoble vs Facebook problem we see one of the big potential evils of the Web; insecure onwards delegation. A real tough nut to crack.
Would you like to come rifling through my filing cabinets? Perhaps take and copy a few things you think are interesting? There's very few people I'd trust to do that, maybe just my bookkeeper. What risks am I exposed to if my bookkeeper and I share data in, say Google Spreadsheets? Because we can. Because it's there. Because it's free.
(B-oo-kk-ee-p-e-r incidentally, is the only word in the English language I'm aware of with three double letters in a row. I'd love to be shown others...)
Google Docs, and similar applications which work in the internet security domain often have these super-cool collaboration features, which enable me and my numbers guy to do work together so much more easily, with so much friction removed, like, snail-mail. It wasn't very long ago folks, not really, that most post that turned up in your house was actually important, and not just paper copies of stuff you could see, at your leisure, online. You used to run your life through things that arrived by post - statements, bills, magazine subscriptions you didn't see any other way
Any data I share on this inter-web 2.0 thing, is not secure from vindictive behaviour by my chosen collaborators. If a so-called-friend turns on me; or maybe I don't pay a bill, then someone might start forwarding copies of my data, and maybe even delegated rights to change stuff along with it. In some industries, such as banking or health, there's a good deal of control over delegation; consequently even with someone on the inside, it's increasingly hard to hack a bank. Meaning sadly another possible childhood "what I want to be when I grow up" dream bit the dust.
All this modern social software though, it makes it pretty easy to share stuff, consequently maybe too many folk can get at some pretty personal details now.
I think it's quite possible we have a couple of high profile privacy scandals coming up soon, where a new kind of phishing attack appears that gets virally into some social network and starts leaking "innocent" peoples data to nasty people as it spreads. How many of you, if you're in my Facebook friends list, and I tell you to add a seemingly cool application, go ahead and do that? Do you click all the defaults for security, and maybe let it then act as you and send itself to your list? How identifiable does that make you? How many links, on or off facebook does the agent need to follow - with the delegated rights to your profile - in order to do damage to your online reputation, or worse, in real-i-tea. Let me ask you, before you added the evil app I seemed to recommend, did you think that my account could be compromised?
What we need is some system that says and checks up. For sure, ok, you can see the names of all my girlfriends, but don't tell anyone else (they get jealous). And if you do I curse you with my fiery daemons and my killer LISP attack.
I need to have full visibility of what people do with their access to my data, so that I can analyse it for security breaches - in real time, probably using a highly trusted agent that someone else wrote... (ad infinitum).
Better still, i need to have full control of delegation rights, where I can specify user rights such as canReadUntil, canWriteUntil, canTransferRights, and use them for specifying delegation tokens. Course it needs to be user understandable - and therein lies the conundrum. As social software becomes easier to use, across devices and networks, and with the flexible mashability that is so useful for avoiding context switching (between applications), people will release more and more data into a collaborative cloud without second guessing the consequences. Early adopters are vulnerable especially if they think themselves invincible.
What we have right now just isn't good enough for a world of consumers who want software agents to act on their behalves. Not that they've realised yet that it already happens...
So, guys at oAuth, SecPal, or anyone else with some interesting delegation work going on, please tell me, how's the plumbing going? And how on earth do we surface it to the novice so that they can use it, without it feeling like a big step backwards just for the sake of security (perhaps like Vista does)?
Am I missing a trick, are we seeing instead a natural evolution towards a universal mind meld, and the inevitable, painful, data leaks just a way of bringing us closer to full Gaian consciousness?
Whatever, I'm sure it would all be fine as long as we could just be excellent to each other