Controlling Access to Metadata
I really like the idea behind Flickr, but I am noticing a big problem. To allow my friends and family to see the photos I publish, I have to convince them to get Flickr accounts. Forcing geeks to memorize a different name and password for each system they use to communicate with friends is tolerable, but it doesn’t fly with normal people. Each additional account name and password you ask my grandma to maintain is another roadblock to her adopting a communication habit. This problem extends across all microcontent publishing systems. The instant you try to slap on access control, you chop off 95% of the potential users of the system, because they aren’t going to bother signing up for yet another account.
In a way, this is a good thing. The current situation is overwhelmingly biased in favor of public information, and public information is the best information. When the WWW first appeared, people panicked: ?What, it doesn’t have passwords?!? You mean anyone can read my web page?!Who would ever publish there?? We added various forms of authentication, but in the meantime people discovered that uncontrolled information can change the world. If the web had pushed SSL, certs, and authentication as part of the core model from the start, I doubt the WWW ever would have happened. So by the same token, I think that lack of access controls in metadata/microcontent systems is actually helping people to concentrate on things which do not need access control, but which have broader social benefit.
On the other hand, there are times when you want access control. Wouldn’t it be nice if you could control access to your metadata simply by using whichever account names your friends and family use most, whether e-bay, hotmail, yahoo, gmail, or whatever? Then as long as the corresponding service (Yahoo, e-bay, etc.) could give you a token affirming that the caller was indeed ?joe@gmail.com? or whatever, they could view the metadata. Or better yet, if the web had a single concept of identity that you could pin to, regardless of who the signin authority was.
Now, I am aware of things like Liberty Alliance, TypeKey, Passport (of course), which try to offer services for a shared ID across sites. These are all good ideas, and some of them even have adoption, but it is all still too geeky. Any site that wants to offer access-sensitive services to non-geeks is going to need to support the identity stores that non-geeks use. That means Amazon, E-Bay, Yahoo, Hotmail, and maybe Google one day. Telling my Grandma to get a TypeKey account in addition to an e-bay account is a nonstarter. She just won’t do it. So rather than waiting for the ?grand unified ID framework? to materialize, perhaps sites like Flickr should just implement Passport support and sign some deals with Yahoo, Amazon, and E-bay to honor their IDs as well. Supporting four incompatible identity services and getting 10 million extra customers as a result is not necessarily a bad thing.