Manifesto

The Current Situation...

The Web we know is built on centralized resources, the so-called 'silo' approach. Offering a service usually means creating a dedicated account for each user, which ties the user to that particular service and/or resource and limits what they can do elsewhere. Furthermore, users have no control over how the personal data in that account is used by the service. There have been numerous cases where social networks made public certain private details of their users (see Facebook and Google Buzz), which made people realize the importance of online privacy and of control over one's public data.

One may argue that better privacy policies would reduce the risk of exposure. However, even if users decide to protect their public data or to remove their accounts altogether, there is no guarantee that the process is immediate or permanent, since many countries have passed data-retention laws that require online data to be kept for several months, a year, or even longer.

Another important issue is authentication and identification. Most services authenticate users with username and password combinations. Federated and single sign-on services like OpenID have proven quite useful. However, implementing a cross-domain authentication and user management system requires not only considerable integration effort from the parties involved in order to make everything compatible, but also strong trust relationships between them. In addition, once authentication has been performed, services still require users to keep a local profile.

To put things into perspective, consider the case of Facebook. Its success attracts more and more people, encouraging its developers to provide ever more services. When these services prove useful, users start to depend on them daily. There has even been recent discussion of Facebook acting as a bank or as an intermediary payment service (think PayPal). How bad would it be if all the services offered by Facebook suddenly became inaccessible, and all the time and data so carefully invested in building a rich user profile were lost?

MyProfile

This is where MyProfile comes into play. It tries to address the shortcomings of silo-based user accounts, of cross-domain authentication and identification, and of data sharing and propagation.

Authentication and Identification

For authentication and identification, MyProfile builds on the WebID specification proposed by W3C's WebID Community Group and on the Friend of a Friend (FOAF) ontology.

WebID identifies a person, company, organization or other agent by a URI, which is placed in an X.509 certificate held in the user's browser (in the certificate's subjectAltName field). Authentication then happens in two steps. First, the TLS handshake with client-certificate authentication proves that the client holds the private key matching the public key in the presented certificate. Second, the service dereferences the URI, fetches the profile published there, and checks that the same public key appears in that profile. The certificate need not be signed by any certificate authority: trust rests on the user's control of the profile at that URI, not on a chain of signatures. In other words, WebID provides a cryptographic way of authenticating and identifying a user based on resources managed by the user: the browser certificate and the corresponding profile accessible at the URI location.
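The exchange just described, as an added example that is not code from this page or from the MyProfile project: the Go program below mints a self-signed client certificate carrying a WebID in its subjectAltName, publishes the matching RSA key in a constructed FOAF profile (Turtle, using the W3C cert ontology's cert:modulus and cert:exponent as the later WebID-TLS drafts specify), runs a TLS handshake over an in-memory pipe in which the server trusts no CA, and makes the access decision by comparing the certificate's public key with the keys found in the profile. The hosts alice.example and service.example are hypothetical, the in-memory fetcher stands in for the HTTPS retrieval of the profile, and the regular-expression matcher over the profile text is a stand-in for a real RDF parser.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"regexp"
	"strings"
	"time"
)

// Constructed identities for the demo; alice.example and service.example are hypothetical hosts.
var (
	aliceWebID   = &url.URL{Scheme: "https", Host: "alice.example", Path: "/profile", Fragment: "me"}
	serviceWebID = &url.URL{Scheme: "https", Host: "service.example", Path: "/", Fragment: "it"}
)

// Fetcher returns the profile document served at a fragment-less WebID URI. In production it
// is an HTTPS GET limited to public hosts, because the URI is attacker-supplied: it comes
// straight out of the client's own certificate.
type Fetcher func(uri string) (string, error)

// staticFetcher serves constructed profiles from memory in place of that HTTPS GET.
func staticFetcher(profiles map[string]string) Fetcher {
	return func(uri string) (string, error) {
		if p, ok := profiles[uri]; ok {
			return p, nil
		}
		return "", fmt.Errorf("no profile document at %s", uri)
	}
}

// newWebIDCert makes a self-signed certificate whose only trust-relevant field is the
// subjectAltName URI carrying the WebID. No CA signs it: the key-to-identity binding comes
// from the profile document, not from a certificate chain.
func newWebIDCert(webid *url.URL) (tls.Certificate, *rsa.PublicKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		URIs:         []*url.URL{webid},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, &key.PublicKey, nil
}

// profileFor renders the constructed FOAF profile that would be served at the WebID's document
// URI, publishing the key with the W3C cert ontology's modulus and exponent terms.
func profileFor(webid *url.URL, pub *rsa.PublicKey) string {
	return fmt.Sprintf(`@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .
<%s> a foaf:Person ; foaf:name "Alice" ;
    cert:key [ a cert:RSAPublicKey ;
               cert:modulus "%X"^^xsd:hexBinary ;
               cert:exponent "%d"^^xsd:integer ] .
`, webid, pub.N, pub.E)
}

var (
	modulusRe  = regexp.MustCompile(`cert:modulus\s+"([0-9A-Fa-f]+)"`)
	exponentRe = regexp.MustCompile(`cert:exponent\s+"?(\d+)"?`)
)

// profileKeys pulls each (modulus, exponent) pair out of the profile text. It is a minimal
// matcher for the Turtle shape above; a real verifier parses the RDF graph so that a key
// attached to some other subject in the document is not credited to the WebID.
func profileKeys(profile string) []rsa.PublicKey {
	mods := modulusRe.FindAllStringSubmatch(profile, -1)
	exps := exponentRe.FindAllStringSubmatch(profile, -1)
	var keys []rsa.PublicKey
	for i := 0; i < len(mods) && i < len(exps); i++ {
		n, okN := new(big.Int).SetString(mods[i][1], 16)
		e, okE := new(big.Int).SetString(exps[i][1], 10)
		if okN && okE && e.IsInt64() {
			keys = append(keys, rsa.PublicKey{N: n, E: int(e.Int64())})
		}
	}
	return keys
}

// verifyWebID is the half of WebID-TLS that TLS itself does not do. The handshake proved
// possession of the private key for this certificate; this checks that the matching public
// key is published in the profile behind one of its SAN URIs and returns that URI as the
// authenticated identity. Nothing in the Subject field is consulted.
func verifyWebID(der []byte, fetch Fetcher) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("webid: cert:modulus/cert:exponent describe RSA keys only")
	}
	for _, u := range cert.URIs {
		profile, err := fetch(strings.SplitN(u.String(), "#", 2)[0])
		if err != nil {
			continue // an unreachable profile is simply not a match
		}
		for _, k := range profileKeys(profile) {
			if k.N.Cmp(pub.N) == 0 && k.E == pub.E {
				return u.String(), nil
			}
		}
	}
	return "", fmt.Errorf("webid: no SAN URI publishes the presented public key")
}

// webidServerConfig is the integration point. The server trusts no CA: it accepts any client
// certificate at the TLS layer and makes the real decision in VerifyPeerCertificate, handing
// the accepted WebID to onAuth for the application to bind to its session.
func webidServerConfig(serverCert tls.Certificate, fetch Fetcher, onAuth func(string)) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		ClientAuth:             tls.RequireAnyClientCert,
		SessionTicketsDisabled: true, // no post-handshake writes on the synchronous pipe below
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			webid, err := verifyWebID(raw[0], fetch)
			if err == nil {
				onAuth(webid)
			}
			return err
		},
	}
}

// authenticate runs one TLS handshake over an in-memory pipe. The client skips server
// verification only because the service's own identity is not what this demo is about.
func authenticate(clientCert tls.Certificate, serverCfg *tls.Config) error {
	cConn, sConn := net.Pipe()
	defer cConn.Close()
	defer sConn.Close()
	for _, c := range []net.Conn{cConn, sConn} {
		c.SetDeadline(time.Now().Add(10 * time.Second)) // fail loudly rather than hang
	}
	client := tls.Client(cConn, &tls.Config{Certificates: []tls.Certificate{clientCert}, InsecureSkipVerify: true})
	server := tls.Server(sConn, serverCfg)
	errc := make(chan error, 1)
	go func() {
		errc <- client.Handshake()
		client.Read(make([]byte, 1)) // absorbs a rejection alert; returns once the pipe closes
	}()
	if err := server.Handshake(); err != nil {
		return err
	}
	return <-errc
}

func main() {
	clientCert, pub, err := newWebIDCert(aliceWebID)
	if err != nil {
		panic(err)
	}
	serverCert, _, err := newWebIDCert(serviceWebID)
	if err != nil {
		panic(err)
	}
	fetch := staticFetcher(map[string]string{"https://alice.example/profile": profileFor(aliceWebID, pub)})
	cfg := webidServerConfig(serverCert, fetch, func(id string) { fmt.Println("authenticated as", id) })
	fmt.Println("handshake error:", authenticate(clientCert, cfg))

	// Same certificate, but the profile now publishes somebody else's key: rejected.
	_, otherPub, _ := newWebIDCert(aliceWebID)
	_, err = verifyWebID(clientCert.Certificate[0], staticFetcher(map[string]string{
		"https://alice.example/profile": profileFor(aliceWebID, otherPub)}))
	fmt.Println("key not in profile:", err)
}
```

Two points a deployment has to get right beyond what the example shows. The profile must be fetched over HTTPS from the host named in the URI, since a profile obtained over plain HTTP could be altered in transit to carry an attacker's key; and because the URI is chosen by whoever presents the certificate, the fetcher must refuse private or internal addresses, otherwise the verifier becomes a server-side request forgery vector. The comparison itself is on the exact key (modulus and exponent), never on the certificate's Subject or on who signed it.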

The FOAF project is creating a Web of machine-readable pages describing people, the links between them, and the things they create and do; it is a contribution to the linked information system known as the Web. FOAF defines an open, decentralized technology for connecting social Web sites and the people they describe.

Combining WebID and FOAF first of all lets users take part directly in their interactions across the Web, by giving them a single identity (pointing to a single user account / profile) that works across multiple domains and services. This contrasts with current practice, where the Web centralizes all our personal data through the multitude of online forms we have to fill in, instead of letting users select carefully which information they want to disclose when accessing a particular service.

Depending on the user's social interactions on the Web, the profile may also reference resources such as blog and forum posts, or even mailing list messages, all described using the Semantically-Interlinked Online Communities (SIOC) ontology. The profile can therefore hold any number of resources, as long as they can be expressed using standard Semantic Web vocabularies.

Requirements

When trying to model access control and privacy policies for social web applications, we have to take into account several requirements.

  • Interoperable. Nobody likes being forced to use one identity solution over another, so users must always be free to choose their preferred platform. Projects are also sometimes abandoned, forcing people to look for alternatives; in such cases it is imperative that users can import and export their data. Most services already export user data in common formats like CSV or XLS, but there is no way to carry along the privacy policies the user has set. We believe that only the Semantic Web allows a true graph of a user's identity, policies included, to be preserved across platforms.
  • Adaptive to social dynamics. Human relations are highly dynamic, so the proposed model must reflect these changes in the system's policies.
  • Fine-grained privacy settings. If a photo is to be shared only with a restricted set of people (perhaps not even known in advance), it should be easy to express that requirement.
  • Natural language interface and feedback. Defining privacy preferences has to remain a simple and straightforward process. Ambiguity must be avoided, so access control decisions should be transparent and well explained to users. Likewise, specifying privacy preferences must not mean wading through a plethora of check boxes defining which friend is allowed to access which file, or similarly complicated policy definitions.
  • Security mechanisms. The solution must fulfil basic security and privacy requirements, such as reliability, authentication, and delegation of rights.