Thoughts on Diaspora
The other day a friend sent me the link to a story about an interesting upstart web project called Diaspora. The article piqued my interest and I decided that I wanted to do some more reading. As usual the reading led to more questions and thoughts. It soon after became apparent that a short reply wouldn’t do things justice.
The core idea of Diaspora seems to be to equalize the power imbalance that social networking and it’s buzz-word friends (Web 2.0, Cloud Computing, Software as a Service, etc) have stirred up. We’ve created a network of walled gardens each with financial interests in our content and personal information. The Diaspora project’s approach to solving this is for individuals to host their own network of a sort (a seed). Each of these seeds can then reach out to other seeds to form a decentralized network. The project poses that by reclaiming your data you can secure your social connections and only allow sharing on the terms you feel comfortable with.
They are certainly goals I can agree with. The privacy terms of Facebook and the other major social networks (as if there even is another network of the scale of Facebook…) are continuing to degrade. The project sounds wonderful, but the cynical realist in me wants more details.
The project has the core idea of what they need to do. Decentralization is a key goal and that’s good. One organization having so much information is pretty terrifying. You can’t be empowered until you’re running the show yourself, so the fragmented seed idea is great. The internet has largely had this idea built in from the start. Probably the best demonstration of this is the world wide web itself. E-mail was the same way, but with the rise of hosts like Hotmail and Gmail coupled with the difficulty of running your own mail server I’d argue these days are fading. They mention using OpenPGP to protect the privacy of an individual’s data. This is great, done right and seeds wouldn’t be able to read private conversations between you and another user.
Things start to fall apart when you get into the details. The fact is there really aren’t any details available. I understand that the project is in the very early stages and they are hesitant to get pulled into specs that will never be finished but it’s worrisome regardless. The concepts they are talking about are not easy to hammer down right.
From a security standpoint they glaze over most of the problems associated with decentralized networks. There are almost always issues of trust between the nodes of the network. PGP encryption can likely handle a lot of these concerns through the use of signatures and identity verification, but it’s not easy to get right. A FAQ section on the Diaspora project mentions creating:
“A good secure protocol, encrypted at every leg, including a specification for a lightweight, probably HTTPS, RESTful set of routes. We see all of this communication happening between two Diaspora servers, rather than strictly between peers.”.1
I find this curious in two regards:
- Since each seed is meant to be run at an individual (or near individual) level as a self hosted web service how do they plan to account for SSL certificates? They mention the multitude of individuals running blogs with software like Wordpress. I think that the majority of these hosted blogs are HTTP and not HTTPS. Self signed certificates are an option, but Firefox, Internet Explorer and Safari all do their best to make it as difficult and scary as possible for an end user.
- Second, I’m getting confused by terminology now. If a seed is a Diaspora server, then what are the peers? Individual users?
From a user experience perspective they are in for even more trouble. They seem to wave PGP around as the solution to all of their security woes. This is great except that they’ve made very little mention about how they’ll make PGP workable for the average person. OpenPGP has been available for a long time and wrapped in lots of plugins and GUI’s. I’ve never seen one that was safely usable by the average person.
If PGP is going to handle the trust issues between servers and users then the users have to be educated about key signing and that a key is only as good as the network of trust behind it. Further, the signing, encryption, signature verification, and decryption processes have to be made intuitive. Ultimately I think this means hiding the entire notion of a public and private key, but good luck with that.
Finally, some of their own goals seem to be contradicted by the features they advertise. If the goal is to improve the privacy and control of your information why are there so many features aimed around pushing it back out of Diaspora? The data source agnosticism that Diaspora preaches is great for ensuring that data already out in the “cloud” on sites like Facebook, Twitter and Flickr can be imported to Diaspora easily. The part that I struggle with is embodied in text like this:
Now that you have your information in your seed, it will connect to every service you used to have for you. For example, your seed will keep pulling tweets and you will still be able to see your Facebook newsfeed. In fact, Diaspora will make those services better! Upload an image to Flickr and your seed can automatically generate a tweet from the caption and link. Social networking will just get better when you have control over your data.2
If Diaspora is going to be pushing my content from Flickr to Twitter for instance, do I really control it any better? I’ve added myself and my seed as an intermediary sure, but ultimately the content is still controlled by Flickr and Twitter as well. They mention replacing these sites totally one day, but I wonder if it will ever happen when they deliberately set out to make it so easy to stick with it.
I also find myself wondering whether things will follow in the footsteps of XMPP. XMPP has many of the same goals of Diaspora at the Instant Message (IM) service level. Diaspora is planning to account for the difficulty of running your own seed by offering a public service ala Wordpress.com. Jabber has been handled similarly with the more technically elite running their own Jabber servers and the rest using publicly run outfits. What might be interesting is if someone does what Google Chat did to Jabber and offered Diaspora services out of their walled garden. This would still likely be beneficial to the current state of affairs but undermines the idea that we should all be in total control of our information.
Ultimately I will reserve judgment on the viability of the project until more details and perhaps a prototype are unveiled. Clearly there is a lot of ambition and good nature behind the project. I hope that they can carry it to a point that the greater open source community can be convinced to jump in and refine things.
- Daniel
1 Diaspora – A Response to Mr. Villa
2 Diaspora – A Little More About the Project
Transmissions:
← An open letter to DuneMUD Dropping Drop.io →
