The Social Graph Pt3: Inversion of Control

(This post is part three of a series: here's part one & part two)

Okay, I've had my rant and ramble about the current situation with Web 2.0 social networks, what I think the Social Graph is and why I think the existing implementations don't match up to the reality; so now I'm going to propose my idea for where we should go next.

The core of this idea is that a social network is comprised of many different services, each of which is atomic¹ (though potentially inter-dependent). The central, quintessential service is the identity provider - a service that can vouch for you, presenting an online identity. When you use Sign In with Twitter or Facebook Connect, that's an identity provider in action.

An extension of the identity provider is the claims provider; this service handles the permissions that you give to the services you use. For example, a service may wish to send you notifications (via a notification service), but to do so it requires permission from you. So that it doesn't have to contact you every time to ask permission (which would just be ironic, given that it's asking permission to contact you in the first place) that service can contact the claims service and be issued a claim token (a digitally signed piece of data essentially saying "Service X may perform action Y") that it keeps hold of and presents to other services (like the notification service) to prove that you gave permission back when you registered. This is the same as the permission options that you get for Facebook apps, allowing an app to post on your timeline, send you emails, read your profile data, et cetera. In essence, the claims service controls which other services can perform tasks on your behalf or access your data.

This leads on to some of the other requisite services for a functional social network; you'll need a profile service that shares your personal information (given appropriate permissions, of course); a notification service that feeds information back to you via SMS, email or in-app notifications; a contacts services, which stores your list of friends, follows, "circles" and so on, acting as a claims service but for other identities, and as a routing map, saying who can see what parts of your profile, follow your feed or receive updates from you (storing the structures of the Social Graph); a feed/publishing service, that lets you share those statuses and updates; a photo-sharing/file-sharing service; a tagging service; and so on.

Of course, none of this is especially revolutionary, and already exists explicitly (as in Facebook) or implicitly (as in the ecosystem around Twitter). Where it gets interesting is when we consider the case of services interacting with each other in the abstract terms above.

Let's say I sign up to one of the newspaper apps that seem to have sprung up on Facebook recently. The app wants to know who I am, presumably to track my usage and which articles I read, so I type in my identity name (an example might be my email address, or my blog URL) then click the big sign-in button; it goes off to the identity server and verifies my identity (using an established process like OpenAuth or OpenID), then lets me in and I can go read articles. However, the newspaper app also wants to contact me; perhaps to let me know when new articles are published, or that someone has replied to a comment I posted. To do this, it needs to know how I want to be contacted; in this example, we're using the notification service which holds information about my contact details and preferences - the notification service I'm using (in this example) batches up my notifications and sends them in an hourly email. Someone else, using a different notification service, signs up to the newspaper app; they receive their notifications as SMSs. Both notification services implement a standard NotificationAPI v1.0, so all the newspaper app requires from me and the guy who prefers SMSs is the URL of our distinct notification services, and we then each get our customised notification behaviours. This is not unlike the drop-down in TweetDeck that allows me to pick which photo-sharing service I want to use (as mentioned back in part 2).

The downside to this approach is that every time I sign up to a new service or application, I have to configure it with all the different services in my customised social network that it happens to need; if it depends on a lot of services, this would be a nightmare. Equally, if I decide that actually, my notification service provider sucks and want to switch, I'd have to go round all my other services & reconfigure them. This leads, logically, to the need for a service provider service (mmm, metaservices) which keeps track of the different services that I use for different purposes. My identity service will likely know which service provider service (and claims provider service) I use, and all the other services I sign up to can then find out, via the identity service, which other service to use for each different purpose. In our newspaper app example, the app would contact my identity service to verify who I am & find out where my claims service & service provider service are; contact the claims provider to get permission to contact me; then contact the service provider service to find out which service to use for notifications. All of this happens entirely out of sight of the user, excepting the specific moments when user input is required - when the identity service needs the user to input their password, and the claims service checks with the user that the newspaper app is legit.

In a general sense, again, none of this is revolutionary. This pattern is already commonly used in software development - see dependency injection and inversion of control; and it's that latter concept that I think is so important. By controlling the injection of dependencies (e.g. providing your own choice of notification service) into the applications & services you're using, control of your social network switches from the service providers (Twitter, Facebook, Google, etc.) back to you. With interoperability via an open, published set of API standards, by returning control of each user's social networking platform to the user, it is possible to produce a free (or, at least, freer) market of services that users can combine to suit their needs and preferences; and diminish the barriers to data flow through the Social Graph.

There's plenty more detail to the design than that, of course; how different types of service can be described and denoted, how evolving standards (does your notification service support NotificationAPI v2.0?) are handled, how we bootstrap new users without presenting them with a hundred drop-downs (which notification service do you want? And your file-sharing service? And your URL shortener? Which flavour of sommelflange takes your fancy?), but I've covered the core of the concept. The next stage is to build a proof of concept, a small ecosystem of services from which you can devise your own social networking platform - another item for my long list of projects - so I'll update as that matures and hopefully have something to demonstrate as summer progresses. Feel free to get in touch if this sounds like something you'd like to help with, as there's plenty of work to do... ;-)

[1] Atomic in this sense meaning that a service is not coupled to or bundled with another service; and that it provides one (type of) service only. A service host might provide multiple services, but there's no requirement to use them all if you only need one. e.g. a photo-hosting service just hosts photos - it doesn't provide tagging, and a separate photo-tagging service is required for that.

Non-Euclidean Software

I've finally moved into this contracting gig and formed my own company: Non-Euclidean Software. Yes, the name is Lovecraft in-joke. No, it's not a very funny joke. Yes, the website is just a placeholder. I'll get round to adding some relevant bits like access to my open-source projects and the like when I have a free evening.

The Social Graph Pt2: Facebook is a Big Truck (in a Walled Garden)

And we're just dumping all our data on it.

(This post is my (somewhat belated) follow-up to an earlier ramble about viewing the Social Graph as an active medium and not just dataset.)

Imagine you wanted to send an email to someone; you have a GMail account and they have a Hotmail account. Sadly, you can't; you have to sign up with Hotmail (or, perhaps, convince your friend to switch to GMail) because in this world, email providers don't talk to each other. To be able to talk with everyone, you'd have to have multiple accounts - then again, you may already, because each email provider bundles additional value-add services along with email. Of course it's not actually integrated with the email service, so much as it is bound to the identity that your email address represents, but it's still an integral part of one service competing with another.

You will likely have realised I'm drawing an analogy of the current ecosystem of monolithic social networks - you cannot send a Direct Message from Twitter to a friend on Facebook¹; the more astute (and elderly, and probably also American) among you, however, will realise that I'm describing something that actually happened, back in the early days of the public Internet (80s to early 90s). The early ISP-equivalents peddled proprietary email, forums and file transfer services that only functioned within their networks; my experience of this was with CompuServe in '94, though by this point the ISPs were integrating more and it was only a couple of years before Internet access was opened up fully - I think I got my first Hotmail address in '96/97.

There are various flaws to this approach, some more obvious than others. An immediate issue is the network effect - if all my friends are on service A, I'm likely to join that service; but if a new service starts up with an amazing new feature, I need to drag all my friends across to make it worthwhile. And, as Google+ is discovering, the nature of the Social Graph as a dataflow network means that having friends on a network isn't enough - there has to be content being generated and flowing through the graph to make it worthwhile.
I've always been a believer² in the free market and would argue that customer lock-in stifles innovation & choice, while choice empowers users and enables them to fight back against abuses of power; and when we're talking about services that facilitate the flow of information, I would argue that partitioning dataflow networks can have as great an impact on the development of society as putting up physical barriers³.

But there are other, more integral factors. The issue of security is well-explained in this XKCD comic; essentially, the more services I sign up to the more risk there is of my identity being compromised. The solution to this is already in place - Facebook, Twitter and other services are allowing integration through Facebook Connect, OpenAuth & OpenID that opens their identity service to other service providers, resulting in an improved user experience (one-click "sign-ups"), improved security (as your username & password is only held by one service) & reduced fragmentation (as your identity on different services remains constant across all). This openness empowers and enables users to switch freely between identity providers without impacting their experience of a given service; just as I was able to switch between BT & VirginMedia as my internet providers without my access to the Internet changing (beyond, of course, an increase in speed on a cable connection - the distinction here being between quality of service & nature of service), I was able to switch from an LJ login to a GMail login when using StackOverflow, and my experience of the service remained the same (note that here we must distinguish between my identity as an individual (which is what StackOverflow cares about) and the identities presented by LJ & GMail distinctly, which function more as aspects or façades).

Indeed, the question of choice is central to the problem with modern social networks. If you don't like Facebook's handling of private data or their use of advertising to monetise their service, your choice is to stay or to leave; to have or have not. If you have concerns about Twitter's censorship policies or Google's data gathering, your choice is to have or have not. There are numerous issues, from constantly changing UIs to the ever-waiting Fail Whale to freedom of speech, that can only be tackled when users have the choice to have this or have that.

There is (and has been, slowly developing, over the past year or two) a movement to decentralise & distribute the functionality provided by the monolithic service providers. Consider this blog post on the move to federated social networks, the Diaspora* project (and on Wikipedia), a distributed, user-hosted social network, or YaCy, a decentralised search engine. It an important step, and with enough time (and a good UX) these projects should help us to dislodge the grip of monolithic Web 2.0 services; there is, however, a further step required in this process, and you can see it developing in the ecosystem of services around Twitter.

In addition to the core micro-blogging functionality of Twitter, references to other media are now possible through the emergence of dedicated value-add services (e.g. TwitPic, TwitVid, Deck.ly) or the filtering of existing media hosting (YouTube, web-comics, blogs, online news, etc.) through URL-shorteners⁴. Twitter clients are now integrating with a range of these to provide wider (and yet seamless) functionality to users, but without necessarily constraining users to a specific service. This quick snapshot of the TweetDeck options page shows this choice in action; there's two types of service that TweetDeck can consume, but the choice of which specific service provider is up to me. We're seeing two parallel developments in progress here:

• The ability for software (in this case a client, but potentially services) to consume other services⁵ on behalf of a user (and their associated identity)
• The ability for users to build & customise a conglomerate social networking service that provides the specific functionality that they need, whilst remaining completely compatible with everyone else's custom social network

The move to integrate services in this way is amply demonstrated by If This Then That, a Yahoo-Pipes-Lite that allows users to build active links between their services. IFFT uses a set of purpose-built adaptors for each type of interaction, but by using the standardised interfaces & APIs for content sharing & notifications that are in development by the federated social network projects, this can all be generalised and made freely interoperable.

---

Right, it's taken nearly two months of talking to people and rewriting to get this post this far, so I'll pause here and promise a third & final part with my thoughts on the ideal solution...well, it'll take less than two months, anyway.

---

[1] Indeed, a "friend" or a "subscribe" on Facebook is an entirely different and incompatible concept to a "follow" on Twitter.

[2] In the same sense that I believe free speech is generally beneficial if you're not a dick about it, as opposed to the way I believe in dinosaurs (they existed, but I doubt they'd be beneficial to the economy).

[3] Hmmm, that's probably worth a rant of its own. Adam Smith's Division of Digital Labour?

[4]The passing of data references (Pass/Call by Sharing) is a familiar concept to programmers, enabling developers to manipulate and exchange heavyweight objects (large data files like images & videos) using only lightweight references (URLs in this context).

[5]Oh, my goodness! Shut me down! Machines making machines. How perverse.