The problem with dataportability is with the providers, not services (duh)
Uno as Ideas, Products, Social Networks, Web2.0
Jan|21|2008
Going through my feeds this morning I once again came across the “bad user design” meme. A lot of people have been talking about it: Jeremy Keith, Josh Morgan, Brian Oberkirch, Dare Obasanjo, and even Paul Buchheit (the guy behind Gmail). It was particularly explicit and loud when Robert Scoble went through that whole Plaxo/Facebook screen-scraping episode.
Basically what people are saying is that it’s a bad idea to give sites your usernames/passwords when you sign up. This creates a bad anti-pattern and sets a horrible precedent for users, who simply give their email user/pass to hundreds of different startups with dismal security standards, making it very easy for hackers to get to your sensitive data. It’s called the “password anti-pattern”.
It’s not a new meme I’m proposing. It seems like Simon Willison has written a bit about it as well, and it does seem like most people are proposing a similar solution: using OAuth to facilitate the authentication process. It’s exactly what I’m thinking, and I also think that we’re pointing fingers at the wrong people. At the moment we’re pointing fingers at a bunch of services, or new apps like Plaxo, Twitter, Spock, etc. It’s something we see in almost every new web app: “Import your friends!” And then we cry foul, blasting the service.
But if the providers made that data accessible through a properly secure API, would it not be possible to get around this? In my mind Flickr provides probably the best page-flow pattern. So I’m saying the PROVIDERS are making this anti-pattern possible. Facebook must make it VERY easy to export users, so must Gmail and so must Yahoo etc. This must be standardized so that containers (using Open Social terminology) can provide that data using some kind of token system, and it must also happen in a process that doesn’t ask for your user/pass. I believe that because it’s not possible, networks are leaving developers with no other option but to do screen scraping.
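A simplified model of the token system described above, added here as an example and not code from the original post or from any real provider: the user authenticates only on the provider's side, and the importing service receives a scoped, revocable token instead of the password. The `Provider` class, the `contacts:read` scope string, the client name and the sample account are all constructed for illustration, and this is not an OAuth implementation.

```python
import hmac, secrets, time

class Provider:
    """Toy data provider; all names and data here are constructed."""
    def __init__(self):
        self._passwords = {"alice": "correct horse"}  # plaintext only to keep the toy short
        self._data = {"alice": {"contacts": ["bob@example.com", "carol@example.com"],
                                "mail": ["private message"]}}
        self._tokens = {}  # token -> (user, client_id, scopes, expiry)

    def authorize(self, user, password, client_id, scopes, ttl=3600):
        """Runs on the provider's own page: the password never reaches client_id."""
        stored = self._passwords.get(user)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, client_id, frozenset(scopes), time.time() + ttl)
        return token

    def revoke(self, user, client_id):
        """The user withdraws one client's access without changing the password."""
        self._tokens = {t: g for t, g in self._tokens.items()
                        if (g[0], g[1]) != (user, client_id)}

    def fetch(self, token, resource):
        grant = self._tokens.get(token)
        if grant is None or grant[3] < time.time():
            raise PermissionError("invalid or expired token")
        user, _client, scopes, _expiry = grant
        if f"{resource}:read" not in scopes:
            raise PermissionError(f"token lacks {resource}:read")
        return list(self._data[user][resource])

def import_friends(provider, token):
    """The third-party service: it holds only a token, never a password."""
    return provider.fetch(token, "contacts")

def denied(call):
    try:
        call()
    except PermissionError:
        return True
    return False

def demo():
    p = Provider()
    token = p.authorize("alice", "correct horse", "new-startup", ["contacts:read"])
    friends = import_friends(p, token)
    mail_denied = denied(lambda: p.fetch(token, "mail"))  # scope stops at contacts
    p.revoke("alice", "new-startup")
    return friends, mail_denied, denied(lambda: import_friends(p, token))
```

With a shared password, the importing service could read the mail as well, and the only way to cut it off would be to change the password for every service at once.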
Hopefully now that pretty much every network has joined Dataportability.org we’ll see some of this stuff actually happening.
I realise that I must be missing the boat and that the tech is probably there. But being a non-tech I don’t know what’s possible. I’m just thinking that seeing all these services still asking for my user/pass is bad design, and that if all the sites haven’t adopted the token/authentication system, then there is something wrong.
Go OAuth! Go OpenID!
8 Responses
Jaxon Rice
21|Jan|2008
Absolutely. The next generation of social networks will be built on this portability. No one wants to join a YANS (yet another social network) and enter duplicate information and a new social graph.
As you pointed out the password anti-pattern is teaching people very bad practices and poses a huge threat to online security. OpenID and OAuth can provide answers to this problem - we just need to get Google and Microsoft on board with the concept.
J. Trent Adams
22|Jan|2008
Great points, and it sounds like you’ve been noodling this for a while. In fact, based on your other related posts, it seems like it’d be great to have your voice added to the debate.
You might consider joining the DataPortability.org Workgroup:
http://groups.google.com/group/dataportability-public
… and if you’re so inclined, there’re also a couple technical groups in which you might want to participate.
alan
23|Jan|2008
thanks for making this one blip on the radar. yet another thing to bear in mind…
Justin Baum
24|Jan|2008
Nice post!
I have been following this thread as well, and posted about it last night here…
http://www.brosbeforeblogs.com/2008/01/is-increasing-t.html
So I did point the finger at Pownce and raised the issue on their Satisfaction page. But I also caveated it by saying I can’t blame them for implementing the password anti-pattern. Everyone is jumping off the bridge and it is a big mess. So don’t let the services get off free. They need a proper talking-to… because after all, on the social web, services can also be the providers and vice versa. Pownce is no less a provider of my identity than my google account. So by blaming the providers we are collectively pointing the finger at ourselves.
The point of my post was that right now for a hungry startup full of people who know about the data portability issues growing a user’s network is more important than instilling best practices in how to handle their sensitive information. Sign of the times I suppose.
Uno
24|Jan|2008
Hey Trent, I have already joined the dataportability group, I read it, but don’t always have the time to contribute.
Justin - I do think that growing the network is probably most NB for users, but if you take that with these kinds of best practices, services should get more, quality users in.
Also, what I’m saying is essentially that Google shouldn’t allow sites to be able to scrape data like that - they should develop the
Younique - Where Marketing Meets IT » Blog Archive » Data Portability - Explained
10|Feb|2008
[...] in its infancy, however I believe it will become a standard once all parties concerned overcome their problems. If you would like to keep up-to-date with the progress of Data portability, you can visit or [...]
Uno de Waal » Blog Archive » Gmail OAuth
10|Mar|2008
[...] with Gmail is going to do wonders for OAuth. There’s no publicity like bad publicity. I claimed it a while back and I still firmly believe that if the services make your data portable through [...]