Skip to content

All My Hosted Stuff with Dynamic Sharing

In the near future, we’ll all be able to host our own data.

A few years ago it was very hard to do so, but possible, because nearly all the stuff being hosted was simple text with an occasional image or graphic. Then, our bandwidth increased and digital media creation tools were delivered into the hands of ‘the rest of us’. We quickly outstripped our ability to host and manage all our content and a market for hosted applications was born. It hit its stride with Web 2.0.

The boom created a fantastic amount of opportunity. It also stripped us of control. While we were distracted by all the shiny new toys being offered over AJAX, we forgot that owning our own stuff was important.

Today, we’re back to the time when most of the people on the web were seeing it through the AOL lens. Our data lives in silos and some of these silos even claim that your stuff is actually their stuff (have YOU read the Facebook Terms of Use?).

When you post User Content to the Site, you authorize and direct us to make such copies thereof as we deem necessary in order to facilitate the posting and storage of the User Content on the Site. By posting User Content to any part of the Site, you automatically grant, and you represent and warrant that you have the right to grant, to the Company an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use, copy, publicly perform, publicly display, reformat, translate, excerpt (in whole or in part) and distribute such User Content for any purpose, commercial, advertising, or otherwise, on or in connection with the Site or the promotion thereof, to prepare derivative works of, or incorporate into other works, such User Content, and to grant and authorize sublicenses of the foregoing. You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content. Facebook does not assert any ownership over your User Content; rather, as between us and you, subject to the rights granted to us in these Terms, you retain full ownership of all of your User Content and any intellectual property rights or other proprietary rights associated with your User Content.

We need to swing the pendulum back the other way. We need to be able to host ALL our own stuff, or at least, be the proxy whereby we manage access to all our own stuff (even if it’s hosted on a vetted, corporate-backed network in a large datacenter somewhere in the ‘cloud’).

When you come to see my pictures, you come through gallery.terrellrussell.com – but the images could actually be served from Flickr via API. And if/when I change that arrangement and move to smugmug.com via API, you’d still access them through gallery.terrellrussell.com.

terrellrussell_via_oauth

I want dynamic sharing. I want to be able to put all my bits in one place (for sanity, for ease of backup, etc.) but I want some control over how those bits are shared with others (if at all).

I want dynamic privacy based on a set of rules. These rules can be simple. These rules can be complex. There can be sets of rules that seem to cover 80% of the people 80% of the time. The flexibility in a system like that would be paramount – how we deal with that flexibility is a different problem to be solved.

I want sharing rulesets that determine which stuff is visible and which stuff isn’t. I want to have rulesets that determine this visibility by viewer, type of data (pictures/video/status), viewer tags, tags on the data, reputation from a third party, time of day, time passed since the creation of the stuff… Let it be whatever – that’s the point. A rules engine that can handle arbitrary rules and apply them on the fly.

The graphic above is a first attempt at drawing what I want. People will come to get stuff from me (or send stuff to me). Their request will be processed through a set of rules I’ve put in place, identified as coming from a person/device I know, and then filtered through whatever authorizations that person/device has been granted. If they are then allowed to see or receive what they’ve requested, I’ll send it to them.

This has to be done with open source tools and protocols and we’ve already got two of them in the wild. OpenID for authentication and OAuth for authorization. Additionally, we have XRDS-Simple for service discovery. We need an Open SharingRulesEngine (OShaRE?).

I want to have a full audit of how my stuff is getting accessed. I want the ability to drill down and figure out what’s going on. Not that I’ll use it very often – but I want to know that I can.

I want to be in control of who sees my content. If you see a photo I took, embedded somewhere else, I’d like to know that happened. I’d like to have a feel for where the edge of my ‘influence’ lies and how it’s interacting with the rest of the world.

We’ve seen rules engines and rulesets and recipes before. They exist for business and email (procmail) and distributed archival infrastructure (iRODS). Help me build one for granting access to my stuff!

This could all be a pipe dream. I’m not convinced one way or the other (the current sticking point is the realization that the gatekeeper software has to know about every piece of content I create/store… complex… but doable…). But I do know that if the option for individuals to host their own identity and their own content is available, the market for innovation will move that much faster. And that’s almost always a good thing.

Whaddya say? 2 years for basic infrastructure that can do this? 5-7 years before it’s polished and anyone is using it but me?

Tags: - - - - - - - - - - -

View blog reactions

{ 5 } Comments

  1. Fred | December 14, 2008 at 12:15 pm | Permalink

    Whoa. Bold, all caps and a retro Gary-style diagram!

  2. Terrell Russell | December 14, 2008 at 12:45 pm | Permalink

    well, in fairness, the all caps is the CSS :)

  3. Will Norris | December 14, 2008 at 6:53 pm | Permalink

    Do we actually need a common spec for the rules engine? We absolutely need open standards when two different parties are needing to interact, but I’m not sure that’s the case with a rules engine. The person or device will be communicating with terrellrussell.com using some protocol (maybe ATOM for subscribing to data feeds, or the Flickr API for publishing photos). That person or device will be authenticating to terrellrussell.com using either OpenID or OAuth. But the rules engine exists entirely within terrellrussell.com. The external person or device need not (and probably should not) know anything about the process used to derive at their granted privileges. Internally, terrellrussell.com could use any kind of rules engine… perhaps an existing enterprise vendor product, or something a little less heavyweight written as a WordPress plugin.

    All that being said, there is certainly value in having a common language for expressing the rules, just as there is in the enterprise environment. It allows you to use completely separate tools for managing and applying the rules if you wish, and also allows you to switch out the rules engine you are using, and migrate your rules over. It’s just yet another kind of personal data that needs to be made portable.

    I think perhaps a good approach to start with would be to find a decent rules language that will work for this use case (even if we were to just take a subset of an existing language), and try to build a lightweight WordPress plugin that uses that.

  4. Terrell Russell | December 17, 2008 at 11:15 am | Permalink

    No, I wasn’t really laying out a case for a new spec or protocol.

    I agree with you, it’s entirely contained within the infrastructure doing the ‘controlling’.

    I was more interested in a common approach (or language, as you say) to allowing access to ‘stuff’. A set of rules instead of particular binary decisions like normal ACLs. I think the ACL should be dynamically determined via a set of rules when a request is filtered through them.

    I haven’t found a rules engine in PHP…

    It basically needs to match a ‘left hand side’ to a condition, and then execute the ‘right hand side’. A binary ‘sharing’ decision would be made after running a request through all the stated rules.

  5. Julia | March 11, 2009 at 3:30 pm | Permalink

    Do you have any resources you recommend for learning about OAuth? I just got back from Drupalcon in DC where they were talking about integrating OAuth into Drupal 7. I’m still quite confused about what it means for me today and what I can do to speed its implementation.

    By the way, I found your post via the Barcamp RDU list of people. I’m a SILS grad.