Communicating freely

Archive for the ‘web applications’ Category

There is no such thing as a free lunch

Thursday, August 3rd, 2006

Gmail makes me nervous because it’s actually a giant advertising data farm.  Google harvests the text of every message and uses it to place little advertisements that suit my personal tastes or vices.  The Gmail threading system is smart.  It’s a terrifically designed web application.  It’s just worrying when we think about personal security.

I think the paradigm of ‘free’ services powered by advertising is not necessarily a good thing.  It offers a certain immediate service (free email!) but at a serious cost (Google gets to read everything you write).  People are going to have to realise that nothing is actually free.  There is a cost somewhere down the line when it comes to providing server farms with these services.

I don’t think that future web applications will be free.  I actually think I’ll be paying for a private web application when I take out my subscription to my operating system.  You know, I’ll buy my UbuntuPLUS package which will bundle a year of UbuntuMAIL and UbuntuPRODUCTIVITY and other web goodies to ensure my data can follow me around the world regardless of whether my laptop makes it with me or not.

I think there are two primary reasons for this occurring.  The first is that I don’t want Google reading my mail (calender, instant messages, office documents).  The other is that boxed software is becoming a commodity and the provision of useful web services is the next logical profit arena.

I posted a couple of days ago talking about how we can have private personal data on servers that provide web applications.  A comment replying to this assertion was posted to my blog suggesting that if a server does not interact with personal data its just a big storage mechanism and no more useful than a USB key.  I respectfully disagree.  Let me explain why.

There is personal data and there is personal data.  For instance, I am glad that my webmail provider knows my name because this allows us both to be pretty sure only the real Shane has access to the webmail account.  That’s personal, and that’s fine.  Google can have it.  However, I don’t want my webmail provider reading my incoming mail.  That’s personal and Google cannot have that.  I want encryption.  I want privacy.

Now, let’s imagine a service called ‘GooglePRIVATE’ which I paid for.  I give Google $24.95 a year to use their spiffy web application under the condition they never read my email.  They get my name and my credit card.  I get encrypted email.  We’re both happy.

GooglePRIVATE could work by storing my email in an encrypted database.  When I go to log onto GooglePRIVATE a session is established between my computer and their server.  My name and password give me access to my account and the password is also used to decrypt a local session of the database incrementally.  First of all the index arrives and shows my threads.  As I’m being absorbed by the message subjects the rest of the database is streaming and decrypting in the local session ready for use.

The server is providing storage, authentication and the algorithms for searching my mail.  It’s also the place where the web application lives (meaning updates are simple and automatic).  My local session is providing horsepower for decryption and the temporary session that holds my unencrypted mail.  When I’m done my database re-encrypts and drifts back to it’s home in the larger database at Google.

I’m sure you see where I’m going with this.  That’s a rough example of how I can envision web applications that don’t require a total loss of user privacy.  That’s the type of web application I would pay for because it would give me convenience without opening a door into my brain.  It’s bad enough with just me living in here.

When everything goes together…

Tuesday, August 1st, 2006

Sometimes weeks pass without having the decency to give proper notice. That’s my current situation. In the blink of an eye I find myself in August instead of mid-July, and I’m rather concerned that I’m ageing without proper supervision.

So much has occurred since my last post. I’ve participated in a rather interesting security round-table at Birmingham University for the South Birmingham LUG. I’ve attended LUG Radio Live. I’ve delivered an unusual security talk to Birmingham Perl Mongers. I’ve contributed to certification frameworks. I’ve compiled code. The list goes on.

The most interesting thing for me during these weeks has been the constantly reoccurring theme of ‘a change in computing’. One way or another everyone is muttering about it. We’re all getting that nervous feeling that the Internet and the desktop are altering significantly. We see signs. People are talking about services, solutions, evolution.

I feel like we’re back in 1996. We’re looking at something with massive potential and we’re trying to get our heads around it. In 1996 the ‘thing’ was the Internet. Now I suspect the big thing is convergence. I think we’re going to see increasing transparency between local and remote services. We’re about to see that leap beyond Web 2.0 that people can feel on the hairs on the back of their neck.

“Pardon?” I hear you ask.

Well, I have this sneaking suspicion that we’re going to see a new generation of web services that integrate fully with workstations. Can it a hunch, but I see signs that the constraint of the web browser on the delivery of remote services is about to be removed, and we’ll see them existing beside our local applications.

We’ve seen some technologists rooting around this area with things like widgets. We’ve seen Google playing with Google Earth. People are testing the waters to see how this stuff can work. I believe when someone gets their head around it fully we’ll see some pretty startling technology.

At it’s most fundamental level we need a way to deliver non-geographic services without having network latency. AJAX provided part of the conceptual solution for this but fails to realise the full potential of remote services. It really is awful that Meebo is stuck inside a wasteful browser window.

Perhaps the next step will be the creation of special APIs for remote services. These APIs would create windowing objects and interaction with a local graphical user interface. They would allow Meebo to give me a cheerful messenger client on my desktop without the browser. That would be cool. Take it a step further and you’ve got your email client, messenger client and calender acting local but with the collaborative power and non-geographical flexibility of the remote.

Someone at the back just passed out. I suspect they were thinking about security.

Let’s go over that point by point.

Number one: how do we ensure the remote system is safe? The answer is a password. We’re pretty used to that already.

Number two: how do we ensure that we can trust the data host? The answer is we don’t have to. The remote profile data can be encrypted and only decrypted on the local machine while it’s being used. I believe this is relatively easy to conceptualise. I’ll go into that more another time. The personal data held remotely (be it email or other) can be secured using perfectly normal methods like OpenPGP and S/MIME.

Number three: how do we ensure the local machine is not compromised by bad web applications? The answer is special APIs. The APIs would create virtual window objects with access to a browser engine but without allowing access to anything else. It would be a separate API set to the standard local application API. In other words, it would only create the impression of a local application object like a window or taskbar item. The actual processes are held in lonely containers or virtual machines.

I’m going to go over this stuff in more detail another time. I think there is a lot of merit in the assertion that local and remote will have their differences reduced to zero. It strikes me as the next logical step in ICT evolution.

I’m really bored of finding my laptop is dead, there is no power socket, and there’s a net café around the corner. I need a solution to give me my full productivity tools without having to think about physical machines or geographical location. I know I’m not the only one. If someone delivers these tools without us needing to reinvest in infrastructure they’ll have the proverbial ‘killer app’.

Do you agree with me? Do you think I’m talking nonsense? Do let me know. is the address for love, hate and everything in between.