What's going on with OAuth?
by David Recordon | @daveman692 | comments: 6
Over the past week there's been a variety of incorrect information shared about what's going on with the OAuth protocol. Chris Messina (Google), Dick Hardt (Microsoft), Eran Hammer-Lahav (Yahoo!), and I (Facebook) wrote this post to help provide a bit more clarity.
The OAuth protocol enables users to provide third-party access to their web resources without sharing their passwords; kind of like a valet key for the web. To date, OAuth 1.0a is the most successful such protocol deployed on the web. The origins of OAuth date back to late 2006, when a small group of web engineers, tired of reinventing the API authorization wheel, came together to find a common, open solution.
The protocol was derived from several existing API authorization protocols, including AOL, Flickr, Google, Microsoft, and Yahoo!. By developing a unified approach to API authorization, the goal was to reduce the burden of implementing any one of these protocols, and provide third party applications a more convenient and secure way to access user data. It is also well-established that security protocols are hard and often suffer from potential exploits. By focusing on a single, open protocol, the community could reduce the likelihood of an attack and respond faster when one occurs.
In the past two years, the number of services that require users to divulge their passwords to enable third-party access — the so-called password anti-pattern — has decreased dramatically. Today the most well-known and used deployment of OAuth 1.0a is Twitter's API. (If you're interested in a more detailed explanation of OAuth, check out The Authoritative Guide to OAuth 1.0.)
Last year OAuth transitioned to the IETF as a new Working Group to produce version 1.1 which would be suitable for publication as an Internet Standard. The working group was tasked with reviewing the security and interoperability properties of the protocol, while maintaining as much backwards-compatibility as possible. As is sometimes the case in such efforts, there was little interest among the community in such a minor cleanup.
Introducing WRAP
At the same time, new use cases emerged as well as a significant amount of hands-on experience about the shortcomings and gaps in the 1.0a version of the protocol. A small group of developers herded by Dick Hardt started work on simplifying the protocol, inspired by the OAuth Session Extension proposed by Yahoo!. Originally dubbed "Simple OAuth", it was later renamed to WRAP (Web Resource Authorization Protocol) to reflect the fact that it is a different protocol. It is now known as OAuth WRAP.
WRAP attempts to simplify the OAuth protocol, primarily by dropping the signatures, and replacing them with a requirement to acquire short lived tokens over SSL. It is not an even trade-off, and the new proposal has a different set of security characteristics, benefits, and shortcomings.
In 2007 when OAuth 1.0 was being created, SSL was used sparingly for APIs. As CPUs have become faster and more specialized SSL hardware has been deployed, it has become increasingly possible to operate APIs over SSL. Some APIs, like the Google Health Data API or Yahoo!'s Fire Eagle API, operate fully over SSL anyway as developers are interacting with non-public data. Using SSL obviates the primary purpose of the cryptography used in OAuth 1.0a, which was designed for transferring data over insecure channels.
WRAP addresses two areas in which the 1.0a protocol is lacking: it offers new ways to obtain tokens, and it evolves the architecture to enable other roles to issue tokens (other than the server). OAuth 1.0a offers a single browser-based redirection flow used to send the user from the application to the server, obtain approval, and return to the application. WRAP adds a few new flows for obtaining authorization and tokens mainly designed around providing better experiences on devices such as your XBox, desktop applications like TweetDeck, or fully JavaScript based implementations like Facebook Connect. And unlike 1.0a where the server issues and verifies every token, the tokens in OAuth WRAP are short lived and can represent claims issued by an authorization server, providing scale and security benefits for large operators.
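The trade-off described in the paragraphs above, as an added example that is not code from the original post or from either specification: an OAuth 1.0a style HMAC-SHA1 signed request next to a WRAP style bearer token. The hostnames, secrets, tokens and timestamps are constructed sample values, and the `WRAP access_token="..."` header form and the `SignedRequestVerifier` / `verify_bearer` helpers are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """Percent-encode everything except the RFC 3986 unreserved characters."""
    return quote(str(value), safe="~")


def signature_base_string(method, url, params):
    """OAuth 1.0a base string: METHOD & encoded URL & encoded sorted parameters.
    Assumes `url` is already normalized (lowercase scheme/host, no query string)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with both shared secrets."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


class SignedRequestVerifier:
    """Hypothetical server side for the signed scheme: recompute the signature
    and refuse a timestamp/nonce pair that was already used. A real server
    would also reject stale timestamps."""

    def __init__(self, consumer_secret, token_secret):
        self._secrets = (consumer_secret, token_secret)
        self._seen = set()

    def verify(self, method, url, params, signature):
        expected = sign(method, url, params, *self._secrets)
        if not hmac.compare_digest(expected, signature):
            return False  # any change to method, URL or parameters lands here
        marker = (params.get("oauth_timestamp"), params.get("oauth_nonce"))
        if marker in self._seen:
            return False  # a captured request cannot simply be sent again
        self._seen.add(marker)
        return True


def wrap_header(access_token):
    """Bearer style: the token itself is the credential (assumed header form)."""
    return f'WRAP access_token="{access_token}"'


def verify_bearer(header, scheme, now, issued):
    """Hypothetical server side for the bearer scheme. Nothing binds the token
    to the request, so the protection is the TLS channel plus a short lifetime.
    `issued` maps token -> expiry time in epoch seconds."""
    prefix = 'WRAP access_token="'
    if scheme != "https":
        return False  # never honour a bearer token that crossed plaintext
    if not (header.startswith(prefix) and header.endswith('"')):
        return False
    expires = issued.get(header[len(prefix):-1])
    return expires is not None and now < expires


def demo():
    # Constructed sample request; the signed scheme works even over plain HTTP.
    url = "http://api.example.com/photos"
    params = {
        "file": "vacation.jpg",
        "oauth_consumer_key": "ck-constructed",
        "oauth_nonce": "n-0001",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1263000000",
        "oauth_token": "at-constructed",
        "oauth_version": "1.0",
    }
    sig = sign("GET", url, params, "cs-constructed", "ts-constructed")
    verifier = SignedRequestVerifier("cs-constructed", "ts-constructed")
    tampered = dict(params, file="private.jpg")
    issued = {"tok-constructed": 1263003600}  # one-hour lifetime
    header = wrap_header("tok-constructed")
    return {
        "signed_ok": verifier.verify("GET", url, params, sig),
        "signed_replay": verifier.verify("GET", url, params, sig),
        "signed_tampered": verifier.verify("GET", url, tampered, sig),
        "bearer_https": verify_bearer(header, "https", 1263000000, issued),
        "bearer_http": verify_bearer(header, "http", 1263000000, issued),
        "bearer_expired": verify_bearer(header, "https", 1263003600, issued),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The signed request is rejected when replayed or altered even though it travelled over plain HTTP, while the bearer token is only as safe as the channel and its expiry, which is why the server-side check refuses it outside HTTPS.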
Judging by the original "Simple OAuth" moniker, the goal behind WRAP was not to confuse developers or compete with OAuth. The intention, rather, was to promote OAuth and increase long term adoption by offering an SSL variant. Therefore, if you're building a new API today and are trying to decide between deploying OAuth 1.0a or OAuth WRAP, nine times out of ten you should continue deploying OAuth 1.0a. But start experimenting with WRAP when its features are important to you and you are comfortable making changes as it evolves.
Building OAuth 2.0
WRAP brought the use cases and experiences that inspired it to the attention of the IETF working group. The consensus is that we now have enough implementation experience and new requirements to begin work on OAuth 2.0, instead of a minor revision. OAuth 2.0 will likely contain two parts, one defining an authentication scheme for accessing resources using tokens, and the second defining a rich set of authorization schemes for obtaining such tokens. By separating the two parts, we will be able to provide the right level of abstraction and modularity to support both the SSL-based approach taken by WRAP as well as the existing signature-based approach taken by 1.0a.
In many ways, OAuth 2.0 will be the result of combining the best ideas from both protocols. The authentication part will be built on top of 1.0a while the authorization part will build on top of WRAP. It is important to remember that it is very early in the process, and that all these decisions will be made by the members of the IETF OAuth working group. In other words, by those who show up. The goal is to have a set of stable drafts for OAuth 2.0 by the upcoming IETF OAuth Working Group meeting in March at the 77th IETF meeting.
For those implementing OAuth 1.0a today, a new edition has been published as an RFC draft which was accepted by the community as a replacement for the original 1.0a specification. This new specification does not change the protocol, but is more readable, includes many clarifications, errata, and examples, and is thus easier to implement.
If you're interested in keeping track of what's going on with OAuth, Hueniverse's OAuth page is a great place to watch. To get involved and take part in this important work, dig into the IETF OAuth Working Group and WRAP discussion list.
tags: oauth, standards
How has the Internet Changed the Way You Think?
by Linda Stone | comments: 2
Every year, John Brockman, a New York based author, editor, publisher, and book agent, reaches out to a community of thought leaders and scientists and asks a question for his World Question Center.
Brockman's 2010 question, How has the internet changed the way you think? evoked thoughtful answers from a range of people, including Brian Eno, Rudy Rucker, Clay Shirky, Martin Rees and many others. The full collection of posts can be found here.
I took the opportunity to explore the tension between my physical and virtual lives, a topic Jim Stogdill wrote about a few days ago.
NAVIGATING PHYSICAL AND VIRTUAL LIVES
Before the Internet, I made more trips to the library and more phone calls. I read more books and my point of view was narrower and less informed. I walked more, biked more, hiked more, and played more. I made love more often.
The seductive online sages, scholars, and muses that joyfully take my curious mind where ever it needs to go, where ever it can imagine going, whenever it wants, are beguiling. All my beloved screens offer infinite, charming, playful, powerful, informative, social windows into global human experience.
The Internet, the online virtual universe, is my jungle gym and I swing from bar to bar: learning about: how writing can be either isolating or social; DIY Drones (unmanned aerial vehicles) at a Maker Faire; where to find a quantified self meetup; or how to make Sach moan sngo num pachok. I can use image search to look up hope or success or play. I can find a video on virtually anything; I learned how to safely open a young Thai coconut from this Internet of wonder.
As I stare out my window, at the unusually beautiful Seattle weather, I realize, I haven't been out to walk yet today — sweet Internet juices still dripping down my chin. I'll mind the clock now, so I can emerge back into the physical world.
The physical world is where I not only see, I also feel — a friend's loving gaze in conversation; the movement of my arms and legs and the breeze on my face as I walk outside; and the company of friends for a game night and potluck dinner. The Internet supports my thinking and the physical world supports that, as well as, rich sensing and feeling experiences.
It's no accident we're a culture increasingly obsessed with the Food Network and Farmer's Markets — they engage our senses and bring us together with others.
How has the Internet changed my thinking? The more I've loved and known it, the clearer the contrast, the more intense the tension between a physical life and a virtual life. The Internet stole my body, now a lifeless form hunched in front of a glowing screen. My senses dulled as my greedy mind became one with the global brain we call the Internet.
I am confident that I can find out about nearly anything online and also confident that in my time offline, I can be more fully alive. The only tool I've found for this balancing act is intention.
The sense of contrast between my online and offline lives has turned me back toward prizing the pleasures of the physical world. I now move with more resolve between each of these worlds, choosing one, then the other — surrendering neither.
How has the internet changed the way you think?
tags: Intention, Life on the Screen, lifehacks
Four short links: 8 January 2010
Healthcare Data, GNU Econometrics Library, Visualizing Changes, View Source Under Attack
by Nat Torkington | @gnat | comments: 0
- Testing, Testing -- at the end of an interesting article on health care reform comes this: The poverty of our health-care information is an embarrassment. At the end of each month, we have county-by-county data on unemployment, and we have prompt and detailed data on the price of goods and commodities; we can use these indicators to guide our economic policies. But try to look up information on your community’s medical costs and utilization—or simply try to find out how many people died from heart attacks or pneumonia or surgical complications—and you will discover that the most recent data are at least three years old, if they exist at all, and aren’t broken down to a county level that communities can learn from. It’s like driving a car with a speedometer that tells you only how fast all cars were driving, on average, three years ago. (via auchmill on Twitter)
- Gretl: The GNU Regression, Econometrics, and Time-Series Library -- GPLed cross-platform software package for econometric analysis, written in the C programming language. (via Hacker News)
- 11 Ways to Visualize Changes Over Time (Flowing Data) -- just what it says. (via mattb on Delicious)
- View Source is Good? Discuss (Alex Russell) -- fantastic post, mandatory reading. View-source was necessary (but not sufficient) to make HTML the dominant application platform of our times. I also hold that it is under attack — not least of all from within — and that losing view-source poses a significant danger to the overall health of the web.
tags: finance, gnu, gov2.0, healthcare, open data, opensource, programming, visualization, web
Understanding Social Business - Webcast
by Joshua-Michéle Ross | @jmichele | comments: 0
The term, "Social Business" has been gaining currency over the past year among influential thinkers such as Stowe Boyd, Jeff Dachis, Peter Kim, and Jeremiah Owyang. At its broadest definition Social Business describes the systemic challenges and new opportunities social technologies present to organizations.
I have been writing for some time that organizations need to "get" social in ways that go well beyond marketing gimmicks or pushing press releases through Twitter. It is a different approach to doing business.
So I am excited to announce that I will be moderating an O'Reilly panel discussion with Boyd (Principal, The /Messengers), Kim (Managing Director at Dachis Group) and Owyang (Partner, Altimeter Group) on January 14 to discuss:
- What is the definition of Social Business?
- How can Social Business impact strategy, design, technology and customer experience?
- Who are the leading exemplars?
From the Radar audience I would love to hear about any questions you would like to see addressed.
You can sign up for the webcast here.
tags: Dachis Group, Jeremiah Owyang, Peter Kim, social business, social web, Stowe Boyd
Pew Research asks questions about the Internet in 2020
Will Google Make Us Stupid? Will we live in the cloud or the desktop?
by Andy Oram | @praxagora | comments: 1
Pew Research, which seems to be interested in just about everything,
conducts a "future of the Internet" survey every few years in which
they throw outrageously open-ended and provocative questions at a
chosen collection of observers in the areas of technology and
society. Pew makes participation fun by finding questions so pointed
that they make you choke a bit. You start by wondering, "Could I
actually answer that?" and then think, "Hey, the whole concept is so
absurd that I could say anything without repercussions!" So I
participated in their and did it again this week. The Pew report will
aggregate the yes/no responses from the people they asked to
participate, but I took the exercise as a chance to hammer home my own
choices of issues.
tags: anonymity, cloud, free software, Google, mobile systems, Nicholas Carr, open source, Pew Research, reading, Semantic Web, social networking, taxonomy, writing
Four short links: 7 January 2010
London Data, SEO Deathspiral, Subversion Search, Entity Extraction APIs
by Nat Torkington | @gnat | comments: 1
- London Datastore to Launch -- the Mayor of London will launch a site full of London data. (via Ed Dumbill)
- Google Destroyed the Web -- It's hard to disagree with the basic contention that SEO aimed at Google's rankings has fucked the web. It's a vicious circle, too: the more fake content sites are created to game Google, the harder it will be for any new web search startup to filter that effluent and deliver meaningful results in competition to Google. This is a grim feedback loop.
- ReposSearch -- search Subversion repositories.
- Survey of Entity Extraction APIs -- he describes the qualitative differences in the APIs and their responses, finding that Evri and OpenAlchemy had the best for his needs.
tags: apis, google, gov2.0, machine learning, open data, search, seo, subversion
The fate of WIPO, ACTA, and other intellectual property pushes in the international economy
by Andy Oram | @praxagora | comments: 3
Intellectual property wars are fiercer than ever, although the institutions most affected (including the media) prefer not to talk about them. But we may be in for a pendulum shift.
I recently put out a tweet on this topic and was asked to expand on it. The issues are too big and complex for me to give them a proper treatment here, but I'll throw around a few of them and see whether you think the trend I'm talking about shakes out.
tags: acta, copyright, crowdsourcing, economics, icann, intellectual property, patent, peer production, wealth of networks, wipo, wisdom of crowds
Four short links: 6 January 2010
Market Forces, Enterprise Fail, Analytics X Prize, Open-Sourced Privacy Subsystem
by Nat Torkington | @gnat | comments: 3
- How Visa, Using Card Fees, Dominates a Market -- (NY Times) two interesting lessons here. First, that incentives to create a good system are easily broken when three parties are involved (here Visa sets the fees that merchants pay banks, so it's in Visa's interest to raise those fees as high as possible to encourage more banks to offer Visa cards). Second, that value-based charging ("regardless of our costs, we'll charge as much as we can without bankrupting or driving away all of you") sounds great when you're doing the charging but isn't so appealing when you're on the paying end. Visa justifies its fees not on the grounds of cost to provide the service, but rather by claiming that their service makes everything more convenient and so people shop more.
- Doing It Wrong (Tim Bray) -- What I’m writing here is the single most important take-away from my Sun years, and it fits in a sentence: The community of developers whose work you see on the Web, who probably don’t know what ADO or UML or JPA even stand for, deploy better systems at less cost in less time at lower risk than we see in the Enterprise. This is true even when you factor in the greater flexibility and velocity of startups. I've been working with a Big Company and can only agree with this: The point is that that kind of thing simply cannot be built if you start with large formal specifications and fixed-price contracts and change-control procedures and so on. So if your enterprise wants the sort of outcomes we’re seeing on the Web (and a lot more should), you’re going to have to adopt some of the cultures and technologies that got them built.
- Analytics X Prize -- The Analytics X Prize is an ongoing contest to apply analytics, modeling, and statistics to solve the social problems that affect our cities. It combines the fields of statistics, mathematics, and social science to understand the root causes of dysfunction in our neighborhoods. Understanding these relationships and discovering the most highly correlated variables allows us to deploy our limited resources more effectively and target the variables that will have the greatest positive impact on improvement. The first contest is to predict homicides in Philadelphia. (via mikeloukides on Twitter)
- Protecting Cloud Secrets with Grendel (Wesabe blog) -- new open source package that implements Wesabe's policies for safe handling of customer data. It uses OpenPGP to store data, and offers access to the encrypted data via an internal (behind-the-firewall) REST service. The data can only be decrypted with the user's password. Hopefully the first of many standard tools and practices for respecting privacy.
tags: analytics, business, competition, enterprise, opensource, privacy, programming
Africa's "Gutenberg Moment?"
by Andrew Savikas | @andrewsavikas | comments: 1
This post from Publishing Perspectives about publishing in Africa came in over the break, and it's worth a look:
Five years later, [Muhtar] Bakare is still a confident believer in the power of the internet to revolutionize the African publishing industry. “The internet is our own Gutenberg moment,” he told the Oslo audience. “The internet is going to democratize knowledge in Africa.”
As the Web moves to becoming a primarily mobile media, it expands global access to knowledge and information (while obviating the historical geographic barriers around physical markets). Publishers taking a long view should be sure to pay attention to what's happening in Africa and the Middle East. We'll have speakers from both regions at next month's TOC conference.
tags: africa, global, mobile
A Few Thoughts on the Nexus One
by Tim O'Reilly | @timoreilly | comments: 75
There will be many posts focusing on the look, feel, and features of the Nexus One, so I'm going to focus on what Android's latest incarnation says about the competitive landscape - what I've elsewhere called the war for the web. Android vs. iPhone is one important front in that "war."
News from the front: a possible turning point for Android. I've been a huge iPhone fan, but after using the Nexus One for a few weeks, I find so much to like that I'm close to the point where Android might be my first choice. While I may yet go back to my iPhone, I'm conflicted.
The key to the turning point is not how slick the phone is - even though it's thin, fast, bright, and beautiful, with amazing sensor-based capabilities including noise-canceling headphones, automated brightness adjustment based on external light levels, voice-activated search, navigation and data-entry, different "home" screens based on whether it's in your pocket or sitting in car-dock. Nor is it the fact that you can buy unlocked phones without any plan directly from Google, or that you will soon be able to choose plans from Verizon and Vodafone as well as T-Mobile. The real turning point is Google's commitment to making the Nexus One a web-native device. As Google VP of Product Management Mario Queiroz said in today's press conference, a nexus is a place where multiple worlds meet. "The Nexus One is where the phone meets the web." It's a connected device in a way that is more fundamental than any previous phone.
The biggest pluses of the Nexus One are all around the simplicity and completeness of the cloud integration:
- The Android Market rocks. It's a "one click" experience compared to the iPhone App Store. Find the app, add it directly to the phone. No separate syncing step. And there's more than enough choice there, with more apps being added every day. I found myself having much more fun exploring and adding new apps than I ever had on the iPhone. Payment is also easy - I have a feeling that the Android Market is going to be a major driver for Google Checkout, growing its base and making it a real contender as a first class internet payment system. Not to mention that you buy the phone itself online using Google Checkout.
I'm delighted by the useful security warnings (now, that's unusual!) that show what system features each app you download will have access to. I also love that the Market shows you how many times the app has been installed, so you can immediately see how popular it is.
- Gmail is so good on the phone that I can, for the first time, imagine being totally without my laptop.
- No need to sync address book and calendar. Everything's always up to date.
- Multi-tasking makes the phone feel much more like a real computer.
- Maps and turn by turn navigation are great, although the speaking voice of the turn by turn is just awful.
- In Android 2.1, Google has speech-enabled every text field on the phone, not just search and navigation. Frankly, speech recognition still doesn't work as well as I would hope, but as I've written previously, when speech recognition isn't happening on the device, but in the cloud, it gets better the more people use it.
- Google Goggles is still a bit rough, but really promising. I understand why it's not pre-loaded on the phone, but think it has real promise as a must-have app, and one that plays to Google's strengths. I believe that image recognition and speech recognition are key to future UI improvements in mobile devices, and I applaud Google's long term commitment to these areas, even though they aren't yet fully baked. And the awe factor when you see someone point a camera at you and have the app say "That's Tim O'Reilly" tells you just how much more a device can do when it is backed by big data and powerful algorithms running on a cloud platform. (Google has kept face recognition out of the production version of Goggles, but I had a full version demoed to me a few months ago, and it was truly a taste of the future.) Augmented reality is coming to the iPhone as well (Layar, the Yelp Monocle, and ShopSavvy being only a few examples), but this is Google's home turf.
- The iPhone was always intuitive for me. The gPhone is definitely a learning experience. But the more familiar I get with it, the happier I am, unlike some devices where you never get over the hurdle, and never feel comfortable or effective.
- Visual Voicemail is a killer app on the iPhone. Going back to having to dial a number to hear voicemail just seems so wrong. I'm assuming that this is our wonderful patent system at work, as otherwise, it's hard to imagine that Google wouldn't be copying this feature.
- It's hard to make a single-touch UI that's as simple and useful as a multi-touch UI. I know multi-touch is coming for Android, but not having it now is a big miss. I love the experience of zooming on the iPhone with a pinch. What's more, the sensitivity of the touch screen on the Nexus One leaves a lot to be desired. Dragging seems to work fine, but some of the button presses aren't recognized unless you press really hard.
- The notification trackball is a nice idea, but I don't think it really adds much to my experience. In fact, there are so many applications that send notifications that if the light is enabled, it's constantly flashing. Future applications may learn better how to use color in notifications.
- I really miss access to my iTunes music collection, which is also where I listen to audiobooks from audible.com. That being said, this omission pushes me back in the direction of cloud music apps like Last.FM and Pandora, though I'm wishing that Rhapsody was available, since I'm already a subscriber via my Sonos home music system. Google has added its own built-in music app, but it has a limited selection, and what's worse, pre-empts the controls on the headset. At least right now, they aren't available to other music applications - pressing the pause button while in Last.FM just starts a competing stream from the Google music app. Unless Google is REALLY serious about getting into the music business, they should give up on their own app and work with third parties to fill this hole.
- Google hasn't done as good a job as I would have expected of integrating photos and videos with Picasa and YouTube. While Google claims one-click YouTube upload, it wasn't immediately obvious to me. In any event, there's a potential liability in Google's tie to its own services. For example, I'd love to be able to auto-sync my photos to Flickr rather than Picasa - it will be interesting to see if Google's definition of open extends to the choice of competing cloud services, or if they will use the device to tie people ever more closely to their own services.
- The lack of some simple features, like the ability to take screenshots, is also annoying. Heck, even to install third-party screenshot apps, you need to root your phone.
(Henry Blodget makes this case in Hey, Apple, Wake Up -- It's Happening Again. On the other hand, Mark Sigal raises a different historical analogy, Novell vs. Microsoft, asking whether Google's release of its own anointed phone might end up blunting adoption by other vendors, while Google takes the eye off its core business. A lot depends on whether Google holds back anything from the platform available to others. At today's press conference, Google emphasized the open platform aspect of Android, so they are trying to address that fear. The model seems to be to work with individual partners to push the ball forward, but to return those innovations to the pool available to all partners.)
Overall, though, it seems to me that Google's experience in delivering cloud-based data-driven applications is aligned with long-term trends in a way that Apple's device-bound heritage is not. Apple is playing catch-up in cloud infrastructure, building its own location services, for instance, but iTunes and the App Store excepted, Apple's cloud experience is limited, especially in the area of algorithmically driven applications, which I believe is so central to the future of computing. Meanwhile, Google has so many data assets, and so much experience in algorithmic applications, that it may be difficult for Apple to compete in the long term.
There's also the matter of cloud-native "killer apps." Apple's email, calendar, and address book show their PC-era roots. They live on the PC and must be synced to the phone. Google's web-native equivalents are always up to date, with syncing happening in real time.
In Apple's favor: software and design patents, which hold the competition at bay in a way that they didn't in the 1980s. Also in Apple's favor, its own killer apps, like iTunes, which is still the gold standard in music, but also the hub for podcasts, audiobooks, and ebooks. Audiobooks and ebooks might make it into the Android Market, but it's hard to imagine the Market becoming the same kind of content hub that iTunes has become.
Also in Apple's favor: Google must make some of its key assets available on the iPhone or cede the real estate to competitors. It would be a major blow, for example, if Bing search or Maps were the default on the iPhone instead of Google. It's easy to imagine an Apple-Microsoft alliance in areas like search, location services, speech recognition, image recognition, and other cutting edge areas that will be a key part of Google's competitive advantage in the future.
Meanwhile, there are key third party apps that can make or break either platform - perhaps not quite as essential as in the days when Adobe's commitment to the Mac before Windows helped give Apple an insuperable lead in the design market, but still significant.
Google needs to aggressively map out a partner ecosystem in areas like music, ebooks, and the like, to make sure that they have a compelling offering to match what's already available on the iPhone.
Meanwhile, Apple needs to either beef up its capability in the kinds of data-backed applications, or partner aggressively with companies with more expertise than they currently have. They also need to re-factor their core applications like iPhoto and iMovie to make them web-native, turning them into a base for collective intelligence. Picasa and iPhoto both sport image recognition, but Apple has to train its algorithms on sample data sets, while Google gets to train Picasa on billions of user images. As Peter Norvig, Google's chief scientist, once said to me, "We don't have better algorithms. We just have more data." Collective intelligence is the secret sauce of Web 2.0, and the future of all computing, and by locking user data into individual devices, Apple cuts itself off from this future. Rather than having MobileMe as a separate revenue add-on, Apple needs to make all of its applications web-connected by default, so that they can learn from all their users.
What we see then is a collision of paradigms, perhaps as profound as the transition between the character-based era of computing and the GUI based era of the Mac and Windows. We're moving from the era in which the device is primary and the web is an add-on, to the era in which a device and its applications are fundamentally dependent on the internet operating system that provides location, speech recognition, image recognition, social network awareness, and other fundamental data services.
We're in for an interesting ride.
P.S. Marshall Kirkpatrick over at ReadWriteWeb reminds us that new FTC guidance requires bloggers who receive free products to disclose that fact. Since the Nexus One didn't go on sale until today, and I mention that I've had it for a few weeks, it should be obvious that I did not buy the phone, but received it from Google. However, they did not ask me to review it. O'Reilly often receives early access to software and hardware products from vendors so that we can plan our publishing and conference programs, and so we can provide feedback about the product. We believe that the FTC guidance is over-broad. It is designed to protect against potentially deceptive paid endorsements, not to prevent the development of third party documentation or other services.
What Company Will Be the eHarmony of Microblogging?
by Mark Drapeau | @cheeky_geeky | comments: 7
A New York Times article by David Carr rehashing common knowledge on "why Twitter will endure" got me thinking about the ways in which it will not endure, or the ways in which it may endure while no one really cares about it.
So, what does it mean to "endure"? To stay in business? So what - Lord and Taylor is still in business, but there are so many better stores if you ask me. L&T is in big trouble in my opinion as it is getting killed on the low end by Target and other retailers, in the middle by Macy's, and on the high end by stores like Neiman Marcus and Nordstrom.
RC Cola has endured. The company has a website and everything. It's owned by an entity called the Cott Corporation, now - I can hardly contain my excitement over that. We always think of Coke and Pepsi when we think of soft drinks, and maybe now we even think of carbonated things like Perrier or some sports drinks. But, still, RC Cola endures.
Classmates.com is still enduring - but when was the last time anyone cared? I'm still somewhat of a fan of MySpace for connecting people, though certainly Facebook is better in its functional capacity. And LinkedIn has the business niche going on still. But no, Classmates.com endures. I'm proud of those guys. They're connecting people, one high school classmate I don't care about at a time.
So what does it mean to say that Twitter will endure?
"Endure" has a number of definitions: to undergo without giving in, to regard with tolerance, to continue in the same state, and to remain firm under misfortune without yielding. None of those sound very positive to me. I'm trying to imagine Bill Gates in an early Microsoft meeting with some guys around a table, giving a pitch about the future of the brand: "Thanks for coming, the title of this presentation is: MICROSOFT WILL ENDURE" - inspiring!
I'm not really interested in the question of whether "Twitter will endure" or not. They have $100 million from investors - unless they're burning wads of cash building a replacement for the space shuttle, they will endure for quite a while. So, we have an answer to a question that was borderline stupid to ask in the first place, certainly in a post-Ashton Kutcher post-Oprah twitterverse.
The real question is, what will the future of the microsharing ecosystem look like? The ecosystems of department stores, soft drinks, and social networks have changed drastically over differing time periods. Some businesses still endure in various forms, but there's only room at the top for one big one, one second place, and maybe a few niche players. Will Twitter be #1 or #2? Maybe, maybe not. No one knows.
It's interesting to think about microsharing in the framework of dating websites. Some dating websites try to be a catch-all, like Match.com does; it's a good site that has barely evolved since it started, and they try to appeal to everyone while simultaneously doing nothing special for hardly anyone. Marriage? Match.com. Hookups? Match.com. Newly divorced? Match.com. Old? Young? Match.com.
Match.com has about 15 million users last I checked. They will endure. But eHarmony (how can you escape the commercials?) has about 20 million. Why? They're hitting a more marriage-minded, wholesome-dating niche. (Chemistry.com is also in that niche, at about 5 million members.)
On the raunchier side of the equation, AdultFriendFinder.com has about 32 million users, roughly the size of Match and eHarmony combined. Wow.
In principle they will all endure. But who's making money, and who are people talking about the most, and which brands do people trust? I'm not sure I can answer that question for dating websites, but those are certainly the right questions.
So how does Twitter play into this? Well, Twitter is like the Match.com of microsharing - everything to everyone and nothing to no one. But who will be the eHarmony and AdultFriendFinder of microsharing?
It strikes me that while many articles have been written about Microsoft, Google, IBM, and others thinking and plotting about buying Twitter, that that's the wrong ultimate move. The real strong move is to create your own in a big niche that Twitter's ignoring. Take Microsoft for the sake of argument. They use the open source identi.ca (or similar) as a base for creating "microsharing for serious business people" and market it that way, as a free online service. I can see the commercials: "Twitter is for kids. MicroShare is for your business." That's the kind of thing my parents would react to.
On the flip side, why doesn't some edgy youth company like Abercrombie & Fitch or Guess or Forever 21 start a "skanky" version of Twitter for teens to meet other teens and hook up for burgers, drinks, and more? Make it no holds barred, fun, engaging. Maybe you can even pretend to be a vampire or something, and "bite" people you have a crush on. I don't know, whatever's cool these days. And it should be all neon colors or something rad.
Predictions? My guess (1) is that people would rather participate in large niche sites. And my guess (2) is that advertisers would rather advertise there because they know the audience a little better. And my guess (3) is that these niche microsharing sites would provide more relevant information when linked up with Google and Bing search results, and would provide more relevant trending topics and other features to users.
Twitter will probably endure. The question is, will you care?
tags: microblogging, Twitter, web2.0
The Google Android Rollout: Windows or Waterloo?
by Mark Sigal | @netgarden | comments: 20
Watching Google's rollout of Android to date, including this week's announcements about the Google-branded, HTC-built Nexus One phone, I am left with two conflicting thoughts.
The first is that everyone I talk to within Google is supremely confident that the data they are looking at suggests that they are poised to win in the market.
The second is that I am confused. Relative to the 'battle' and 'war' analogy, what is the battle that Google is fighting, and what is the war that they expect to win?
After all, at this stage Android is not in the same league to WIN the potential iPhone buyer because, relative to iPhone, Android falls short on hardware design, developer tools, media libraries, apps momentum, and marketplace functionality.
Yet, based upon RIM's last quarter earnings report, it's not as though Android is taking market share from the Blackberry, either.
My best guess is that Google is REALLY going after the Nokia and Symbian ecosystem, which is fine and logical, as it represents a comparable structure in supporting a broad variety of device form-factors and a multi-carrier approach. Plus, it offers (relatively) easy pickings, as Nokia/Symbian has a dispirited developer base, making it low-hanging fruit.
The only paradox is that to win that audience you can't be competing with the handset guys (i.e., Motorola, HTC, Samsung, LG) in either hard or soft form - i.e., by anointing a preferred device/partner or formally branding and marketing a Google device.
Why? Because a successful platform play demands clear delineation points between the areas where the platform creator is looking to the ecosystem to fill the gap (and, thus the platform provider won't compete with them); where they consider something proprietary to themselves, and thus won't allow a third-party to augment/swap out; and where it's more akin to 'co-opetition' (the platform creator will cooperate, but reserves the right to compete as well).
When You See the Fork in the Road, Take It
In Google's case, they have positioned themselves as the more open alternative to iPhone, and have been very vocal from the get-go (i.e., during the two years that they have been courting handset makers) that they are not getting into the hardware game.
In fact, just two months ago, Andy Rubin, VP of Engineering for Android at Google, scoffed at the notion that Google would "compete with its customers" by releasing its own phone.
"We're not making hardware," Rubin said. "We're enabling other people to build hardware."
Yet here we are, and it appears that Google is indeed materially changing the rules of the game by rolling out a Google-branded phone.
History suggests that when ecosystem partners conclude that the platform creator is competing with its own constituency or using built-in advantages unfairly, they will become less loyal and less dedicated to the platform.
In the Android market, the most likely way this manifests is handset makers more freely making product decisions that are at odds with the 'greater good' of a unified Android platform, thus accelerating the rate of Android platform fragmentation.
To be clear, I am not suggesting that Apple has been a saint in how they've managed their relationships with developers. They haven't, and have been rightfully pilloried for their deafening silence and sometimes-capricious handling of the App Store approval process (in terms of their interaction with third-party developers).
The difference is that with Apple, the ecosystem is making real money, the universality of iPhone/iPod Touch App and Media distribution is compelling, and the monetization workflow is straightforward and just works, so Apple developers cope and deal. Besides, as a developer, you always prefer a unified platform to a more heterogeneous one, right?
Hence, the argument here is that Google watched the rate that the iPhone Platform is evolving and how rapidly consumer and developer mindshare continues to grow, and concluded that 'staying the course' was unpalatable, and decided to do something dramatic about it.
In other words, this move was dictated by what Apple is making happen in the market rather than any pure failing of Android. Nonetheless, it's a telling statement on what Google now believes is the quickest way to get the best possible Android phone out, a statement they appear willing to make even if it results in collateral damage to the Android ecosystem.
Call me a naysayer, as it's certainly contrary to conventional wisdom, but I believe that this move is an indication that Google has misread the market, and now faces a choice between a fragmented Android marketplace or abandoning the core precepts of Android (as an open, hardware vendor-neutral software platform play) in order to go toe-to-toe with Apple in areas that, I would note, Google hasn't proven to be strong at; namely, hardware design, user experience, and developer tools.
Framing this dilemma, MG Siegler of TechCrunch nicely captures one bit of fallout from the imminent Nexus One launch in his excellent piece, 'With Nexus One, Is Google Eating Its Own Dogfood or Its Own Children?':
Google is unveiling the Nexus One just two months (nearly to the day) after the Verizon Droid was released. The Droid, of course, was seen as the Android platform's Messiah by some, and the one phone that could maybe hold a candle to the iPhone. Sales have been good, and the general consensus is that the phone is a winner. But now, just two months later, we have a new Android phone that by just about every account is better than it. In fact, the only real upsides for the Droid over the Nexus One is that it runs on Verizon's network, and that it has a physical keyboard. The Verizon point is certainly a fair one - there's a reason why everyone is clamoring for a Verizon iPhone. But the physical keyboard argument seems moot, as the consensus is that the Droid keyboard is a pretty poor one. I don't know about you, but I'd be pretty annoyed if I just shelled out my money for a Droid, and locked myself into a 2-year contract (even one with Verizon). It reminds me of when Apple first unveiled the iPhone for $599 then slashed the price just a few months later, leaving all the early-adopters bitter. Apple eventually gave a partial rebate to those buyers, but it still was a curious move. And Google's is arguably worse here, as it's not just about the money, but about the unveiling of a superior piece of hardware so quickly after it put a lot of its own marketing muscle behind the Droid, trying to convince customers that it was the Android phone to buy.
Mind you, this is the same company whose credo is "Do No Evil," and just a week ago delivered a somewhat sanctimonious, self-serving and much-derided manifesto on the Google definition of openness. Daring Fireball's John Gruber offered by far the richest commentary, proclaiming, "It's the biggest pile of horseshit I've ever seen from Google."
Fair or unfair, when you emblazon yourself as being more open and less evil than everyone else, as Google has, you put a bit of a target on your back.
Somewhat paradoxically, Apple gets a free pass here, because with Apple, product positioning is all about the products and the user experience, and not about morals and openness.
Everything Old is New Again
The prevailing meme in assessing the battle between Google's Android and Apple's iPhone is that it's a redux of Microsoft Windows v. Apple Macintosh, with the premise being that the company with the broadest base of hardware OEM support will inevitably outflank and usurp the market position of the integrated and more proprietary hardware, software solution provider (read: Apple then and Apple now).
That chapter has yet to be written but I would submit that there is another chapter from tech history that bears re-reading: Novell v. Microsoft.
In 1994, Microsoft was rapidly moving into the driver's seat as the de facto leader of desktop/personal computing, yet many forget how utterly dominant Novell was.
In fact, at one point, 90% of the market for PC-based servers was under its control via its NetWare Network Operating System and surrounding ecosystem of hardware, software, integration and education/training partners.
At that point in time, it was not apocryphal to wonder whether the Network was poised to swallow up the Desktop, or vice versa, in much the same way we ruminate today on whether 'The Cloud' will swallow up Edge-Based computing.
But then something interesting happened. Novell's Ray Noorda, believing that its strategic position gave it a secure foothold from which to establish a beachhead in the desktop environment, opted to take Novell head-on into Microsoft's Office stronghold by rolling out a product suite that included WordPerfect and Quattro Pro, a one-time Excel competitor that had been acquired by Novell from Borland.
When the dust settled, not only had Novell lost the desktop battle badly, but in the process of focusing its forces to fight Microsoft on its home turf, Novell missed the disruptive power of the TCP/IP-based Internet (NetWare was built on a protocol stack known as IPX/SPX), and now, relatively speaking, nobody uses NetWare anymore.
Netting it out: rather than seeing this as a Microsoft v. Apple analog, maybe Google should view this as a Microsoft v. Novell analog, with Google sitting in the Novell position. Either way, the Mobile Wars are shaping up as the juiciest industry battle in years.
Related Posts:
- Google Android: Inevitability, the Dawn of Mobile and the Missing Leg
- Open "ish": The meaning of open, according to Google
- iPhone, the 'Personal' Computer: The Future of the Mobile Web
© 2005 - 2010, O'Reilly Media, Inc.