Subject: Re: Q: Can you build an authentication system on OS?
From: Zimran Ahmed <zimran@creativegood.com>
Date: Tue, 10 Jul 01 01:35:57 -0400


Shiraz wrote:
>> "controlling the data.") 
>
>I'm not sure of it but if we are saying the same thing
>
>then do you agree that how such data can be used
>should
>be regulated by a public license?

how data is used is not regulated by OSS licenses. IANAL, but I am not sure how possible
this is. 
I reread the GPL (http://www.gnu.org/copyleft/gpl.html) and could not find anything
in it that referred to how the data the code acts upon can or cannot be used.

The one legal act that off the top of my head dictates how code and data can be used
is the DMCA, and that is not a software license. IANAL, but my understanding is that
it pertains to all digital data, so .NET may fall under it anyway. But, depending on
the *service contract* (not software license) that MSFT instigates, consumers may lose
the protection the DMCA might have provided, as those rights are alienable. Legal advice
here would be helpful -- can a *software license* dictate what you can do with data?

>> and keep data at the edges of the network, i cannot
>> see how this could 
>> happen.
>
>Here's how. There are probably many ways here is one 
>example. In a traditional database data is still in
>files on the file system. Imagine that each of these
>data files resides on a client PC instead of the
>central server. Now whenever the central database is
>queried it looks up the appropriate "file" on a remote
>PC and gets what it needs.

yes, but in .NET, authentication must come from Redmond servers (where the databases
are *not* distributed). What you're describing here is kind of like the cookies amazon
and other e-retailers use to keep credit card info (kind of), or how Gator can fill
out Web forms. This is precisely what .NET is trying to move users away from by signing
on any windows user to passport.

Shopping sites etc. can now just use .NET APIs to do this instead of building their
own query systems. This is easier for them. Consumers buy a windows box, fill in their
data, and passport is up and working. This is easy for them. Redmond now controls customer
data.

>them. I only care how the data is used. Not where it
>is stored or which pipes it travels through, etc.

and how data is used is beyond the scope of a software license like the GPL, or any
other open-source license.

>I'm not sure we are talking about the same thing.
>Think about oil pipes. You are saying that if someone
>(Eg: MS) owns designs and develops the pipes and
>therefore they get to choose how the oil flowing
>through them gets used. 
>
>What I'm saying is that it's not their oil and so they
>should not get to decide how it is used. 

Here's a snippet from the .NET Visual Studios Beta EULA (http://beta.visualstudio.net/NonSecuredContent.aspx?ContentID=307)

> (b) Recipient agrees to provide reasonable feedback to 
>Microsoft, including but not limited to usability, bug reports and test 
>results, with respect to Product testing. All bug reports, test results 
>and other feedback provided to Microsoft by Recipient shall be the 
>property of Microsoft and may be used by Microsoft for any purpose.  Due 
>to the nature of the development work, Microsoft provides no assurance that any 
>specific errors or discrepancies in the Product will be corrected.

depending on MSFT's definition of what constitutes "other feedback", they seem to have
pretty clear ideas about who that data belongs to and the limits of what they can do
with it. Now, I don't want to read too much into a EULA for a beta, but the OS licenses
as they exist today do not talk about what to do with data (and they probably shouldn't).
But rights to personal information are alienable and can be removed by a EULA.

>And if we do not like the MS pipes (i.e. they leak)
>or if their usage fees are too high then we can build 
>our own piping infrastructure to carry that oil. The 
>architectural issues deal with where the oil is stored
>and how the pipes are used. I do not care about that. 
>All I care about is how the oil gets used.

In his O'Reilly piece, Clay Shirky asks:
http://www.openp2p.com/pub/a/p2p/2001/05/30/hailstorm.html?page=3
"Can a HailStorm transaction take place without talking to Microsoft owned or licensed
servers?"

His answers are no, no, and maybe no, because

- You cannot use a non-Passport identity within HailStorm 
- You cannot use a non-Microsoft copyrighted schema to broker transactions within HailStorm,
nor can you alter or build on existing schema without Microsoft's permission. 
- Third, developers might not be able to write HailStorm services or clients without
using the Microsoft-extended version of Kerberos. 

Under .NET, Microsoft probably touches (and gets a cut of) all transactions.

>Agreed. But that's exactly the problem. MSFT can do 
>whatever they want with public data because the public
>isn't given any choice. We need to say to the public 
>that if they use this other system their data will be 
>free to them in perpetuity.

I am in support of Microsoft having to compete with the services it offers over .NET.
This will introduce competition to lower price, improve services, and improve privacy
(to the degree users value that.) I am sure that AOL is working very hard to come up
with alternative pipes of its own.

>This is the exact problem a "free data" license would 
>attempt to address.

ahh--here's my question. To the degree I understand existing OSS licenses, they have
much to say about what can be done with the code, and nothing about what can be done
with the data. Moreover, a monopolistic authorization infrastructure that gives customers
little control over what is done with their data can run on top of OSS with no problems
under .NET. So, it seems that control of personal data is outside the scope of OS, and
certainly is not addressed by Stallman's four freedoms.

I am not sure what you mean by a "free data" license. You could put up a service saying
"sign on with us and we will never share your data with anyone else or even look at
it ourselves." But this seems less like a software license and more like a service agreement,
or EULA. In a competitive market, with usability and customer experience being equal,
I can see how this would win customers over from something like .NET. But this alternative
would not have to run on open-source software, and seems beyond the scope of OS.

A consumer friendly response to .NET would need to:
1) compete at a service level with consumers (ubiquity, customer experience, usability,
price)
2) compete at a service level with developers (APIs, ease of use, etc.)
3) compete at a service level with users (e.g. retailers) (cost, ease of implementation,
quality of support etc.)

ideally, it would do these things at an architectural level, but this isn't necessary.
AOL could get by with a centralized db authentication infrastructure.

MSFT's monopoly of the desktop means it automatically does well at 1), .NET seems to
be friendly with 2), and that may be enough to drive 3) (although businesses are right
to be wary of giving so much of their customer relationship to MSFT, especially when
MSFT owns competing business of its own. But hey--no conflict, no interest).

AOL is great at 1), don't know with 2), and don't know with 3).

Hopefully, competition will drive down prices, improve services, and value security.
But I'm not sure how that involves the GPL, or a "free data" license. A service with
strong privacy measures that does poorly on 1, 2, or 3 will struggle.

Tim wrote:
>But we don't yet have a widely used "the public owns this" kind of
>license.  We do need one.  Perhaps Bob Young (of Red Hat fame, and now
>putting most of his energy into the Center for the Public Domain) could
>be encouraged to take up this challenge.

but the data is in no sense public domain. in fact, arguing that individuals own their
ideas is essentially arguing *for* draconian authentication protocols and control points
online. And there's a difference between volunteer databases, where the participants
essentially want their data to remain public domain (i.e. GPL the data), and personal
information where "information owners" want their data to remain private and have strict
authentication measures.

>What we tell others about ourselves, and who owns it, is one of the
>great battlegrounds of the next few decades.  But I don't think it's
>going to be solved by a license.  It's going to take an awake and
>alarmed citizenry that resists the slippery slope, and makes other
>choices about what technologies to adopt.

agreed 100%.

zimran 
**************************
http://www.winterspeak.com