Gabe Wachob

Some of you know that I love music of all sorts, and when it intersects with the net (my other "love") I get excited-squared. So I started a blog about music things and especially people I find online. There's so much good music out there that you won't hear about unless you go looking. 

Today is the day I pledged to a blog about a woman in tech for Ada Lovelace Day. Before I mention who I wanted to blog about, let me explain why I am participating. I'm a dad of a very smart, precocious, and interested 8 year old girl. She loves dolls and art and music, but I've also noticed she really loves one of the two OLPC's I have. 

Summary

It seems abundantly clear to me that officlal Bar Associations can better serve their membership and the public by adopting a new technology which allows attorneys to prove to third parties that they are bar members and in good standing (along with other information). That technology is OpenID (and OpenID Attribute Exchange), and the cost of implementing these technologies are relatively minimal. The benefits to the bar members, the web, and the general public far outweigh these costs and I would therefore propose that the time is now to implement this new technology.

What is OpenID and How Could Attorneys Use It?

OpenID is an emerging standard that allows a user to prove that they own an identity (technically speaking, an identifier) online.  It allows a user to prove to a relying party (such as a social network) that they are associated with an identity at another site or application (the OpenID Provider).

The applicaiton of OpenID to state bar associations should be obvious. An attorney visiting a 3rd party website can prove to that website that a) they are an attorney that is a member of the bar, b) that they are in good standing, and c) that they have special certifications, etc.

This is not a theoretical excercise. Web 2.0 technologies are as much about two-way conversation and contribution. Attorneys will be left behind if they cannot carry their trustable credentials with them.  In addition, sites and applications serving the legal community can become much more scalable and interesting when proof of bar membership is automated,  rather than a manual process. A recent twitter thread demonstrates this issue.

The technical solution is now simple, and based on open standards which are implemented widely in open source software. Implementation of OpenID both on the Provider (bar association) and Relying Party (3rd party service) is relatively easy and well understood. Furthermore, with the proposal I make here, the user experience is relatively straightforward for attorneys (simpler than generic OpenID authentication).

The User Experience Proposal

An attorney wishing to prove, to a 3rd party site,  their membership and status in a bar association has a very simple experience. Instead of prompting the attorney for their typical OpenID identifier, the relying party should only prompt the attorney for the state bar association and membership ID they are claiming. Because there are a relatively few number of bar associations, the relying party could map those two pieces of information to a URL which would be the identifier used in the normal OpenID authentication flow (e.g. http://openid.calbar.ca.gov/<membershipid>). (Alternatively, in the longer term, the construction of the URL might be provided by a third party site/service)

After the attorney enters their bar information, the 3rd party site redirects that user to their bar association, which performs whatever online authentication the bar site normally provides (e.g. username/password). At the end of that authentication, the bar site redirects the user back to the 3rd party site (with some back and forth in the background, invisible to the user). The net result is that user has logged into the bar association site, but proven to the 3rd party site that they are a member of the bar. There's really almost nothing simpler. And this is based almost entirely on technology already written and deployed.

Implementation by the Bar Association

The Bar Association has to do the following:

• Implement the basic OpenID Provider functionality. This means hooking up several new URLs to a library that processes incoming OpenID authentication requests, and minimal changes to the user experience flow for authenticating users during the OpenID flow.
• Implement OpenID attribute exchange for a handful of  "attributes": membership_id, membership_status
• Produce documentation to give members an idea of what is going on. Because of the user-experience enhancement I propose below, end users really don't have to even know they are using OpenID (the use of an identifier other than bar membership ID is not needed)

Assuming the bar association already has a personalized/authenticated site for their attorneys, this functionality is relatively easy to deploy in a variety of server environments.

Implementation by the 3rd Party

The 3rd party has to do the following:

• When asking the user to prove they are an attorney, present them with a prompt that allows them to select which bar association (if more than one) and their bar membership ID (the format of which is probably specific to each bar association). This need not mention OpenID specifically - they are only being prompted for bar association information, not an OpenID URL
• Construct of the OpenID URL from the bar association information given by the user. How that information is built into a OpenID URL is likely to be specific to each bar association. It would be nice (as a followon effort, perhaps?) to have some pattern of construction that makes this process easier to implement for multiple bar associations. But initially, the construction rules need to be hardcoded (something like http://openid.calbar.ca.gov/<membership id>)
• Perform normal OpenID relying party functionality with the URL constructed above.
• Perform attribute exchange with the bar association to get membership and status information. The exact attributes (and identifiers for those attributes) is something that needs to be specified by the bar association - hopefully a standard set of identifiers would emerge (or could be proposed!)
• Display prominently the bar association verification associated with the bar member attorney. By creating an understanding among users that the verification is available, lack of verification associated with a user on the 3rd party site will both enhance the reputation and value of contributions by verified attorney users while also raising awareness about the risks around receiving legal advice and opinions from people who are not bar-accredited.  

The Benefits for All of Us

There's a famous cartoon whose caption is  "On the Internet, nobody knows you are a dog" This is the challenge for professionals online, whose opinion laypeople have to ability to judge. We certainly don't want to be getting legal opinions (even if not specifically in the context of a attorney-client relationship) from dogs, do we? I believe that when attorneys can carry proof of their professional status with them, their contributions will be more valued and they will be given more incentives (reputation, monetary) to contribute to the intellectual commons of the Internet, and provide a better service to the public at large.

We can do this now, without much effort, and the benefits are manifest. What do you think?

ADDENDUM

The Flow

Non-technical  readers may want to skip over this diagram.

There's been some recent announcements (here) about changes to the Twitter API and I thought I'd take this occasion to blog, in one place, the various thoughts I've had about what Twitter should do with their API:

Distinguish between Client Apps and Third Party Apps

Make a distinction between "client apps" and "third party apps" in the REST API so that the access rate caps can be treated differently.  "Client Apps" are apps that run in the domain of the one user whose credentials are being used (ie a desktop app).  These sort of apps generally have no good reason for hitting the API many times a second. "Third party apps"are accessing the API in an unauthenticated manner, or using the credentials of the user (ie a third party site like http://twitter.grader.com). These have a legitimate need for high volume access. 

Why is this distinction important? The answer is that the relationship between the developer and Twitter, Inc is different in the two cases. In the Client App case (such as a desktop app), the developer doesn't really care about high volume access, assuming the user isn't hitting reload an astounding number of times a second. A Third Party app developer, on the other hand, is the party that cares about rate limits. By partitioning these two types of relationships, you can segregate the market of REST API users, and implement different policies for them. You want to encourage both types of developers, but you do so in different ways. The current rate accessing policies, especially after the new caps were announced, are better tuned for Client App developers - so there's really nothing that needs changing for this segment of developers. Its the Third Party App developers, where much of the value of twitter is created, that need to be treated more predictably.

Give the Opportunity for Heavy API Users to Pay

Cap the number of requests to some reasonably large number, but offer tiers of access above that cap for pay.  Along with the increased caps, offer a modest for-pay support program for heavy use third party applications. (something like $20-$100 per month for each level of 10000 requests/hr) The idea here is not to punish heavy users, but rather create an incentive for Twitter to support them better.

Everyone comes out happier that way. If I'm building a business on the service infrastructure of Twitter, I want to know that I've got a relationship that matters to Twitter, my service provider. Whats a better way to build a relationship than a revenue stream! :)

Implement OAuth Already!

Implement OAuth for third party apps and require, as terms of service, that third party apps (as opposed to client apps, see below) do NOT collect username and passwords for users. OAuth is designed exactly for this scenario, and reduces greatly the exposure to illicit username and password capture.

In implementing OAuth, you'll also be requiring that applications (either third party or desktop) are explicitly identified as a party to the REST call interaction. This is a good thing! Instead of applications being anonymous parts of the infrastructure sitting beween you and the user (at least for "reads" in the API), applications can now be identified and managed (on the Twitter side). This presents new opportunities (as if you need them) for reaching out to your developer community and gives you more insite on the usage patterns that specific applications have.

Think of Yourself as Common Carrier - Don't Discriminate

While Twitter is legally far from being a "Common Carrier", act like you are, at least from the perspective of an API provider. While you support tiered levels of service from a support and volume point of view, do NOT offer that level of discrimination for functionality. The key here is that the innovation starts on the long tail - the "big end" of the curve pays for the extra level of volume and support to sustain the service, not to create special functional access only for those who can pay. The little guys using the REST API should be able to be "big guys" simply by participating in the for-pay program when its in their interest, and not as a way to get access to an exclusive club of functionality.

I just liked seeing that in words: President Obama.

There's so much emotion in the people around me. Its unlike anything I've ever seen.

Tomorrow, we get to work. But today, we celebrate.

I'm really happy to see Obama's transition website continue from the earlier campaign site to feature a "Technology Agenda". However, it has one particularly glaring deficiency that concerns me. Even while calling for "reform", the following statement demonstrates a fatal misunderstanding of the role of intellectual property in today's world:

This statement is dangerous because it ignores the real story of the "digital age": the fact that the rise of the Internet can be largely credited to free and open source software that expressly disclaims any notion of property rights. In fact, one could argue that the Internet is built primarily on open source software. Apache, LAMP stacks, low-level TCP/IP networking code, firewall code, all open source.

Without the intellectual commons created by the coders, tool builders, web designers and other enthusiasts who've built the Net, the Internet would look more like a gigantic closed AOL of yesteryear. Tinkering, hacking, and "scratching your own itch" are as important drivers for the open Net as are the billions of dollars of investment in commercial software protected by strong intellectual property.

This language in the Technology agenda would be more accurate if it read:

In fact, most forms of intellectual property are state-created monopolies created around the exploitation of  expressions (copyright), ideas (patents), or brands (trademark). Monopolies in and of themselves are not evil - in fact there are good reasons for some monopolies to exist (for example, so-called 'natural monopolies'). But any policy towards intellectual property should recognize its basis as  a form of monopoly, and should treat intellectual property policy with the same public policy aims as the monopolies of the industrial age. That is, to sustain growth and most effectively meet our  economic (and creative) potential, the rights of IP holders (those who hold state-protected monopolies) should be balanced against factors such as consumer benefit (very broadly defined), and the distortion of normal markets (tying, anti-competitive behavior, etc). The language used in the technology agenda raises concerns that no such balancing would be part of the Obama administration's policy objectives.

I hope I am wrong, and that the actual policies developed by this administration will be more balanced.

I am writing this blog partially as experiment in direct democracy via blogging. In doing so, I'm hoping this new administration is more willing to adapt to public calls for change than the last one. 

In other words, I'm hopeful we can make the change we seek!

[Thanks to Kevin Marks for pointing this text out]

President-elect Barack Obama. I can't put it into words. So I won't for now.

YES WE DID!

If you haven't already voted, and you are an American citizen, please vote tomorrow.

 I support Barack Obama and would ask you to vote for him too.

If you care about equality, fairness, and the foundations of liberty that this country was built on, I would also ask you, as a Californian, to vote no on Prop 8, a heinous proposition that would encode bigotry and hate into the California Constitution by stating that currently legal marriages will no longer be performed simply because they don't fit someone's religiously-based definition of marriage. It wasn't that long ago that marriage between people of different races was illegal. However, it is now hard to fathom how  such discrimination was considered acceptable in civil society. The discrimination behind Prop 8 is no different, and history will judge us harshly if we legalize and enforce that sort of bigotry again. I strongly urge you, for the good of your own personal liberty, and for the protection of our nation's tradition of equality, to vote NO on Prop 8.

Thanks for listening, and please go out and vote.

[UPDATE 10:12PM PDT: Sunlight foundation has the bill marked up in html with public commenting.]

[UPDATE 7:52PM PDT: It looks like a final draft was published, and its somewhat different from the draft I was reviewing below. Most of the comments below stand, even though the page references, and many of the specific references phrases have changed. IN particular, it appears the final draft has more language about an "insurance" program that financial institutions can participate in, in lieu of selling bad mortgages. Most of the oversight and scope of authority language seems to be the same. One notable addition is language on p.90 which calls for the president to impose a way of recovering any losses (after 5 years) from the TARP program. ]

Minutes after the first discussion draft of the "Economic Recovery and Corporate Accountability Act of 2008" was published, I went through and reviewed all 104 pages of it. Here's a coalescing of the Tweets I produced while reading it.

• Here's the bailout bill: http://links.sfgate.com/ZEYS  
• The bill is 102 pages long. Its time to review it in detail. Potential to reshape American economy for a generation.
• I'm on page 7 of the 110 page bill. I'm definitely gonna read every line of this. Its times like this I'm glad I went to law school ;)
• @schnaars What's amazing is the massive power that the Treas. Secty is granted. The choice of prez has very *real* short term impact.  in reply to schnaars
• I think this grants more power to the executive than even the (awful) PATRIOT act. I'm not sure its avoidable, though.
• I really want to ensure is that the transactions the TARP envisions are transparent - there are reporting requirements in there (p17-18)
• hmm, at least 20% of profits from sales of assets are to go 65/35 into Housing Trust Fund, Capital Magnet Fund - what are these? #bailout
• So far (as of page 24), nothing about Secty of Treasury *forcing* mortgage lenders to modify loans to avoid foreclosures #bailout
• Any wiki for comments on the bailout bill? Someone want to htmlize and wikify it? #bailout #tarp
• BTW, the bill proposal is titled "Economic Recovery and Corporate Accountability Act of 2008" #bailout
• The main program in the bailout bill is the "Troubled Assets Relief Program" #bailout #tarp
• Not that it will change it, but could we put a thousand eyeballs to make any bugs shallow in the bailout bill?? #bailout
• Apparently the secty only has power to prevent foreclosures *as an investor* - no special power: .#bailout
• "The Secretary shall request (mortgage loan servicers) to avoid preventable foreclosures, to the greatest extent possible" - p. 24 #bailout
• p37: The Secty shall make available to the public, in electronic form, a description, amounts, and pricing of assets acquired #bailout
• p39: Congress can basically put the brakes on after $350B if they pass a joint resolution- and there's rules about fast tracking it #bailout
• Dammit, @donlemoncnn, when it comes to $700B, there's no such thing as "fine print"!!!
• p44 The GAO also shall audit the program (in addition to the oversight board). #bailout
• p. 54 Wow, the standard for judicial review is "arbitrary". Wow. Wow. Wow. That means almost no judicial review at all. #bailout
• p. 55 Wow, the Secty's authority terminates at the end of 2009, unless extended. Thats awfully short time window. Is that enough? #bailout
• p. 63: Statutory limit on public debt increased to $11.315 Trillion. Whoa. Currently (I think) $8.184 Trillion. Big jump. #bailout
• 65 Some changes in foreclosure rules which I don't understand out of context. #bailout
• p.69 Congressional oversight as well (3rd independent oversight function, afaict) #bailout
• p.74 Some enhancements to the power of regulatory agencies (FDIC in particular) #bailout
• @Ross Like many sunset provisions, it is dual-edged. Keeps it politicized, but also keeps it in check. Probably good idea bcuz of the rush.  in reply to Ross
• p.82 Some stuff about the fed making emergency loans and having to report to Congress about such activities #bailout
• p.86 Title 3 of the act is about budget planning around the TARP (title 2 was defining TARP itself). #bailout
• p.86 Title *2* is the budget-related provisions, Title *1* is the TARP program, and TItle *3* (p 91) is tax implications (of course!) #bailout
• The title 3 tax provisions are complicated. It looks like some stock sales are treated as ordinary, not capital income. Needs revu #bailout
• p.94 The tax provision which limits tax deduction for salaries over $400k, some language about golden parachutes, needs more revu #bailout
• @Radu43 I think its pretty radical, but I'm not sure there's practically a better way. The treasury secty *needs* a lot of discretion.  in reply to Radu43
• p. 102 has text which I *think* extends until 2010 provisions which may exclude from taxable income forgiven debt on a foreclosure #bailout

As I noted, I'm looking for a better place to post these notes, (ie a wiki) where the markup and feedback can more collaboratively edited. Looks like the good folks at Sunlight Foundation are  going to put it up at the Open House Project based on the final draft of the bill (which has been published).

[Update 2008-07-27 9:47PM: These principles are up on a wiki and being edited there]

The OWF is an organization to facilitate community efforts to create technical specifications that conform to the ethos that anyone can use the specification and nobody “owns” the specification or its ideas.

Towards that end, the following principles guide work in the OWF:

• All specifications produced by OWF groups should be clear of IPR encumbrances (patent, copyright, trademark, etc)
• All participants contributing to specifications are acting as individuals, but both organizations and individuals may contribute IPR.
• Anyone can participate in specifications work in any group in the OWF, so as long as they are not disruptive and are active contributors.
• Working groups are free to manage themselves so long as they adhere to OWF Way.
• It is the OWF’s goal to create as large an intellectual playing field for implementers free from IPR constraints as possible. The OWF working groups should make decisions about which IPR contributions to accept with this in mind.
• All specifications should be created in a meritocratic and transparent manner
  • All contributions should be judged on technical merit, and not on the identity of the contributor or their position in the community
  • Specifications efforts need not be democratic, but they should be run on rough consensus, with “running code” having special significance (nod to rough consensus/working code)
• All specification work must be clearly documented with a clear audit trail of IPR contributions
• All specification work must be done under the IPR rules of the OWF
• All OWF groups must operate in a manner which maximizes diverse participation across geography, wealth, language, and participant background. In particular, at a minimum, all decisions in OWF working groups (committees?) must be made in email or other asynchronous electronic means.
• There are no specific guidelines around the type of specification work that can be done in the OWF. However, the work should be technical specifications (ie not advocacy, policy, or other specifications that aren’t implementable in code)
• The OWF believes in maximizing the marketplace of ideas. Thus, the OWF does not make any judgement about the quality or market viability of the work produced in OWF working groups. It is perfectly acceptable for OWF groups to produce two specifications which overlap or compete.
• The OWF does not intend to compete with existing standards bodies, and expects work emerging from the OWF to frequently be input to work in other bodies.