Gabe Wachob

Omar Ahmad, by all accounts, was a popular man, both in his role as mayor of San Carlos, and as a member of the political and tech communities in the Bay Area and beyond. Thats why, in part, so many people are shocked and saddened by his sudden death by heart attack this morning.

When my kids watched a "black man" (actually a man of mixed race, just like my kids) get elected to be president of the United States, their joy and elation went beyond the politics... I really believe they (my kids) felt like they were part of the American community because someone *just like them* was elected by a majority of Americans. Obama was elected based on his credentials, capabilities, intellect, and leadership, and his racial background did not prevent him from being elected to the highest office in the land. My kids, to this day, identify with Obama, and (notably) even draw him and themselves with the same color markers. But when Obama was attacked for "being Muslim" or having an Arabic middle name, I was horrified. Being 'black' was OK, but being Muslim wasn't?

I'm writing this note because I never got to tell Omar that I really appreciated his visible leadership and presence in the community in which I lived in (San Carlos). Omar had one of those funny names. An Arabic name. And he was Muslim... that religion that all the politicians can't help but demonize.

Why is this so personal to me? You see, *my kids* have funny Arabic names (Aliyah Maria, Joshua Sultan). And to the extent they are being raised with any religious upbringing, it is Islam (their mom's religious affiliation).

So maybe I don't have to spell it out, but its really important to say. My kids saw (then council member) Mayor Omar Ahmad, a brown-skinned Muslim man with an Arabic name, leading their home town. Just like with Obama's election, I know they felt part of the community and were given the boost in pride that they could thrive as much as any other kid with any other name, religion, skin color or special feature. They probably don't even notice it explicitly. They may never have mentioned it. But I'm sure, absolutely sure, that my kids are so much better off for having Omar as an unintended role model. Just by being an active, positive and joyful leader of the community, he helped build an environment in which my kids are thriving despite being "different".

Differences should be celebrated and embraced and I can't think of a better example than Mayor Ahmad in San Carlos. But *highlighting* differences is not why we celebrate him. Indeed, I don't think he ever made an issue of his differences. I'm celebrating his service because he was just "one of us" who made space for those who are different in whatever way they are unique. He made a positive impact by being and doing, *not* talking, and his impact will go on beyond his political career, and indeed his life.

Goodbye Omar, I'm sorry I didn't get to tell you this before you left us...

Some of you know that I love music of all sorts, and when it intersects with the net (my other "love") I get excited-squared. So I started a blog about music things and especially people I find online. There's so much good music out there that you won't hear about unless you go looking. 

Today is the day I pledged to a blog about a woman in tech for Ada Lovelace Day. Before I mention who I wanted to blog about, let me explain why I am participating. I'm a dad of a very smart, precocious, and interested 8 year old girl. She loves dolls and art and music, but I've also noticed she really loves one of the two OLPC's I have. 

Summary

It seems abundantly clear to me that officlal Bar Associations can better serve their membership and the public by adopting a new technology which allows attorneys to prove to third parties that they are bar members and in good standing (along with other information). That technology is OpenID (and OpenID Attribute Exchange), and the cost of implementing these technologies are relatively minimal. The benefits to the bar members, the web, and the general public far outweigh these costs and I would therefore propose that the time is now to implement this new technology.

What is OpenID and How Could Attorneys Use It?

OpenID is an emerging standard that allows a user to prove that they own an identity (technically speaking, an identifier) online.  It allows a user to prove to a relying party (such as a social network) that they are associated with an identity at another site or application (the OpenID Provider).

The applicaiton of OpenID to state bar associations should be obvious. An attorney visiting a 3rd party website can prove to that website that a) they are an attorney that is a member of the bar, b) that they are in good standing, and c) that they have special certifications, etc.

This is not a theoretical excercise. Web 2.0 technologies are as much about two-way conversation and contribution. Attorneys will be left behind if they cannot carry their trustable credentials with them.  In addition, sites and applications serving the legal community can become much more scalable and interesting when proof of bar membership is automated,  rather than a manual process. A recent twitter thread demonstrates this issue.

The technical solution is now simple, and based on open standards which are implemented widely in open source software. Implementation of OpenID both on the Provider (bar association) and Relying Party (3rd party service) is relatively easy and well understood. Furthermore, with the proposal I make here, the user experience is relatively straightforward for attorneys (simpler than generic OpenID authentication).

The User Experience Proposal

An attorney wishing to prove, to a 3rd party site,  their membership and status in a bar association has a very simple experience. Instead of prompting the attorney for their typical OpenID identifier, the relying party should only prompt the attorney for the state bar association and membership ID they are claiming. Because there are a relatively few number of bar associations, the relying party could map those two pieces of information to a URL which would be the identifier used in the normal OpenID authentication flow (e.g. http://openid.calbar.ca.gov/<membershipid>). (Alternatively, in the longer term, the construction of the URL might be provided by a third party site/service)

After the attorney enters their bar information, the 3rd party site redirects that user to their bar association, which performs whatever online authentication the bar site normally provides (e.g. username/password). At the end of that authentication, the bar site redirects the user back to the 3rd party site (with some back and forth in the background, invisible to the user). The net result is that user has logged into the bar association site, but proven to the 3rd party site that they are a member of the bar. There's really almost nothing simpler. And this is based almost entirely on technology already written and deployed.

Implementation by the Bar Association

The Bar Association has to do the following:

• Implement the basic OpenID Provider functionality. This means hooking up several new URLs to a library that processes incoming OpenID authentication requests, and minimal changes to the user experience flow for authenticating users during the OpenID flow.
• Implement OpenID attribute exchange for a handful of  "attributes": membership_id, membership_status
• Produce documentation to give members an idea of what is going on. Because of the user-experience enhancement I propose below, end users really don't have to even know they are using OpenID (the use of an identifier other than bar membership ID is not needed)

Assuming the bar association already has a personalized/authenticated site for their attorneys, this functionality is relatively easy to deploy in a variety of server environments.

Implementation by the 3rd Party

The 3rd party has to do the following:

• When asking the user to prove they are an attorney, present them with a prompt that allows them to select which bar association (if more than one) and their bar membership ID (the format of which is probably specific to each bar association). This need not mention OpenID specifically - they are only being prompted for bar association information, not an OpenID URL
• Construct of the OpenID URL from the bar association information given by the user. How that information is built into a OpenID URL is likely to be specific to each bar association. It would be nice (as a followon effort, perhaps?) to have some pattern of construction that makes this process easier to implement for multiple bar associations. But initially, the construction rules need to be hardcoded (something like http://openid.calbar.ca.gov/<membership id>)
• Perform normal OpenID relying party functionality with the URL constructed above.
• Perform attribute exchange with the bar association to get membership and status information. The exact attributes (and identifiers for those attributes) is something that needs to be specified by the bar association - hopefully a standard set of identifiers would emerge (or could be proposed!)
• Display prominently the bar association verification associated with the bar member attorney. By creating an understanding among users that the verification is available, lack of verification associated with a user on the 3rd party site will both enhance the reputation and value of contributions by verified attorney users while also raising awareness about the risks around receiving legal advice and opinions from people who are not bar-accredited.  

The Benefits for All of Us

There's a famous cartoon whose caption is  "On the Internet, nobody knows you are a dog" This is the challenge for professionals online, whose opinion laypeople have to ability to judge. We certainly don't want to be getting legal opinions (even if not specifically in the context of a attorney-client relationship) from dogs, do we? I believe that when attorneys can carry proof of their professional status with them, their contributions will be more valued and they will be given more incentives (reputation, monetary) to contribute to the intellectual commons of the Internet, and provide a better service to the public at large.

We can do this now, without much effort, and the benefits are manifest. What do you think?

ADDENDUM

The Flow

Non-technical  readers may want to skip over this diagram.

There's been some recent announcements (here) about changes to the Twitter API and I thought I'd take this occasion to blog, in one place, the various thoughts I've had about what Twitter should do with their API:

Distinguish between Client Apps and Third Party Apps

Make a distinction between "client apps" and "third party apps" in the REST API so that the access rate caps can be treated differently.  "Client Apps" are apps that run in the domain of the one user whose credentials are being used (ie a desktop app).  These sort of apps generally have no good reason for hitting the API many times a second. "Third party apps"are accessing the API in an unauthenticated manner, or using the credentials of the user (ie a third party site like http://twitter.grader.com). These have a legitimate need for high volume access. 

Why is this distinction important? The answer is that the relationship between the developer and Twitter, Inc is different in the two cases. In the Client App case (such as a desktop app), the developer doesn't really care about high volume access, assuming the user isn't hitting reload an astounding number of times a second. A Third Party app developer, on the other hand, is the party that cares about rate limits. By partitioning these two types of relationships, you can segregate the market of REST API users, and implement different policies for them. You want to encourage both types of developers, but you do so in different ways. The current rate accessing policies, especially after the new caps were announced, are better tuned for Client App developers - so there's really nothing that needs changing for this segment of developers. Its the Third Party App developers, where much of the value of twitter is created, that need to be treated more predictably.

Give the Opportunity for Heavy API Users to Pay

Cap the number of requests to some reasonably large number, but offer tiers of access above that cap for pay.  Along with the increased caps, offer a modest for-pay support program for heavy use third party applications. (something like $20-$100 per month for each level of 10000 requests/hr) The idea here is not to punish heavy users, but rather create an incentive for Twitter to support them better.

Everyone comes out happier that way. If I'm building a business on the service infrastructure of Twitter, I want to know that I've got a relationship that matters to Twitter, my service provider. Whats a better way to build a relationship than a revenue stream! :)

Implement OAuth Already!

Implement OAuth for third party apps and require, as terms of service, that third party apps (as opposed to client apps, see below) do NOT collect username and passwords for users. OAuth is designed exactly for this scenario, and reduces greatly the exposure to illicit username and password capture.

In implementing OAuth, you'll also be requiring that applications (either third party or desktop) are explicitly identified as a party to the REST call interaction. This is a good thing! Instead of applications being anonymous parts of the infrastructure sitting beween you and the user (at least for "reads" in the API), applications can now be identified and managed (on the Twitter side). This presents new opportunities (as if you need them) for reaching out to your developer community and gives you more insite on the usage patterns that specific applications have.

Think of Yourself as Common Carrier - Don't Discriminate

While Twitter is legally far from being a "Common Carrier", act like you are, at least from the perspective of an API provider. While you support tiered levels of service from a support and volume point of view, do NOT offer that level of discrimination for functionality. The key here is that the innovation starts on the long tail - the "big end" of the curve pays for the extra level of volume and support to sustain the service, not to create special functional access only for those who can pay. The little guys using the REST API should be able to be "big guys" simply by participating in the for-pay program when its in their interest, and not as a way to get access to an exclusive club of functionality.

I just liked seeing that in words: President Obama.

There's so much emotion in the people around me. Its unlike anything I've ever seen.

Tomorrow, we get to work. But today, we celebrate.

President-elect Barack Obama. I can't put it into words. So I won't for now.

YES WE DID!