Ironically, the same day I write about how OpenID needs to support emails in order to make itself more accessible to people, Kevin Marks, Scott Kveton, and Chris Messina write about moving to a URL-centric identity. We are usually on the same page but on this I could not disagree more.
Imagine I taped this note to my mailbox (no, not my SMTP mailbox – my real USPS mailbox – you know, that thing outside my house I get sticky NetFlix envelopes in that cost the postal service $61.5M):
You are hereby requested to honor this mailbox TOS, and validate that envelopes come from a known Facebook or LinkedIn friend before putting them in. Failing to do so will put you in violation of my TOS.
Oh wait, there is no black/white listing or TOS for snail mail, other than don’t send bombs and pay for stamps. You get what people send you. And you know what, except for some dead trees, it seems to be doing its job.
Let’s try this little experiment. Walk to a person near you and tell them your cell phone number. Only say it in groups of 3 digits, 2 digits, and 5 digits. Something like 973-95-46273 (which is my real cell phone in case you are wondering). See what happens. Chances are, if they are Americans they will have no clue what you just said. Yeah, see that puzzled look? Did they just ask if that is your social security number? People have habits and patterns and not respecting them usually breaks stuff. For example in Israel, there is no one way to say a phone number. Any grouping works.
If I had to choose a single online identity, it would be my email address. I would use it before my domain name, website, XRI, and OpenID, and I’ve got them all. Why? Because it is what we have worked so hard to educate people about for over 30 years. Sure, it didn’t really pick up until the mid 90’s but even that is over 10 years ago. My first business card had my email address with the ‘@’ and ‘.net’ embossed without ink. So at first it looked like just my lowercase name, but a close look showed it was also my email address. This was 1993.
As a user, I want two things: to use my email address as my online identity, and to make sure I don’t get so much spam that it becomes useless as a way to reach me. As a geek, I want to solve this by addressing each problem, and inventing as little as possible. First, we need the technology to get from an email address to something that can hold structured data about me. Ok, we can map emails to OpenIDs, we can use XRI resolution with some small adjustment, or we can use one of the many other distributed mapping systems we have in place. Great. Me the user gets to identify myself with my email address and computers in the background use it to discover everything else I made public about me.
As for spam, well, the solution is definitely not another protocol for asking/granting permissions to contact me. It is not using social networks to limit access to me to my friends. I was recently told by an investor that he can only be contacted via Facebook. To me that is ridiculous. For most people, spam is the emails their friends send them with promises to get money if they forward it to 10 other people. For me spam is getting Facebook and LinkedIn requests from people I met once and talked to for 5 minutes at a conference, or never even met at all. They read my blog and decided we should be “friends”.
My email address has not changed in 15 years. It is public everywhere and I can’t imagine any evil marketing company not having a copy by now. And yet, with the advancement in spam control and the deployment of blacklists for SMTP gateways that disallow such abuse, I get less than 10 junk emails a day, and even those are caught by Outlook. Spam does not bother me, and there are plenty of great tools in place if it does bother you. Just use a gateway that requires people to white-list themselves. We really don’t need any new system, OpenID/OAuth-based or not.
OpenID has the challenge of educating people about what it is, why it is good for them, and how to use it. Just because of some initial technical limitation of the workflow, where URLs made things simple and workable, doesn’t mean humans now need to use URLs. To me the right solution is less technology, not more (i.e. i-names). We have worked hard to educate people about what an email is, and what a web address is, and even what a URL is. Why not capitalize on this a little bit before we go confuse everyone all over again?
How we got away with getting people to type ‘http://www.’ before any web address is beyond me. Hey, remember gopher? But just because we got away with it doesn’t make it right. It is wasteful and it is counterintuitive. This is just like developers refusing to use new and shiny development environments and preferring to stay “hardcore” with vi. How is it bad that when I type a class name I get a contextual list of its members? If technology can make things easier, we should use it.
Some will argue that we educated people about emails, and we can do the same with URL identifiers. True. But I am not starting another 15 years of effort. It is simply not necessary. We can turn an email address into anything we want so machines can do smart things, and people can do what they already know how to. And we can prevent that email from being abused by applying existing technology and the law. Two separate problems with two separate solutions.
This is not about being against URL identifiers or XRI. Both are valuable, cool technologies which are only going to be more important as we move forward. But just because we geeks can type weird syntax doesn’t make it user-friendly. This is where we lose the interest and support of all those people we claim to be trying to help “free”.