Microformats and decentralized online currencies

Most people are probably aware of the announcement by Google (following Yahoo’s announcement) that they would be supporting microformats.

What is really interesting to me is what this means for online currencies.

If you look at an hReview, what it is fundamentally is a declaration of positive (or negative) experience, measured as a number between 1.0 and 5.0, about an item, which someone publishes on the Web anywhere he/she wants. An aggregator like Google in turn collects these declarations and computes an average rating. The reviewer does not need the authorization of the reviewed item to publish the review.

The hReview also names the item reviewed, and that name typically includes a link (URL), which can be viewed as one of the identifiers of the reviewed item on the Web. It might be the restaurant’s own homepage, or it might be a description of the item on a review Web site such as Yelp (here the Yelp URI of a Thai restaurant where I live).

In the payment world, there is already a payment application that allows you to donate/pay money without the other person having registered: TipJoy. The way it works is that you donate to URLs on the Web. Just like an hReview, the recipient does not have to be registered with TipJoy for others to tip them. If and when they eventually register, they can claim their money by inserting a TipJoy tag with their username in the HTML of their Web page. Twollars followed a similar process but with Twitter names instead of Web URLs, but Twitter names are also URLs…

So the general pattern of Twollars, TipJoy and hReview is that you give to, or review, a URL.

This could work for a really open monetary architecture:

  • People would write somewhere on the Web (typically a Web space they own) an hReview-like statement that they give a number of units of currency to someone else. For instance: <span class="hPay"><span class="give">Given</span> <span class="amount"><span class="value">20</span> <span class="currency" title="us.ca.sf.bh">BH$</span></span> to <a class="to fn url" href="http://www.yelp.com/biz/blue-elephant-thai-san-francisco">Blue Elephant restaurant</a></span> (Note that they could write it manually, but most likely they will use a form that generates it for them. The machine-readable currency identifier lives in the title attribute, the displayed symbol in the element text.)
  • An aggregator would find this statement, either by crawling the Web or, if it is published on a blog, via an RSS ping. The aggregator would typically compute balances (positive and negative). In a mutual credit model, people’s balances would be allowed to go negative; in a traditional government-issued currency they would not, and people would have to borrow at interest instead.
  • Receivers may claim some of the URLs through a process similar to the one used by TipJoy.
  • Users may publish back their balances via a widget on their Web site.

What is great about this model is that anyone can start playing, and even create their own currency, very easily.

More importantly, you can have several accounting services tracking hPay statements and computing balances. You don’t need an account at a bank: your Web site is your bank account. What an accounting service does is simply authenticate that you own the space where you published transactions, and keep tabs. The whole scheme therefore stands or falls on that ownership check: a statement should only ever move units out of the account of the space that published it.

There are several issues:

  • Currency creation: Where do we register new currencies so that accounting services can distinguish different currencies? Three-letter ISO 4217 codes are too limited to support millions of currencies. We need something like what I used above, “us.ca.sf.bh”, which would allow new currencies to be easily created out of existing ones simply through forking.
  • Currency rules: different currencies have different rules. Some will allow negative balances of any amount, some won’t allow anything below zero, some will allow negative or positive balances within limits (e.g. 5,000). These rules must be encoded in a formal language, published to accounting services and participants, and associated with the name of the currency. Eric Harris-Braun and Arthur Brock have already explored this topic extensively.
  • Refusal: how does a recipient refuse a given currency amount? (Another currency rule, by the way.) This assumes that the recipient can be notified that their URL was mentioned, which is essentially a linkback.
  • Security, in particular:
    • Authentication: how do we make sure that posted statements indeed come from the person owning the resource?
    • Authorization/Privacy: how do we ensure that not all of my transactions are public, but visible only to those I transact with and to as few trusted, reputable intermediaries as possible? OAuth could be useful here if the resources can be easily segmented and tokens can be issued to groups at once.
    • Non-repudiation/Traceability: how do we prevent people from deleting hPay statements after the fact, or at least make such deletions detectable?
    • etc.
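As an added example (this is not code from the post, nor from TipJoy or any aggregator), here is a minimal hPay aggregator in Python that ties the sketch above to the currency-rules and authentication points. It assumes the class names from the example markup (hPay, value, currency with the identifier in its title attribute, to), a hypothetical currency registry keyed by the dotted identifier with a minimum-balance rule per currency, and the rule that the giver of a statement is the owner of the page it was crawled from, so a page can only spend from its own account. The sample pages and the claim mapping (the restaurant claiming its Yelp URL for its own web space) are constructed for the example.

```python
"""Added example, not code from the post: a minimal hPay aggregator.
Assumed (hypothetical): class names hPay/value/currency/to as in the sketch,
a currency registry with a minimum-balance rule, and giver = page owner."""
from collections import defaultdict
from dataclasses import dataclass
from html.parser import HTMLParser

# Hypothetical currency registry: dotted id -> rules that the aggregator enforces.
CURRENCIES = {
    "us.ca.sf.bh": {"min_balance": -100.0},  # mutual credit with a bounded overdraft
    "us.usd": {"min_balance": 0.0},          # no negative balances at all
}

@dataclass
class Statement:
    giver: str      # URL of the page the statement was published on
    receiver: str   # href of the "to" link
    value: float
    currency: str   # machine-readable id taken from the title attribute

class HPayParser(HTMLParser):
    """Pulls hPay statements out of one page's HTML; malformed ones are dropped.
    Tracks open elements on a stack, so it assumes the markup is balanced."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.statements = page_url, []
        self._open = []        # class sets of currently open elements, innermost last
        self._cur = None       # fields of the hPay being read, if any
        self._in_value = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        classes = set((a.get("class") or "").split())
        self._open.append(classes)
        if "hPay" in classes:
            self._cur = {"value": "", "currency": None, "to": None}
        elif self._cur is not None:
            if "value" in classes:
                self._in_value = True
            if "currency" in classes:
                self._cur["currency"] = a.get("title")
            if "to" in classes and tag == "a":
                self._cur["to"] = a.get("href")

    def handle_data(self, data):
        if self._cur is not None and self._in_value:
            self._cur["value"] += data

    def handle_endtag(self, tag):
        if not self._open:
            return
        classes = self._open.pop()
        if "value" in classes:
            self._in_value = False
        if "hPay" in classes and self._cur is not None:
            c, self._cur = self._cur, None
            try:
                value = float(c["value"].strip())
            except ValueError:
                return  # unparsable amount: ignore the statement
            if value > 0 and c["currency"] and c["to"]:
                self.statements.append(Statement(self.page_url, c["to"], value, c["currency"]))

def aggregate(pages, claims):
    """pages: {page_url: html} in crawl order; claims: {claimed_url: account_url}.
    Returns ({currency: {account: balance}}, [(statement, reason) for rejected ones])."""
    balances = defaultdict(lambda: defaultdict(float))
    rejected = []
    for page_url, html in pages.items():
        parser = HPayParser(page_url)
        parser.feed(html)
        for s in parser.statements:
            rules = CURRENCIES.get(s.currency)
            if rules is None:
                rejected.append((s, "unknown currency"))
                continue
            giver = claims.get(s.giver, s.giver)          # the publishing space pays
            receiver = claims.get(s.receiver, s.receiver)  # claimed URLs resolve to an account
            if balances[s.currency][giver] - s.value < rules["min_balance"]:
                rejected.append((s, "would breach minimum balance"))
                continue
            balances[s.currency][giver] -= s.value
            balances[s.currency][receiver] += s.value
    return balances, rejected

def _hpay(value, cur_id, cur_sym, href, name):
    """Builds one statement in the markup sketched in the post (used for sample input)."""
    return (f'<span class="hPay"><span class="give">Given</span> '
            f'<span class="amount"><span class="value">{value}</span> '
            f'<span class="currency" title="{cur_id}">{cur_sym}</span></span> to '
            f'<a class="to fn url" href="{href}">{name}</a></span>')

# Constructed sample crawl: two personal web spaces publishing hPay statements.
YELP = "http://www.yelp.com/biz/blue-elephant-thai-san-francisco"
SAMPLE_PAGES = {
    "http://alice.example/": "<p>" + _hpay(20, "us.ca.sf.bh", "BH$", YELP, "Blue Elephant") + "</p>"
        + "<p>" + _hpay(50, "us.usd", "USD", "http://bob.example/", "Bob") + "</p>"
        + "<p>" + _hpay(5, "zz.fake", "Z$", "http://bob.example/", "Bob") + "</p>",
    "http://bob.example/": "<p>" + _hpay(30, "us.ca.sf.bh", "BH$", "http://alice.example/", "Alice") + "</p>",
}
SAMPLE_CLAIMS = {YELP: "http://blue-elephant.example/"}  # TipJoy-style claim of a URL

if __name__ == "__main__":
    bal, rej = aggregate(SAMPLE_PAGES, SAMPLE_CLAIMS)
    for cur, accounts in bal.items():
        print(cur, dict(accounts))
    for s, why in rej:
        print("rejected:", s, why)
```

On the sample crawl, Alice’s 20 BH$ to the Yelp URL lands on the restaurant’s claimed account, Bob’s 30 BH$ to Alice goes through because the BH$ rule allows a bounded overdraft, Alice’s 50 USD is rejected because her USD balance would go below zero, and the statement in an unregistered currency is rejected outright. Balances depend on crawl order, which is exactly why a real accounting service would need the ordering and non-repudiation properties listed above.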

Quite a lot to think about. Some of these items will be the topic of future posts.

Mint.com: a perfect banking use case for OAuth

Mint.com provides a free service which, with your authorization, connects to your bank(s), retrieves your account information and all your transactions, and provides value-add services on top of the data. In particular, it shows you where your money is spent and gives you hints on how you could save money. I personally think it is a superbly designed UI to the user data held at banks, which shows how much value there is to unlock, and also how startups can sometimes be so much more efficient at delivering innovative services than the banks themselves. Yodlee, a partner of Mint.com, was a dot com era example of this, and Mint.com might be its Web 2.0 equivalent.

One problem is that Mint.com requires you to provide your actual username and password for your bank’s online banking service, the very credentials you use not just to view transactions but also to make payments, transfers, etc. This approach has several drawbacks. One is that the user can be legitimately concerned about what would happen if these credentials were compromised. Right now, Mint.com reassures its customers by saying: “We don’t store your info, Yodlee does”.

Another problem is that every time your online banking username or password changes, Mint.com stops working until you reconfigure it:

Mint.com screenshot showing: wrong username/password

Not very convenient. Add to this the fact that you can’t have any guarantee of what happens to your username/password when you want to terminate your relationship with Mint.com/Yodlee, and you may feel like you won’t use this application for now.

An implementation of the OAuth protocol between Yodlee/Mint.com, the user and the bank could solve all of these problems at once, and would certainly further drive user adoption.

OAuth describes itself as a protocol for “secure API authentication”, but a better way to put it is that OAuth is a way for users to grant controlled access to their data hosted at online service A to another online service B. To use the car metaphor, if your data at online service A were a car, and online service B were the valet, OAuth would be the way for the valet to ask you for your car’s valet key, with which he can only drive a few miles and can’t open the trunk, and the way for you to hand him that key. In security jargon, OAuth lets you delegate capabilities on your data to other applications in the form of tokens: authorizations to do specific things with specific data, issued by service A once you have approved them on A’s own site. The beauty of it is that because the token carries your approval, service B can present it to access your data at service A (signing each request with its own consumer secret and the token secret, never with your password) without you ever giving your identity credentials (typically username/password) to service B.

Coming back to the Mint.com/Yodlee use case, here is how it would work:

  • The user would go to Mint.com and ask it to access his data at the bank.
  • Mint.com would request from the bank a request token for a specific capability, for instance retrieving transaction data.
  • Upon receiving this request token, Mint.com would redirect the user to the bank’s token authorization page.
  • The user would then authorize the token there (logging in at the bank first if he is not already logged in); the bank, not Mint.com, checks his password.
  • Mint.com would then exchange the request token for an access token, and access the user’s data as it requested and as the user authorized, until the token is revoked or expires.

Here are the benefits of OAuth for the user in this use case:

  • Mint.com/Yodlee never know the username/password used to log in at the bank.
  • When the user changes his username/password, Mint.com/Yodlee can still retrieve transaction data.
  • When the user decides to terminate the relationship with Mint.com/Yodlee, he knows they don’t have his username/password and he knows that they can’t access his data anymore.
  • When you don’t want to use Mint.com/Yodlee anymore, you can simply invalidate
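The flow and the benefits above, as an added example that is not the post’s code nor anything from Mint.com, Yodlee or a bank: a self-contained Python simulation of the OAuth 1.0 three-legged flow, with the bank as service provider and Mint.com as consumer, where every request is signed with HMAC-SHA1 over the signature base string as OAuth 1.0 specifies. Everything concrete is made up for illustration: the https://bank.example endpoints, the user alice and her password, the one sample transaction, and a scope parameter (not part of OAuth 1.0 core, but the kind of thing a bank would add) that limits the token to reading transactions, i.e. the valet key.

```python
"""Added example, not the post's or Mint.com's code: OAuth 1.0 three-legged flow
simulated end to end. Endpoints, users, passwords, transactions and the scope
parameter are all hypothetical."""
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

BANK = "https://bank.example"  # hypothetical service provider base URL

def _pct(s):
    return quote(str(s), safe="~")  # RFC 5849 3.6 percent-encoding

def base_string(method, url, params):
    """RFC 5849 3.4.1 signature base string (oauth_signature itself excluded)."""
    pairs = sorted((_pct(k), _pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), _pct(url), _pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed by consumer secret and token secret; no user password involved."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

class Bank:
    """Service provider: the only party that ever sees the user's password."""
    def __init__(self, consumers):
        self.consumers = consumers                      # consumer_key -> consumer_secret
        self.users = {"alice": "correct horse"}         # constructed user
        self.transactions = {"alice": [("2009-05-01", -42.10, "grocery")]}
        self.req, self.acc, self.nonces = {}, {}, set()
    def _verify(self, url, params, token_secret=""):
        csec = self.consumers.get(params.get("oauth_consumer_key"))
        nonce = params.get("oauth_nonce")
        if csec is None or nonce is None or nonce in self.nonces:
            return False
        self.nonces.add(nonce)                          # replay protection
        expected = sign("GET", url, params, csec, token_secret)
        return hmac.compare_digest(expected, params.get("oauth_signature", ""))
    def request_token(self, params):                    # step 2
        if not self._verify(f"{BANK}/oauth/request_token", params):
            raise PermissionError("bad consumer signature")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.req[tok] = {"secret": sec, "scope": params.get("scope"), "user": None}
        return tok, sec
    def authorize(self, token, user, password):        # step 4, at the bank's own page
        if self.users.get(user) != password or token not in self.req:
            raise PermissionError("login failed or unknown token")
        self.req[token]["user"] = user
    def access_token(self, params):                     # step 5
        r = self.req.pop(params.get("oauth_token"), None)
        if r is None or r["user"] is None or not self._verify(
                f"{BANK}/oauth/access_token", params, r["secret"]):
            raise PermissionError("request token not authorized or bad signature")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.acc[tok] = {"secret": sec, "user": r["user"], "scope": r["scope"]}
        return tok, sec
    def get_transactions(self, params):
        a = self.acc.get(params.get("oauth_token"))
        if a is None or not self._verify(f"{BANK}/api/transactions", params, a["secret"]):
            raise PermissionError("invalid or revoked access token")
        if a["scope"] != "transactions:read":
            raise PermissionError("token not scoped for this capability")  # valet key limit
        return list(self.transactions[a["user"]])
    def revoke(self, user, token):
        if self.acc.get(token, {}).get("user") == user:
            del self.acc[token]

class Consumer:
    """Mint.com: holds only its own credentials and the tokens the bank issued."""
    def __init__(self, key, secret, bank):
        self.key, self.secret, self.bank = key, secret, bank
        self.req = self.acc = None
    def _signed(self, url, extra, token_secret=""):
        p = {"oauth_consumer_key": self.key, "oauth_nonce": secrets.token_hex(8),
             "oauth_timestamp": str(int(time.time())), "oauth_signature_method": "HMAC-SHA1",
             "oauth_version": "1.0", **extra}
        p["oauth_signature"] = sign("GET", url, p, self.secret, token_secret)
        return p
    def start(self):                                    # steps 2-3: token, then redirect URL
        self.req = self.bank.request_token(
            self._signed(f"{BANK}/oauth/request_token", {"scope": "transactions:read"}))
        return f"{BANK}/oauth/authorize?oauth_token={self.req[0]}"
    def finish(self):                                   # step 5
        self.acc = self.bank.access_token(
            self._signed(f"{BANK}/oauth/access_token", {"oauth_token": self.req[0]}, self.req[1]))
    def fetch_transactions(self):
        return self.bank.get_transactions(
            self._signed(f"{BANK}/api/transactions", {"oauth_token": self.acc[0]}, self.acc[1]))

def demo():
    """Runs the flow; returns (first fetch, fetch after password change, revoked?)."""
    bank = Bank({"mint": "mint-secret"})
    mint = Consumer("mint", "mint-secret", bank)
    token = mint.start().rsplit("=", 1)[1]            # what the browser carries to the bank
    bank.authorize(token, "alice", "correct horse")   # password typed at the bank only
    mint.finish()
    first = mint.fetch_transactions()
    bank.users["alice"] = "new password"              # access survives a password change
    second = mint.fetch_transactions()
    bank.revoke("alice", mint.acc[0])                 # the user ends the relationship
    try:
        mint.fetch_transactions()
        return first, second, False
    except PermissionError:
        return first, second, True

if __name__ == "__main__":
    print(demo())
```

Two things worth noticing in the run: the Consumer object never handles a password at any point, and the only two inputs to every signature it produces are its consumer secret and a token secret the bank issued, so the bank can cut access by forgetting the token without touching the user’s login.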

The big question is: how much work would be involved at banks and Yodlee to support OAuth, and in particular, what would they have to change?

What business model for decentralized social networks? decrypting Matt Mullenweg’s recent keynote

Decentralized social networks seem to be the talk of the town these days (in tech circles at least). Blogger Robert Scoble has given attention and created a minor scandal of a Facebook policy that forbids the use of scripts to extract data from Facebook Web pages (Note: Facebook just recently allowed accounts to be closed). Around the same time project DiSo has started with the goal to build a decentralized version of Facebook based on the open source WordPress personal publishing platform, and workgroup DataPortability.org has kicked off to define best practices to make personal data easily movable, reusable, remixable, etc. across Web services. Just two days ago at his Northern Voice 2008 keynote, Matt Mullenweg, creator of WordPress, seemed to be almost hinting at what his company was up to with their recent $29.5M round of funding: a better, open-source alternative to closed social systems like Facebook that would use social filters to bring more relevant content.

Matt Mullenweg at Northern Voice 2008

As I mentioned in my previous post on business platforms of Web companies, one key aspect of these business platforms is that “they retain control over who gets to see the information and how”. Having a point of mediation is an essential part of online capitalism. Without it, there is no point of value extraction and no big business.

The natural question then is: if so many techies are excited about the inevitable advent of decentralized and portable social networks and related personal data, and if that means essentially that there is little point of control anymore for these Websites, how are businesses going to make big money out of this?

If we put aside the ad-based revenue model that Matt M. does not seem too keen on, as well as the “pro account” business model that would expand on some existing commercially available pro services, as well as the usual ways of making money with open source, here are two models that I think could work:

  • Relevancy services: This would be an expansion of services such as Akismet, WordPress’ spam filtering service, which is currently free for personal use. Matt insisted strongly in his keynote that content relevancy (i.e. no spam) is really what users value, and that spam from bad users is what kills social systems. Perhaps a high-quality filtering system that combined the Akismet filter with a social filter (a filter based on your social graph) is something people would be ready to pay for.
  • The ring tone business model. This model consists of deriving transaction fees from digital goods sold on WordPress.com, such as themes and widgets. Because WordPress.com knows which blogs use which themes and widgets, this would be easily done there. It may be a bit harder for users of the WordPress open source software itself. This would be the equivalent of the ringtone business. Matt Mullenweg himself revealed that “People want their online presence to be an expression of themselves and in that regard, being able to customize the design is critical”. Matt even compared a blog to a school locker, which is typically heavily personalized.

This list is not meant to be exhaustive, but only seeks to start a discussion on a subject that is getting more and more relevant. I would be curious to see what others think.

Thoughts on some 24C3 sessions

24C3 is the 24th Chaos Communication Congress, a 4-day conference I came across through this post at the always awesome We make money not art. All sessions were videotaped and are available to download.


I absolutely recommend the presentation given by Drew Endy on DNA programming. In a nutshell, Drew views DNA as an evolved program in some poorly documented machine language and shares his experience reverse-engineering this program, synthesizing DNA and uploading it to a cell i.e. “hacking biology”.

The session Paparazzi – The free autopilot is about how anyone can build a cheap version of the $1M UAVs/drones monitoring every one of us 24/7. Quite interesting for anyone with an interest in aviation. The cool thing is that the drone is literally remotely controlled via open source software you can find here. You can assign a flight plan to the drone and it will follow it. The platform is packed with sensors that allow remote control and capture of data (videos, pictures). I hope these guys talk with the OpenStreetMap people: how cool would it be to use this platform to capture views from the sky at a much higher resolution than satellites can provide.

I also watched the session Hacking ideologies, part 2: Open Source, a capitalist movement. There were a few shocking comments in there, but I was glad to get a refresher on the nature of capitalism from the very sharp Dmytri Kleiner:

“Capitalism is not so much about creating money or wealth. What creates wealth is work. Capitalism is about making money from other people’s work. It isn’t about money creation but about money extraction. […] The kind of information that capitalism is interested in is information that increases productive capacity. More productivity is more money to extract. The kind of information that capitalism is not interested in is information that is not about increased productivity, or information that questions the system, or information about the nature of capitalism. […] P2P offers no point of mediation where value can be captured, but at the same time p2p has to be financed by some wealth accumulation.”

This last point particularly resonated with me since I’m a big believer in decentralized social networks. I’m curious to see how a promising project like the DiSo project will resolve this chicken-and-egg problem: to finance a decentralized system, you need accumulated wealth, but to attract accumulated wealth you need a point of mediation where you can extract value, which you don’t have in a decentralized system.

One way may simply be some form of public funding. After all, if we didn’t have ARPA, we would probably all be surfing AOLNet or MSNNet these days.

Anyway, this conference is clearly politically incorrect in many ways, but it is awesome and I recommend that everyone watch some of these sessions!