Diaspora website redesign, now with more info about the project

45 points by ique almost 15 years ago

18 comments

mdasen almost 15 years ago
Here's the question I'm left with which has no answer on the site: how will a distributed social network keep my private data private?

I understand how one can build secure communications. That part is easy. So, I have a Diaspora account with "Awesomea" and you have a Diaspora account with "Crapula". It's easy to have communications between Awesomea and Crapula be secure. However, when you visit your Crapula page, you want to see my updates which means that Crapula needs to be able to decrypt my updates. Even if you have a different key for each user (à la public key encryption), for wide adoption the service providers (in this case, Awesomea and Crapula) need to be able to encrypt and decrypt that information (which means they hold the keys).

So, if I friend you and you're using Crapula, I need to trust both you and Crapula that you won't do bad things with my data.

Part of this is that the Diaspora project doesn't seem to have any technical information. They have lofty goals like, "you own your social graph, you have access to your information however you want, whenever you want, and you have full control of your online identity." However, they have scant information on how they plan to accomplish that. They say they're using GPG, but are they going to have a browser plugin with locally stored keys to decrypt the information? That's the only way I can see this being secure. If you're storing your key with Crapula and it's decrypting my information, it can store it as well as show it to you.

Even if the design is to use locally stored keys, what's to stop a provider from offering a "better" (better, in this case, means easier for non-tech-inclined users) Diaspora-compatible server which stores them on the server? And then I have to audit my friend requests to see how their server has set up security?

It's kinda like handing a friend a classified document and a photocopier. You tell them "please don't copy this" and they probably won't. But in this case you're handing that classified document to Crapula and saying "pass this along to my friend and don't copy it along the way". Yes, Facebook has that ability too, but it's one company that has a reputation to defend (to an extent) as well as a legal presence in the United States (which is good for me as a US citizen) and by posting in the first place I'm trusting them with that data. With Diaspora, I could start getting friend requests from all sorts of services run by people a lot shadier than the Facebook folk and I now have to deal with dozens of privacy policies rather than one.

BTW, this is probably the comment that I would most like to be proved wrong on. I want distributed, secure social networking that puts me in control of my data. It's just that I don't see how it works and the Diaspora website doesn't have any information on it either. If someone here knows how this will work, I'd love it! It's an exciting prospect, but I feel like it's the same as DRM: if people can read it/see it/hear it, it can be copied. Likewise, if a service provider is printing it on screen for one of their users, they can store it. If anyone has technical information on how this works, it would be really awesome!
jschuur almost 15 years ago
Let's just focus on one thing that many people are used to: the news feed.

Say I want to find out what all my friends are up to lately. Since this information doesn't live in a (more or less) central place any more like it used to on Facebook, I need to go out and contact each node (in an encrypted, secure way) that my friends run/pay to host on an ISP and ask them, what they're up to lately. That information then gets merged by my local node (that I presumably access to view a news stream) and displayed to me.

Isn't that more than a bit inefficient? Hundreds of friends, means hundreds of connections going out, to grab friend updates, each with encryption overhead. And all those nodes have to be up and running of course.

OK, so let's assume your own node is smart enough to cache these updates. Maybe it even gets updates pushed to it when my friends update, so it's not constantly polling all of them in search for updates. That means if my friend withdraws permission to see their updates, I still have access to their cached info local to my own node.

So perhaps there's also a push update system that handles revocation. You remove permissions and send another message to those affected to forget your info. But what if I run a modified node that chooses to ignore this information? The whole thing is open source and anyone can tinker with their node code. Say I friend a malicious entity, decide I don't like them anymore, and take back their access. It could be too late.

See, this is the kind of technical detail I was hoping for. Real life examples and a vague outline of how they're going to tackle them.
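The push, cache and revocation flow raised in the comment above, modeled as an added example (not part of the thread and not Diaspora's code). It assumes a hypothetical design in which the author shares one audience key with followers and rotates it on revocation; `FollowerNode`, `AuthorNode` and the SHAKE-256 toy cipher are constructed for illustration and stand in for real encryption such as GPG.

```python
import hashlib, hmac, secrets

def _xor(key, nonce, data):  # constructed toy cipher (SHAKE-256 keystream), not real GPG
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))
def seal(key, text):
    nonce = secrets.token_bytes(16)
    body = _xor(key[:32], nonce, text.encode())
    return nonce + body + hmac.new(key[32:], nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    ok = hmac.compare_digest(tag, hmac.new(key[32:], nonce + body, hashlib.sha256).digest())
    return _xor(key[:32], nonce, body).decode() if ok else None  # None: wrong key or tampering

class FollowerNode:
    def __init__(self, honors_revocation):
        self.honors_revocation, self.key, self.cache = honors_revocation, None, []
    def receive_post(self, blob):
        if (text := unseal(self.key, blob)) is not None:
            self.cache.append(text)  # plaintext now lives on the follower's node
    def forget(self):
        if self.honors_revocation:  # a modified node simply skips this
            self.key, self.cache = None, []

class AuthorNode:
    def __init__(self, followers):
        self.followers = list(followers)
        self._rekey()
    def _rekey(self):
        self.key = secrets.token_bytes(64)  # fresh key, given only to current followers
        for node in self.followers:
            node.key = self.key
    def post(self, text):
        blob = seal(self.key, text)
        for node in self.followers:
            node.receive_post(blob)
        return blob
    def revoke(self, node):
        self.followers.remove(node)
        node.forget()  # advisory: the author cannot verify the node complied
        self._rekey()  # rotation protects later posts only

def scenario():
    friend, honest, modified = FollowerNode(True), FollowerNode(True), FollowerNode(False)
    author = AuthorNode([friend, honest, modified])
    author.post("at the beach")
    author.revoke(honest)
    author.revoke(modified)
    later = author.post("new job")  # assume a revoked node still obtains the ciphertext
    return friend.cache, honest.cache, modified.cache, unseal(modified.key, later)
```

In `scenario()`, the revoked node that ignores the forget message keeps its cached copy of the earlier post but fails to decrypt the later one, so rotation limits future exposure without recalling what was already delivered.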
agentultra almost 15 years ago
I've been particularly impressed with their amazing ability to avoid mentioning any details about the project's implementation.

The following is a list of features the future might bring (if I understand the project page correctly: http://www.joindiaspora.com/project.html)

*OpenID*

I assume this is the standard they will use for authentication? What about this encryption business? Do they intend to modify the OpenID protocol to do some sort of challenge/response step and exchange keys?

*Voice-over IP*

I'm at a loss for what this means or how it is important to the project. Are they implementing a specific protocol, using a particular library, or are they going to attempt rolling their own system?

*Distributed Encrypted Backups*

Backups of what? Distributed why? How?

*Instant Messaging protocol*

There are a plethora of existing protocols they could use. Since they haven't specified a particular one, does it mean they haven't decided which one to use yet? Are they planning to build their own "encrypted" protocol? Magic?

*UDP integration*

Whoa. Integration. With UDP? Mind-blowing. I'm assuming that they'll be building the broad-casting bits of the P2P architecture on UDP. It's what most distributed, encrypted P2P networks do.

Oh right, there are already dozens of them and have been for years. I guess these kids are just too young to remember:

- http://en.wikipedia.org/wiki/WASTE
- http://office.microsoft.com/en-us/groove/default.aspx (before it got bought by MS and turned into corporate turf)
- soulseek, gnutella, freenet, etc.

Wonder how they're planning to break that extra 10x
zaidf almost 15 years ago
*We are 140-character ideas. We are the pictures of your cat. We are blog posts about the economy. We are the collective knowledge that is Wikipedia. The internet is a canvas – of which, we paint broad and fine strokes of our lives with. It is a forward extension of our physical lives; a meta-self comprised of ones and zeros. We are all that is digital: If we weren’t, the internet wouldn’t either.*

sounds like pr-speak.
eagleal almost 15 years ago
What people here might really wanna know is that the *source code* will be released *under AGPL* (you must let your users download the source of the program they're running).

In my opinion for boosting commercial adoption, an MIT license is truly needed. I know it's not in their interest to do so (they plan to build a wordpress.com-like hosting).
jlangenauer almost 15 years ago
The Diaspora guys have missed the problem completely: the issues are not technical ones - the major problems here have been solved.

The issue is UX: Nobody - and certainly not Facebook - has come up with an effective interface that allows us to manage our interactions online with the fidelity that we want. And I doubt that these four kids are going to come up with a spell-binding piece of design that does this. They seem to be Ruby programmers, and certainly not designers - graphical, UX or otherwise if one is to judge by their website.

Far deeper analysis of the problem is needed than the reactionary "Facebook are arseholes, they're acting like a big corporation". The details of how we create multiple online publics[1] for ourselves, how we relate to them, and understand them is key to building any sort of infrastructure to manage those publics. The Diaspora guys seem to be treating this as purely a technical problem, when it most certainly is not.

[1] It's the other side of the coin to having multiple online identities, but to me, makes a bit more sense as a conceptual model for what we're dealing with.
andrewvc almost 15 years ago
Wouldn't it suck if you were some kid with a lot of ambition, and some huge ideas, who tried to bite off more than he or she could handle, all while the world watched and encouraged you? Wouldn't it suck if you felt a real obligation to see through to some half-baked idea you came up with in your early 20s?

I have sympathy for the Diaspora guys, I think if it went unnoticed and unfunded it could be a great learning project for some young coders, even if it didn't achieve practical success. Instead, it'll likely be (already is) a public embarrassment.

If I could give the Diaspora guys one bit of advice, I'd say this, don't take this too seriously; treat it like a fun summer project. The last thing you want to be is the next freenet (no offense Freenet guys, awesome concept, but it never really caught on).
pavs almost 15 years ago
The complete lack of technical information is dumbfounding.
heresy almost 15 years ago
Your $200,000 at work.
godiaperoa almost 15 years ago
seems like they're already slipping on their promises and they haven't even started development yet: http://twitter.com/joindiaspora/status/14146589639

what are they spending all their time doing?
pclark almost 15 years ago
Doesn't render well on iPhone. And do they not own the -join.com?
pedalpete almost 15 years ago
how did they go from having a nice visual & simple logo http://www.facebook.com/album.php?profile=1&id=118635234836351#!/photo.php?pid=147415&id=118635234836351

to having this horribly designed website?

They likely didn't even need to use the money they have to get a half decent design.

This is not instilling much confidence in these guys.
tewks almost 15 years ago
The typography is pretty bizarre.
eavc almost 15 years ago
I'm perfectly okay with them being fairly scarce with information until they have something built.

They surely have high caliber advisers at this point. The peanut gallery probably wouldn't be all that helpful as they try to lay the first foundations.

Once there's something complete to react to and build on, they'll release the code.
sebastian almost 15 years ago
If the project takes off and has mainstream adoption I couldn't wait to see an MIT-licensed Django clone.
dmpatierno almost 15 years ago
As if they needed another blow to their already tenuous credibility, the site doesn't even validate.

http://validator.w3.org/check?uri=http%3A%2F%2Fwww.joindiaspora.com

I have zero confidence in this group.
tkahn6 almost 15 years ago
It took me a few seconds to realize the CSS had completely loaded.
ddemchuk almost 15 years ago
well at least we know they have 200k to spend on a good designer now :)