Recovered from the Wayback Machine.
Six Apart has released its pre-launch’ FAQ about TypeKey, and everything I expected about the service has been confirmed. I have no doubts that when MT 3.0 releases, we’ll see masses of people rush to enable TypeKey in their weblogs so they rest assured at night that only the proper sort of comments need appear when they are not there to maintain the necessary vigilance to protect their weblogging homes from dastardly introducers.
Discussing the issues of registration and centralization, comment spam prevention, centralization and performance, privacy, baby squirrels, and social issues, in turn:
Registration and centralization
If you want comment registration with Movable Type or TypePad, you will have to use TypeKey. As the FAQ says, if we want comment registration without TypeKey, then we’ll have to …build our own authentication system. The problem with building authentication, as with any other sercurity aspect of an application, is that it needs to be designed and incorporated right from the start; an addon registration system for a tool built to use something else is not something I want to contemplate having to maintain as Movable Type goes through new variations, open APIs or not.
If Movable Type were open source, I could understand this. And before you point out the nature of Perl, open code is not open source.
The reasons for having a centralized registration system, frankly, don’t make a lot of sense. Six Apart states that:
TypeKey takes care of the hassle of running an authentication service: building the service itself; keeping it running; dealing with users who have forgotten their username or password; verifying the email address of new users; etc. All of these tasks are managed for you by TypeKey.
I imagine if you’re a weblog that gets hundreds of new commenters a day, having a service take care of authenticating an email address would be valuable. Now, those of you who get hundreds of new commenters a day, raise your hand?
Other than that, the aspects of registration that Six Apart mention for TypeKey are built into other products, quite simply, and this includes WordPress and a host of other weblogging tools. The commenter may on occasion have to give an answer to a question to recover a password; or if the tool doesn’t provide an automated registration recovery procedure (which it should, that’s not difficult to add in), we may have to reset a person’s password manually for them, but frankly, people using software that manages registration locally has been around on the Web since it was not much beyond a twinkle in Tim Berners-Lee’s eye.
(And an added benefit with local registration – break into a local system, and you compromise one weblog or site; break into a global system, and you compromise everyone’s.)
As for managing multiple usernames and passwords form weblog to weblog, well, please. We use our email addresses for each username, and we use the same password at each, or a variation of a password based on the weblog name and our naming scheme. Not as secure to use same password? Well, sure, but we’re not talking about our bank accounts here – we’re just talking about comment systems and keeping comment spammers out.
Comment spam prevention
Authentication and registration is not a infalliable solution to comment spammers. Just think of the new offshore possibilities – hire people in countries to sign up for email addresses, get authenticated in the TypeKey system, place innocuous comments at sites until they’re allowed in, and then one fine night – blitz ‘em!
No comment registration system, TypeKey or otherwise, will be able to deliberately keep out all spammers. Fortunately Movable Type does have better comment management, with being able to delete comments by name, IP address, and URL, and this is good, this is something we have been asking for. However, I also see no evidence that throttles have been incorporated into the code to prevent trackback and comment DoS (Denial of Service) attacks, so this will continue to be a problem, even with Movable Type 3.0. Unless we hack the code, and the thought of having to hack the code before the product is even out is just too much at this point.
By the way, what about trackback?
Centralization and performance
Having a centralized registration system for a centralized weblogging tool makes sense. After all the weblog posts, comment builds, and every other aspect of the weblog is managed centrally, why not the comment registration? But there is no good technical reason for going with a centralized service for what are distributed weblogs. There are probably good commercial reasons, but none from a technical or even individual user’s point of view.
We who went to Movable Type or other product that we host on our own servers did so specifically because we did NOT want to have any form of dependency on a centralized system. We did so, for the most part, because we have been burned on either performance or access because of the centralization and scaling problems. TypeKey is no different, and in some ways, potentially worse than any of the other centralized tools that we use.
Think of it– for web sites that use centralized comment registration, every comment has to be authenticated with TypeKey. Now think about how many comments are being written at any moment in time?
Six Apart mentions the performance aspect of TypeKey, saying:
We are committed to offering a solution that has as little customer-facing downtime as possible. Of course, we can never guarantee 100% uptime. It’s in Six Apart’s best interest to keep TypeKey up and functioning and to keep our users happy. In the case of downtime, there will be fall-back options in place to help guarantee a fairly seamless commenting process. That means downtime of the TypeKey service would not necessarily mean that spammers and abusive comments could get through nor that commenters would not be able to comment. We’ll have more information about how this will work nearer to the release.
Which frankly tells me they haven’t worked through a solution on this aspect yet, and that doesn’t bode well for the use of this service.
When building a new web-enabled application with any of the clients I had when I was a technical architect, the first aspect we would build into the system was security. You have to build security from the ground up. It must be incorporated into the very design of the product, from its first conceptualization, it can never be an ‘add-on’. Added security never works as efficiently, or as effectively as security integrated deeply with the product.
Mark Pilgrim came out with a weakly satirical rant making fun of what several of us have had to say about TypeKey (after first making disparaging ethnocentric comments about our writing to our weblogs during the ‘weekends’ based on his own interpretation of same; in an international environment, no less)– including Six Apart’s own announcement of Movable Type 3.0.
(I can see, in all seriousness, why Mark would make fun of us for spending time talking about this. After all, it’s just technology. Why get worked up over technology? We never get worked up over technology such as RSS and Atom and RDF and the Semantic Web, that sort of thing.)
The only technical aspect I can pull out of his writing to address is that he lists several centralized systems that he believes do scale well and serve the community, and it’s true these have managed to scale and are useful, but each and every one has failed when I’ve tried to access it at least once a week.
Blogdex was inaccessible off and on this weekend, and Technorati was hard to access last night, and I couldn’t access Bloglines two or thee times last week, and I got some kind of odd error with Radio comments a couple of weeks ago, too, and, well, the list goes on. The problem with centralized systems is not that they fail completely and breakdown permanently; it’s that they behave oddly or inconsistently, or poorly under load.
Time out. Ever get a time out when accessing a centralized system?
But the thing with Technorati or Blogdex or Bloglines (I haven’t used Feedster) is that I’m not dependent on them to write to my weblog, or for my commenters to respond, or for my pages to be accessed. Only my own system resources, or the Internet in general between my server and each of us can impact on this. With TypeKey, though, that’s changed.
Now, not only we’ll we have to write out blog posts in Notepad or some other local application to prevent losing them when we can’t access our hosted or remote weblogging applications; we’ll have to do the same with comments, too.
(Though I imagine that Six Apart will create a caching subsystem that will cache authenticated comments for publishing when the TypeKey system is accessible again – you’ll just have to wait for the remote system to continue your discussion is all.)
Why would we go through all the hassle to have a distributed application if we’re going to tie into a centralized authentication system? Might as well go to TypePad for the rest of our weblogging needs.
(But I don’t want Mark to go away not thinking that we’re not appreciative of his efforts. As he said in one weblog comment: what’s the fuss? After all it’s just a public announcement of a new technology? Sure, I can agree with that – and Atom is just another alpha release of yet another syndication format. No big deal.)
Privacy
I have no doubts that Six Apart won’t publish my personal information, just as I have no doubts that they won’t do something with the aggregate data. All that juicy information about which sites getting how many comments; and then there’s plenty of ego-stroking aspects to the application. If we think that we’re too fixated on buzzsheets such as Technorati 100, wait until we see what can be done with comments.
I’m not particularly concerned about the system being hacked into to get my individual information, though I imagine email spammers will attempt to do so to farm all of the email addresses contained in the system. However, from a security stand point, this is a bright red target in a field of beige – I have no doubts that crackers will be at that system to crack just so they can flood our comments with a crapflood of bogus comments, using our login information, as they use our IP addresses as proxy for their attacks today.
And won’t that be a hell of a mess to clean up?
Baby Squirrels
Aside from these specific technical issues, one other issue I have is the trust releationship we have have established with Ben and Mena Trott, our friends and neighbors, being carried over into our dealings with Six Apart, the company.
It’s important to remember when judging whether to buy into the use of TypeKey for your site is that Six Apart is no longer ‘Ben and Mena’. It is an international company, with international investors and multiple employees, and business concerns that influence the company’s direction. This isn’t to knock that Six Apart has become successful – more power to the company! This is to make a point that we can no longer judge the use of any product, even the ‘free’ ones, from Six Apart, as if they are given to us by Ben and Mena, sitting in their apartments, writing the code in their spare time.
I have heard some good and valid defenses of TypeKey from sites who plan on using it, or some other form of comment registration and authentication because of the nature of topics covered at their sites. These people can attract all sorts of racist and bigoted people, and they want to ensure that if a person is going to make comments such as these, they can at least be authenticated to an email address.
But much of the pushback against those of us raising technical and social concerns has been based on a personalization of the technology and the Six Apart company.
In the MeFil thread on TypeKey, one person wrote:
SixApart is the Apple of the blog world–they take the time during development to make robust, stable apps (TypePad and MT are both solid, and both spreading like wildfire as a result) and they do it with enough style and digital sex appeal to make it consistently-appealing (if not downright Pavlovian) to the crucial early adopter set.
So naturally, let the chorus of haters begin.
Just so long as the haters are Typekey-authenticated, of course.
Another wrote:
Really, who can argue that a centralized, secured, open registration system for weblogs is better than distributing a registation system into thousands of individual weblogs that never update their software? It just doesn’t make sense. Think of all the fun customer support issues that could arise from handing loud bloggers a complicated registation system. Besides, everyone loves typing their information into weblogs over and over again.
Of course, it’s not like there blogging systems out there that are focused on small closed communtities. Well, there’s livejournal, but they don’t meet my exact needs either. I mean, why should I have to switch blogging software or do any work when Six Apart should be reading my mind and meeting my needs exactly for free.
Don’t they realize that the people that read my site are so dumb that though they can use a computer, check email, and surf the web, there is no possible way they could remember a username and password. No other website makes people remember a username and password!
What is this world coming to when companies try to plan ahead and think broadly instead of catering to the loudest whiner? Egads, you’d think that I’m not the most important person in the world.
Why the sarcasm? Why the issues of hatred?
The problem is that we can’t discuss this from a technical perspective because we’re talking “Ben and Mena” here, and there are a lot of complicated factors in work. There’s Six Apart’s support for Atom when others have supported RSS; there’s the fact that Ben and Mena are, were, are webloggers just like the rest of us; that they provided Movable TYpe for free, and did start out by coding in their home, in their spare time; there’s the fact that a lot of people have met Ben and Mena, and like them, and I’m sure they are very nice, and personable.
But Six Apart is not ‘Ben and Mena”. Being critical of TypeKey is not attacking Ben and Mena. And choosing to use TypeKey should not be based on trusting Ben And Mena.
Personalizing the Tech: the social in social software
It’s not surprising that a personalization of the TypeKey has entered our discussions. The thing with social software, such as weblogging software, is that personalization will always be one of the factors in its design, no matter how much we try to ‘de-personalize’ the tech.
With TypeKey enabled at a weblog for all comments, either you register with this centralized service, or you don’t comment. But if we have good comment management and good throttles enabled to prevent comment spam, why would we use comment registration such as TypeKey? I’ve read that it’s to prevent comment spammers, but we know with current workarounds that we don’t need registration to manage comment spammers.
From what I’m hearing, now, that’s not the issue for registration. People are talking about filtering out ‘negative’ comments, and commenters who say ‘hateful’ things. The Six Apart FAQ talks about this:
Now Alice goes to Carol’s weblog. Carol also allows comments by registered users only. Alice signs in using her existing TypeKey account and posts a comment to Carol’s weblog, which goes into Carol’s moderation queue, because this is Alice’s first comment on his weblog.
But Alice hates Carol, so she left a nasty comment! Carol receives the comment via email, doesn’t like the tone of it. So she logs into Movable Type and bans Alice from posting comments to his weblog.
Damn, folks, but nasty is relative. Since the beginning of this year I have been labeled as vicous, nasty, rude, negative, and about everything you can think of. Not because I’m using names, or even personal attacks, but because I have used a specific tone of voice, or an abrupt way of speaking; I have used sarcasm and satire in responding; I have said negative things about what a person has written. Recently, a tone was even implied because I used the person’s last name, rather than their first to address them!
(As a personal aside, am I getting tired of passive aggressive types chastizing my behavior, as if they were Mom or Dad, and I the wayward child? You god damn right I’m getting tired of it. More on this in a later writing.)
Now any comment registration system will keep me out of a weblog, and TypeKey is no different than a local system. I’m not making a statement against TypeKey, now, as much as I am against comment registration; against a growing trend that I’m seeing within the weblogging world to put up barriers and filters around our spaces so that we may control not only what’s discussed within our writing, but within the comments we attach to our spaces.
Combine this with never linking to contrary viewpoints, or disparging same based on some group affiliation or at the behest of some A-lister who we’re sucking up to, and eventually we can still the voices and if we’re successful enough, the people speaking will lose heart and just go away and leave us alone.
Is this where we want to go with this brave new world?
Never say never
In my one weblogging post, I deliberately used a provocative title of “Patriot Act of Weblogging” to discuss TypeKey, and I received criticism for this, as I expcted. However, for the most part, the reason why I used this title seems to have been lost.
In my opinion, the Patriot Act was an overcompensation based on fear and a reaction to being attacked. Through it our freedoms have been curtailed, though many people feel that the added security is worth it. To me, TypeKey is based on the same principles, though of course the similarities between events are far, far different. There is no horrible and sudden loss of life, and no frightening and insiduous curtailment of civil rights, and my use of this term should be, rightfully, called on because of this.
There is a hint, though, of the same overcompensation – a reaction against being ‘attacked’, a pulling in of our heads, like the turtle into its shell, an all or nothing to both events that when I first read the TypeKey announcement, my initial reaction was that it was the Patriot Act of weblogging.
(All or nothing. Hmmm. Sounds like a good title for an essay on communication and barriers, doesn’t it?)
TypeKey is all or nothing. Not using TypeKey in my weblog doesn’t end TypeKey’s influence on me. I said I would never register with TypeKey, which means never commenting at TypeKey enabled sites. Never say never, the saying goes, but for me, never means just that – never.
Feel free to TypeKey protect your comment systems and know that I for one will not be commenting there, and perhaps that makes you even happier about TypeKey. Of course, I’ve also instigated lively discussions in your comments at times, or about your posts, but that’s beside the point. The important thing is that you have complete and utter control over who says what in your space, and that’s all that matters.
Be nice, or be gone
Be nice, or be gone someone said to me recently.
Odd thing, weblogs and comments. We say to each other, “Our weblogs are our homes and we should be able to control what’s said in them”. Yet, they aren’t our homes, are they? You don’t keep your door open for anyone to just walk in to your home, do you? Weblogs are published online supposedly because we want a broader audience for our thoughts and writing then just our friends and family.
They aren’t really our ‘homes’, and the analogy fails in so many ways, but they are our spaces, so we have a right to control them and hold people who comment accountable, don’t we?
But who holds us accountable? I’ve seen again and again, the weblogger write the most inflammatory material in an essay, and when you respond to the tone they set in their writing, or to their responses to your earlier comments, you’re told to be nice, or be gone.
We say, commenters should be held accountable for what they say. I say, but then, who holds the weblogger accountable?
Be nice, or be gone.
I guess I and all the other troublesome, negative, critical, contrary, rude, nasty, vicious, and dissenting voices that you see as graffiti on the wall will be gone, and though we can write in our own weblogs, we’ll never be part of the conversations. Free to speak, true; but not to be part of a discussion; on the outside looking in through the window at the party, trying to be heard through the thick panes. After a while though, shouting in the street gets discouraging and disheartening, and perhaps some day we’ll just be gone for good.
Just think, though: when we’re gone, you won’t need TypeKey. That’s great, isn’t it?