Friday, 19 June 2009

this blog is going on vacation

Well, J and I are going on vacation. We'll be away for nearly six weeks, and while we're sad enough to take a computer with us I'm not planning on tweeting or posting unless we happen across something remarkable.

The last few years or so it's been my habit to wish everyone a happy Inca new year, which neatly bypasses the winter/summer solstice question. Well this year, we'll be on a plane when 5517 comes round, but if we can we'll be raising a glass.

Happy 5517!

Thursday, 18 June 2009

Social media and Iran

Like many in the geek trade, part of me has been professionally fascinated by the impact of social media in the events in Iran. Certainly this has been a developing meme, since the disturbances in late 2006 in France that the social media, blogs, twitter, facebook, flickr and the rest have been more effective in getting the message out than the traditional media and news gathering organisations.

Here in Australia, our own publicly funded ABC has rolled over and taken to relaying tweets and flickr images since its journalists were asked to leave Iran.

And it is certainly fascinating how the social media ecology has come together, so that someone with access to the internet, a $100 camera and a $400 netbook can post images and messages from the frontline. Add a $300 video camera, etc etc.

And this is where I start to feel unease. I have never been to Iran, but I have the impression that it is not unlike Turkey in a demographic sense. Large relatively westernised cities with more secular attitudes, a large and poor rural religiously observant population, and a problem with large numbers of peasants moving from the poor countryside to the cities, in the case of Turkey the informal settlements (I was going to write shanty towns but many are more developed than that) that ring Istanbul and in the case of Teheran the poor areas of south Teheran.

Now these people have a right to be heard. We see this in Turkey with the rise of more islamic and less secular political parties. We saw this in Iran, where while the media liked to show pictures and interview attractive english speaking people prior to the election, they also showed pictures of the poor of south Teheran lining up to vote.

These people are also poor, less educated, less likely to have internet access, or the $100 camera, the netbook or whatever. And there is a risk here. We see the demonstrations againts the election result. We do not see the reactions, the attitudes of those who supported Ahmedinajad, and many undoubtedly did.

The consequence being that we cannot truly tell what the majority think. Traditional news media may have been able to tell us, but now they've been banned we can only guess what these people think, and to what extent they want change.

Sunday, 14 June 2009

an orthodox wiki

here we are on the verge of one trip overseas and we're already thinking of another trip, perhaps to Turkey, Syria, Jordan and to Egypt to see St Catherine's Monastery and to indulge our fascinations for Roman and Byzantine history (me) and the medieval (J).

So a week before we jet off to Europe we're already planning our next trip built out of the things we didn't manage this time.

In the course of sketching the bones of a trip I happened across the Orthodox Wiki. And whatever you feel about orthodox christianity it's an example of really creative and an innovative use of technology - not bad for a 1500 year old tradition ... (and I shouldn't be surprised. The Greek Orthodox church has done some innovative work on access control with their archives, and the Russian Orthodox Church had a web presence as early as 1997)

Wednesday, 10 June 2009

Academic networking ...

I was reading Christy Tucker's latest blog post about Sakai 3 in which he makes the following comment:

Social networks now are either about content (flickr, delicious) or people (Facebook, LinkedIn).

Academic networking: friends isn’t enough
Content and activity-based–reading the same articles, taking the same classes

which is probably a pretty good categorisation. The problem remains however it's not just friends, it's builidng in tools in academic networking that allow students to protect their identity should they wish to do, and that doesn't seem to be quite there. Listening to the session itself is a little more illuminating but the concept is that people want to know what other people on the course are doing, reading, sharing etc. And this bring us to obfuscation.

Sharing content is fine if people want to share it out. So someone who finds a video of Zimbardo talking about the Stanford prison experiment YouTube and posts it to a course forum is fine. No needs to know who they are as the system knows that.

The real problem is when people explicitly want to know what other people are doing, and that's where consent comes in. And this makes for a slightly more sophisticated version of sharing.

Push sharing, as I do with the 'interesting links' thing is fine, just as posting to a website is fine as the user makes a concsious decision to do so.

Imposed sharing where someone's activity is revealed by default is not. And that's the nub.

It's the difference between seeing 'Sherry's doing this' to 'Sherry has posted a link'. In other words revealing participation requires consent.


Facebook, which had the merit of obfuscating people's profile pages to keep things unguessable if you wanted to keep it that way is offering human memorable profile names. While they claim that this will not have implications for people's privacy settings it does mean that their profile names are guessable, which in part is the problem we've been grappling with obfuscating students LMS profiles ...

Saturday, 6 June 2009

Friday, 5 June 2009

Social networking and the LMS

Sometime ago I blogged about the privacy aspects of the more social learning management systems. And as you would expect, suddenly it has come back to bite us.

Currently our LMS is outsourced, but authentication is provided via our LDAP server to which we allow limited secure access by the LMS provider, and only allow them access to student_id, human_name and course_code_list. (This is not quite true - the truth is more complex and messier, as it always is). Student_id is an alphanumeric string that is allocated on the basis of when a student is accepted for a course, and is not readily guessable - no ties to initials, year of entry etc., and is used to log in to systems. In other words, pretty well obfuscated. Course_list is kind of fundamental to the operation of the LMS. Human_name is exactly that, what you are known as.

The problem resolves to the disclosure of Human_name to people you might not want to disclose your name to, much as on a social networking site or role playing game you might not wish to disclose either your identity or aspects of your identity.

Our crude solution to the anonymization problem is to create a new attribute Pseudo_human_name, which we populate with a random string and provide students a 'reveal' facility to allow them to go to our identity management portal where they could click a box to say that they wish to reveal their names. Pseudo_human_name would then be set equal to Human_name. The LMS provider of course has to change so that they enumerate Pseudo_human_name, and we deny them access to Human_name.

As I say crude, but it has the effect of not disclosing information outside of the systems we control that our users don't want disclosed. (And also a good demonstration of the need to keep control of identity management, even if users do seem to behave sensibly on the whole)

Long term we'd like to stop exposing our LDAP servers and use shibboleth and provide a user driven attribute disclosure solution built around Autograph, given that Shib is designed to solve this problem it seems a better solution, and one that's more extensible for more difficult problems ....

Monday, 1 June 2009

Outsourcing email and identity provision

Once upon a time I ruminated about universities outsourcing email, and certainly as far as student email goes it seems to be close to a no-brainer. After all if they don't like/use the service you provide why not give them the service they do want (or not).

However I always had a vague unease about the whole process. Not about the mechanics, but about the process. The same goes for the argument about why bother to provide email at all.

And now, since happening across another post on outsourcing email I know why I felt this unease. The problem is not email, it's identity management.

Increasingly we live in a world based around federated identity, or more accurately services such as Webassign, which are reliant on federated identity, ie the ability of institutions to assert that a certain identifiable individual is associated with that institution. And often its the student email address that is used to identify the individual using whatever technology we use.

Now the interesting thing about outsourcing email is that we segue into using windows live id, OpenID or whatever as an alternative identity federation service, for no other reason that it lets users of our systems access these shiny useful extras such as google docs or blogger, and we don't have to host it ourselves.

And ever so slightly we've begun to lose control of being able to make the assertion that X is associated with Y institution and is thus entitled to Z where Z can be anything from LMS access, using the print system, online access to specialist digital content ...

blogs and listservs

been a bit of a theme this week what with being blocked due to too high a volume of posts and then having my test blog pinged for being a spam blog due to its repetitive nature (which of course is what happens on listservs when people reply to messages and include the preceding messages in a thread). Anyway the test blog is gone now.

It's also been a very useful exercise. Always good to experiment rather than just speculate.

I think I've proved to my own satisfaction that pushing the contents of low volume lists out to rss feeds is a valid way of getting information across

  1. Human Factors: depending on the blog aggregator used the occasional appearanace of a low volume blog is more likely to be read than an adminsitrative email that can be lost in a slew of other messages
  2. Ease of distribution: other than getting people to actively subscribe to the feed there is very little administrative overhead - certainly far less than in managing a traditional listserv
  3. Lurkers: this mechanism peple who wish to lurk, or who only wish to follow do so, again without an adminsitrative overhead
While my experiment of sending out interesting links via twitter is also valid, the 140 character limit is a bit of a limitation, an having people click on a link to get the whole truth is a bit less in the face than is perhaps desirable for outage notices and the like. That said, sending out alerts any and every way possible is probably a good thing ...