It’s come to the point that I was asked to explain what I consider necessary prerequisites for an open, free, sustainable approach towards what is often called “The Cloud” or also “Software as a Service” (SaaS).
To be honest, it took some time for me to make up my mind on the matter, and I considered many of the inputs that I’ve seen so far, in particular the Franklin Street Statement on Freedom and Network Services to be good enough for some time.
Clearly I’m sympathetic to the fundamental ideas behind Diaspora, ownCloud and so on. In fact, I myself am currently dedicating my life to the creation of a solution that should empower users to take control over some of their most central data – email, calendar, address books, tasks, see “The Kolab Story” – and thus to provide one puzzle piece to this picture.
So yes, I have developed an opinion by now and obviously I see attempts at “openwashing” such as “Open Surface” by Microsoft to be falling dramatically short on several accounts.
So what do I think constitutes a socially acceptable and sustainable approach to “Cloud Computing” or “SaaS”?
I think it may be simpler than what I initially thought. There are two primary points that now seem most relevant to me:
Right to restrict
Users must be able to restrict access to their own data, especially by their service provider. Participating in social networks, or enjoying the convenience of having your data available at all times should never have to come at the price of giving up privacy. So users must be given a choice to restrict access to their data as much as they consider necessary or desirable, from fellow users, and their provider. Similarly, they should never lose the right in their data simply because they use a certain service.
Freedom to leave, but not lose
Users must be able to switch between providers, or even to host their own data, if they so choose. And they must be able to do so without losing their network.
They should still enjoy the same level of interconnectivity and not be penalized for having switched providers in the form of having to convince all their contacts and friends to switch, as well.
Software such as StatusNet which is powering Identi.ca allows to set up your own instance – this is a step in the right direction.
From these follow a couple of necessary conclusions to get to this point:
Free Software necessary, but not sufficient
Free Software is a necessary, but not a sufficient condition. Without the software being Free Software, the Freedom to leave, but not lose is exceedingly hard to implement. So in my view the GNU Affero General Public License (AGPL) is strongly preferred, followed by the GNU General Public License (GPL) Version 3, but ultimately any Free Software license will do. Implicitly therefore I am also not adverse to allowing companies to differentiate themselves to some level on code, as long as that does not violate the principles above.
Decentralized & Federated
In order to allow switching without losing the network, any software in this context should be designed federated and decentralized, based on protocols that allow such interconnectivity as well as re-discovering users that have moved.
In order to facilitate the connection of services and providers, as well as allow for innovation and differentiation, a certain level of freedom to experiment is necessary. So software and services should provide truly Open Standards with ongoing interoperability work through plug-fests and automated test suites which give some indication on how well which services actually interoperate.
Transparent Privacy Policies
In order to have control over data, users first need to understand what they are (or are not) allowing the provider to do, which is typically not the case. Most users have never read the 20 page privacy statements which are written in ways that make telephone books seem an entertaining read. So we need a way to simplify this.
A set of standardized privacy policies, maybe with a simple visualization approach similar to what Creative Commons came up with, would be a very useful step forward here.
No change of policy without explicit consent
And naturally it should be illegal to change privacy policies on users without their explicit consent. They need to know what is changing, and how, and what will be the resulting level of privacy they enjoy – in the same clear, transparent and understandable manner.
Because much of this is fuzzy in the sense of being open to interpretation and evaluation, these will require monitoring, either through existing consumer protection bodies, through antitrust or standardisation groups, an existing or new NGO dedicated to this work, or something else. Off the top of my head I cannot think of a body that has both the mandate and competency to fulfil such a task.
So while I have some ideas, I obviously still don’t have all the answers.