WEBVTT

00:00.000 --> 00:11.080
Okay, so for the last talk of the day, we will hear Juliana, who will talk about

00:11.080 --> 00:16.440
consent-based secure collaboration with Spritely Goblins object capabilities.

00:16.440 --> 00:17.440
Yes.

00:17.440 --> 00:23.800
So, hello, everyone. As was just explained, my name is Juliana. I work at the Spritely Networked

00:23.800 --> 00:25.560
Communities Institute.

00:25.560 --> 00:31.240
We are working on the next generation of the social web, and my colleagues, Jessica Tallon

00:31.240 --> 00:35.480
and David Thompson, will have talks about our core technologies, Goblins and Hoot, tomorrow.

00:35.480 --> 00:39.760
There will be a QR code at the end of the talk where you can get the links to their talks.

00:39.760 --> 00:44.880
But I'm talking about what I see as the biggest problem with collaborative and social

00:44.880 --> 00:52.800
software systems today and how I think we can build better ones using, in fact, technologies

00:52.800 --> 00:55.120
that we're working on.

00:55.120 --> 01:14.400
So I didn't expect to have something in my hand and I'm messing up the talk.

01:14.400 --> 01:17.880
So can you still hear me okay?

01:17.880 --> 01:23.560
So I feel that we build a lot of social and collaborative systems that are not based

01:23.560 --> 01:24.560
on consent.

01:24.560 --> 01:28.920
And I think that this is because historically, asynchronous communication didn't really

01:28.920 --> 01:30.840
have the option of privacy, right?

01:30.840 --> 01:35.120
We had mail and then later we had telegraph, telephone, radio, and you could have basic

01:35.120 --> 01:37.720
encryption, but you couldn't have anything like we have now.

01:37.720 --> 01:41.920
You didn't have centralized storage of messages, right, so that you could choose who

01:41.920 --> 01:43.400
you wanted to see things.

01:43.400 --> 01:49.120
And this sort of just became encoded in our society that we just assume that our communications

01:49.120 --> 01:53.080
and our interactions will have to be public, they have to be out of our control, right?

01:53.080 --> 02:00.520
And this hasn't been helped, let me make sure I don't mess this up again,

02:00.520 --> 02:04.560
by the fact that big companies perpetuate this, right?

02:04.560 --> 02:08.280
They sort of inherited these perceptions and they've just continued to run with them.

02:08.280 --> 02:12.200
So we have Facebook and Twitter, which are big social platforms, right?

02:12.200 --> 02:20.840
And they benefit from these systems of organization because, well, frankly, they profit

02:20.840 --> 02:24.160
off of them because they turn user data into a commodity.

02:24.160 --> 02:28.960
And so you have examples of post-serving, public by default, all of this.

02:28.960 --> 02:35.000
And because it's profitable, they're disincentivized from protecting user agency, user data.

02:35.000 --> 02:39.200
And even when they do have protections in place, these protections can be ignored and

02:39.200 --> 02:41.520
they can be abused by the people working there.

02:41.520 --> 02:45.840
So one example I find particularly disconcerting is Tesla.

02:45.840 --> 02:50.400
Tesla records everything that happens inside their cars to train their self-driving.

02:50.400 --> 02:55.240
And we've heard anecdotes of Tesla employees watching videos of Tesla drivers doing embarrassing

02:55.240 --> 02:59.680
things, laughing at them, which, you know, kind of sucks.

02:59.680 --> 03:04.200
And similarly, governments aren't really incentivized to protect user data either,

03:04.200 --> 03:09.600
or user agency, because they may have legitimate uses for this data, right?

03:09.600 --> 03:12.920
As this information, that sort of thing, or they might be abusive governments.

03:12.920 --> 03:17.560
We are standing in the EU, which has pretty good privacy and data protections, but I'm

03:17.560 --> 03:22.440
from the US, and we don't have very good privacy and data protections.

03:22.440 --> 03:28.840
And a few years ago, it was revealed that the NSA, and US allies for that matter, are collecting

03:28.840 --> 03:31.840
a huge amount of information about humanity.

03:31.840 --> 03:36.800
And again, even with protections in place, humans can violate those protections.

03:36.800 --> 03:42.760
And we have Edward Snowden, who shared stories of his co-workers contracting for the NSA using

03:42.760 --> 03:50.000
NSA surveillance data to stalk their exes, which is, again, deeply disconcerting.

03:50.000 --> 03:52.040
So what do we do?

03:52.040 --> 03:56.600
And I think what we do is we build systems based first and foremost on consent.

03:56.600 --> 04:00.400
And in order to understand what consent is, we have to understand what it's not.

04:00.400 --> 04:02.000
It is not unclear communication.

04:02.000 --> 04:06.760
If you sign up for Facebook, you're asked to agree to terms of

04:06.800 --> 04:10.920
service, which is a long document with legal jargon in it; it doesn't make sense.

04:10.920 --> 04:15.960
Or, once you're on the platform, you might need to opt out of things, because your

04:15.960 --> 04:19.520
posts are public by default, because Facebook can sell all this information about you by

04:19.520 --> 04:20.880
default.

04:20.880 --> 04:22.480
And this is stigmatized, right?

04:22.480 --> 04:27.320
So to revert slightly to the political context, there's this saying, if you have

04:27.320 --> 04:31.040
nothing to hide, you have nothing to fear, right?

04:31.040 --> 04:35.520
And even if you feel that these conditions are too onerous, and you don't want to use

04:35.520 --> 04:39.280
these platforms, you might not actually have a meaningful choice not to, because of

04:39.280 --> 04:43.040
network effects or social pressures.

04:43.040 --> 04:44.200
Your friends are all on Facebook.

04:44.200 --> 04:47.320
How are you going to stay in touch with them if you don't use Facebook, right?

04:47.320 --> 04:53.800
If I sound like I'm picking on Facebook, it's probably because it's really bad.

04:53.800 --> 04:55.200
But what is consent?

04:55.200 --> 04:58.600
First and foremost, it's informed, right?

04:58.600 --> 05:02.800
You're transparent about the context of the interactions.

05:02.800 --> 05:06.480
You're transparent about potential consequences, and it's really granted.

05:06.480 --> 05:08.680
It's actively chosen, right?

05:08.680 --> 05:14.280
We assume in a truly consent-based system, we assume no by default, and then you choose

05:14.280 --> 05:16.080
to give a yes.

05:16.080 --> 05:18.520
And even when you do give that yes, it can be taken back.

05:18.520 --> 05:20.200
You can say no at any time.

05:20.200 --> 05:22.880
That's very important to consent.

05:22.880 --> 05:32.720
And I think that the object capability paradigm encodes as much of a model of healthy

05:32.720 --> 05:36.640
consent as can be encoded in a technical system.

05:36.640 --> 05:41.240
It's a relatively complex paradigm, or it seems to be at first, at least.

05:41.240 --> 05:43.520
So I'll try to summarize it quickly.

05:43.520 --> 05:47.880
The basic idea is it provides both security and concurrency.

05:47.880 --> 05:52.120
I'll be focusing on the security, but I'll mention concurrency a little bit at the end.

05:52.120 --> 05:55.200
And it centers around capabilities.

05:55.200 --> 05:59.120
Capabilities are actively granted, and they can be revoked as I'll show you.

05:59.120 --> 06:02.760
And as I have there, it can model consent as far as consent can be modeled.

06:02.760 --> 06:07.480
If you're a PL theory person, it is related to the actor model, which I find, I personally

06:07.480 --> 06:11.520
find a useful analogy, and so I'll probably be talking about things in terms of actors

06:11.520 --> 06:12.520
here.

06:12.520 --> 06:19.120
So we have our objects, and they are actors, in that they can receive messages.

06:19.120 --> 06:23.280
And in response to a message, they can create a new actor, and thereby obtain a reference

06:23.280 --> 06:28.360
to that actor, where they can send a message, which can include a reference to another actor.

06:28.360 --> 06:33.240
Or they can change their behavior in response to future messages.

06:33.240 --> 06:38.000
And capabilities, at the programming language level at least, which is the level

06:38.000 --> 06:40.200
I'm most familiar with through Goblins.

06:40.200 --> 06:44.480
They're just references, you know, pointers, if you want to go down to that level.

06:44.480 --> 06:50.240
And so here we see a user object with a reference, a capability on the object Gary, and

06:50.240 --> 06:54.880
we see the user object sending the message Alice to which Gary responds, hello Alice, my name

06:54.880 --> 06:56.680
is Gary.

06:56.680 --> 07:01.880
These diagrams are from our Heart of Spritely white paper; they're describing code.

07:01.880 --> 07:05.240
They're not perfect for the things I'm going to be talking about, so I'll try to explain

07:05.240 --> 07:08.640
as best as I can.

07:08.640 --> 07:10.280
Capabilities can be limited, right?

07:10.280 --> 07:15.320
So in the context of consent, you can consent to a specific thing and not, you know, all

07:15.320 --> 07:19.120
of your posts being publicly available as another example.

07:19.120 --> 07:23.640
And so here this demonstrates some code. It's a procedure that spawns two objects,

07:23.640 --> 07:28.120
a blog and an admin, that have different capabilities on a collection of posts.

07:28.120 --> 07:34.560
The blog can read them but not write them; the admin can write them but not read them.

07:34.560 --> 07:35.560
And they can be revoked.

07:35.560 --> 07:38.920
So this diagram's relatively complex; you can ignore most of it.

07:38.920 --> 07:44.040
What's important is that we have the Robert object that has a reference to a, or a capability

07:44.040 --> 07:47.480
on a proxy to the admin object.

07:47.480 --> 07:51.240
And we have Lauren over here on the left hand side, who's paying attention to everything

07:51.240 --> 07:57.560
Robert does, because the proxy is telling about it, and Lauren can choose to revoke Robert's

07:57.560 --> 08:01.640
access to the admin object through the proxy, which in this diagram has happened, you see

08:01.640 --> 08:07.640
the little, I don't know how to describe this very well, the little switch that's up, right?

08:07.640 --> 08:12.000
And so in conclusion, I think that OCaps model consent really well.

08:12.000 --> 08:17.680
You have the necessity of explicitly granting a capability, because by default, you have

08:17.680 --> 08:23.600
no capabilities, and you can choose exactly which aspects of an object's abilities

08:23.600 --> 08:29.040
you want to grant capabilities on, and so it's granular, just like consent in real life,

08:29.040 --> 08:35.680
which allows you to build trust and empower collaboration, because you probably won't

08:35.680 --> 08:39.160
meet a stranger and invite them to spend the night at your house.

08:39.160 --> 08:41.760
You'd probably go out to coffee or something first.

08:41.760 --> 08:45.880
You can invite them to your house if you want, nothing wrong with that.

08:45.880 --> 08:50.400
I'm just a very anxious person. So what do we actually do?

08:50.400 --> 08:54.040
How do we build consent into our systems?

08:54.040 --> 08:59.160
If you agree with my analysis and my proposed solutions, the first thing that I'm going

08:59.160 --> 09:02.400
to advocate is using the OCapN protocol.

09:02.400 --> 09:07.560
So it stands for the Object Capability Network protocol, and it allows OCap systems to talk

09:07.560 --> 09:10.720
to each other over arbitrary network boundaries.

09:10.720 --> 09:14.520
And this goes back to the concurrency I was talking about earlier. So you can learn more

09:14.520 --> 09:19.640
about this at ocapn.org or the GitHub page that I have linked there as well.

09:19.640 --> 09:24.160
And the action items here are to join the standards group, get involved in talking about

09:24.160 --> 09:29.580
what you want or need out of this sort of system, and the big one really is to implement

09:29.580 --> 09:35.840
OCapN, and we especially need implementations in strongly typed languages, because in

09:35.840 --> 09:41.640
Spritely we use Guile Scheme, which is a dynamic language, and then the other big implementation

09:41.640 --> 09:45.640
is in JavaScript, which is also dynamically typed.

09:45.640 --> 09:51.080
You can also implement all of OCaps if you want, so these links are kind of the literature

09:51.080 --> 09:52.160
on OCaps.

09:52.160 --> 09:57.760
erights.org is preserving the knowledge of the E programming language, which was the

09:57.760 --> 10:01.760
first full modern OCap programming language.

10:01.760 --> 10:05.320
And the longer link is to our Heart of Spritely white paper.

10:05.320 --> 10:10.000
If you go to spritely.institute, press Goblins, and then click Heart of Spritely, you can get

10:10.000 --> 10:14.960
that as well, which is where the diagrams are from.

10:14.960 --> 10:17.080
And you can also support us.

10:17.080 --> 10:22.480
We're currently running a donor campaign, so I'm obligated to say, I'm not actually obligated

10:22.480 --> 10:28.000
to say, but I do want to say, that's my boss.

10:28.000 --> 10:31.240
You can go to spritely.institute/donate and give us money, and you can also write

10:31.240 --> 10:33.120
software using Goblins.

10:33.120 --> 10:37.640
You can run it on the web with our Hoot compiler, which is a Scheme to WebAssembly compiler,

10:37.640 --> 10:41.360
and we really want this because we need to know what people actually want to build with

10:41.360 --> 10:47.000
these tools, and what trouble they're having building those things, so that we can provide

10:47.000 --> 10:49.560
the best tools possible.

10:49.560 --> 10:52.040
And you can tell other people about this stuff, right?

10:52.040 --> 10:59.520
Infect your friends and loved ones, as a book title puts it, and yeah, so that's that.

10:59.520 --> 11:00.520
Thank you, everyone.

11:00.520 --> 11:02.080
Thanks to the organizers of this devroom.

11:02.080 --> 11:06.720
If you want to see the rest of Spritely's talks tomorrow, you can scan that QR code to

11:06.720 --> 11:07.720
get our blog.

11:07.720 --> 11:08.720
Stop it.

11:08.720 --> 11:09.720
Thank you.

11:09.720 --> 11:14.720
Thank you.

11:14.720 --> 11:21.280
So we have the last couple minutes of the day, if you have any questions.

11:21.280 --> 11:25.080
Oh, no.

11:25.080 --> 11:26.080
Everybody is tired.

11:26.080 --> 11:27.080
I guess.

11:27.080 --> 11:40.760
So, does the OCap model of collaboration make sense for managing access to, let's

11:40.760 --> 11:47.240
say, branches on a Git repository, and maybe more fine-grained access than that, and so things

11:47.240 --> 11:48.240
like that.

11:48.240 --> 11:51.880
So, I don't see why not.

11:51.960 --> 11:59.200
You could, but you'd have to design the sort of level above, because Git is not designed

11:59.200 --> 12:03.520
from an OCap perspective. You would need to design an interface sort of on top of it

12:03.520 --> 12:08.640
to manage access in an OCap-friendly way.

12:08.640 --> 12:10.400
But there's no reason you couldn't.

12:10.400 --> 12:11.400
Yeah.

12:11.400 --> 12:13.400
Thank you.

12:13.400 --> 12:14.400
Yeah.

12:14.400 --> 12:15.400
Hi.

12:16.400 --> 12:27.600
I'm thinking about fatigue and giving consent in a very fine-grained way. Do you have

12:27.600 --> 12:30.200
any thoughts about that?

12:30.200 --> 12:35.360
That's a good question that I should probably have foreseen a little bit.

12:35.360 --> 12:37.560
Do you have any thoughts on this, Christine?

12:37.560 --> 12:39.520
Well, I don't know.

12:40.440 --> 12:48.080
I think one of the things that's important about Spritely's Goblins is that the consent

12:48.080 --> 12:56.160
flow is actually fairly natural, and that it flows from the code and the interface

12:56.160 --> 12:58.640
abstractions that you end up having.

12:58.640 --> 13:02.200
So, there's two ways that you can think about this from a code perspective.

13:02.200 --> 13:05.680
It doesn't end up being really onerous to keep passing things around, because it's the same

13:05.680 --> 13:10.040
way that you program every day, basically passing around arguments to functions.

13:10.040 --> 13:14.840
That's exactly how the capability consent approach works.

13:14.840 --> 13:21.280
The second one is that we're very interested in something called secure user interfaces.

13:21.280 --> 13:26.920
There's a wonderful paper about this called Not One Click for Security by Alan Karp

13:26.920 --> 13:33.200
and some of his colleagues, and he kind of shows how one of the big things that

13:33.200 --> 13:39.760
they show with the capability based UI paradigm is that it kind of flows out of the natural

13:39.760 --> 13:42.760
actions that the user is expressing that they intend to do.

13:42.760 --> 13:45.680
And one of the big complaints that they ended up having at the end of it was that its users

13:45.680 --> 13:47.880
were, like, well, where's the security?

13:47.880 --> 13:51.440
And the problem was that they expected to be inconvenienced, right?

13:51.440 --> 13:56.320
They expected to be bothered for a whole bunch of things, whereas, you know, one great example

13:56.320 --> 14:02.320
of this, which you're probably already familiar with today, is in your browser, you

14:02.320 --> 14:12.320
can upload a file.

14:12.320 --> 14:16.000
So in your browser, you can probably upload a file, right, to a web page.

14:16.000 --> 14:21.800
But the web page can't download every file from your computer, it can't take anything

14:21.800 --> 14:22.800
at once.

14:22.800 --> 14:27.800
And that's because there's a consent-based flow there. When you click Browse, it has something

14:27.800 --> 14:32.040
called a powerbox in capability literature.

14:32.040 --> 14:38.400
The web, the file browser, has the ability to get a capability to that specific file.

14:38.400 --> 14:42.960
So when the user selects that, it actually has a natural flow to be able to hand it to the

14:42.960 --> 14:46.640
web page, and the web page didn't have that, and it just feels so natural that users don't

14:46.640 --> 14:50.600
really think about the fact that they're granting consent in that scenario, but it's very,

14:50.600 --> 14:52.120
the very thing that they're doing.

14:52.120 --> 14:57.000
And so it turns out that a lot of these consent flows, they're very similar to how people

14:57.040 --> 15:04.000
interact with each other as human beings, where the consent actually flows out of the interactions.

15:04.000 --> 15:06.000
Thank you.

15:06.000 --> 15:09.000
Thank you.

15:09.000 --> 15:14.000
So, any last question? We have about 20 seconds.

15:14.000 --> 15:15.000
No.

15:15.000 --> 15:17.000
Great.

15:17.000 --> 15:19.000
Then thank you very much.

15:19.000 --> 15:20.000
Thank you all.

