As we strive towards enabling Trustworthy Computing, I was thinking recently about how trustworthy blogs are as a new communication medium. For reasons blogs.msdn.com readers can discover on their own, I’ll call it “The moo Effect” that stirred an internal discussion amongst MS bloggers on the subject. Skipping to the chase, I propose that blogs are not currently a trustworthy medium. In most implementations blogs suffer from the same problems that have plagued technologies such as e-mail, forums, and newsgroups. There are also new problems that have been creeping up. At this stage of software development maturity, it is incredibly important to not leave secure computing out of the picture when you are developing a new form of social computing interaction. Doing so will prevent more mainstream adoption. Here is my breakdown of the problems.
SPAM: I’m sure there have been a lot of discussions on the topic, but the open nature of most blog comment entry systems enables spam without recourse. To date the effects of this exposure have been limited. I have seen only a few blogs with ads for porn sites posted in the comments along with generic statements like “I love what you have to say, visit my site and …”. Now imagine a world where blogging and blog reading start to impact a measurable percentage of internet users and the government starts cracking down on telemarketing and e-mail spam. These “Advertisers” aren’t going to simply give up and go home. They are going to look for new markets to pollute, and we are going to give them a great one at this rate.
Trustworthy Information: Every blogger loves seeing what interesting Google searches lead hapless web travelers to their blogs. To use myself as a small example: if you search for “jimmy fund red sox” (no quotes) in Google you are likely to see my blog occupy a spot in the top ten simply because of this post and the way the social network created by blogs fools the search engine. In this case I believe I’ve polluted the search results with information that is not what the person was looking for. I can’t imagine the countless “innocent” searches that must land tons of non-technical web travelers in the world of Scoble, let alone their reactions once they get there. This one is a double-edged sword, of course, since I do think it’s potentially helpful that when someone has a question about “devenv.xml” they will most likely find my entry that details how this file is used by VS.NET. Regardless of whether this is a problem with blogs or with the search engines, the end public perception could be “Damn, I landed on another one of those stupid online geek diary sites that didn’t help me.”
Identity: How do I know person X is really person X in all cases, with the aggregation and redistribution of countless XML feeds now moving around the web? I haven’t read about it yet, but it wouldn’t be that hard to steal someone’s blogging identity and redistribute their feeds with alternate content. It would be much easier than spoofing an IP address, and harder to verify you’ve made a mistake than simply misspelling a URL in your web browser. How do you know you are reading the true Scoble feed? When I searched to subscribe it seemed there was certainly more than one location offering this content and, as a user, I could have picked the wrong one.
Anonymous Cowards: The term was made famous by Slashdot as far as I can tell. At least there I can filter out these people and they are appropriately branded. :-) Currently anyone can leave a comment in my blog without being verified at any level. Some would argue that the anonymity enables commentary by those that may not have otherwise shared their useful views. I would call for both. I do want to encourage ease of use in order to gain feedback, but I don’t want a world where someone can spam a bunch of blogs with offensive remarks that add no value under the protection of anonymity or potentially pretending to be someone else to harm their reputation. Which leads me to…
Reputation: How do I know I can trust information coming from person X? This is really no different than the problem of knowing whether or not you can trust information from web site Y. However, the new (much needed) move towards simpler publishing mechanisms that blogging represents enables even more people to create misleading content without moderation. Of course the argument could be “If you don’t like it, don’t subscribe, and subscribe to sources you trust”. But how do I make sure I can find the good stuff? What posts are the best ones to read? There is no agreed-upon content/user rating system of the kind you might find in most new web forum implementations.
I’m sure there are other problems that security experts could point out that need addressing, but these were the ones that have been on my mind today that I wanted to share. Please don’t read this as an article against blogging. I love what the phenomenon has enabled me and thousands of others to do. I just know that the world is setting expected security standards higher every day, and not paying attention to these problems now will only set us up for the same problems we’ve seen historically with every other groundbreaking communications-enabling technology that went too long without a care for security. And this time users won’t accept simply “Hey, look, this new thing is cool” without asking “is it trustworthy?”.