GregHowley.com

A Decentralized Social Network

December 12, 2019

This morning, I read an article on BoingBoing about Twitter's pronouncement that they'd like to move towards a more decentralized and protocol-based platform for social media. I've been following Cory Doctorow for years. His ideas nearly always resonate with me, and his insightful takes on technology have impressed many in the tech community.

If the above sounds like gibberish to you, if you're not entirely sure what "protocols over platforms" really means, let me try to explain a bit. Today, centralized social media platforms like Twitter, or the even-more-closed Facebook, have you create an account with them. They hold your account information, and their servers store every post you've ever made and every picture you upload. Imagine for a minute if you could instead host your own social media.

At first, the idea seems absurd. If I'm hosting all my own stuff (like I do at GregHowley.com) then how can it even be social media? How could I friend people or share content if it's not on Facebook or Twitter? I'll tell you how.

Imagine that a new protocol is devised. I'll call it osmp, or Open Social Media Protocol. You get a tool which helps you install a key file on your server. You can either use your own server, as I would at GregHowley.com, or you can sign up on an existing social media platform like Twitter. There would be no central repository for usernames, so the best way to get a unique identity would probably be a combination of hosting server and username. An email address would work for uniqueness, but it may not be future-proof. Who knows if traditional email will exist in the mainstream come 2040 or 2060?

When your account is created, what it's really doing is generating a public and private key for you. If you don't know what public/private key encryption is, I can give you no better explanation than the one I've torn from Cory Doctorow's excellent book Little Brother.

In public key crypto, each user gets two keys. They're long strings of mathematical gibberish, and they have an almost magic property. Whatever you scramble with one key, the other will unlock, and vice-versa. What's more, they're the only keys that can do this -- if you can unscramble a message with one key, you know it was scrambled with the other (and vice-versa).

So you take either one of these keys (it doesn't matter which one) and you just publish it. You make it a total non-secret. You want anyone in the world to know what it is. For obvious reasons, they call this your "public key."

The other key, you hide in the darkest reaches of your mind. You protect it with your life. You never let anyone ever know what it is. That's called your "private key." (Duh.)

Now say you're a spy and you want to talk with your bosses. Their public key is known by everyone. Your public key is known by everyone. No one knows your private key but you. No one knows their private key but them.

You want to send them a message. First, you encrypt it with your private key. You could just send that message along, and it would work pretty well, since they would know when the message arrived that it came from you. How? Because if they can decrypt it with your public key, it can only have been encrypted with your private key. This is the equivalent of putting your seal or signature on the bottom of a message. It says, "I wrote this, and no one else. No one could have tampered with it or changed it."

Unfortunately, this won't actually keep your message a secret. That's because your public key is really well known (it has to be, or you'll be limited to sending messages to those few people who have your public key). Anyone who intercepts the message can read it. They can't change it and make it seem like it came from you, but if you don't want people to know what you're saying, you need a better solution.

So instead of just encrypting the message with your private key, you also encrypt it with your boss's public key. Now it's been locked twice. The first lock -- the boss's public key -- only comes off when combined with your boss's private key. The second lock -- your private key -- only comes off with your public key. When your bosses receive the message, they unlock it with both keys and now they know for sure that: a) you wrote it and b) only they can read it.

So your self-hosted (or Twitter-hosted) publicly-available social media file is there for everyone to read, and includes your public key. The location of that file is your account, and includes all your public account information. But if anything is sent to you privately, it's encrypted with your public key, and you can only read it with your private key, which only you have.

Any posts you make are stored on your own server (or on Twitter's) and can be read by whomever they're intended for. If it's a private group chat, then you'd have to store multiple copies, one per member of the chat, each encrypted with that member's public key. This allows for odd vulnerabilities and abuses, like sending a message in a group chat and having different recipients receive different info, but these are issues that the programmers hammering out the protocol will need to figure out.
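The group-chat problem above can be made concrete. The following is an added example, not code from this post or from any real protocol: it pairs the per-recipient encrypted copies with a single sender signature, so a member whose copy differs from the signed text can tell. The function names, the envelope layout and the names Alice, Bob and Carol are hypothetical, and the keys are unpadded textbook RSA built from constructed Mersenne primes, which is for illustration only.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def make_key(p, q):
    """Textbook RSA from two primes; returns (n, d). Illustration only."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def h(data, n):
    """SHA-256 of data as an integer below n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def publish(sender_key, plaintext_for, recipient_n):
    """Build one encrypted copy per recipient plus ONE sender signature.

    plaintext_for maps recipient -> bytes. An honest sender gives everyone
    the same bytes; the signature covers the first recipient's text.
    """
    n, d = sender_key
    signed_text = next(iter(plaintext_for.values()))
    copies = {who: pow(int.from_bytes(text, "big"), E, recipient_n[who])
              for who, text in plaintext_for.items()}
    return {"sig": pow(h(signed_text, n), d, n), "copies": copies}

def open_copy(envelope, who, my_key, sender_n):
    """Decrypt my copy, then check it against the sender's signature."""
    n, d = my_key
    m = pow(envelope["copies"][who], d, n)
    text = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return text, pow(envelope["sig"], E, sender_n) == h(text, sender_n)

# Constructed toy keys built from Mersenne primes: far too weak for real use.
ALICE = make_key(2**127 - 1, 2**521 - 1)  # the sender
BOB = make_key(2**107 - 1, 2**607 - 1)
CAROL = make_key(2**89 - 1, 2**1279 - 1)
PUBLIC_N = {"bob": BOB[0], "carol": CAROL[0]}

def demo(texts):
    """Publish texts as Alice; return what Bob and Carol each conclude."""
    env = publish(ALICE, texts, PUBLIC_N)
    return {"bob": open_copy(env, "bob", BOB, ALICE[0]),
            "carol": open_copy(env, "carol", CAROL, ALICE[0])}

if __name__ == "__main__":
    print(demo({"bob": b"meet at noon", "carol": b"meet at noon"}))
    print(demo({"bob": b"meet at noon", "carol": b"meet at nine"}))
```

A sender who serves each recipient a different envelope defeats this check on its own, so members would also need to compare the `sig` value they each fetched.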

If an open standard for social media does come to be, it could be excellent. I could post something on this site, and someone else could respond directly via Twitter. I could use my own self-hosted social media to follow pictures posted on Facebook, debate commentary from Twitter, and I could respond to it all without even having an account on any of those sites.