Standardized legal documents for technical specifications may not seem like the sexiest thing in the the world - but this is actually pretty exciting news. Developments like this could be a key part of the foundation that online service providers need to move forward on a long list of great ideas for ways to serve their users.

People come up with crazy ideas for making the web work better all the time. This agreement aims to provide an easy way to make it safe to implement those ideas. The companies participating have spent large amounts of time and money negotiating the agreement, now anyone can take advantage of the fruits of that labor at no cost.

Existing specifications that will be placed under the Open Web Foundation Agreement, per the announcement today, include:

• Syndicated media delivery spec Media RSS (currently controlled by Yahoo!)


• Secure 3rd party authentication spec OAuth Core and Wrap (from Facebook, Google, Yahoo! and Microsoft)


• Real-time feed protocol PubSubHubbub (Google)


• Comment aggregation protocol Salmon (Google)


• Web Slice Format (Microsoft)


• And several others.

Users are required to give TrueSwitch (through a Gmail interface) the username and password for the old account, then import can take a few hours or days. I pulled in contacts from an old Hotmail account and am now waiting to have them arrive in my Gmail contacts list.

Dear Internet, please offer features like this at every website. The ability to pull in contacts and data from one service provider to another is the dream of data portability. It enables users to try new services, prevents them from being locked-in to old ones, promotes competition between service providers and generally makes the world a better place.

Not all Gmail users can see the new Import feature but over the next few weeks that will probably change.

As of today, several bloggers have reported seeing this new feature, which allows users to grab all their Google Docs and batch export them as a zip file. Files can be exported in a number of formats, including Microsoft Office and Open Office formats. Users can also choose to export only certain types of docs, e.g., spreadsheets and slide decks only.

If a user is particularly pressed for time or has a larger chunk of data to export, he can also choose to navigate away and receive an email when the export is finished.

Unfortunately, any folders a user may have created or data related to authorship or shared documents do not seem to be included once documents are exported.

Called the Data Liberation Front, the project team said in a Google blog post today that it has "liberated" more than half of the major Google services. "In the upcoming months," writes project lead Brian Fitzpatrick, "we also plan to liberate Google Sites and Google Docs (batch-export)."

Making sure the door isn't locked if users choose to leave a service is a required, if less exciting, part of the data portability movement. Just as important as a bulk dump of user data is the option for users to easily and securely port data online from service to service for immediate personalization based on past activity at a legacy site. Google is a market leader in that kind of data portability as well.

The information on DataLiberation.org does not include instructions for deleting your data from Google's servers. The project is taking suggestions for acts of liberation on a Google Moderator page and is publishing updates on Twitter.

Much like the original premise of Ning, Social Beans simplifies the creation of community websites.  However, since it is a portable format, a Social Beans site is not locked in to a single provider. In addition to the Grou.ps platform, the 0.1 version works with MediaWiki and WordPress. A Drupal plugin is also expected for October 2009. 

At this point, Social Beans is extremely experimental and while it's an interesting concept, the group's fate lies in 2 simple questions: Is it an easy enough template for non-technical users to adopt it? And perhaps more importantly, will developers build engines to run it? Let us know your thoughts in the comments below.

Author and consultant Doc Searls writes in a post memorializing Givotovsky that "Every encounter with Nick was engaging and mind-sharpening." London entrepreneur, Ian Henderson, offers the following quote from Givotovsky, exemplifying his contribution to the digital rights conversation.

There are indeed technologists fully qualified to architect the infrastructure to enable a better, more equitable, reciprocal, transparent and accountable digital realm, and they have to a large extent already built the tools and system. Now, the application of that prospective infrastructure to systems and services with the potential to change "the digital deal" from the user-centric perspective is what's needed, and I hope, what's next.

Going forward, the formulation, creation and assertion of binding identity rights agreements in the context of "leverage", that in turn drives change enabled in the market by market forces, is the most pragmatic, short path to something better than a-shrug-a-click-and-a-sigh privacy statements.

It's exactly the implementation of such use cases to which I think the most beneficial and productive (though not always the most immediately profitable) effort can, and should be devoted. We all need a better, fairer, more accountable and credible digital deal. If we are to be "digital citizens" should we not also know the real "digital deal"?

Givotovsky leaves behind a wife and two children.

At some point in conversation Hammer-Lahav realized that the problem went far beyond the Twitter implementation. The OAuth protocol had an inherent vulnerability; big companies like Google, Netflix and Yahoo had implemented OAuth and scores of tiny startups had too.

The Nature of The Problem

The problem was a vulnerability to something called a "Session Fixation Attack." The gist of it is this. Services supporting OAuth let their users pull data into other websites for reuse around the web. In order to do this securely, the 3rd party site has to ask the original site for permission. This might be a new little website asking permission to import your Gmail contacts or to post to Twitter through their site instead of Twitter.com. OAuth was born from the work that Flickr did to create a secure way that other applications could be granted permission to access your photos for printing, editing or posting elsewhere.

The problem arose if an attacker could convince you to complete their request for account permission with your login. At the end of the process they would have access to your account.

Hammer-Lahav explains how this works in detail and offers flow charts in his blog post explaining the technical nature of the problem. For another explanation of this kind of attack see Mitja Kolsek's paper titled Session Fixation Vulnerability in
Web-based Applications (PDF), which was published in 2002. In other words, this is not a new problem - it was just newly discovered to be an OAuth vulnerability.

How It All Went Down

Eran Hammer-Lahav was at FOOCamp when he realized this was a problem that extended far beyond Twitter's implementation. All 30 companies currently offering OAuth were vulnerable. MySpace, Yammer, PhotoBucket. Google, Netflix, Yahoo. Millions of peoples' accounts were at some risk.

If OAuth was software, a fix could be implemented and pushed out to everyone who was using it. But it's not, it's just a standard-based specification implemented out in the wild and no one party is in charge of it. Someone had to do something though, and they had to do it fast.

The first thing Hammer-Lahav decided to do was call up Alex Payne, API lead at Twitter. Though Twitter had done everything right, it was a particular Twitter implementation that revealed the whole problem and it had only been out for a few days. (We thought it a big enough deal that we wrote a whole post about that implementation.)

Twitter shut down the OAuth option for login within 30 seconds of his phone call, Hammer-Lahav says. They did it without explanation, because they were asked to keep quiet about the security problem for one week - in order for all the providers to get a chance to respond before the security problem went public and could be exploited.

Developers cried out that Twitter was shutting down technology essential to their business without warning - and not for the first time. Robin Wauters wrote a post on TechCrunch channeling developer anger over the shut-off. (Lest we imply too much criticism we'll note that we've written very similar stories ourselves.)

Twitter was widely criticized - and they kept their mouth shut, saying only that it was a temporary problem that would soon be resolved. "I can't stress enough how noble Twitter's behavior was yesterday," Hammer-Lahav told us. "Twitter bashing is a sport now and it's a sport that sells ads. Techcrunch wasn't aware of the security threat but it put Twitter in a position where if they were going to talk about it then they would put other companies at risk. We told Twitter that it was going to go public so do your own PR management and they did a good job. The emails sent by other providers to Twitter thanking them for taking that hit have been amazing."

After contacting Twitter, Hammer-Lahav started emailing all 30 companies listed as OAuth providers with Chris Messina's help. Half of them had representatives at FOOCamp, the event he was calling from. He explained the problem to them as he was able to reach people and asked them not to discuss it until next Thursday, one week later. He knew it would be a difficult secret to keep with so many parties involved, including the frustrated developers trying access all of those companies' OAuth APIs.

"At first it took me half an hour to explain the problem," he says. "By the next day I had the explanation down to 30 seconds." Within 12 hours the group discussing the problem knew there was no simple solution - it could require changes by OAuth providers and outside applications that consume OAuth permission in order for everything working again.

The group of OAuth providers formed an email list to discuss the problem and fifty people from 30 companies joined in. Deciding to focus on communicating with the initial service providers was a decision that had to be made. "You have to triage the parties involved," Hammer-Lahav says. Providers needed extra time to deal with the problem because they couldn't just plug the hole or pull the plug easily; FireEagle, for example, only has an OAuth API - there's no other way for the service to function.

OAuth is being advanced by a decentralized community of developers and other parties, but Eran Hammer-Lahav has been its most visible advocate. He's gained years of experience in the trenches fighting for a variety of open standards. He talked to every OAuth provider on the list and volunteered to act as the Community Threat Response Contact. Yahoo, his employer, told him to take as much time and do whatever he needed to deal with the problem. The company put Allen Tom in charge of Yahoo's response and donated Hammer-Lahav's paid time to the community effort. "If I was working for a different company this might not have been possible," he says. "Yahoo! had a whole team of people managing their own response to the situation."

All thirty companies sprung into action to neutralize the security risk and prepare their respective technical responses. Mashery co-founder Clay Loveless and team pushed back other work to pull all nighters and others pitched in as well. Everyone was an equal participant in working together, from single person startups to multibillion dollar companies. "Yahoo and Google put engineers on the line helping people with small startups to review solutions they were going to deploy," Hammer-Lahav says. "Usually the big guys figure it out amongst themselves and leave everyone else to their own devices. This felt like a real community. There was no liability because it was casual advice. Security people are expensive. Some startups don't even have in-house engineers, they are entirely outsourced."

One by one many of the providers shut down their APIs and one by one they implemented solutions.

By Wednesday, one day before the self-imposed period of silence was over, there had to be a lot of pressure built up behind the scenes. Alex Payne, the man in charge of the Twitter API and a guy who is much less grumpy than you'd probably be if you had his job, started getting visibly frustrated. "The view from under this bus is really something," he said on Twitter. "Nobody in the tech press has bothered to contact me for comment on the OAuth issue. Why bother with facts when speculation drives clicks?"

Just after noon on Wednesday, CNet's Caroline McCarthy reported that Twitter and others had pulled OAuth support because of a security problem in the spec. "In the interest of online safety," she wrote, "CNET News has chosen not to make the details of the security hole public." McCarthy was at FOOCamp as well and may have heard about the security issue then, but decided to more or less respect the wishes of the developer community and hold off writing about the issue at all until just before the deadline lifted. If that was the case then she both won accolades from involved parties for her discretion and got a lot of pageviews for jumping deftly on the story after the threat had mostly passed but before others wrote about it.

Minutes after the real story was out, Twitter posted about it on the company blog. Then the official OAuth blog posted about it, linking to McCarthy's post and publicly thanking Twitter for taking all the heat for days. Chris Messina worked fast to update the site and co-ordinate the community response. Then API service provider Mashery, the company that powers OAuth APIs for Netflix and many other companies, posted about it on its blog, assuring customers that the problem was small and under control and thanking Twitter as well. Finally Dave Winer, a web forefather and hardcore Twitter critic, made a post on his blog urging people to lay off Twitter and appreciate the way they were communicating with people about a number of intersecting and difficult technical problems.

One day later, one week after the community responding to the OAuth threat called for a week of silence to come up with a solution - Twitter announced that its OAuth API was back.

That was yesterday and by today almost all of the 30 OAuth providers have OAuth back up and running. There are two different long-term solutions in the works that are being debated on the email list as we speak. Hammer-Lahav says he expects a revised draft of the spec will be ready next week.

And that's how a decentralized community solved a security threat in an open identity spec, quickly. One company (Twitter) took a risk at implementing a new technology advocated by an employee of another company (Yahoo's Hammer-Lahav), then an engineer at yet another company found the beginning of the security hole, then news of the whole problem was sent out to contacts on a Wiki, an email list was formed, companies donated their employees' valuable time to aid in the effort, everyone more or less kept their mouths shut (including the unfairly criticized Twitter) and then everyone worked together to find a solution just in time. I think that's a pretty cool story.

Lessons for the Future

Hammer-Lahav took the lead in responding to this crisis and says he did it with the future of crisis response in open web communities in mind. Creating a template now for the future is only so possible, though. "In a year this same approach isn't going to work because too many businesses are going to depend on the providers," he says. "If we don't find a way to deal with this in the future then companies will remain very cautious about relying on multiple data sources." He says that people want to create a database listing all the parties involved in technologies like this, but prioritizing who gets talked to first will depend on the nature of the threat.

Finally, Hammer-Lahav says that more companies need to empower more employees to step up and take leadership in this kind of situation. The combination of technical, people and process skills is rare but those people need to be found. "It's not sufficient to have only Chris Messina and I as the two people who can do this," he told us. "We need other companies to step up and say there are people in their organization that can support the community. Yahoo said 'you're going to go do this for the community for as long as it takes,' Yahoo was paying me to manage the community threat in a way that was not purely in their self interest."

Can open communities advocating for an open web respond quickly and effectively to inevitable security issues? It sounds easier said than done, but for now we've got at least one very interesting story that says it is possible.

Called Portable Contacts, the technical spec offers a standard, interoperable way for social networks to serve up your friends lists to anyone you give permission to access them. This should allow application developers to innovate on top of your social connections much more efficiently.

we're seeing major Internet companies making contacts APIs available, such as Google's GData Contacts API, Yahoo's Address Book API, and Microsoft's Live Contacts API (with more to come). Not surprisingly though, each of these APIs is unique and proprietary. We believe this creates the ideal conditions for developing a common, open spec that everyone can benefit from.

Why is This Important?

The social web works best when it's truly social. New applications that use social sharing can be much more useful when new users can port in their existing network of friends and see who they know is already using a site. That's much better than starting cold.

These types of standardized approaches to passing that data are secure (that's good) and allow developers to write code once to use all the supporting sources of data. You've heard the old illustration about railroads? When all the railroads in the US accepted a standard size of rail, all the trains were able to travel much farther than ever before. That's where we're headed with all this information on the web. When we give it standard methods of transport, it can go further and do more than ever before.

That's a pretty big deal and it's fantastic that Google has moved to support the Portable Contacts standard. Hopefully sometime soon everyone will and then we'll wonder what took the web so long to enable social interoperability.

If it did, that could be a real game changer. We'd love to introduce our smart and sassy readers to each other here and then see them be friends on social networks, mobile sites and all around the web. Just a pipe dream? That's what a brand new identity provider called Cliqset aims to make possible. We believe it's the first identity provider of its type that allows 3rd parties to change user profile information, not just read it.

Cliqset uses the OAuth data standard to do all this, so it doesn't even have to ask for your password to the networks you want to connect.

Who's using Cliqset so far? Unfortunately, the geeks behind Cliqset don't do a very good job explaining what they do and they don't have any examples other than their own site today at launch.

That could change soon, though. The company has released a variety of code libraries for developers to drop Cliqset support into their applications. At launch there are Java, iPhone and .net for Windows Mobile libraries. A PHP library is forthcoming. All the libraries will be open sourced and posted to Google Code.

Facebook Connect lets 3rd parties publish updates to a user's activity stream, but that's about it. We asked a number of hardcore identity geeks whether they had seen anything quite like Cliqset before and no one had. There are OpenID and related specifications aiming to accomplish just this, but nothing in the wild yet, according to the OpenID Foundation and Six Apart's David Recordon.

Recordon is a little concerned about seeing another company release an API to accomplish what Cliqset aims to do. "At first glance, it seems like Cliqset is leaning in the correct direction with their support of OAuth for APIs and OpenID for sign in, but are still creating their own APIs - ala Facebook Connect - when dealing with profiles and activities," he told us. "This is both yet another validation of the work by the wider DiSo community and opportunity to finalize the Portable Contacts and Activity Streams specifications for broad adoption on the social web."

We asked Cliqset specifically about Facebook Connect, whether it wasn't in the company's interest to implement a Read/Write capability in its identity system as well. They said they believed it was but that they expected the giant social network to take much longer to implement this key feature. By offering iPhone and Windows Mobile libraries right out of the gate, we think Cliqset could move quickly in the mobile world as well.

Unfortunately, the company isn't doing a terribly good job of explaining its fundamental value proposition so far. We're not the first site to cover Cliqset today (see PC World's coverage for example) and everyone else is writing up the company as just one more cross-site identity provider. There's more than that going on here, but we'll see if this startup with what it calls "the most robust APIs you'll find anywhere" is able to make the market headway that its innovative vision seems to warrant.

This morning the highly effective nonpartisan Sunlight Foundation launched a new microsite called Our Open Government List, where anyone can make suggestions for government transparency and all of us can vote on our favorite ideas. It's like Digg for steps to open up public data.

Anyone can submit ideas or vote on those already submitted; no account creation is required. Click on the titles and you can post and read comments on the idea.

What's in the lead so far? The number one vote getter this morning has been to create a "Digital deposit of government information to libraries." APIs and bulk data access, and metadata standards are also getting a lot of votes. Voting has just begun, though, so now is a great time to jump over to the site and have your voice be heard.

The Sunlight Foundation is a very respected organization and we're sure that the results of the voting will be seen by the Obama administration. The group is co-producing a sold-out Barcamp called TransparencyCamp in D.C. this weekend, and we hope they'll see some key Obama staffers there. So head on over to Our Open Government List and put in your two cents!

If you like ideas like this, you should check out the UK's Show Us a Better Way, a mashup contest to fund developer use of public data.

We don't know who the country's first CTO will be yet (there are rumors) but whoever it is should have plenty of great publicly generated ideas to consider as soon as he or she takes office. Given the delay in the appointment, we imagine the CTO will appreciate the Sunlight Foundation's help in meeting the 120 day deadline for transparency suggestions.

So far it's just a vision, albeit a pretty specific one, but we expect to see something like this on the market very soon. Is it what you want? Now is a good time to share your thoughts on the subject.

Marc Canter believes that the "dashboard" is the best metaphor to manage all this activity through. Millions of people are already familiar with this basic idea, having used My.Yahoo, iGoogle, Netvibes, Pageflakes, Jive Software or other services like this. (We like dashboards here at ReadWriteWeb a lot and recommend checking out this post on traits of a successful dashboard for tips on setting one up for yourself.)

Your DiSO dashboard might serve as a new interface for your blog, your social networking account, or be a stand alone service itself. The parts of your dashboard that you made public would be discoverable and viewable by other people. What would it bring together for you to access all in one place? This is the meat of Canter's proposal. (Update: Actually, Canter stopped by in comments below to clarify that it's the outline structure of these data collected in a dashboard that's really the meat of his proposal. He says he's working on an editor to edit such outlines, in fact. See his comment below for clarification.)

• Your status and availability, see and change these from your dashboard.
• Widgets and gadgets for doing various things, just like people add to dashboards now.
• Your incoming subscriptions (RSS, friends' new media published, perhaps some email).
• Your published media and content going out, manageable in the dashboard. Not just blog posts, microblogging messages and media - this could include your comments from around the web, reviews you've posted of products, testimonials people have written about you, music playlists - you name it.
• Access controls to all your content, determine what's public, what's private, what's viewable by friends, family, co-workers or members of another group. This is a very important part of the distributed social networking vision.
• Your various accounts and identification. Think of this as a virtual wallet, though Canter makes no mention of commercial activities we can assume that payment methods like your PayPal balance or online banking updates would ideally be included in your private dashboard.
• Your "social graph" aggregated. See all your contact lists in one place, including links to the dashboards and various social networking accounts that each contact has given you permission to view. Ask from your dashboard for permission to connect with those contacts in new places.

DiSo Dashboard Outline

View SlideShare presentation or Upload your own. (tags: outline diso)

The idea is that the DiSO Dashboard would be a place to read, write, manage, make discoverable, connect and normalize the data for all your activities around the web. The data standards aren't figured out yet, but major social networking vendors are meeting now to work them out.

How would it look? What would be surfaced to users at various levels of the interface? We hope that vendors make that highly customizable but default settings are something that needs to be figured out.

What do you think? Would you like a dashboard like this? What else would you like in it? Speak up now, these services could be a big part of your experience on the web soon and they are being planned and built as we speak.

That's only going to be more true in the future, so if you'd like to have a say in how it all goes down - now's the time to get involved. The OpenID Foundation is one of the leading organizations in the new standards world and it's having its first ever election of community board members this month. Nominations close Monday and the voting begins on Wednesday.

Individuals will have to pay a $25 Foundation membership fee in order to vote, but this author just paid his and is looking forward to pulling the virtual voter's lever. Nominees so far are listed below.

What Are the Issues?

OpenID usability, getting major players to respect incoming OpenID and not just authenticate their own users elsewhere with OpenID, the personal data payload that travels with OpenID and many other difficult questions remain unanswered, despite all the progress the Foundation and other organizations have made in the last year.

A year ago this week we wrote a post saying that OpenID was in serious trouble. One year later, the situation seems to have improved quite a lot. That's thanks not just to the work of the OpenID Foundation, but they deserve a large part of the credit.

The protocol is far from out of the woods, though, and so this election is going to be an important one.

Who's Been Nominated?

So far twelve people have been nominated. Once you register as a Foundation member, you can see the nominees and their position statements. More nominations will likely occur before this weekend is over. Seven of the following twelve total number of people nominated by Monday will get positions on the board. Here's who's been nominated so far.

Johannes Ernst - founder and CEO of startup Netmesh
David Recordon - is from SixApart and is one of the most publicly visible members of the OpenID community
Mike Kirkwood - CEO of iPhone-centric medical patient data service Polka
Eric Sachs - Product Manager at Google
Snorri Giorgetti - OpenID Foundation's European Representative
Eran Hammer-Lahav - Open Web Evangelist at Yahoo! and OAuth lover
Allen Tom - Architect, Yahoo! Membership
Scott Kveton - Current OpenID Foundation Chair and VP Open Platforms at Vidoop
Nat Sakimura - Identity tech wonk from Japan
Brian Kissel - CEO of JanRain, makers of MyOpenID.com
John Bradley - OpenID security wonk
Martin Atkins - an OpenSocial and identity developer

Which seven of those people do you want driving the future of the OpenID Foundation? Register as a member, read their policy statements and you can have your hopes for this important technology paradigm recognized.

Amit Agarwal has been keeping a close eye on Friend Connect since it was announced and he assumes that the service could go live pretty soon. Just last week, Google published a new YouTube video geared towards users and now the support site for Friend Connect is available as well.

Google Profiles Meets MyBlogLog

Lately, Google has started to put a lot more emphasis on its own user profiles, and Friend Connect makes good use of them. Once you join a Friend Connect enabled site, other users will be able to see information from your profile, though you can set your privacy settings to disallow others from seeing your profile pages as well. In many ways, this is quite similar to MyBlogLog.

It's Social, But is it Open?

When Friend Connect was first announced, we were concerned about the direction Google was taking with this implementation of the OpenSocial standards. Also, as we noted in our earlier posts, the Friend Connect apps are displayed in an iframe, which is basically a separate web page inside another web page. Because of this, these apps are black boxes that live on your site, but don't allow the site owners to really leverage the data from these apps on their own sites.

It is interesting to note that the latest Google video about Friend Connect still prominently features Facebook as a supported service, even though Facebook has decided to eschew OpenSocial in favor of its own platform. The help pages for Friend Connect don't feature a list of supported services yet.

Benefits

There are, however, also some clear benefits to using Friend Connect. Through this service, a site owner might be able to create more user loyalty and enthusiastic readers can evangelize your site by publishing their activity on it to their own social network. Visitors will also be able to invite their friends on social networks to join your site.

In an early press release about Friend Connect, Google stated that this initiative was about helping the 'long tail' of sites to become more social. While we might worry about  some of the details of Google's implementation, this by itself is a worthy cause, and it will be interesting to see how site owners will implement Friend Connect once it becomes publically available.

Online money management service Wesabe and the UK newspaper giant The Telegraph have entered a partnership to offer co-branded tools on the Telegraph website. It's a daring move, we can't help but admire it. We can't help but wonder how users will feel about it too, though.

We like this idea and it's clear that many people want to use online services to monitor and manage their finances. There's no doubt that many of the Telegraph's tens of millions of monthly visitors wouldn't have found out about Wesabe any other way. It does sound like a great convenience, as the company says, to be able to manage money in the same place that you get your news.

We suspect that there will be richer integration of Wesabe into Telegraph pages in the future. We can imagine, for example, news recommendations based on a reader's investment history. Something like the recent LinkedIn/NYTimes partnership.

Still, we wonder how comfortable people will be with this particular choice of partners.

Do You Want the Newspaper to Have a Direct Line to Your Finances?

Privacy is a touchy concern and it's generally assumed that personal finances are one of the most private matters in peoples' lives. None the less, online personal finance services like Wesabe and competitor Mint are growing fast. The value they are able to add on top of existing banking options online is substantial, though there may not be a big barrier to entry if established banks decide to offer similar features.

Partnership options are always interesting, and technology plays in finance are often fascinating - but the newspaper? We're not sure that an institution founded on the premise that it tells everyone everything is really the best choice to do personal finance through.

We like the idea of newspapers working with data (see what The Guardian is doing), but not necessarily our personal financial data - even if it is worked with in anonymous aggregate. Are we alone in that thinking? We doubt it.

What about readers? Are you comfortable, excited even, with the prospect of doing personal finance through your local newspaper? We suspect our readers are disproportionately uninterested in such things as you are more likely to know about these services independently. Still, isn't there something a little crazy about this?

Readers interested in learning more about this sector should check out our recent podcast edition of ReadWriteTalk on the topic, with executives from Wesabe, Mint and Tip'd as guests.

As MySpace develops, so develop the next generation of mainstream web users and thus the web at large. Whether you're a MySpace user or not, it's worthwhile to keep an eye on what the company is doing - especially in terms of user experience.

Fully aware that major changes often cause a major backlash, MySpace has made Profile 2.0 fully opt-in and is saving a copy of their Profile 1.0 of any users who switch, for 90 days. That's smart.

These changes are important. Granular privacy controls on MySpace can help raise the expectations of mainstream users for increasing sophistication regarding privacy in particular and control over their data in general. That means we can all hope for increased vendor support for user control over data - the excuse that mainstream users don't care may not hold up much longer.

W3C standards compliance is good news because a standards compliant web is a web where site rendering doesn't stand in the way of economies of scale for developers. If your code for displaying, rendering, searching or otherwise interacting with websites isn't going to work across all sites - that's a major disincentive for large-scale innovation. W3C compliance is nearly complete for the new MySpace profiles and that's great news.

Though MySpace doesn't get the respect that Facebook does, we still believe that from MySpace is the social networking leader in a number of important ways. Granular privacy controls, for example, Facebook? We'd like that.