What's Missing in Web 2.0?


	4.0/5.0 (2 votes total)
	Rate:

Gabor Cselle
May 30, 2006

Gabor Cselle

Gabor Cselle is a CS student at ETH Zurich in Switzerland. His main interests are distributed systems, web and mobile applications, as well as the science and art of usability.

http://www.gaborcselle.com

Gabor Cselle has written 1 articles for WebKnowHow.

View all articles by Gabor Cselle...

I'm sitting in the New York Café in Budapest, Hungary. It recently got redone after being in a sorry state since 1956, when it had a run-in with a Russian tank. It happens to be just two blocks from the college where my dad used to teach, so I remember walking by it when I was a little kid. Back then, it looked unceremonious. Now, with all the shiny gold plating everywhere, this place looks opulent and luxurious, if not a bit over-the-top. A smart girl once remarked that I have the tendency for big-picture philosophizing when surrounded by luxury, so here we go.

In 1995, Netscape offered the vision that one day, everything will run inside the browser. The operating system would be just another layer of computer architecture. The golden copy of your files would reside on central servers. Your word processor, spreadsheet application, and e-mail client would all be displayed inside a window with a meteor shower animation in the top-right corner.

Well, that didn't happen. Microsoft bulldozed Netscape and for a while, blue e's and rotating globes are still everywhere. But the vision is still alive.

Moving applications and data to the network makes a lot of sense. For storage, Google and Amazon can offer higher reliability at lower cost than home-brewed solutions. In fact, consumers often completely forget to backup their data. For applications, Firefox is available for all popular operating systems, and may easily become a popular application platform with some massaging. Imagine being able to log on with any computer in the world and having your data and favorite applications instantly available, just like you have it at home.

We're not there yet. The Web 2.0 boom introduced many applications that were formerly desktop-only territory: Google Calendar, GMail Chats, Kiko, Writely, Pixoh, and DabbleDB come to mind. But imagine spending an entire workday using only your browser, without any desktop applications. For anyone who uses more than just e-mail, that day would be a very unproductive one.

I believe that before web applications can truly make the desktop obsolete, we need to solve two important problems. Both might seem a bit surprising at first. Even though Javascript is a mess, neither of these points concerns building better AJAX UIs or frameworks to write them. (It's pretty obvious that client-side scripting could greatly profit from cleaner, more cross-compatible features, but there are people more qualified than me to discuss that.)

One of my pet problems is engineering, not science; the second is science, not engineering:

Offline Access
Encrypted, searchable storage

Problem 1: Offline Access

We won't be able to cover the entire planet with always-on Internet access. We need a simple, standardized way to run web-based applications offline.

Earlier this year in Mountain View, I saw huge boxes on lampposts, designed to cover the area with WiFi. This is a great idea for populated areas, but don't extrapolate too far: Even if these boxes were a lot smaller and had much higher range, even if UMTS became free and universally available, even if Connexion receivers were reduced to the size of cell phones – even then, we wouldn't be able to cover the entire planet with Internet access. There will always be a long, dark train tunnel that will spoil the master plan. [1] On top of that, I doubt all this infrastructure could be provided for free, and my tolerance for paying $6/hour for spotty T-Mobile Hotspot reception is low.

An online application becomes completely useless the moment you lose connection. That's why we need to find a way to make online applications work offline.

This isn't the first time I complain about this. In a previous post titled "How do we solve the offline problem?", I described the technical challenges and options.

Today, it seems to me like the most natural way to do this is via a mechanism similar to extensions in Firefox. [2] First, take a browser you can run on any platform, then add a mechanism to easily create applications that perform three things:

Caching: keep a copy of your online data locally.
Presentation: Display the UI in the browser, either by faking it or by actually running an application server locally.
Synchronizing online and offline data.

In essence, you would want to re-create the presentation logic of web applications offline, in the browser. I have to admit that this is a very ambitious goal: You can't just take your server code and distribute it to clients: They may not be able to run it in their environment and you may not be too enthusiastic about giving out your server-side source code, however obfuscated it may be.

Creating offline-enabled web applications will take a lot of work. But without an offline option, web apps will never overtake Microsoft Office.

Problem 2: Encrypted, Searchable Storage

We need to devise a scheme where we can store encrypted data remotely, with the ability to quickly and efficiently search it.

Search is a killer feature. The power you gain from being able to search your own data as quickly as you can search the web is immense. The more data you have, the more useful search becomes.

Recently, there has been a proliferation of new online storage providers, and there are rumors that even Google wants to get in the game pretty soon. For a list of current players, check out this comparison chart ( http://www.flickr.com/photo_zoom.gne?id=93730415&size=o ). Some of them, like Omnidrive, offer encrypted files, but some aren't even truly secure from a cryptographic perspective: XOR-ring data with the user password doesn't really help.

The key point is this: Many users won't completely trust their storage provider, and won't store the golden copy of their files online, unless they're really, positively sure it's encrypted, and no one else can read it. As an extra benefit of encryption, the storage provider won't even be able to hand data over to the DOJ for their 'statistical evaluations about children accessing pornography.'

That's why encryption should be default. It should take place on the client side, and storage providers should never even see user data in plaintext. [3]

Storing all files in an encrypted manner has a huge drawback. The storage provider won't be able to index and search them anymore. Unless, of course, you found a way to encrypt data but still be able to search it, without losing security. And that's exactly what we need.

Obviously, I'm not the first person to think of this problem, and there's plenty of research on this topic. For example, there's this paper by Song et al. titled "Practical Techniques for Searches on Encrypted Data" ( http://www.ece.cmu.edu/%7Edawnsong/papers/se.pdf ). You can safely skip to Section 5.4, where they discuss building indexes. Their solution is relatively simple, but requires two round-trips to the server and the storage provider is still able to learn some information about the documents from the user's access patterns. But that seems tolerable.

Two side notes: Any client software for accessing encrypted software would need to be open source, at least in the core parts. With a closed-source client, how would your users know you're not really sending along your encryption key? Also, while it looks like I'm talking exclusively about online storage, this also applies to all data stored in a web application. Wouldn't it be great if Google Calendar didn't know the plaintext of your appointments but sent you an encrypted record which is then decrypted and rendered in your browser?

My opinion is that encryption should be standard in any kind of online storage solution. Without search, however, online storage is useless.

Conclusions

My speculation is that the current crop of web developers will at first resist solving problem 1, because they're too much in love with their server. Also, someone needs to come up with a good example solution that everyone else can copy - much like GMail and Google Maps first came up with neat uses of AJAX. This may be very hard, as it may require hacking deep inside the browser.

As for online storage, I believe it is an important problem. But will users appreciate this functionality? Not before the media makes a huge story out of teenagers hacking into some celebrity's online picture collection, or Chinese students getting arrested at a dissident meeting they had entered in Yahoo Calendar. With some public awareness for the issue, I think people will flock to the provider offering encryption, and they'll be happy to see a search box.

--

Acknowledgements
Thanks to Markus Egli and Bálint Miklós for reviewing drafts of this.

--

Footnotes
[1] I guess only someone who lives in Switzerland would come up with a train tunnel as the primary example.
[2] Dear readers, if you have an idea about how this can be done with current Firefox extensions or other, existing technologies, let me know.
[3] A successful online storage solution needs far more than encryption, the most important aspect being extremely good desktop integration. Also, with any encrypted storage solution, we'd need to train the user to keep offline backups of his encryption key: Without the key, all his data is lost.