Wednesday, June 17, 2009

Google Wave - how do I secure your document when it's in the cloud?

A few days ago I got a chance to sit down and watch the entire hour of the Google I/O video on the early release of Google Wave. If you haven't watched it, here it is (suggestion: do it over lunch, it's long but worth the watch). If you don't feel like watching, here's a link to the product team's blog posting. To summarize, Wave is a collaborative real-time editing environment (think Wiki meets SubEthaEdit meets IRC meets CVS) delivered via the browser (assuming yours supports HTML5). I can invite people into a wavelet (a document or object on Wave) and we can work together. As a collaboration tool, this takes SharePoint out behind the woodshed. What really interested me was the part about federated wave servers - in a nutshell, Google wants to make Wave as popular as email and expects (or hopes) that organizations will set up their own wave servers, so they're open-licensing/open-sourcing the whole stack, protocol and concept included. The interaction between the federated servers is just too cool to watch - little chunks of document flying all over the place, being digitally signed, delivered over encrypted channels, syncing perfectly so everyone can see the same thing at the same time. It got me thinking: what happens if my employer has a wave server and I have a wave server at home (or use Google's Wave product)?
  • Can I invite my home account into the document I'm working on at work and continue editing when I get home?
  • The document will now be in two places (sync'd in glorious real-time)
  • What happens if I quit/get fired - how does my employer remove that document from my Wave server?

...and then there's the normal stuff, like two companies working together, sharing information and all the ownership/security issues that come with it.

Now granted, we're probably no worse off than with email today (I can email work documents to my gmail account at will), but with a powerful tool like Wave the sharing becomes continuous and real-time; the corporate firewall becomes a fine mesh and my documents are quite literally everywhere. DRM's a nice answer (assuming it can be implemented), but it's somewhat antithetical to an open protocol and assumes that all participants honour the rights management request. Besides, DRM has never been very granular (its atomic unit tends to be the document or the song) and simple deletion seems wrong when it's a collaborative document between multiple participants. Maybe the best we can hope for is legal agreements plus an honour-driven deletion system that works along the lines of:
  • Party A asks Party B to drop all content generated by Party A
  • Party B walks the current wavelet tree structure and nukes anything added by Party A
  • Party B reports back to Party A on what it deleted
  • Party A reminds Party B of its legal obligations (pre-negotiated) and disappears in a puff of smoke
The two interesting properties of an open rights management protocol are:
  • Healable data - Party B is now free to use the remaining elements of the wavelet (the stuff it provided) to rebuild the document with its own content (and as much as you'd like to, you can't scrub the human mind, the ultimate anti-DRM tool)
  • Granular information protection - I can't actually stop stuff from going out, but at least I know where it lives and can demonstrate I took reasonable steps (short of seizing the other party's wave server) to protect my content.
One of the things an open rights management system presupposes (at least to me) is this notion of automatically negotiated (legal) agreements and policies between federated wave servers about how they will behave.
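To make the four-step deletion protocol and the two properties above concrete, here is an added Python sketch. It is my illustration, not code from the post or from the Wave project, and its data model is an assumption: a wavelet holds a participant list and a tree of elements, each stamped with the federated address (user@domain) of whoever added it. Party B's purge walks the tree and removes every element from A's domain; children that B's own people added underneath are hoisted into the removed element's place rather than dropped, which is my reading of "healable data". The report B returns is what A checks against its own synced copy. The addresses, element ids and text are constructed sample data.

```python
"""Honour-driven purge of one party's contributions from a federated wavelet.

Illustrative model only (not Google Wave's real data model or federation
protocol): Party A asks Party B to drop everything A's domain added; B walks
the tree, removes it, and reports back; A checks the report against its copy.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List


@dataclass
class Element:
    id: str
    author: str                      # federated address, e.g. "alice@a.example"
    text: str = ""
    children: List["Element"] = field(default_factory=list)


@dataclass
class Wavelet:
    id: str
    participants: List[str]
    elements: List[Element]


def domain_of(address: str) -> str:
    """Federation domain of a wave address ("bob@b.example" -> "b.example")."""
    return address.rsplit("@", 1)[1].lower()


def _prune(nodes: List[Element], domain: str, deleted: List[str]) -> List[Element]:
    """Return `nodes` with every element authored at `domain` removed.

    Children that other parties added under a removed element are hoisted into
    its place instead of being dropped (assumed 'healable data' rule), so B's
    own material survives and only A's contributions disappear.
    """
    survivors: List[Element] = []
    for node in nodes:
        node.children = _prune(node.children, domain, deleted)
        if domain_of(node.author) == domain:
            deleted.append(node.id)
            survivors.extend(node.children)     # hoist the other party's content
        else:
            survivors.append(node)
    return survivors


def purge_domain(wavelet: Wavelet, domain: str) -> Dict[str, Any]:
    """Party B's side: drop everything `domain` contributed and report on it."""
    deleted: List[str] = []
    wavelet.elements = _prune(wavelet.elements, domain, deleted)
    removed = [p for p in wavelet.participants if domain_of(p) == domain]
    wavelet.participants = [p for p in wavelet.participants if domain_of(p) != domain]
    return {
        "wavelet": wavelet.id,
        "domain": domain,
        "deleted_elements": sorted(deleted),
        "removed_participants": removed,
    }


def authored_by(nodes: List[Element], domain: str) -> List[str]:
    """Ids of every element in the tree authored at `domain` (A's own view)."""
    found: List[str] = []
    for node in nodes:
        if domain_of(node.author) == domain:
            found.append(node.id)
        found.extend(authored_by(node.children, domain))
    return sorted(found)


def verify_report(own_copy: Wavelet, report: Dict[str, Any]) -> List[str]:
    """Party A's side: ids A knows it added that B's report does not list."""
    expected = authored_by(own_copy.elements, report["domain"])
    return sorted(set(expected) - set(report["deleted_elements"]))


def build_sample() -> Wavelet:
    """Constructed sample: a wave shared between a.example (A) and b.example (B)."""
    return Wavelet(
        id="w+demo",
        participants=["alice@a.example", "bob@b.example", "carol@b.example"],
        elements=[
            Element("e1", "alice@a.example", "A's draft terms", children=[
                Element("e2", "bob@b.example", "B's counter-proposal"),
                Element("e3", "alice@a.example", "A's reply", children=[
                    Element("e4", "carol@b.example", "B's note on the reply"),
                ]),
            ]),
            Element("e5", "bob@b.example", "B's own section"),
        ],
    )


if __name__ == "__main__":
    b_copy = build_sample()
    report = purge_domain(b_copy, "a.example")       # steps 1-3 on B's server
    print(report)                                    # deleted e1 and e3, alice removed
    print("missing from report:", verify_report(build_sample(), report))   # []
```

Running it on the sample, B's purge deletes e1 and e3, hoists e2 and e4 to the top level beside e5, and drops alice from the participant list; A's copy confirms nothing it authored is missing from the report. The check is only as honest as B's report, which is exactly the point of the post: this gives A a record to hold B to its pre-negotiated obligations, not a technical guarantee.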


  1. Hi. I'm one of Google's Wave developers.

    I think you've described the situation quite well, including the analogy with email.

    We were envisaging a basic mechanism where certain Waves would be marked as "Sensitive" or "Confidential", and the corporation's federation gateway would not allow those waves to be shared with remote servers, or perhaps only to certain trusted servers. The honor-driven deletion system you propose is an interesting extension to that for waves that the corporation does allow out.

  2. Thanks Alan

    Does that imply that external collaboration on sensitive documents is blocked completely, or will be driven through the web interface rather than across the XMPP back channel?