Mixing degrees of publicness in HTTP

At the Data Sharing Workshop the other day, we had a discussion about how to combine OAuth and Feeds, which I was reminded of by Tim Bray's discussion of Adriana and Alec's VRM proposal today.
The session was tersely summarized here, but let me recap the problem.

When you are browsing the web, you often encounter pages that show different things depending on who you are, such as blog, wikis, webmail or even banking sites. They do this by getting you to log in, and then using a client-side cookie to save you the bother of doing that every time. When you want to give a site access to another one's data (for example when letting Flickr check your Google Contacts for friends), you need to give it a URL to look things up at.

The easy case is public data - then the site can just fetch it, or use a service that caches public data from several places, like the Social Graph API. This is like a normal webpage, which is the same for everyone, returning a HTTP 200 response with the data.

The other common case is where the data is private. OAuth is a great way for you to delegate access to a web service for someone else, which is done by returning an HTTP 401 response with a WWW-Authenticate: OAuth header showing that authentication is needed. If the fetching site sends a valid Authorization header, it can have access to the data.

The tricky case is where there is useful data that can be returned to anyone with a 200, but additional information could be supplied to a caller with authentication (think of this like the social network case, where friends get to see your home phone number and address, but strangers just get your hometown). In this case, returning a 401 would be incorrect,as there is useful data there.

What struck me was that in this case, the server could return a 200, but include a WWW-Authenticate: OAuth header to indicate that more information is available if you authenticate correctly. This seems the minimal change that could support this duality, and much easier than requiring and signalling separate authenticated and unauthenticated endpoints through a HTML-level discovery model, or, worse, adding a new response to HTTP. What I'd like to know from people with deeper HTTP experience than me is whether this is viable, and is it likely to be benign for existing clients — will they choke on a 200 with a WWW-Authenticate header?

HTTP does have a 203 response meaning Non-Authoritative Data, but I suspect returning that is more likely to have side effects.

Digital publics, Conversations and Twitter

Last week, I left the Web 2.0 conference to listen to Mimi Ito, danah boyd and their colleagues talk about their research on Digital Publics.

Now if you haven't been paying attention, that plural of 'public' there may throw you. Surely things are either 'public' or 'private'? As danah explains:

Just as context is destabilized through networked publics, so is the meaning of public and private. What I learned from talked to teens is that they are living in a world where things are "public by default, private when necessary." Teens see public acts amongst peers as being key to status. Writing a public message to someone on their wall is a way of validating them amongst their peers. Likewise, teens make choices to go private to avoid humiliating one of their friends.

Yet, their idea of public is not about all people across all space and all time. They want publics of peers, not publics where creeps and parents lurk.

Bly Lauritano-Werner (17, Maine):

My mom always uses the excuse about the internet being 'public' when she defends herself. It's not like I do anything to be ashamed of, but a girl needs her privacy. I do online journals so I can communicate with my friends. Not so my mother could catch up on the latest gossip of my life.

Properties of technology have complicated what it means to be in public. We are all used to being in publics that don't include all people across all space and all time. Many of us grew up gossiping with friends out in public and stopping the moment that an adult walks over. This isn't possible when things are persistent. And it's really hard to be public to all peers and just keep certain people out. So teens are learning how to negotiate a world where the very meaning of public and private have changed. Again, this is a good thing. They're going to need these skills in the future.

The day before, at Web2Open, I had heard something similar in the Troll Whispering session. Christy Canida explained that when someone posts something trollish or otherwise dubious on her site, they get put in a state where only they can see their posts, but no-one else can (except Christy and the other conversation monitors). This damps down the flame responses until Christy and co have time to review, and maybe release them, but in their view the post is on the site, but no-one is responding.

This varying view of the web, depending on who you are, seems odd at first, but it is in fact a recognition in code of what actually exists in human attention. We don't all read the same web, we see our own reflections in what we seek through searches or filtered by our homophily-led reading.

Which is where Twitter comes in. Like Jeff, I've been twittering more than blogging recently, and while immediacy is part of it, a far stronger thing is that I have a sense of public there - a public of people I choose to follow and who chose to follow me. Everyone who uses Twitter sees a different, semi-overlapping public, which maps closer to our individual idea of the digital public we are speaking to, and listening to; one that maps more closely what the socialogist and theorists have been describing for a while.