Openness and the OAuth Legal Dance

Posted by Pelle Thu, 26 Jun 2008 19:04:07 GMT

I’m sitting at the OAuth Summit held at Yahoo in Santa Clara. We’ve had a brief discussion about the IPR policy negotiation process that has been going on in the background between a few core OAuth people and legal departments in various large companies (most notably Yahoo, Google and Microsoft).

Briefly, the IPR policy allows employees at large companies to collaborate on the standard while promising not to sue anyone who uses their company's Intellectual Property through use of the standard. So basically Yahoo can't come sue anyone using OAuth for using some patented algorithm they submitted to OAuth.

The IPR policy is important and good work. That said, the current second revision of this is essentially a secret document that will be presented signed, sealed and delivered to us b-list members of the community in a week or two's time.

The community created the OAuth Non-Assertion Covenant and Author’s Contribution License which all the original OAuth spec signers have signed with the exception of Yahoo.

Eran told us today that apparently Yahoo stalled the process in their legal department as they needed a more detailed agreement. This is fine and great feedback; however, these comments should somehow be made public so we, the community, can also follow it and make comments.

I realize that most developers don't want to follow this; however, it is important that it is transparent and googlable. I suggest an OAuth-legal group, the same way OpenID does, or a continuation of the existing IPR License on Agree2, which does offer comments, versioning and a full transparent audit trail.

One comment I was given was that we should let lawyers talk with lawyers. I have to call bullshit on that. These kinds of things are way too important to be left in the hands of lawyers without any kind of external oversight.

Gabe has been doing a great job representing us (the OAuth community); however, there are lots of people with opinions on this who would like to follow it and voice occasional opinions. Those of us who are building businesses around OAuth-based services need to feel comfortable that we aren't going to be screwed by some indecipherable legalese in the future. More importantly, if there are disputes in the future the negotiation trail is key for solving them.

The final comment I heard is that large companies like Yahoo and Microsoft don't want to make it public that they are negotiating this. I'm sorry, that is even greater bullshit; that's pre-Cluetrain, pre-internet thought.

Get with the program. Yahoo has more to lose by not using OAuth than we in the OAuth community have to lose by them not joining us. I'm sorry if that's the way it's done, I don't care. This is not the world of industrial-age negotiation in smoke-filled private lounges. You guys are all internet companies, for God's sake.

OAuth is about open, transparent, simple standards for creating an infrastructure that's open to all of us and not just Google, Yahoo and Microsoft. Any negotiations behind it should be too.

Update July 2nd, 2008: Here is the latest version of the OAuth Non-Assertion Covenant and Author's Contribution License For OAuth Specification 1.0.

Create, negotiate and accept legally binding contracts for free with our Agree2 service.

It won't hold up in court

Posted by Pelle Wed, 26 Mar 2008 01:06:20 GMT

Rafe Needleman wrote a review of Agree2 today: Agree2 creates binding legal documents that won’t hold up in court

I am proud of his comments about the technical aspects of the site; however, I find the title's claim that the legal documents won't hold up in court problematic. That said, I am really glad Rafe brought this up. There are plenty of myths and misunderstandings about this.

Technically, I have no beef with the service. I think it’s pretty cool, actually. But although I’m not a lawyer and even though I hate trying to decipher legal agreements when I need to, the service’s tacit encouragement to create my own non-lawyer-approved agreements scares the bejeezus out of me. Sure, I could write an agreement between me and someone I’m hiring to re-wire my house. And if the contractor I’m working with were new, he or she might even sign it. But it would still, probably, be a crappy agreement. A court might agree that the electronic edits and signatures were binding, but that doesn’t mean the agreement would be legally sound. Certainly it wouldn’t be complete.

I object to the title

Saying that Agree2 agreements don't hold up in court is like saying agreements written in Microsoft Word don't hold up in court.

Agree2 is a medium and a framework for you to write agreements. We take care of all phases of the contract, from drafting, versioning and inviting to legally binding acceptance by the parties. We provide evidence, as Rafe points out, in a very easy-to-use manner and allow you to come back and find your contracts in the same place 2 years later.

We hope to foster a community of people who share contract templates. People have already been doing this for many years, informally emailing Word documents around.

Due to California law, we cannot take an active part in analyzing the contract text. However, we try to provide as many tools as possible to make this easy for you and your advisors to do.

The OAuth standards group recently used Agree2 to create their OAuth Non-Assertion Covenant and Author's Contribution License. This has been signed by, amongst others, Digg, Twitter, Google and AOL. I am sure Google's legal department would not allow them to use Agree2 if they found a problem with it.

Contracts are not between your lawyers, they are between the parties

A common misunderstanding about contracts is that they have to be scary legal documents written by lawyers.

First of all, a contract is not the document itself. It is the concept of an agreement the two parties have. The written contract is a handy document that writes down the terms of the agreement in such a way that there aren't misunderstandings about each party's duties.

We enter into contracts every day. Many of them through our actions, like ordering a meal in a restaurant; others in writing, like signing a credit card slip or accepting a user agreement.

Generally speaking, it is a good idea to write contracts into a document to avoid disputes in the future. This is the whole reason behind writing a contract down: avoiding disputes. If a dispute should happen in the future, this document is used by a dispute resolution institution such as arbitrators or courts.

Opaque legalese is all about fear and power

When I have had to sign long contracts in the past, I can be pretty certain that the person giving me the contract doesn’t understand it one bit. They expect that I don’t understand it either. These contracts still serve their purpose, by keeping us both too frightened to cause a dispute.

That said, disputes still happen, and they happen mostly because there is some disagreement between the parties about what "The Party of the First Part" or some such legalese foolishness actually means.

Courts are used to standard legalese terms, that is true. There are complex hidden meanings behind these. However, they are also perfectly able to understand plain English. More importantly, if you write your contract in plain English yourself you are probably less likely to end up in court in the first place, because you and the other party both understand your duties under the contract.

Lawyers are needed for many things

There are definitely cases where you want to bring in lawyers. I think it's definitely a good idea for large, complex contracts. Please do NOT write up a term sheet for a large investment yourself. However, in most cases it is a good idea to write the meat of the contract yourself and then have a lawyer go over it. You can then use this as a private (or public) template within Agree2 and have the best of both worlds.

However, it doesn't make any sense whatsoever to pay $400 per hour for a lawyer to go over a contract worth $500 to you. If you are doing this repeatedly, have him go over your template instead.

Many contracts that should be documented end up being agreed over the phone or in a brief email instead, to avoid the hassle of form documents and lawyers. Agree2 gives you a much better option than either.

We are planning a feature in the future where you can give lawyers access to review your contracts and templates.

Government requirements

Most contracts can and should be simple. There are, however, a few types of contracts where complexity is mandated by law, in particular apartment leases and employment contracts, where just about every state or country has specific legal requirements.

More reading

I have written extensively on this before: Contracts are relationships with strings attached, Pragmatic Contract Law for entrepreneurs and Understanding and Preparing for Jurisdictions.

Wikipedia on Contracts is also a great resource. Finally, talk to your lawyer. Also remember that I am not a lawyer myself.

Create a Software Development Agreement with our free web service Agree2

A review of FireEagle's OAuth UI

Posted by Pelle Tue, 18 Mar 2008 01:46:55 GMT

FireEagle is Yahoo's great new location web service, which was recently launched into beta.

This review will not cover the API. A great little intro for this can be found in Interfacing a Rails App to Fire Eagle by Kamal.

I have previously written tutorials on writing OAuth Clients in Ruby and on Turning your Rails site into an OAuth Provider, so I won't go over any code here.

This is strictly about the user interface of FireEagle's OAuth implementation. The FireEagle team (Tom, Seth and Rabble) have done an excellent job thinking about the UI and how it affects security and privacy.

This is great, as most of the rest of us involved in OAuth have been worrying more about standards and implementations than usability. In reality, usability is one of those very important things that the security world tends to forget. So let's learn from FireEagle's example.

Registering your application

Firstly, you need to make the sale to the application developers. FireEagle does this well. They let us know that FireEagle is nothing without the developer. More importantly, they explain clearly the two main use cases for application developers.

[Screenshot: Fire Eagle - Applications you've created]

We at Agree2 have a couple of interesting uses for this, so we’ll go ahead and register.

The registration is pretty clear. There are both security details and also information for including your application in their Application Gallery in the future.

[Screenshot: Fire Eagle - Create a New Application]

Of particular note are these settings, which are one of the hints that the team has really thought about how OAuth integrates into their application.

Asking the developer what it is they need permission to do allows FireEagle to ask the user the correct questions later on.

[Screenshot: Fire Eagle - Edit Application]

Finally, the application provides the developer with all the details of their consumer keys and secrets. Nothing particularly new here; however, they do automatically create an AccessToken for the developer, which is a pretty nice innovation that I also recently implemented (stole) in Agree2.

I am assuming that this AccessToken is basically the same as if I went and created an AccessToken manually. Anyone know if this has different rights?

Update: Seth from the FireEagle team wrote me to say:

It does indeed have different rights. The access token provided on that page is a “general purpose access token”, which allows clients access to the ‘lookup’, ‘recent’, and ‘within’ methods (and not ‘user’ and ‘update’, as it doesn’t correspond to a user). Conceptually, this token is used for queries done “on behalf of the application” rather than “on behalf of the user”.

[Screenshot: Fire Eagle - Applications you've created]

Anyway, it's pretty easy to plug this into your application using any number of libraries for just about any language out there.

End user Token Authorization

This is what happens when a Client Application asks a user to authorize its access to their data in FireEagle. The user is redirected by the Client Application to this screen.

[Screenshot: Fire Eagle - Authorize Application]

It is great the way it provides a very clear UI explaining to the user, without too much text, exactly what they are giving the application access to. FireEagle has a really neat way of describing various degrees of precision in sharing your location, such as "exact location" or "my current neighborhood". See below for the full list.

For a simple app like FireEagle it is possible to provide such a concise interface. We are still trying to figure out exactly what we should do in Agree2, as there are lots of potential ways this could be done.

Managing your tokens

Allowing users to manage their tokens is equally important. FireEagle provides a list of the applications you have issued tokens to, as well as a plain English explanation of the permissions you have given them.

[Screenshot: Fire Eagle - My Applications]

Editing your settings allows you to change permissions for the application.

[Screenshot: Fire Eagle - My Applications (edit settings)]

Privacy in General

While this hasn't got anything to do with OAuth in itself, their general privacy settings are also very important. You can really see how the team has thought about privacy here.

There is a prominent "Hide Me" button, which allows you to instantly "duck" out of sight. Think of it like a mute button for FireEagle. This isn't necessarily useful in all applications, but have a look at whether you can implement something like this in your own application. I assume that, technically speaking, it disables all your AccessTokens until you enable them again.

[Screenshot: Fire Eagle - My Privacy]

It is also quick and easy to get rid of your location trail. For an application like FireEagle containing potentially delicate data, this is very important.

Another important aspect is that they automatically implement timeout functionality, so if you forget all about FireEagle it will switch off your tokens' access at an expiry date unless you specifically renew them.
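As an added example (not code from this post or from Fire Eagle), here is a small Ruby model of the permission and privacy rules described in the registration and privacy sections above: a general-purpose app token limited to read-style methods (per Seth's comment), per-user grants at a chosen precision, "Hide Me" muting every grant at once, and expiry unless renewed. All class, method and scope names are assumptions, not Fire Eagle's actual API.

```ruby
# Constructed model of the token rules the review describes: permissions
# declared at app registration drive the consent prompt, the general-purpose
# app token only reaches read-style methods, "Hide Me" mutes every user grant
# at once, and grants expire unless renewed. Names are assumptions, not Fire Eagle's API.
class LocationProvider
  APP_METHODS  = %w[lookup recent within].freeze  # reachable with the app token
  USER_METHODS = %w[user update].freeze           # need a user-authorized grant
  PRECISIONS   = %w[exact neighborhood city].freeze

  Grant = Struct.new(:precision, :can_update, :expires_at, :revoked)
  attr_accessor :now # injected clock in seconds, so expiry can be exercised

  def initialize(now:)
    @now, @apps, @grants, @hidden = now, {}, {}, {}
  end

  # The developer declares up front whether the app needs to write locations.
  def register_app(name, needs_update:)
    @apps[name] = needs_update
  end

  # The consent question is derived from what the app registered for, so the
  # user is only asked about rights the app will actually use.
  def consent_prompt(app, precision)
    text = "#{app} wants to see your #{precision} location"
    text += ' and update your location' if @apps.fetch(app)
    text
  end

  # User approves the app at a chosen precision; the grant carries an expiry.
  def authorize(user, app, precision:, ttl_days:)
    raise ArgumentError, "unknown precision #{precision}" unless PRECISIONS.include?(precision)
    @grants[[user, app]] = Grant.new(precision, @apps.fetch(app), @now + ttl_days * 86_400, false)
  end

  def hide!(user, hidden = true); @hidden[user] = hidden; end
  def revoke!(user, app); @grants.fetch([user, app]).revoked = true; end
  def renew!(user, app, ttl_days); @grants.fetch([user, app]).expires_at = @now + ttl_days * 86_400; end

  # Decide whether +app+ may call +method+. A nil +user+ means the call uses
  # the general-purpose token issued at registration, not a user's grant.
  def allow?(app, method, user: nil)
    return APP_METHODS.include?(method) if user.nil?
    g = @grants[[user, app]]
    return false if g.nil? || g.revoked || @now >= g.expires_at
    return false if @hidden[user] # Hide Me: every user grant is muted
    return false if method == 'update' && !g.can_update
    (APP_METHODS + USER_METHODS).include?(method)
  end
end
```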

[Screenshot: Fire Eagle]

All in all, FireEagle is a great example both of integrating OAuth completely into an application and of how to think about privacy in a way that I haven't seen before in web applications.

We're thinking about how we can do just as good a job in Agree2. Hopefully the FireEagle team aren't too upset if we borrow and extend some of the new UI patterns they have come up with.

Create a simple NDA with zero legalese in no time at all and for free at our service Agree2.

Contracts are relationships (with strings attached)

Posted by Pelle Tue, 09 Oct 2007 19:17:54 GMT

As promised, I've posted Contracts are relationships as the first in a new series of posts about contracts on the Extra Eagle Blog.

One of the biggest mistakes people make about contracts is thinking that they are documents. It is an easy mistake to make. After all, large parts of the legal profession have been feeding us this story for at least a century, even though they all learn otherwise in their first class of Contract Law 101 in law school.


Agree2 nearly ready

Posted by Pelle Thu, 04 Oct 2007 23:03:35 GMT

When we launched the Agree2 beta back in March, we were kind of impatient to get it live and going. Agree2 is our site for collaborating on, writing, negotiating and accepting contracts.

We did some pretty unique things in that we went back to the basics of contract law to rediscover the real meaning of what a contract is. The core of Agree2 is pretty much based on traditional common law (implemented on Ruby on Rails of course).

However, early feedback was really quite uninspiring for us, and we realized that we needed to make major changes to the underlying usability: not just basing it on legal concepts, but also bringing the contract back to being something done between human beings, like it always was before the day and age of Microsoft Word legal templates.

[Screenshot: Agree2 Public Templates]

You know, it can be kind of painful to start a major usability rewrite, particularly since we're bootstrapping (we are funded by our own consulting work, so we normally can't work full time on Agree2). But now, 6 months later, we are really pleased, and so (thank God!!!) are our initial users.

We think it's ready to start kicking some MS Word legal template ass, and in a big way. Feedback from early testers has been almost universally positive.

Anyway, we are now back. If you're already registered, try logging in again at Agree2. If you already signed up for our beta, keep an eye on your mailbox for your first Agreement in Agree2: our User Agreement (yes, we eat our own dog food). If you would like to try it out, go to Agree2 and register yourself.

Read more on our Extra Eagle Blog about what we’re doing with Agree2.

I will start posting new contract-related articles to the Extra Eagle Blog, so make sure you add it to your feed reader. For my older articles, my small business legal blogging archive will of course still be available.
