Notes from Medientage München: "Digital Kiosk"

Session description:

To monetize quality journalistic products online, German publishers are currently relying mainly on the "digital kiosk". So far there is practically no legal framework for competition: kiosk providers can dictate to publishers the terms under which they may sell their products online. The panel examines whether the current approach is acceptable with regard to equal-opportunity, non-discriminatory access to the distribution platforms, or whether fair competition needs a legal framework. It also asks why German publishers do not pursue a unified strategy with a shared platform to stand up to international competition.

  • Dr. Matthias Knothe, Head of the Media Policy Staff Unit, State Chancellery of Schleswig-Holstein, Kiel
  • A. von Reibnitz, Managing Director, Advertising and Digital Media, Verband Deutscher Zeitschriftenverleger (VDZ), Berlin
  • Bernhard Ribbrock, External Manager Project PagePlace, Deutsche Telekom, Darmstadt
  • Dirk Specht, Head of Business Development, Electronic Media, Frankfurter Allgemeine Zeitung, Frankfurt
  • Christoph Keese, Group Executive, Public Affairs, Axel Springer, Berlin (iKiosk)
  • Dr. Bernhard Mischke, Managing Director, pubbles, Hamburg

MODERATOR

  • Prof. Dr. Florian Stadel, journalist, Stadel Medienberatung, Höhenkirchen-Siegertsbrunn

Competition without rules or strategy

Introduction by Prof. Dr. Florian Stadel

  • traditional revenue models are eroding
  • customers no longer support subscriptions and the like
  • they are migrating to the Internet
  • Are there no ways to monetize quality journalism there?
  • Or are there? There are the iPad and the like, after all. Digital kiosks have been put online here too.
  • Does that do the job, or do publishers have to come up with other revenue models?

Keynote by Dirk Specht

  • a year ago there were articles on digital disruption under the patronage of Eric Schmidt
  • they write nothing about economic changes, only about communication behaviour
  • The Internet is communication and networking; new networks form and networking becomes possible within existing ones. Established publication concepts no longer work. Communication architectures are changing constantly
  • far-reaching effects on politics, society, etc.
  • not limited to the media industry. Disruption of entire markets
  • But that affects the market pillars of publishing houses
  • The disruption of the media market is quite obvious
  • The core service of marketing journalistic content is no longer possible the way it used to be
  • They are therefore turning to the reader/user markets.
  • Will kiosks be able to solve that?
  • Eric Schmidt called this the 1st act; how many acts there will be, we don't know.
  • New ecosystems are emerging. The new systems are highly integrated platforms, for example Facebook and Apple.
  • Publishers are fighting in the competition with their static web presences. They try to place kiosks alongside them. Meanwhile, the operators of information portals keep driving the disruption forward.
  • The new platforms are there for all content. Can we place ourselves alongside them under K for kiosk, or do we have to integrate?
  • There are no digital biotopes; K for kiosk cannot be a biotope either.
  • In his view, defensive strategies are not possible, nor is sitting it out. Markets change from the outside.
  • In future we will be dealing with a few large intermediaries.
  • A completely new situation, also a new challenge for legislators
  • Is today's form of competition law the right one? Are a few strong providers the norm, should that be the norm?
  • How can intermediaries be regulated so that they themselves create a functioning market?
  • "If you cannot win, do not fight". This is meant as a rejection of a strategy that inevitably leads to ruin.

To Mischke: How much of the initial euphoria at Pubbles is left?

  • Have brought in exciting brands
  • not yet the breadth one would wish for, but it is developing positively
  • The market is developing more slowly than we think, but it is developing
  • One or another player has entered the market

On monetization:

  • we do not talk about figures as a matter of principle, like everyone in the industry.
  • but they are developing splendidly; a statement on this will be issued soon
  • pubbles can then develop even more strongly and better.

To Keese: Springer's sales figures are good, after all. "Apple will not be able to hold the 30% forever" was a year ago. That didn't work out. Have you capitulated towards Apple?

  • Apple still takes 30%.
  • But the statement was not about the short term; rather, competition will cause prices to move, and that movement has happened.
  • Google OnePass, for example, only 10%
  • Amazon has now also had to come to terms with the market situation and is therefore also seeking its fortune within that range. That is already right and good.
  • Outside the US markets we see a wide range of terms.
  • Something has been achieved, after all

To Keese: A relaunch is planned for iKiosk. Publications other than Springer's are supposed to come in as well. But why is it all just PDF? Isn't that a niche, with the train heading in a different direction?

  • That is also the difference from pubbles, which works multidimensionally.
  • We believe that the PDF market is or was completely undervalued.
  • It turns out that PDFs are perceived quite differently by users. They have a beginning and an end. You can navigate through them very easily and read them well anywhere, even without magnification. And with magnification it is even better. And with our magnification function you can read it really well.
  • Users don't care what format they are in. What matters is that a story is told with text and images. You can tell stories opulently, especially in the tabloid press. No more restrictions like before DTP.
  • That is exactly what the PDF reflects, this new culture, and that is why it is popular.
  • It is going really well.
  • Static is not bad either; customers also like to download a whole newspaper now and then and take it along on holiday, for example.
  • But at some point HTML5 will come

Something to Telekom: will this be expanded?

  • of course, they want to win over further publishers
  • want to become a full-range provider

To Reibnitz: Does the piecemeal strategy of the German publishers make sense here compared with, for example, Apple?

  • Competition is good; the more there is, the better for users
  • The essential prerequisite for digital points of sale is not just the product range. What matters is a direct connection to a device, and integration. We see that with Apple and surely with Amazon too.
  • Other manufacturers now offer tablets as well and will then also integrate kiosks.
  • BILD, for example, is to come pre-installed on Samsung.

Springer is very reluctant when it comes to listing third-party titles. Why?

  • Important strategic question.
  • Wants to recall the Medientage a year ago. Back then there was only Apple, and the message was that one cannot surrender to such a monopoly. That has happened now: Apple is no longer alone.
  • Of course that draws customer attention to the kiosk, but one has to deal with that
  • In the meantime, however, a certain relaxedness has emerged in the market. What matters to us is the terms. They would like it, for example, at 20% or somewhere between 20 and 30%.

Mischke: From the pubbles point of view it is not comprehensible that it is only a few publishers. They are in talks with many. Early phase of the market; terms are not negotiated overnight.

To the customer it looks piecemeal, and he cannot yet obtain a full range of the German press, but that will change.

Isn't it the customer who should recognize it? Does he have to deal with x kiosks? Has the market perhaps already moved on from this point to somewhere else?

Ribbrock: Of course the customer expects that. Individual apps, too, are perhaps not what the customer wants.

Publishers must become more open and more determined.

He also sees PDF as a great medium; it is standardized, in contrast to interactive formats. There is a large portfolio.

Why isn't PagePlaces shipped pre-installed?

  • they want to be available on many different devices. It also works on iOS and Android
  • Pre-installations will come. That makes more than good sense.

To Specht: Are you convinced?

  • I feel confirmed in my keynote, because the discussion misses reality.
  • we cannot set small portals against big ones. Piecemeal does not make sense
  • The user, too, is not taken into account enough.
  • small systems therefore cannot survive.
  • Thesis: In 1-2 years we will no longer see many of these offerings. Or they will be irrelevant
  • The outcome does not satisfy him.

Knothe:

  • does not yet see the need for new regulation; none of the providers is asking for it, after all.
  • The platforms apparently have enough sun and do not yet see the combine harvester coming around the corner.
  • They have to tell me what it is they need.
  • Is the market being closed off by a few?
  • I have 2 places: national and international. The national market appears to be plural, so I see no reason to act there.
  • Do I have an international market? He does not see it that way; the customer does not tell him that he feels restricted, either.

Does it make sense to set up many incomplete kiosks? That isn't the case in the analogue world either.

Knothe:

  • A kiosk does not automatically offer everything, e.g. not the Kieler Nachrichten in Cologne.
  • That is driven by demand.
  • So you cannot lump it all together
  • Of course it would be nice for him if there were only one platform.
  • On Apple: We would then also need worldwide regulation; can that ever be implemented?
  • I do not regulate if I do not have to regulate
  • Sees no need for it at the moment. There are regulations, after all. But at the moment no German provider is market-dominant. Not internationally either.

Keese: Wants to mention Apple and Google as well.

  • Apple wanted to tighten the App Store rules massively
  • They sought a dialogue with Apple. It was not easy
  • what Apple introduced afterwards is clearly different from what was planned before.
  • Example: We need a background push, but Apple did not want that. In the new Newsstand, however, it will now be possible. They listened to us there.
  • Then the question of discounts: that you were never allowed to sell it cheaper than in the App Store. That meant you could no longer make bundles. Apple accepted that and modified the rules.

Google:

  • There is a complaint against Google over shopping search. If you search for EOS, for example, you first find the results of Google's shopping search, but not those of the German product search engines. So a market-dominant position, hence the complaint. Search results would be pushed to the top here impermissibly.

Reibnitz: What could be regulated: freedom of the press. Kiosks have power... (I didn't really understand this)

Specht: The big players are not kiosk operators. We hand over our customer contacts to them; we cannot steer customer flows. But the players are not content providers; they are interested in advertising, which is much more interesting for them.

We therefore have to enter these ecosystems in a completely different way.

That is the role of an intermediary that places itself between customer and provider and changes the market. Something different from a pure kiosk.

Keese: Whoever wants my content has to pay for it (on aggregated free content).

Closing round:

Keese: What concerns us more is blogs, e.g. Huffington Post or Mashable. They are all bigger than the Washington Post. TechCrunch too. They all do it frighteningly well and, to be honest, better than the traditional media.

Some publications have adopted this. Some of them have up to 25 people working on it. Here content producers and aggregators work together (I didn't understand this. If you have a community, the aggregator doesn't matter. They all have RSS feeds too).

There, too, we are paranoid in a relaxed and cheerful way (I didn't understand this either).

EuroPython 2010: The Guardian Content API and Guardian Open Platform (live blog)

Speaker: Michael Brunton-Spall from The Guardian

What this is about: It's sort of the antithesis of the Times Paywall, it is an API to let you get the content.

Who are we?


We make the Guardian newspaper, the Guardian web page, mobile application, iPad app and more.

The Guardian is run by a non-profit trust instead of shareholders. This means that for developing an app you don't have to justify why it's good for the company but you can instead say that it's good for global journalism.

Open Platform

"... is a chasmic leap into the future. ... work of simplistic beauty... It makes all the major competitors look timid..."

Tom Watson, MP

Example use of the API: http://guardian.gyford.com

The author of that site can even put ads around the articles but has to keep the ads which are included in the body from the API. He can keep the revenue from his own ads. It's the easiest model to use.

You can also analyze e.g. swear words used over time.

He is looking for interesting scientific stuff the Python community might do, e.g. semantic analysis etc. They have a big dataset but not the time, some of you might have time but not the dataset, so it's a win-win.

3 Tiers of access

 

  • Keyless
    • free access to headlines, data, tags and meta data
    • no key required
  • Approved
    • Through http://guardian.mashry.com
    • http://content.guardianapis.com which has content negotiation built in, e.g. text/html will redirect you to a GUI, application/json will return JSON
    • you can search for tags and then based on the tags search for e.g. "python" and tag="technology/technology" so you don't find Monty Python
    • you have two links in the records: one to the web site and one to the api to get to the item details
    • there are metadata fields you can ask for: headline, trailText, shortURL, byline etc. More fields will be added.
    • you can also ask for tags and there is a whole ontology on tags with type.
    • python article e.g. has tags technology/technology, technology/blog, tone/blog (type="tone"), type/article (type="type"). Michael wants to write an article describing the ontology
    • With a key you get back more information, e.g. the body with the HTML version of the article. They include ads you are not supposed to take out (so you have to display the ads embedded but can put your own ads around it)
  • Bespoke
    • custom solutions for licensing and integrating rich applications. Talk to us.

Content API is only one part of the open platform

Data Blog


They have data journalists who research data. They put graphics of this data in the paper, but they are now also collecting all the data in raw format. They set up the data blog, where they put up a new data set every day. They show it as nice graphics but you can also download the raw data. Shows example of the Doctor Who statistics. Data is in Google Docs.

They also have a flickr group and people can upload their own visualization to that flickr group. It's called "guardiandatastore".

World Government Data

At http://www.guardian.co.uk/world-government-data they wrote a bunch of scrapers which suck in all the titles of the data sets in order to make all the global open data findable. Shows example to search for "parking" (fines etc.)

COINS


UK Government released the spending data of each department. They released it in quite interesting ways with a big training manual. It was entirely based on screenshots. Unfortunately the app itself was developed under an NDA which means that all the screenshots had to be removed which rendered it useless.

The Guardian then took the raw data, put it into Solr and Postgres and created an app around it.

http://coins.guardian.co.uk/

You can also download it again as CSV in order to encourage people to do interesting things with it.

The Guardian is trying to push these things as they don't have the manpower to do it all themselves. It's a kind of outsourcing.


Politics API


In the run-up to the election they wanted to make more data on politics available. They have a system called Aristotle which contains data about people of political interest, not only MPs. In the API you can look at all the parties and then get more information about a party, with a list of all its MPs and data about them, e.g. whether they are incumbent, and contact details.

You can also get data about individual constituencies, e.g. turnout percentage, when results were declared, etc.

Then there is a list of the elections with data about them with information about who won, from which party they are, who the MP was previously, if somebody got more or less votes than last time.

It also contains data about the people who fought to be MPs.

The source of the data is The Guardian, done by the journalists. They actively maintain that database. For the data blog the source is always given, otherwise it's probably The Guardian.


Microapps


The most interesting thing for web developers. That's what they use internally for developing apps on GAE, EC2 etc.
The way it works is to use dedicated slots of the Guardian web page, with information on which URL will fill which slot.
There is an internal cache which sucks in data from somebody's microapp and merges it into the main page.

E.g. in the sidebar there might be the Zeitgeist app running which is not provided by the CMS. That app highlights most interesting articles. This is all running on App Engine. It uses the content API and receives email reports from the analytics system.

The Cache-Control header controls the Guardian's internal cache. So you decide how much traffic you get from the Guardian.

One problem you have with GAE is the 30s limit on a request. So you don't call e.g. Twitter directly but use task queues.

Twitter


The Guardian has a Twitter application which shows tweets from their journalists which are related to stories. Again it runs on App Engine.
It aggregates lists with certain tags.


Open Source

http://github.com/bruntonspall/ has some examples of GAE apps.


(this was live blogged and might not be completely correct. Corrections are welcome!)


EuroPython 2010: Real Time Website in Python (live blog)

Speaker: Henrik Vendelbo

Henrik was giving an introduction to Tornado.

Web User Scenarios

  • RSS reader flagged/read/fav/...
  • show current status/price for a number of products
  • Ask the server to process an image
  • Routing chat between webapps
Means: lots of small requests to the server instead of big requests
This is a different type of traffic you see on the server. Each request not big but a lot of them. You need to react quickly.

Server Startup

Multi sub domain, auto-reloading process

Shows an example of Tornado code doing it Django-style.

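import tornado.ioloop
from tornado.httpserver import HTTPServer

# structure, urls and Application come from the speaker's project (not shown in these notes)
ioloop = tornado.ioloop.IOLoop.instance()
# start one HTTP server per configured site that is served by Tornado
for n in structure.SITES:
    site = structure.SITES[n]
    if site['package'] in ("tornado", "mediaserver"):
        server = HTTPServer(Application(urls, site, uiloop=ioloop))
        server.listen(site['port'])
...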


Handle Request / Server Response

  • basic tornado style, using regexp for matching routes
  • see http://tornadoweb.org/
  • Delayed Responses are doable via callbacks, e.g. on_response()
http://github.com/thepian

(this is a live blog article, corrections are welcome)


EuroPython 2010: (Real World) TDD on App Engine

Mistakes Made and Lessons Learned

by Adewale Oshineye

Stuff he is working on:

TDD is hard

... especially on App Engine. But why is that?

Simple things suddenly become hard because the code runs on App Engine. This leads to not testing stuff.

Models are Active Records

  • Models have a life cycle (transient to persistent)
  • Tests need data store (running them in the developer SDK means to run them in a website, not that good. Running in production is also not feasible)
  • keys are usually auto generated

Platform and Services

  • System services are opaque. When you want to test them, then you have this giant service you have to test against.
  • The development environment isn't an exact mirror of production environment. Classic Example: Resources spread across different machines

What did I do?

Example: Porting Jaiku to AppEngine which was one of the first apps for appengine.

  • They mocked up the UI and created web pages first
  • then write handlers

Then:
  • Realisation
  • Regret
  • Refactor but this is dangerous without tests
Then
  • Add tests
  • Extract testable classes
  • Add more tests
But example problem: I create an account, wait two years and something breaks. Hard to test.

What should you do?

First: Read 2 books: "Getting real" and "Growing  Object-Oriented Software, Guided By Tests"

Exploitation

  • Vertical slice for each feature. What the UI looks like etc. Do mockups etc. and test with that
  • Write functional tests at WSGI level
  • Sketch out handlers
  • write unit tests
  • write domain classes
  • Passing unit tests
  • passing functional tests
  • red-green-refactor
  • UI does the right thing
  • Repeat for next feature
  • Driving it all the way down from the UI to domain classes

Ways and means

  • Find good testing framework
    • nosegae and gae-testbed
      • patches itself into GAE to check queues etc.?
    • learn how to use stubs for the various platform services
    • learn how to cycle between functional and unit tests

Heuristics

  • Domain objects don't have to be model objects, they can be normal objects
  • Use simple factories for model objects because creating model objects becomes more complicated over time. Factories reduce the chances of errors
  • If in doubt write a test
  • Testability requires work
  • If it's hard to test it's probably broken
  • Some things can only be understood in production
  • End-to-end is further than you think
    • even if you take this into account
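The vertical slice and the heuristics above, sketched as an added example (not code from the talk or from Streamer): a functional test driven at the WSGI level, a plain domain class, a simple factory, and an in-memory stub in place of the datastore service. All names here (Account, make_account, StubStore, make_app, call) are hypothetical, and only the standard library is assumed.

```python
import io
import json
from wsgiref.util import setup_testing_defaults


class Account:
    """Plain domain object: validation lives here, not in a datastore model."""

    def __init__(self, nick, email):
        if not nick.isalnum():
            raise ValueError("nick must be alphanumeric")
        self.nick = nick
        self.email = email.lower()


def make_account(nick="alice", email=None):
    """Simple factory so tests do not repeat constructor details."""
    return Account(nick, email or nick + "@example.org")


class StubStore:
    """In-memory stub for the datastore service; keys are auto-generated."""

    def __init__(self):
        self._rows = {}

    def put(self, account):
        key = len(self._rows) + 1
        self._rows[key] = account
        return key

    def get(self, key):
        return self._rows.get(key)


def make_app(store):
    """WSGI handler layer: thin glue between HTTP and the domain class."""

    def app(environ, start_response):
        method, path = environ["REQUEST_METHOD"], environ["PATH_INFO"]
        status, payload = "404 Not Found", {"error": "not found"}
        if method == "POST" and path == "/accounts":
            size = int(environ.get("CONTENT_LENGTH") or 0)
            try:
                data = json.loads(environ["wsgi.input"].read(size) or b"{}")
                key = store.put(Account(data["nick"], data["email"]))
                status, payload = "201 Created", {"key": key}
            except (ValueError, KeyError, TypeError, AttributeError) as exc:
                status, payload = "400 Bad Request", {"error": str(exc)}
        elif method == "GET" and path.startswith("/accounts/"):
            tail = path.rsplit("/", 1)[1]
            account = store.get(int(tail)) if tail.isdigit() else None
            if account:
                status = "200 OK"
                payload = {"nick": account.nick, "email": account.email}
        body = json.dumps(payload).encode()
        start_response(status, [("Content-Type", "application/json"),
                                ("Content-Length", str(len(body)))])
        return [body]

    return app


def call(app, method, path, body=None):
    """Functional-test driver: invoke the WSGI callable without a server."""
    raw = json.dumps(body).encode() if body is not None else b""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(REQUEST_METHOD=method, PATH_INFO=path,
                   CONTENT_LENGTH=str(len(raw)))
    environ["wsgi.input"] = io.BytesIO(raw)
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    chunks = app(environ, start_response)
    return seen["status"], json.loads(b"".join(chunks))
```

Because the handler only sees the store through put() and get(), the same functional tests can later run against a real datastore stub from a testing framework without changing the domain class.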

Links

Examples can be found in Streamer code: http://github.com/adewale/streamer

(this is a live blog post and might be incorrect. Corrections are welcome though)


EuroPython 2010: Creating a HTML5 document with Bruce Lawson (live blog notes)

Bruce Lawson from Opera was giving a nice tutorial on HTML5 at EuroPython 2010 in Birmingham. Here are the main remarks and parts of the document he created.

  • doctype: <!doctype html>
  • research showed top 20 class names including header, sidebar, footer, nav etc.
  • case doesn't matter because browser never cared
  • charset: <meta charset=utf-8>
  • language: <html lang=en> but you don't need html necessarily
  • you don't need to close tags, you don't need quotes
  • browsers never cared, validators did
  • you don't need body, html, head but you can.
  • new element: <header> which corresponds to a header
    • header is not just for page headers but can also be used inside e.g. articles.
    • same for nav elements
  • new element: <nav> which is for a list of links which make up a navigation
  • you don't need to close the <li> elements
  • <div> is still your friend for creating blocks which have no other element name like header
  • new element: <article> for things which make sense on their own, like a product or newspaper article.
  • new element <time> which marks up a time. Browser can then do clever things with it, same as search engines.
  • new element <footer> for footer information as you usually would put in a <div id="footer"> element
  • the new elements are not block elements per default because browsers do not understand these new elements yet, you have to do this in CSS. 
  • you don't need the type anymore in a <style> tag because what else could it be?
  • the way to make IE apply CSS to new elements is using javascript
  • lots of new stuff in CSS3
  • new forms, right now nasty to code, labels, validation etc. thus new forms
    • builtin form validation
    • <input id=f-name required name=f-name autofocus>
    • <input type="email" name="email" id=f-email>
    • checks on submit
    • <input type="date"> creates a builtin date picker
    • <input type="range" min="100" max=200> gives you a slider
    • <input type="number" min=100 max=200 step=10> gives you a spinner
    • this is in Opera 9, some of this in webkit, firefox is building it right now, not in IE9 developer preview so far
  • Video: It's important because it brings hackability to video, it's in the browser, you can access it pixel by pixel, manipulate it etc.
    • <video src=turkish.ogv> shows first frame of video
    • <video src=turkish.ogv autoplay> (is evil though)
    • <video controls=controls ...> gives you start/stop, scrubber, audio control with accessibility
    • uses ogg-theora as video codec and ogg-vorbis as audio
    • Works in Chrome, Opera and Firefox
    • in Safari you don't see the video because Apple does not like OGG, you have to use H.264
    • solution: <video controls><source src=turkish.ogv type=video/ogg><source src=turkish.mp4 type=video/mp4></video>
    • but: bug in iPad makes it only show the first source element
    • does not work in IE; you can put fallback markup inside the video element, e.g. a download link or a youtube embed.
    • btw, embed was never valid in HTML but is in HTML5.
    • you cannot do DRM with video elements, then you need flash. Same for mic/camera, then you need flash
    • you can style the video element with CSS
    • a video is not a black box anymore
    • there is also an API for using the controls.
      • video.paused
      • video.pause()
      • video.play()
      • ...
  • Is there a multiple file upload?
    • yes, with multiple attributes
  • What about XHTML2.0 and xforms?
    • They were merely great, philosophical specs but did not reflect any practical uses.
    • e.g. xforms too complicated for people
    • HTML5 codifies common practices and tries to be bw compatible
    • e.g. drag'n'drop API is evil but it works now!
    • MS also invented quite a lot, Apple, too
    • no need to reverse engineer when it's a standard. Then you can see what you need to implement.
  • Is HTML5 actually a standard now or is it still in progress?
    • some say it will be in perpetual development
    • some bits are completely unimplemented right now, e.g. menu element
    • a lot of this stuff is implemented now
    • spec is designed to be finished in 2012, because of the 20.000 test cases which need to get written
    • the spec isn't finished but in W3C standards a spec is only finished once it's implemented in 2 implementations
  • When can we do form validation for real on the web, as you need a JS fallback right now?
    • right. in IE most types default to type=text. so you need JS code
    • otherwise, no idea, look at IE6 which refuses to die.
    • there are several JS shims for dealing with that and fake stuff like websockets, input types
    • there is also modernizr for feature detection
  • Is there regexp for inputs?
    • yes, type="pattern" and you can use the JS regexp stuff
  • What about i18n of error messages?
    • Defaults to local language of browser
    • as nearly always in HTML5: you can override it with script
    • cannot speak for other browsers than opera but assumes so
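The built-in form validation in the notes runs in the browser on submit, and browsers without support treat the new input types as type=text, so the server still has to apply the same constraints to every submission. The following is an added example, not part of the tutorial: the field names f-name and email come from the notes, "quantity" is a hypothetical name for the number input, and the e-mail pattern is a simplified assumption rather than the browser's algorithm.

```python
import re
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constraints copied from the inputs in the notes; "quantity" is a hypothetical
# name for the <input type="number" min=100 max=200 step=10> example.
FORM_SPEC = {
    "f-name": {"type": "text", "required": True},
    "email": {"type": "email"},
    "quantity": {"type": "number", "min": 100, "max": 200, "step": 10},
}

# Simplified address check (one "@", no whitespace, a dot in the domain);
# an assumption for this example, not the browser's exact rule.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_field(rule, raw):
    """Return an error label for one field, or None when the value is valid.

    Labels loosely follow the browser's validity states (value missing,
    type mismatch, range underflow/overflow, step mismatch, bad input).
    """
    value = (raw or "").strip()
    if not value:
        return "value missing" if rule.get("required") else None
    if rule["type"] == "email" and not EMAIL_RE.match(value):
        return "type mismatch"
    if rule["type"] == "number":
        try:
            number = Decimal(value)
        except InvalidOperation:
            return "bad input"
        if not number.is_finite():  # rejects NaN and Infinity
            return "bad input"
        if number < rule["min"]:
            return "range underflow"
        if number > rule["max"]:
            return "range overflow"
        if (number - rule["min"]) % rule["step"] != 0:
            return "step mismatch"
    return None


def validate_submission(body):
    """Validate a urlencoded POST body; returns (clean_values, errors)."""
    fields = parse_qs(body, keep_blank_values=True)
    clean, errors = {}, {}
    # Fields the form never contained are rejected rather than ignored.
    for name in fields:
        if name not in FORM_SPEC:
            errors[name] = "unexpected field"
    for name, rule in FORM_SPEC.items():
        values = fields.get(name, [])
        # A repeated field is ambiguous: which value would the app use?
        if len(values) > 1:
            errors[name] = "duplicate field"
            continue
        raw = values[0] if values else ""
        problem = check_field(rule, raw)
        if problem:
            errors[name] = problem
        elif raw.strip():
            clean[name] = raw.strip()
    return clean, errors


# Constructed sample submissions: one valid, one a browser would have blocked.
GOOD = "f-name=Ada&email=ada%40example.org&quantity=150"
BAD = "f-name=&email=not-an-email&quantity=155"
```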


   


HTML5 example document


<!doctype html>
<html lang="en">
<head>
<meta charset=utf-8>
<title>Hi mum</title>
<style>
    header, footer, article, section { display: block;}
    nav {width: 29%; float: left}
    div {width: 60%; float: right; color: blue}
    /* ... */
</style>
<script>
    // for IE: create the new elements once so that CSS applies to them
    document.createElement("article");
    document.createElement("footer");
    document.createElement("header");
    document.createElement("nav");
</script>
</head>
<body>
<header>
<h1>Hello</h1>
</header>
<nav>
<ul>
<li>Link 1</li>
<li>Link 2</li>
</ul>
</nav>

<div>
<article>
    <header>
        <h2>My lovely day</h2>
        published on <time datetime=2010-07-20>Today</time>
    </header>
    <p>Article 1</p>
</article>
<article>
    <p>Article 2</p>
</article>
</div>

<footer>&copy; by me, 2010</footer>

</body>
</html>



EuroPython 2010: Open Data & coding data.gov.uk (live blog)

Talk by David Read, Open Knowledge Foundation

The talk is about Open Data and especially the UK governments website on it.

Open Data

  • Accessible
  • Allowed to use and republish
  • Without restriction
  • We can build and build...

"Data is expensive to create"
             "But think of the mutual benefits of it being open" (distributes the costs)

Example

  • Science: UEA criticised for "culture of withholding information".
  • Geo Data: Open Street Map and Mappa Mercia (e.g. Bus routes)
  • Public Data: ASBOrometer, Treasury Coins data, etc.

Linking Data

Example from Hans Rosling, who linked two data sets in his TED talk. Link between country having money and health situation.
This cannot be done with data being closed.

Tim Berners-Lee's topic was always how to link data. You can spot trends, add value to society etc.

It's becoming easier and easier with this open data to take these data sets and derive new results from it. E.g. is there a relationship between the birthplace of a football player and how well he plays? Shows example.

Main point about opening up your data: You might not have the best idea but somebody else might have.

Opening Gov Data

  • Transparency -> Effectiveness
  • Labour and Conservatives agree (!)
  • with Cambridge economists:
    • Making gov data sets public will bring a 6bn boost to UK economy
    • That counters the argument that it costs to create that data
  • (we have paid for it...)

Open Data and Open Software

  • Zero cost
  • Good performance
  • Principles: Many hands make light work / natural selection / wisdom of crowd / on shoulders of giants

Infrastructure

An attempt to map open source terms to open data terms


Each row gives the open source software term and the open data counterpart:

  • License: software: GPL; data: PDDL, ODbL, ODC-By (OKF 2007-), http://isitopendata.org (OKF 2009-)
  • Modules / Linking: software: Lib, egg; data: Spreadsheet, database, RDF/OWL
  • Human Discovery: software: (empty); data: CKAN (OKF 2008-)
  • Automatic Distribution: software: apt-get, CPAN, easy_install; data: CKAN, datapkg (OKF 2008-)
  • Hosting: software: Sourceforge, pyPI, bitbucket; data: archive.org, http://knowledgeforge.org
  • Community: software: freshmeat; data: data.gov.uk email list closest?




Open Knowledge Foundation


Aim: promote Open Knowledge
Founded 2004 as a non-profit org
...


CKAN


  • underpins data.gov
  • "Comprehensive Knowledge Archive Network" ... well ... a fancy data catalogue
  • ...
  • http://ckan.net
  • 1283 registered packages available
  • shows example from australia: How much rubbish is collected on streets etc.
  • is a wiki underneath
  • data is revisioned because of spam
  • statistics: from 2007 to 2010, big peak with ca. 500 packages when australia added data a couple of weeks ago

Data Model

  • Tag (name)
  • Group (name, title, description)
  • Data Package (name, title, version, url, ...)
  • Resource (url, format, ...)

API

  • REST
    • GET /api/rest/package
    • GET /api/rest/package/coins-data
  • datapkg
    • datapkg index-add file:///...
    • datapkg update
    • datapkg search "military spending"
    • datapkg install military-norm
    • ...

CKAN communities


Europe: Austria, Hungary, Germany, Italy, Finland, ... (e.g. http://de.ckan.net)

Sharing metadata

How to share packages between countries?
Metadata is shared across country CKANs

There also is some manual updates between e.g. no.ckan.net and data.gov.no (= moderation)

Architecture

Pylons frontend, drupal frontend

formalchemy, repoze.who

blinker, carrot, pyamqp

sqlalchemy

...


data.gov.uk

  • Gordon Brown invited TBL for exciting digital plans
  • David Cameron supportive
  • Run by Cabinet Office, aided by The National Archives
  • Raw Data Now, then improve and link
  • COI team produce Drupal frontend with OKFN producing CKAN back-end
  • homepage: http://data.gov.uk/data
  • from official launch with 2000 packages now over 3600 (launch: jan 2010)
  • good motivation for departments: Show how much data other departments have provided
  • Other stats: Update frequency, last updated, number of downloads, license
    • License: Nevertheless the open data license on the about page applies (I think?)
    • Geographic coverage
    • Geographic granularity etc

Measuring success

  • hard to measure
  • Stats: users, number of datasets, per department, big wins: Ordnance Survey, Coins, top public salaries
  • Creation of visualizations, apps, linked data, new stories, companies - 6bn pounds
  • CKAN - similar goals


Where can we improve? (Questions)

  • Make it easier to find things (there is a JSON output of all the data but not well advertised)
  • Wouldn't making links impose additional requirements on the data, e.g. it being in XML etc.
    • Linked Data is hard to do, slow project
    • need vocabularies and develop them
    • separate team working on schools data etc. they all have SPARQL endpoints
    • low hanging fruit first
    • pressure is put on the departments to go from CSV to linked data
    • keep pushing us for it!
  • Do you see this culture of openness to continue? What will happen if people can find out that gov programs do not work, do they still want to give data out then?
    • Giving data out is always scary for governments
    • Hard process to change thinking
    • For now: Let them be embarrassed and a transparent government might get better!
  • Do you get feeds now automatically? Do you have to ask for them?
    • The offices and departments put data on the website, not the programming team
    • But good questions about feeds: You might want to listen to the RSS feed on the data.gov.uk website to learn about more data sets
  • What's going on in other countries?
    • I hear lots and lots and lots from EU countries
    • there are governments talking to us
    • But it's also scary for governments
    • but there is also a massive move in governments, maybe due to Obama and the Freedom of Information Act
    • the cat cannot be put back into the bag

Software Learnings

  • Pylons - flexible, organised, powerful to customize
  • Formalchemy - tough to get beyond basics but really neat, flexible and powerful
  • PIP, virtualenv, nose - use happily
  • Drupal interfacing - Drupal modules rely on internal model

CKAN futures


  • More metadata fields and guidance / control
  • INSPIRE geographic bounding boxes
  • Improve navigating datasets - to help linking data
  • Improving RDF catalog
  • Keep goal of supporting automated linking data
  • Suggestions please!

Project Learnings

  • Open source, trac, email discussions
    • Good for getting feedback and people involved
    • Slightly worrying
    • Easy to get flooded with requests
  • Easy to criticize - high load on launch
  • Civil servants surprisingly happy to open data

(this is a live blog and things might be wrong in here, but please give feedback and corrections!)


EIC2010: Improving the Security and Usability of OpenID

Speaker: Ariel Gordon

  • 1 Billion registered OpenID accounts
  • 9 million websites utilizing OpenID
  • US Gov and Facebook major adoption drivers

Needed Improvements

OpenID does not yet adequately address several key problems, thus preventing widespread adoption

Simplicity and consistency of a common OpenID solution still evades us

  • Every OpenID logon popup is different
  • URLs are confusing to users
  • Poor guidance and docs for the protocol. No relying party to hold up as a best practice for others to emulate
  • JanRain’s RPX service has custom code for every major OP because the services that they provide are inconsistent and not discoverable.

Not an end to end solution

  • Poor mobile phone support… 70% of the Japanese market
  • During a customer support call, how can the user identify themselves?

“NASCAR” user experience

Clicking on logos is better than typing URLs… but has led to convoluted user interfaces.

RP needs to guess what identities you might have… which only works for large OPs. You’d better be on that list! Small providers have no chance.

Poor experience when using vast majority of OPs, even worse for smaller ones e.g. MyCompany.com

 

Security Issues of current version of OpenID

Shows the fun communications open id theft demo which works via a proxy.

This even works for sites with security seals and OTP based auth.

That’s a serious problem.

The main problem is the redirection taking place.

Summary of Usability and Security issues

Basic OpenID UX requires remembering URLs

NASCAR experience easier but only for big OPs, doesn’t scale

Phishing easy to do.

 

An Active Client for OpenID

  • A collaborative effort between MS, Plaxo, Facebook, Google, Yahoo, Deutsche Telekom, JanRain, Azigo
  • An incubation effort for the past year
  • Assists the user with his logon experience to make OpenID more usable and safer
  • Allows me to bring the identities I actually have to the site
  • remembers my identities
  • Supervises identity interactions from me

 

Shows an example of the active client at Plaxo (add ?test.selector=1)

The active client is an optional part of the experience! If you don’t have an Active Client installed then the normal OpenID flow will be used.

They are using a CardSpace based client to be that active client. For InformationCards you need cards though.

When I click on the OpenID login, a selector will popup and ask me to choose an account from the list of all of my accounts (OpenIDs).

If you go there a second time, then the selector has this prefilled.


EIC 2010: National ID Card – Privacy by Design

Speaker: Andreas Reisen, Innenministerium Deutschland (Federal Ministry of the Interior, Germany)

He is one of the driving forces behind the NPA (Neuer Personalausweis).

 

He showed newspaper articles debating the new national ID, but they were from 1983. The then-new ID card was already much debated back then because it was machine readable. In the end they were successful and introduced it together with the UK.

What they learned: You cannot introduce something like this without a discussion about it beforehand.

Privacy by Design:

Privacy as the default, Proactive not reactive, privacy embedded into design.

German ID card fulfils all of these requirements.

Characteristics which are not typical for an ID card:

1. Card Access Number (CAN). Introduces a new security mechanism. You can get access via the CAN, but only in a government context.

2. The CAN is also used to protect citizens from DoS attacks, because the card is contactless (RFID). If the wrong PIN is sent three times via RFID, the card is blocked. To prevent DoS, the third PIN attempt is only possible together with the CAN. Usually nobody will have this access number.

3. The logo on the back: third parties that are authorized to read from the identity card can show that they are allowed to by displaying this logo on the company website.

Residence Permit Cards will soon have the same capabilities.
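The retry logic from points 1 and 2, as an added sketch that is not part of the talk or of the card's specification: a toy card model in which the last PIN attempt is suspended until the CAN is presented. The class, method names, PIN and CAN values are constructed for illustration.

```python
import hmac
from dataclasses import dataclass


@dataclass
class ToyEidCard:
    """Toy model of the PIN retry behaviour in the notes, not the real card protocol."""
    pin: str
    can: str                    # Card Access Number, printed on the card itself
    retries_left: int = 3
    can_presented: bool = False

    def present_can(self, can: str) -> bool:
        # Knowing the CAN shows the caller can physically read the card.
        self.can_presented = hmac.compare_digest(can, self.can)
        return self.can_presented

    def verify_pin(self, pin: str) -> str:
        if self.retries_left == 0:
            return "blocked"
        if self.retries_left == 1 and not self.can_presented:
            # The last attempt is held back, so a stranger in radio range
            # cannot burn it and lock the holder out.
            return "suspended"
        self.can_presented = False          # the CAN unlocks one attempt only
        if hmac.compare_digest(pin, self.pin):
            self.retries_left = 3
            return "ok"
        self.retries_left -= 1
        return "blocked" if self.retries_left == 0 else "wrong"


def remote_guessing_then_holder() -> list:
    """Someone without the CAN guesses PINs over the air; the holder logs in afterwards."""
    card = ToyEidCard(pin="482915", can="730164")       # constructed values
    log = [card.verify_pin(guess)
           for guess in ("000000", "111111", "222222", "333333")]
    card.present_can("730164")                          # holder reads the CAN off the card
    log.append(card.verify_pin("482915"))
    return log


if __name__ == "__main__":
    print(remote_guessing_then_holder())
```

Without the CAN the counter never reaches zero, so over-the-air guessing can suspend the PIN but not block the card.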

Key facts of the New German ID card

All visual identity card functions remain preserved

Proximity Card Interface (ISO 14443) for biometrics

Based on the electronic passport (ICAO compliant)

Optional qualified electronic signatures can be ordered from third parties

 

Where do you see that privacy in the focus?

Services you want to give data to first need to identify themselves.

Then the citizen can choose to select which data should be shared with this service. This can only be shared with the requesting service by crypto means.

Crypto makes sure that data cannot be altered on the chip, that no eavesdropping is happening. Biometrics are never shared on the net but only via local interactions.

How does it work?

  1. The service provider needs an authorization certificate from the government. Part of that is what data it is allowed to read.
  2. This will be shown to the citizen and the citizen can then further narrow the data down.
  3. It is confirmed by entering a PIN

What is different from other projects in the world?

It is based on PKI, but the identifier is not the public key but the data you transmit. That means that the channel and communication are protected by PKI (DH), but the authentication itself is done not via that public key but via the data you exchange.

That means you get the Name, DOB, address etc. via this secure channel and you know it’s coming from ID card X and the data is guaranteed by the government. They don’t rely on PKI for means of identification.

Keys are only used for 3 months per ID card. This is completely different than e.g. SSL. On the SP side you can be sure that the data is trustworthy as it’s issued by the federal government.

Data fields for Auth

Mandatory: Blocking attributes, validity statement

The rest of the data is secured like described above.

The card can also generate a card specific service identifier, no crosschecking is possible with this (“pseudonym”). (but only one pseudonym per service as I heard).
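An added example, not from the talk: the three steps above as a release check (certificate scope, the citizen's narrowing, PIN confirmation), plus a per-service pseudonym. The certificate class, field names and card data are hypothetical, and a keyed hash stands in for the card's real pseudonym derivation, which these notes do not describe.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AuthorizationCertificate:
    """Hypothetical stand-in for the government-issued authorization certificate."""
    service_id: str
    readable_fields: frozenset      # what the government lets this service read
    valid_until: date


# Constructed card contents and per-card secret, for illustration only.
CARD_DATA = {"name": "Erika Mustermann", "date_of_birth": "1964-08-12",
             "address": "Heidestr. 17, Koeln", "place_of_birth": "Berlin"}
CARD_SECRET = b"constructed-per-card-secret"


def release_data(cert, requested, citizen_selection, pin_confirmed, today):
    """Return only the fields that pass all three gates from the notes."""
    if today > cert.valid_until:
        raise PermissionError("authorization certificate expired")
    if not pin_confirmed:
        raise PermissionError("citizen did not confirm with the PIN")
    # Step 1: the certificate caps what may be read at all.
    # Step 2: the citizen can narrow the request further, never widen it.
    allowed = set(requested) & cert.readable_fields & set(citizen_selection)
    return {field: CARD_DATA[field] for field in sorted(allowed)}


def pseudonym(card_secret: bytes, service_id: str) -> str:
    """Card-specific, service-specific identifier (keyed-hash stand-in)."""
    return hmac.new(card_secret, service_id.encode(), hashlib.sha256).hexdigest()[:16]


if __name__ == "__main__":
    shop = AuthorizationCertificate("shop.example", frozenset({"name", "address"}),
                                    date(2011, 1, 31))
    # The shop over-asks for the date of birth; the citizen unticks the address.
    print(release_data(shop, {"name", "address", "date_of_birth"},
                       {"name", "date_of_birth"}, True, date(2010, 11, 1)))
    # Same card, two services: the identifiers cannot be matched against each other.
    print(pseudonym(CARD_SECRET, "shop.example"), pseudonym(CARD_SECRET, "forum.example"))
```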

 

Benefits

SP can verify the identity of the person

served by federal guaranteed data (!!)

AuthN mechanism is useful for many apps in different fields

Even new services can be offered which were not possible before (e.g. contracts req sigs)

New functions such as “age verification” and “address verification”

Manageable integration effort

and more

 

How to offer Services with Support of the eID function?

Service Providers

  • have to apply for an authorization certificate at low costs
  • have to integrate an eID server at the local site or via a remote service offered …

IT Security Kit

By the end of 2011 more than 1 million card readers (conforming to the eCard-API specification) shall be available for German citizens to promote the use of eCards and their electronic functions

 

(this transcript might not be correct but any corrections are welcome)


EIC2010 – 5 Quick Wins to Leverage Your Existing Identity Infrastructure Through Convergence (Martin Kuppinger)


Why to look at Quick Win potential?

  • Pressure on IT budgets
  • Missing credibility of IT to deliver on IT projects – success has to be visible
  • Politics
  • Small steps are better to control

There might be a price to pay:

Pro: Less Risk, Smaller projects, smaller investments

Contra: Risk of strategic non-alignment (e.g. data leak protection via blocking USB keys: not really dealing with the problem but with the symptoms), Interfaces and Integration (complexity of a single system is high with a low number of provisioning systems; integration complexity is high with many systems, but the single system then is easy. Where to find the right point?)

1. Add Access Governance

  • Approach: Focus on attestation and recertification
  • Value: Improved Auditing, Risk Mitigation
  • Strategy: Full access, Governance, integrated Enterprise/IT GRC
  • Risk: Too IT-Focused

2. Add PAM (Privileged Access Management)

  • Approach: Deploy a PAM solution
  • Value: Risk Mitigation, Policy Compliance
  • Strategy: Beyond PAM to “integrated PAM”, PAM as part of “information security”
  • Risk: Non-integrated solution, point solution which leaves too many leaks

3. Virtualize Identities (virtual directory services)

  • Approach: Build a virtual identity infrastructure by deploying Virtual Directory Services
  • Value: Standardized Security, reduced cost (one API to program against), Risk Mitigation, Policy Compliance (esp. with German data protection laws)
  • Strategy: Next-gen AuthZ concepts (beyond RBAC to ABAC), Application Security Infrastructure (no hard-coded security anymore)
  • Risk: Acceptance

4. Re-use Strong Authentication by Introducing Versatility

  • Approach: Implement versatile authentication technology (I can plug in any auth system, also per use case)
  • Value: Re-use of expensive strong AuthN (purchase, operations – somebody has lost his token etc.), Risk Mitigation
  • Strategy: Standardized AuthN and AuthZ layers – AuthN/AuthZ strategy, physical/logical convergence
  • Risk: Politics (too many players), market maturity

5. Consider distributed approaches

  • Approach: Use more than one provisioning (you need more flexible systems. Not rip and replace but easier integration)
  • Value: Reduced complexity
  • Strategy: GRC as control and policy layer for multiple provisioning implementations
  • Risk: Integration, Consistent Policies

 

more Quick Wins:

  • Organizational Optimization (Focus on the defined break-point between IAM and system-level management. Ensure consistency of operational management)
  • Convergence (Data Governance and Access Governance, Physical and Logical, …)
  • Avoidance of Misinvestments (Build a strategy)

 

Discussion

Is it really easy to implement?

Depends on the alternatives, some stuff is relatively easy to implement as it sits on top. Of course it’s not plug and play.


EIC 2010: Kim Cameron on Minimal Disclosure


Federated Discovery meets Minimal Disclosure

Mortal enemies or soul mates?

Good and bad news: He has never spoken about this before.

 

Claims in the enterprise are a done deal!

Of course there are some details, e.g. how you deploy them etc. But in general it’s an irreversible process. We need to go across platforms and applications and enterprises (in the cloud).

The way we do this is via the claims metasystem.

The standards are widely accepted, there is a lot of interop testing, and all of the industry supports claims.

Microsoft ADFS 2.0 will be released tomorrow! Many deployments under way in private enterprises and government (will be part of Active Directory)

We can say that claims are being counted on as part of the infrastructure.

The next version of SharePoint has also moved on to a claims-based infrastructure. You do not need to define combinations of permissions and people. Instead you have a claim picker.

The power of claims will do the rest

Cloud and Claims

Clouds project claims into the forefront. You cannot do cloud without claims.

You cannot do this without federated directory though. Make it work across platforms and devices, across applications and between individual enterprises and the cloud.

We need a directory metasystem which works everywhere. We need a shared data model, protocols and so on.

For it to work at these different scales without administering each scale separately, it needs to be administered via policies.

We need simple APIs integrated with the developer platform

He does not want to say that we need a single API like LDAP, that was a mistake.

Federated interscalar directory

Use Case: Cell Phone to Enterprise Directory

All employees and their phone numbers available when phone is unlocked (but no other information). But we need selection and not the whole thing.

Peers, all reports and the management chain are available on the phone, including titles, relationship, phone and email. But it all needs to be synced, not only exported once!

Phone is aware of service access points for its owner’s services (e.g. location services, unified communication). So not only people.

 

Use Case: Departmental Directory to Enterprise Directory

Department directory kept up to date with information on employees

Authoritative within the department for Sales Contacts and automatically kept up to date through subscriptions to the contacts directory

Contact Phone numbers replicated to employee cell phones but disappear if phone is lost or employee leaves.

Use Case: Cell Phone to Cloud Directory

All my contacts – regardless of which social network we share – are available and stay up to date on my cell phone

I can create personal groups crossing enterprise and social networking boundaries which are available in unified communications, phone, mail, etc.

Use Case: Email running in the cloud

Use Case: Cloud based spam filter

They only want to outsource spam but not email. But for this usually you have to outsource all group memberships.

There is no need for that in case we have the right directory structure. Use federation at the minimal level!

Use Case: Merger and acquisition

Use Case: Change of role or identifier

I can change role or even identifier and retain access to previous resources if that is permitted by policy (eliminate the pain currently felt in moving from one domain to another)

Use case: Complex queries

Use the queries possible on databases but use them on directories

Use Case: New applications don’t threaten old ones

Use Case: Application Developer portability

Run an app either on cloud or locally, there should be no difference

Use Case: Every application developer can use the directory

We have a strange protocol right now which only 2000 people in the world understand. We need a more up-to-date approach to programming against the directory. We need applications which are able to run in multiple directories.

Federated directory requirements

New features and data models required!

Support for Relationships (e.g. NOT simply a hierarchy model)

They tried to create a new schema which all people in MS could agree on. No easy task.

He wants to show this schema to the industry and get feedback.

 

Evolving Active Directory

It will clamp on AD, it is not a replacement like ADFS does today

 

Implications on privacy and data protection

A person’s need to traverse contexts vs. a person’s need for “contextual separation”.

Is privacy a blocker for future directory development?

 

Minimal Disclosure Mechanism

Example: Alice wants to prove that she is over 21 but she does not want to give out more information.

With this system she can take that statement and “block out” all the other information in the token. She can also convert the dob into an age. This is sent to the RP which only gets this information.

 

Minimal Disclosure Scenarios

You disclose only what’s necessary for a transaction.

Example: I lost birth cert but have my eID card.

The RP can ask: Give me your name, DOB and address. In this case this is still minimal disclosure.

Another example: I am going to a dating site and want to know if somebody really is of the age they say.

Once again I am going to make a claim but do not give my name away at first. The information is just gender, >21 is true.

All other information is again cryptographically blocked from view for the RP.
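An added example, not from the talk, of the “block out” idea using salted hash commitments: the issuer signs only commitments, and Alice opens just the claims she chooses. Assumptions: the issuer pre-computes the derived over_21 claim (turning a DOB into an age on the holder's side needs zero-knowledge techniques not shown here), and an HMAC with a constructed key stands in for the issuer's signature.

```python
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"constructed-issuer-key"   # stand-in for the issuer's signing key


def _commit(name, value, salt):
    # The random salt stops the RP from guessing hidden values by hashing candidates.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def _sign(digests):
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()


def issue(claims: dict) -> dict:
    """Issuer: commit to every claim with a fresh salt and sign only the commitments."""
    salts = {name: secrets.token_hex(16) for name in claims}
    digests = sorted(_commit(n, v, salts[n]) for n, v in claims.items())
    return {"digests": digests, "sig": _sign(digests), "claims": claims, "salts": salts}


def present(token: dict, reveal: set) -> dict:
    """Holder: forward the signed commitments, open only the selected claims."""
    opened = [[token["salts"][n], n, token["claims"][n]] for n in sorted(reveal)]
    return {"digests": token["digests"], "sig": token["sig"], "disclosed": opened}


def verify(presentation: dict) -> dict:
    """RP: check the issuer's signature, then accept only claims that were committed to."""
    if not hmac.compare_digest(_sign(presentation["digests"]), presentation["sig"]):
        raise ValueError("issuer signature invalid")
    accepted = {}
    for salt, name, value in presentation["disclosed"]:
        if _commit(name, value, salt) not in presentation["digests"]:
            raise ValueError(f"claim {name!r} was not issued with this value")
        accepted[name] = value
    return accepted


def alice_proves_age() -> dict:
    token = issue({"name": "Alice Example", "date_of_birth": "1988-03-02",
                   "gender": "female", "over_21": True})      # constructed claims
    return verify(present(token, {"gender", "over_21"}))


if __name__ == "__main__":
    print(alice_proves_age())
```

Every RP sees the same commitments, so presentations of one token can be linked to each other even though the hidden values stay hidden.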

 

What protection mechanisms can be used by Federated Directory?

We need to institute the right to be forgotten.

How can the requirements be enforced? Only legally.

Call to action: Begin discussion on what the next generation data model can look like and whether it is something which can be standardized.

Question: Is this a replacement of LDAP?

Answer: Time goes on but LDAP will also not go away. Infrastructure we have stays. As he explained it might be the underlying technology.

(this transcript might not be correct, any corrections are welcome!)
