Web without accounts

In Articles, Development, by Krzysztof Rusnarczyk

Do you really know how many accounts you have and do you care about this? We're using many online platforms, e-commerce websites, social media services. Most of them have accounts, but are they always necessary?

As I'm growing older I'm becoming more and more conscious of privacy. Who has my data? Who uses it and how? Do online platforms share or sell my private information? If yes, with whom?

Do you know how many accounts you have?

We've heard a lot about bad practices in top companies and how they illegally share data without our knowledge. That's why I've recently started thinking about all the accounts I have and tried to list them. It turned out I have more than 90 accounts and these are the ones I remember. This made me very reserved about creating an account before starting to use any company services.

But do we really need so many accounts? In my opinion the answer is no. There are many online services and many e-commerce websites that don't need accounts at all, yet they still force us to create one. I love websites that understand that accounts are not an obligation and offer me an option to buy or view content without registering. They understand that there are casual users and heavy users.

Ironically, when a website lets me do things without registering, it's more likely that I'll use it later, maybe start using it regularly and become a heavy user. We don't need an account for every single operation. At least let me try before forcing me to register.

Why do websites force us to make accounts? The answer is simple. They want our data to make more money. They want to send us newsletters and advertisements. They want to know our behaviours so that they offer us more precise products, ads and content. They want to communicate with us. Some of us may like it. Some not. The problem here is that you cannot know if someday in the future your private data will be used for wrong purposes or will leak.

The current model

From the very beginning accounts have been our identification, our gate to data that we created, chose, liked or managed. This is very obvious and seems natural.

[Diagram: diag_1.png]

This is how it looks right now. The account is your representation. If you authenticate, the website knows who you are and shows the data that is connected to your account in the database via foreign keys.

Privacy in the current model

In the current model all the data you create when using and viewing a website stays in the website's database. The website owner has access to everything and knows all of your behaviours. The company can use it any way it wants. Neither you nor the institutions that protect the law know the database structure or what data is collected in the company's database.

New model

I think it's time to shake things up a little. I think it's time for a new account model. Look at the diagram below.

[Diagram: diag_2.png]

This is what I want, but for some time I didn't know how to achieve it. This model is pretty much just viewing the website without an account, but with the ability to store our data, our favourites, our choices. Of course all of the data cannot be stored on the server. I think you know where I'm going with this. ;)

Yes. Let the browser be your face. Let the browser store your data. Let it be your identification. This way the website doesn't know any of your personal information. Owners may lose some data they use for marketing, but they gain your trust (as far as I know it's also a very important factor in marketing ;)). In my model you're the owner of all the data you created. From my point of view this is a very fair perspective.

Below I present a few main points of my proposal (remember that it's just a concept):

  1. The website database doesn't have any accounts.
  2. There are also no foreign keys pointing to the owner of the data created.
  3. Data in the database is loose. You cannot know the creator. So even when someone steals the data, it doesn't contain any personal information.
  4. The IDs of all records created by an anonymous user are stored locally in their browser. The storage type is the developer's decision (localStorage, IndexedDB).
  5. Data stored in the browser is encrypted. Only the server knows how to decrypt it. The technology used to encrypt is the developer's decision. The more advanced the better.
  6. You can create authorization mechanisms that will decrypt local data; we cannot forget that a browser can be used by many users. The mechanism can be hybrid (server+local) or just local.
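
One way points 1 to 5 could fit together, as an added example that is not the author's code: a Node.js server seals the list of record IDs with AES-256-GCM under a key only it holds, and the browser keeps the resulting blob. The names `seal`, `open`, `createRecord`, `listRecords`, `browserStorage` and the `myData` key are assumptions, and a `Map` stands in for both the database and localStorage.

```javascript
const crypto = require('node:crypto');

// Assumption: one AES-256 key that never leaves the server (point 5).
const SERVER_KEY = crypto.randomBytes(32);
// Server database: id -> data. No accounts table, no owner column (points 1-3).
const records = new Map();

// Encrypt a list of record ids into an opaque, tamper-evident blob.
function seal(ids) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', SERVER_KEY, iv);
  const ct = Buffer.concat([c.update(JSON.stringify(ids), 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

// Decrypt a blob: [] when the browser has none yet, null when it was altered.
function open(blob) {
  if (!blob) return [];
  try {
    const raw = Buffer.from(blob, 'base64');
    const d = crypto.createDecipheriv('aes-256-gcm', SERVER_KEY, raw.subarray(0, 12));
    d.setAuthTag(raw.subarray(12, 28));
    const pt = Buffer.concat([d.update(raw.subarray(28)), d.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch {
    return null;
  }
}

// Server endpoint: store an ownerless record, hand back the updated blob.
function createRecord(blob, data) {
  const ids = open(blob);
  if (ids === null) throw new Error('blob rejected');
  const id = crypto.randomUUID();
  records.set(id, data);
  return seal([...ids, id]);
}

// Server endpoint: return only the records named in the caller's blob.
function listRecords(blob) {
  const ids = open(blob);
  return ids === null ? null : ids.filter((id) => records.has(id)).map((id) => records.get(id));
}

// Browser side (point 4): a Map stands in for localStorage; sample data is constructed.
const browserStorage = new Map();
for (const fav of ['article-17', 'article-42']) {
  browserStorage.set('myData', createRecord(browserStorage.get('myData'), { fav }));
}
```

The blob works as a bearer capability: whoever holds a copy can read those records, and a browser that loses it cannot be matched to them again. The server also sees the decrypted ID list while handling a request, so the scheme keeps ownership out of the stored data, not out of the server's view.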

These are the first and main points I created. It still needs some R&D work, but it's already possible to implement. Feel free to tweak it and share it with others.

Problems I see right now

The model is not perfect. There are some restrictions and problems I already see:

  1. Clearing browser data will remove everything. You'll lose the connection to everything you created.
  2. Authentication mechanisms that work only locally may be bypassed. Generating and checking hash keys works better on the server.
  3. Browser storage is limited.
  4. The model works only for websites that do not present data in the context of its owner.
  5. The model won't work for websites that need actual authentication to authorize access to specific views or actions.

But it's private. ;)

It's still a matter of trust

Even if a company implements the model, it still may be just a marketing move. Let's say someone implements the model and brags about it. Can we trust it? Well, not really. It may still collect private data and not even inform us about it. Until the mentality changes, nothing will change.

That's where free software and open source come in handy. If the code is publicly available we can be sure that the website doesn't collect data. So FLOSS + the model I'm proposing here is an ideal situation.

Let me know what you think about the new account model I'm proposing here. Feel free to share it, expand it and build upon it. Cheers!

Article published under the CC BY-SA license.