Visit this page in your browser 

Like Bing’s great multimedia search?  Did you know other companies are innovating in the multimedia search space?

Today Photobucket announced their own way to push the boundaries of visual search. They combined a killer user experience (based on Silverlight) with one of the most popular sharing behaviors on the web – instant messaging.

 Try it now at http://photobucket.com/visualsearch

Consumers are able to easily share pictures they find via Photobucket with their friends on Windows Live Messenger no matter where they are signed in (Messenger on Windows, Mac, or Mobile devices).

The Windows Live Messenger Web Toolkit UI Controls provides a skinable and flexible way to interact with the 320+ million people who use Windows Live Messenger monthly. The UI controls can be easily integrated (see Interactive SDK) in web sites and makes a lot of the heavy lifting (coding JavaScript) only required if you want a fully custom experience.

<msgr:contact-list word-wheel-enabled="true" sort-mode="status" hide-offline-contacts="true"></msgr:contact-list>

Sharing via Instant Messaging

Lots of web sites today allow sharing via activity streams/feeds, recently I did some analysis into the differences between sharing via Streams and sharing via instant messaging. Check it out.

Below are screens of the experience from consent to sharing

Sharing a photo with my friends

The friend I shared it with gets this experience

Getting people to your website is critical (D’uh!). New people. Old people. A constant flow of sharing and content discovery is required to succeed. Recently I’ve been thinking a lot about two complementary user acquisition/engagement techniques: sharing via the stream (passive) and instant messaging (active) (I don’t cover email which is another huge topic).

Which one has the biggest impact on your web site? In this post I review the typical relationships between people and drill into each of these flavors as ways to generate qualified referrals.

An example of where these could be used together is MapMyRun: when I complete a run I like to get my time etc. posted into my twitter so all my followers can see. I usually also send an instant message to my friends who run and talk about the course, time and perhaps organize a run. This drives awareness for MapMyRun and allows people to click through to see the details.

Caring about sharing is good business

User generated actions which are syndicated to other sites/services can have a big impact on user acquisition and engagement. By allowing users on one site to share their actions with another service, the reach of people who see (awareness) and take interest (acquisition) is increased.

Ego powered friending frenzies don’t encourage influence

The better you know someone, the more likely you are to do what they suggest. When it comes to sharing content/actions online with other people, the sharer is asking the recipient(s) to do something (usually click through to see the detail).

As a result, some services encourage ego powered friending frenzies. The result is very loose relationships between people you barely know, don’t really care about, and who haven’t earned your trust. If these one of these pseudo friends asks you to do something you take it with a grain of salt.

My experience is: the friends I form relationships with in many different contexts make me behave differently. For example a friend I instant message with is different to someone I’ve friended in a social network, which is different to someone who’s commented on my blog etc.

If you are a celebrity and you have a TON of followers, writing something to your stream is very powerful. If you aren’t Ashton but have a ridiculous number of friends, do they care about your entries or are they noise?

Call me anytime, I actually know you

The people who connect with my over instant messaging are generally less in number and long time friends, not just acquaintances (in most cases, not all). Allowing a person to see when I’m online/offline and giving them the ability to get my attention anytime is convenient, but more importantly it means I trust them.

As a result, the behaviors that happen over instant messaging are generally self-regulating. If I always send a message to someone and they never respond, I’m likely to stop. If I send a message to someone and they’re always engaged (click through etc.) I’m likely to do it more often. Where there is a will there is a way, abuse is something you need to deal with: don’t be afraid to ignore (like screening a call) or block if required.

Floating down the stream (passive)

Most web sites which have a desire for viral user acquisition have the ability to publish to a stream. This piece of content is then made visible to the large number of people that I’m friends with (or are following me) in other experiences on the site, or in experiences managed by other services. Writing to the stream is an untargeted shotgun style broadcast.

When something is written to a stream it allows many people to see the content in an ambient manner. For people to connect with the content, they need to be in the right place at the right time and have strong filtering skills to separate the wheat from the chaff.

It’s temporal. Streams constantly move, when I wake up in the morning I scroll back a few hours in my stream to see what’s happening, I don’t rewind the actions back to the last thing I viewed.

A benefit of writing something to the stream is that the content is archived. If the stream is searchable it’s easy to see trends and find historical information. If I respect someone a lot and think they share great content I can easily view the things they’ve been doing in one place.

Sharing via instant messaging (active)

When I find something interesting I think one of my friends would care about, I usually have a friend (or a small) group of people in mind. Instant gratification comes with my Generation Y’ness – I share something with the people I know is available and cared about it to discuss with me.

This type of interaction can be delivered via instant messaging.

• Who is online right now? (presence)
• Are they likely to respond? (my knowledge)
• Sending them the link
• Sending some commentary and discussing

When you receive an instant message because of the deeper relationship between the participants the natural behavior is to respond. If for some reason you don’t want to respond you can always “screen” the conversation (similar to a phone call from someone you are avoiding).

Make the discussion real-time, natural and persisted

The conversations I have in instant messenger related to content are verbose and often lead down many different paths. With the caveat of being clearly made aware of what is happening: imagine being able to capture these rich real-time discussions and store them with the original content. The content of the discussions could be searched and read by others. Friend-feed is part of the way there in terms of real-time conversations, but the interaction is somewhat unnatural for the hundreds of millions of people who have instant messaging applications on their computers.

Summary

Sharing content is a weapon in the battle for user attention. There are many different ways of sharing content, all are complementary.

• Publishing to a stream/feed allows me to share this with many of my friends/acquaintances on another service but is untargeted and facilitates ambient discovery of content.
• Sending content via instant messenger is very focused to people who I believe will care about the content and facilitates active discovery of content.

If you want to plug into the largest IM network in the world, check out the Windows Live Messenger Web Toolkit (interactive SDK) and watch this space for real world implementations.

There is a weird mix of pros and cons when it comes to requiring pre-registration of API keys (where you go to a developer portal and identify yourself, agree to terms of service, etc).

Ever since Joseph Smarr and co. laid out the tangible dream of Portable Contacts: “you should be able to walk up to any web site, and tell them where your contacts are stored, and they should just go and fetch them” I’ve been wondering exactly how this will be achieved in reality when most service providers require pre-registration for their use of APIs.

A great solution requires good technology and workable business/compliance terms.

After a person responds to the question: Where are your contacts? with www.randomsocialnetwork.com the API and delegation endpoints are discovered using XRDS-Simple. This is very cool, the service provider can move the endpoints around and it won’t break relying parties.

With the ability for relying parties to dynamically discover new service providers, this makes it near impossible to require pre-registration of API keys/consumer keys.

At the Internet Identity Workshop #8 this week I proposed a session unconference style (by sticking a piece of paper to the wall) and to my surprise a big group of awesome people showed up. Representatives from big companies (Microsoft, Google, Yahoo!, MySpace and Facebook) and other smaller companies were there.

In the session we talked through the problem and talked through 3 scenarios for further investigation:

1. 4th parties and widgets (e.g. JS-Kit, DISQUS) – a developer needs to configure the widget with API keys. The developer is present at the keyboard.
2. Unattended registration with services – an end-user essentially introduces the third party to the service and no developer is “present at the keyboard”
3. Data rights – when consuming data from any third party you need to know what is allowed with that data to in compliance with their terms of service.

Below is the notes from the session with some additional commentary/notes

We broke the session down into the following sections:

1. What are the benefits of pre-registration
2. What is the current pain
3. Who is already looking at automatic registration of API keys
4. What are the solutions
5. How will this be abused
6. Moving forward

What are the benefits of pre-registration?

There are many reasons for the service provider why pre-registration is great. I break these down into 3 areas: protecting the business, protecting against evil and providing value added services

Protecting the business : Accountability / Business Model

When a developer calls an API there is a certain level of accountability which the developer needs to agree to. This is usually done via Terms of Service acceptance and providing contact details.

I am not a lawyer, but as far as I can tell, most companies require an explicit developer action (E.g. clicking a tick box) to show agreement with the terms of service.

The service provider needs to have contact details for the developer to reach out to them. This could be things such as notifying customers of API updates, notifying of updates or even capacity planning (and removing throttling upper limits). In my opinion, using the tech-support contact information on the domain is unreasonable.

Protecting from evil: Reducing Abuse / Spammers

Opening any type of resource for programmatic access opens the door for abuse. By requiring developers to go through a manual step (and perhaps even completing a CAPTCHA/Human Interactive Proof) this drastically reduces the ability for nefarious actors to create hundreds (or thousands) of evil sites which “fly below the radar” of normal abuse detection.

This abuse could range from spamming to business model bypassing.

Providing value added services (different strokes for different folks)

Not everyone who calls API needs to be treated the same. Once you know a developer is a real person (i.e. not a bot) a smoother user interface (less warnings) may be presented to end users; access to additional “offers” / pieces of functionality can be accessed.

Providing analytics back to the developer on the number of end users who have granted permission to your application, or combining that with anonymous demographics on the audience can be invaluable to developers.

What is the pain being felt today?

Pain is relative.

Starting with the customer (end-user), the pain is: I want to be able to get to my data no matter where it is, even if the two services don’t have a pre-existing relationship.

For the developer pre-registration is sometimes challenging because:

• Development/QA/Production environments often require different API keys, and managing the deployment process is often difficult.
• If your service consumes data from 10 address book services, 5 photo storage services, 3 status services this is time consuming to onboard each different website (this requires a big assumption that protocols are standardized and the code is reusable for each type of service).
• For 4th party scenarios, the developers are often forced into the API key equivalent of the Password Anti-Pattern, where API keys are often copied and pasted into a third party service.
• The identities which are used for API key registration are essentially “service accounts” but are often just the developer’s real production account.
• Proving you own the domain by putting something in the root of the domain is challenging.
• Developing behind the firewall and creating “fake” fully qualified domain names reduces developer productivity.
• The barrier to entry for developers who just want to “kick the tires” is higher.

For services (which expose APIs):

• Getting wide spread usage of APIs can be limited due to the requirement for manual provisioning.

Who is already looking at automatic registration of API keys

No one today has the perfect solution.

Facebook are the closest for the 4th party scenario. Luke Shepard outlines the scenario where a developer is configuring a 4th party service/widget and pop’s a new window to Facebook (using their real identity) and the API keys are emitted to the screen. The developer then copies and pastes the keys back into the 4th party.

Ari Steinberg from Facebook talked about an interesting concept where all of these “programmatically created API Keys/App IDs” are grouped under a parent application ID. The scenario he outlined was there are some apps which allow you to create quizzes. The users may just want to block all quizzes from the same “manufacturer” even though they have different API keys.

Apparently there are a few other solutions which are somewhat close to working but we didn’t drill deep into them;

• OAuth discovery draft 1 apparently had provisions for similar functionality but this was removed from later drafts.
• Open ID / OAuth hybrid had some similar functionality

Google has a few solutions for non-provisioned OAuth : anonymous/anonymous which allowed for developers to use the APIs without pre-registration and was keyed off the domain.

What are the solutions discussed

Beyond what Facebook already has (which was agreed as the most promising for the 4th party scenario) we discussed a few more things to be investigated when provisioning is required.

The notion of providing a lightweight unprotected function (API) which requests pre-defined information (domain, email address, etc.) and returns an API key seemed like the most straight forward approach.

Interestingly, the bulk of talk about solutions was to provide a tiered approach for developers. Where if you have not been provisioned the user experience has more disclaimers and the number of calls to the API could be throttled until the developer “claims” the application. Perhaps this could be done by emailing the developer an “upsell” and they go to a web site to claim their application, or prove ownership of the domain.

Chris Messina had a really interesting point of view: instead of locking down the system, you have liberal access and when some type of abuse occurs the system could be self healing. e.g. an app deletes all of a user’s data, the user can log in and click rollback.

Aside from the technical work of “how do API keys get provisioned” the overall business issue of machine readable terms of services is a big complex problem. The position I asserted is this work should be driven by the DataPortability working group and some other people mentioned www.sciencecommons.org and www.opendefinition.org.

The outcomes/moving forward

For the 3 problem spaces the following plans set:

1. 4th parties and widgets
   • Setup and email thread with Facebook / Google and Plaxo to diff on this more
   • Monitor Facebook’s progress as they are close to having a solution and provide feedback
   • Enumerate all of the use cases and post to a wiki/blog
2. Unattended registration with services
   • Plaxo will drive this with Google (Eric Sachs) as the main requirement is coming from Portable Contacts.
   • Enumerate all of the use cases and post to a wiki/blog
3. Data rights
• The Data Portability group should keep on working on this.

I’m currently in Denver at GlueCon and I needed to dial into my team meeting where most people are in Seattle, and Jared is in Hamburg – being able to read body language etc. is super important.

When someone else starts talking the camera auto switches.

I love this stuff!

If you want to know how to integrate Windows Live Messenger into your web app to access over 325M+ users, and you can be in San Francisco on May 27th, register for our Hackathon.

To learn more about the Messenger Web Toolkit see dev.live.com/messenger or blogs.msdn.com/messenger.

Also – try our interactive SDK for the Messenger Web Toolkit.

A couple of weeks ago we shipped an update to Windows Live which made it possible for people to share the things they do around the web with the people they know in Windows Live (including Messenger and Hotmail).

Here are some of the sites you can add:

Check out this video I made showing the new features.

Eran Hammer-Lahav just posed about Twitter’s new “Sign in with Twitter” (documentation) functionality which is powered by OAuth (not Open ID).

It is quite a neat solution, you can both authenticate into a site and grant them permission for them to party on your twitter account

If you are interested in OAuth or Open ID (or the OAuth+OpenID Hybrid) read the post and check out the comments.

Someone tried this with Windows Live ID Del Auth

This reminded me of when I recently saw a customer using the Windows Live ID Delegated Authentication SDK to capture a address book, user’s profile and a static identifier for the user.

It was interesting because they chose to use DelAuth instead of Live ID Web Auth for the authentication mechanism. This meant that instead of using the unique user id (per application) the site was using the CID/LID which is a public identifier for the user (not their Live ID) – the customer had used DelAuth for something we never intended it would be used for.

Moreover, the user experience was a little funky:

• When a user lands on consent.live.com they are granting permission for an application to access their data. We think this is a pretty serious action. Currently DelAuth requires that you have entered your password in the last 15 minutes (i.e. you can’t use cached credentials via the Sign In Assistant which is installed on hundreds of millions of PCs).  This meant you couldn’t be silently or one click signed in.
• DelAuth cannot be co branded (Web Authentication can be). By customization I mean the relying party’s colors/logos etc. (similar to the www.xbox.com sign in).

What does the Sign In with Twitter look like

Below are screenshots of signing in with Twitter (they offer both traditional forms based auth and signing in with Twitter via OAuth).

I authenticated to twitter about an hour ago and got this screen (2nd is if I'm not authenticated)

And after I am in I see my picture, name and actions i can do.

Difference between Twitter’s OAuth implementation and Windows Live ID Delegated Auth

You may notice a difference here between the twitter consent screen and Microsoft’s consent screen:

• When using DelAuth from Microsoft the third party is required to provide a privacy statement
• we provide the choice of duration of delegation
• on a per offer basis we may provide per item ACL’ing of which items are shared
• a link to the screen where users can revoke permissions from apps

Luke Shepard posted about avoiding Open ID Nascar and detecting the user’s provider.

I was pitching something like to Luke, Wei and Joseph Smarr at the Open ID UX summit (without all the Open ID details).

I think there are going to be about 10 providers which people actually want to sign in with; but you can't show 10 choices.

Sniff out the ones the user has ever signed into via a JSON request or an image size hack.

Then you could also surface the "why use this provider" in an iframe (i.e. if you are visiting the WSJ and it shows):

• You are a user of Facebook (3 of your friends are on the site, post stuff to your wall)
• you are a user of MySpace (0 of your friends are on the site)
• you are a user of LinkedIn (12 friends are on the site, share stuff with your professional network)
• You can click to show way more places of where your stuff is stored.

You think this is interesting?: should i document it a bit more?

Lets say you have 1 computer with 1 screen. You watch a ton of video content (like 24 on Hulu). You like to watch full screen but don't want to miss IM conversations or other stuff. Why not integrate the IM straight into the video player with a subtle glow. That is what Ed from SharpLogic has done.

---

Ed at SharpLogic is one of my heroes. He is a pleasure to work with and always goes the extra mile (debugging stuff at 4AM with you over email or IM!).

Chris (a PM for the Windows Live Messenger Web Toolkit) convinced Ed to write a guest post about how he built his rocking video/event system with IM capabilities.

Check out the post here and their site here.

Snipped from the post:

We’ve actually done this with Boost Events, a SharpLogic venture. Boost Events is a set of software and services designed to deliver great experiences for conferences. Our Silverlight UI integrates Windows Live Messenger so users can collaborate via IM while watching sessions, as well as being able to recommend sessions to each other.

In the screenshots below, two users have logged into Messenger from http://events.boostweb20.com/Events/MIX09. To recommend a session to another user, the first user drags that session’s tile onto an IM conversation. The recommendation is serialized and sent over the Messenger channel as an “application message”, which is deserialized and treated specially by the application to expose its own functionality. Messenger provides the underlying channel for messages, so there is no impact on our servers. Application messages are treated like other messages in the system, except that they’re not surfaced as text IMs since they’re intended to be transparent to all clients except those that expect them.

TechCrunch just posted about a neat implementation by Fluid for using the Facebook network as an IM backend (I wasn’t aware of an IM API from Facebook).

Its a cool scenario, and it highlights one of the scenarios enabled by the Windows Live Messenger Web Toolkit we recently announced.

The one big difference I see is, even when Windows Live Messenger users aren’t on a web site they can be reached. The intersection of your friends who are on a specific website (I.e. Facebook) to chat with is always going to be low.

Luckily the Windows Live Messenger is installed on hundreds of millions of desktops, mobile devices, etc. so people can be reached anywhere.

Ever wonder what people are doing when they aren’t on your website? That’s right, they are in Windows Live Messenger.

Check out the Channel9 Interview with KeijiK where he outlines how you can plug into an audience of 320 million+ people in a unique way – via the Windows Live Messenger Web Toolkit.

Hey, Angus Logan here, I'm at Web 2.0 Expo in San Francisco - there is a great vibe and lots of action. I've been spending time with and learning a ton from some of the open stack crew, Joseph Smarr, David Recordon, and Chris Messina. We've been talking about the technology, adoption, and when Microsoft (we) will roll our preview Open ID and Portable Contacts endpoints into production (nothing to announce right now).

Microsoft is a proponent of open standards through our work in the Open ID foundation and the Open Web Foundation. As these open specifications continue to mature, services such as RPX are great because they provide a stepping stone for developers.

I’m excited to see the announcement that RPX now consumes Windows Live IDs.

RPX delivers both user experience for identity provider selection and a translation layer between many proprietary and standardized protocols used by identity/resource providers.

End-users can spend their time in so many places on the web. The battle for attention is harder than ever. The downside of having limitless choice is the tax of signing in and telling websites about yourself. RPX makes it possible to sign in using one of the many identities a person already has - this includes authentication and profile information (first name, last name, etc.)

Web site owners just need to go to www.rpxnow.com and create an account. As end user data is being shared you need to create a Windows Live App ID and you tell RPX the details of your app ID and specify a privacy statement. You can also use the authentication page co-branding to make the experience somewhat smoother for your end-users. After this you implement some UI on your website, and you should see higher end-user satisfaction and conversion for signing in and profile information.

The Live Services APIs used are Windows Live ID Web Authentication and the Windows Live Contact API. Web Authentication is one of the options third parties have for becoming a relying party of the Windows Live ID identity provider/Microsoft federation gateway. It is built using standard web technologies and techniques such as browser based redirects/form posts.  The Windows Live Contact API in this case is being used as a profile API as it exposes the "owner record" of the Windows Live user. To gain permission to the profile & address book Windows Live ID Delegated Authentication (DelAuth) was used. DelAuth provides a few unique controls for users to select certain objects to be shared, and the duration of the access.

Below are some screenshots from www.ladygaga.com which uses RPX:

(Windows Live ID, sign in and delegation stuff you've all seen before)

One of the pieces of feedback we got from the launch of the Web Bar was “give me some pre-defined themes so I can make the end-user experience smooth”.

Steve Gordon the development lead on the Web Toolkit heard you and has posted a few basic themes and explained how you can build them yourself.

Since the Web Bar and all of the UI Controls are constructed using HTML and CSS, web sites have complete control over how the controls appear to the user. With this flexibility, there is a wide range of customizations that a web site can do, ranging from simply changing the font color, to providing a completely custom experience akin to some of the creations you might find on the CSS Zen Garden.

Check out his post.

We had a whopping 8 sessions about identity/safety, messaging and the Live Framework at MIX - below are links to all of the sessions about Live Services which you can view online.

Overview of Sessions

Messaging / Presence : On Wednesday we announced the Windows Live Messenger Web Toolkit which is a set of controls and libraries that enable you to connect Windows Live Messenger users and their friends with users of your Web site.

• Keiji Kanazawa gave an overview of the Windows Live Messenger Web Toolkit
• Chris Parker showed 5 of the top scenarios we identified for a site to become more social & sticky being enabled via the Windows Live Messenger Web Toolkit.
• Angus’s pick! Jordan Snyder from Effective UI shared her experiences in integrating the Windows Live Messenger Web Toolkit into a slick Silverlight application for a major photo sharing website (more news coming soon.)

Identity & Safety : Microsoft are in a unique position to be running one of the largest services in the world, with over 500 million people signing in every month.

• Jorgen Thelin gave an overview of the different aspects of the Live Identity Service and how we are making it available for web developers, companies which sell solutions and also organizations which want to adopt cloud services.
• Angus’s favorite :: John Scarrow talks about the things you need to think about when running a massive high scale service in terms of people abusing your service. “the terrorists are no longer in their camps in the desert, they are moving into apartment buildings (i.e. your website)”

Live Framework – we unveiled the Live Framework at PDC and have been working away taking feedback, hardening and evolving it.

• Ori Amiga gave an overview of the Live Framework all up
• Arash Ghanaie-Sichanie went deep on what meshifying a web app really means
• Angus’s pick! Gregory Renard from Wygwam had the most fun session and showed a great new tool the Live Framework Explorer for Visual Studio.

Full list of sessions with links

Identity & Safety

Protecting Online Identities

Learn how Microsoft provides a range of identity solutions for helping developers more easily build seamless user experiences that include Federation, Authentication, UX Customization, Open Standards, Open ID and more.