Why atprotocol?

Posted 2024-07-17 09:00 ‐ 8 min read

Several years ago, I started building an event system on top of ActivityPub[1]. Ultimately, that project never matured and went into the elephant graveyard of abandoned GitHub projects. By then, I had contributed to Mastodon[2], created an ActivityPub server implementation[3], and been involved in protocol discussions. I felt very comfortable with the protocol and was optimistic about its future.

When Bluesky came along, I was intrigued. The ActivityPub[4], Activity Streams[5], and Activity Streams Vocabulary[5] specs demonstrate a flexible and dynamic protocol. Applications like Pixelfed have documented mature additions[7], allowing applications to use what they know and ignore what they don't when extending the spec. With JSON-LD, mixing and matching objects and attributes and making your own is relatively easy.

Where I have been burned is data portability.

At the end of the day, when you sign up for Mastodon and start posting, your content lives on the server you signed up with. That server generates cryptographic keys used to sign your content. The privacy model is also enforced using that same cryptography. You know that you can trust an incoming request enough to give it your "private" content because it is signed with the key of a user to whom you've explicitly given permission and with whom you've established trust.

If you want to migrate to another server, there is a process for it[6]. Unfortunately, the process is a shallow copy with significant caveats. First, you create a new account with new keys on the destination server, export content from the old server if your old ActivityPub server implements it, and then import content into the new server if your new ActivityPub server implements it.

There are a lot of things that can happen along the way:

  • You may be trying to salvage your account from an offline server. In this case, everything you had is effectively lost, as the server is the source of truth. Any account reconstruction would be from sources that may not be trustworthy.

  • You may be trying to migrate your account from a server that is now hostile. For various reasons, some good and some not, the server has locked you out, and your data is being held hostage. Without the server facilitating the migration process, you're stuck.

  • You may be trying to migrate between servers that can't translate the data correctly. If the destination server is older, newer, or has different extensions than the origin server, content may not export and import correctly, leaving you partially migrated.

Those are all very real scenarios. Anyone who has spent considerable time on the internet has encountered them in some form or fashion. The one that sticks out the most and is the motivation for Smoke Signal is the website Upcoming, but it isn't alone in contributing to the problem.

Upcoming.org

Almost twenty years ago, I worked at Yahoo in the "social search" group, primarily on del.icio.us. I regularly used Upcoming to find events and participate in communities. In 2013-ish, that changed when Yahoo decided to shut it down.

Several years later, in 2017, it was brought back to life with the hope that it would have an archive of old content. Money was raised and work inspired, but the excitement faded, and updates became fewer and further apart.

The last major update was on June 19th, 2023, to fix issues with sign-in because it was directly tied to Twitter.

What were the lessons learned?

  1. Websites come and go. Sometimes, you see it coming; other times, you don't. You don't always have time to act.

  2. The community invested considerable time, effort, and energy, so much so that years later, a non-trivial amount of money was raised to find a way to provide an archive.

  3. Locking authentication to one vendor, specifically Twitter, was a good idea at the time, but see rule 1. Twitter, as it was, is effectively dead and is now hostile to an open web.

Meetup

Another web 2.0 story is Meetup. Meetup started as a way to create communities, emphasizing group events. In 2017, WeWork acquired Meetup. There are a lot of really good articles about WeWork, and I encourage readers to look for them. Ultimately, the purchase of meetup.com by WeWork was devastating to its communities, and their business decisions drove people away.

Earlier this year, meetup.com was purchased by Bending Spoons. That same company purchased Evernote back in 2002. I think both of them have suffered from the corporate product death cycle for a while, and I'm hoping that the new owners bring them back to their roots and establish strong communities again.

What were the lessons learned?

  1. Websites come and go. Sometimes, you're too close to it to recognize the slow decline and death of a product.

  2. The product is only a part of creating and sustaining communities, but communities are essential to products.

Facebook

I can't count on one hand the number of people who keep their Facebook accounts active because "I use it for events." As an organizer and community leader, I find Facebook essential for bringing awareness to regular and ad hoc events. It was the number one source of new people to our events, only second to meetup.com. This was true back in 2018, and it's still true in 2024.

Everyone knows that on Facebook, you are the product. Your data and identity are commodities that they are making money off of. The Facebook platform and adjacent products are major sources of stress and unwellness[7].

Yet, people feel that they can't leave because the platform is seen as essential to the health and success of their communities and circles. Meta has invested huge amounts of money into creating a walled garden that holds you, your data, and your communities captive.

What are the lessons learned?

  1. Platforms and ecosystems that prevent you from leaving have good marketing and bad intentions.

  2. The cost of leaving systems is manipulated to be prohibitively high.

Conclusion

It all boils down to data portability. The Atprotocol spec documents identity[8] and data[9] portability, and the open source reference implementations demonstrate its power and usefulness.

Smoke Signal exists because of all of those lessons learned:

  1. You own your identity. You sign in with your handle that resolves to whatever PDS you use. The underlying DID that your handle resolves to is the source of truth for your identity. If you want to move your DID from one PDS to another, you can. If you want to use a custom domain to change the display name, you can do so.

  2. Your PDS is the source of truth of your data. Smoke Signal is an Application[10] that interacts with your PDS on your behalf with the authentication that you provide to create and manage events and RSVPs. If Smoke Signal ever shuts down, changes ownership, or becomes a place you don't want to be associated with, you can stop using it without losing everything you and your community have created.

  3. If you move and migrate your data, the same data can be verified cryptographically in the new place because of how atprotocol implementations sign identities and content. The underlying distributed identity and event didn't change; only the application used to view them did.
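
The handle to DID to PDS resolution described in items 1 and 2, as an added example that is not code from Smoke Signal or the atprotocol reference implementations. The dicts stand in for the handle lookup and the DID document lookup; the handle, DID, and PDS URLs are constructed, and the function names are hypothetical.

```python
# Added example: dicts stand in for handle lookups and DID document resolution.
DID = "did:plc:aaaaaaaaaaaaaaaaaaaaaaaa"  # constructed placeholder, not a real DID

def make_doc(did, handle, pds_url):
    """Build a minimal atproto-style DID document (constructed sample data)."""
    return {
        "id": did,
        "alsoKnownAs": [f"at://{handle}"],
        "service": [{"id": "#atproto_pds",
                     "type": "AtprotoPersonalDataServer",
                     "serviceEndpoint": pds_url}],
    }

def pds_endpoint(doc):
    """Return the PDS URL named in the DID document, or None if absent."""
    for svc in doc.get("service", []):
        if (svc.get("id", "").endswith("#atproto_pds")
                and svc.get("type") == "AtprotoPersonalDataServer"):
            return svc.get("serviceEndpoint")
    return None

def resolve_identity(handle, handle_records, did_docs):
    """Resolve handle -> DID -> PDS; the DID document must claim the handle back."""
    handle = handle.lower()
    did = handle_records.get(handle)
    if did is None:
        raise LookupError(f"handle {handle!r} does not resolve to a DID")
    doc = did_docs.get(did)
    if doc is None or doc.get("id") != did:
        raise LookupError(f"no DID document for {did}")
    claimed = {aka.lower() for aka in doc.get("alsoKnownAs", [])}
    if f"at://{handle}" not in claimed:
        raise ValueError(f"{did} does not claim {handle!r}")
    endpoint = pds_endpoint(doc)
    if endpoint is None:
        raise ValueError(f"{did} lists no PDS")
    return did, endpoint

def migration_demo():
    """Same handle and DID before and after a PDS move; only the endpoint changes."""
    handles = {"alice.example.com": DID}
    before = {DID: make_doc(DID, "alice.example.com", "https://pds-old.example.net")}
    after = {DID: make_doc(DID, "alice.example.com", "https://pds-new.example.org")}
    return (resolve_identity("alice.example.com", handles, before),
            resolve_identity("alice.example.com", handles, after))

if __name__ == "__main__":
    print(migration_demo())
```

A handle that points at a DID whose document does not list that handle in `alsoKnownAs` is rejected, so a handle cannot borrow someone else's identity.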

Some of these are hot takes. Let's talk about it: @ngerakines.me