Solid protocol restores digital agency
13 comments
·July 24, 2025benreesman
rockskon
So your response is....
Schneier's solution is bad and violent revolution is most likely the answer?
It's difficult to really parse your reply.
refulgentis
This really captures something important about how power operates across different eras you're drawing from some heavy hitting historical precedents.
I'm curious about the full sweep of political philosophy (Magna Carta through UDHR), it feels like it has something to inform us about people problems vs. technical problems.
That final image about seasons changing is quite evocative, really drives home the cyclical nature of these power struggles. A technical standard cannot prevent blood shorn for man's freedom.
benreesman
Very kind of you to say, though I can't take credit for any of the ideas: they're all a lot older than I am.
Important to keep them in circulation in my view.
QuaidCarloB
@"nutrition data" Could be done with grocery purchases specific receipt, might need to co-ordinate with visa or another point of purchase service (and the store's grocery list data which may vary) to do so. etc
FrancoisBosun
In the article, it is mentioned that « we can grant temporary access to cardiac-related data » (paraphrased). This is where it gets difficult: how am I to know that some data is cardiac-related or not? Is it important to share my thyroid levels or not? This is a very difficult problem. I wouldn’t know what to share for medical history.
vintermann
The requester would know what to request.
ydlr
I really don't get why I would want this. I like that the data that brokers have is fragmented, inconsistent, and out of date. That is the only thing preserving even a tiny bit of privacy.
A system like solid would absolutely be abused by police. It would be a windfall for data brokers and social scoring systems.
No thank you.
klabb3
I don’t know the details about Solid, but I think one interpretation is:
One of your personal devices is a server. The (only meaningful) difference of the server node is that it is always online, and it’s reachable. This unlocks a lot of use cases - one of them is to be able to receive messages from other people when you’re offline. Another one is to run sync infra for your own apps. Think eg note taking- and calendar apps which you want to have sync with your laptop & phone. This currently requires the vendor to distribute their apps as services, even if it’s only your own data. If you control the server, these things can happen without relying on vendor services (you only need their software).
In this context, your criticism is similar to that of hardware vendors like Apple. Can they snoop on your phone? Privacy is not binary: you could run a Solid instance on a device you control (your own hardware), or self hosted on eg Hetzner, or (for the majority), by a managed hosting company. The latter is how consumer products like Google Photos or iCloud already works – except now you separate the vendor from the operator to change the incentive structure.
fiddlerwoaroof
Well, as I remember, the thing about solid is it’s a protocol. So, if you don’t trust one vendor, you can trust another vendor or implementation without losing interoperability. So it goes the opposite direction of consolidation because it allows arbitrary storage services to be used transparently by arbitrary services in a secure fashion.
endgame
They said that about OpenID and now you have the choice of ~three bigtech ID providers.
deathanatos
…Google, …and? Who are the other two?
Maybe you're thinking like Facebook, but AIUI, login with Facebook is proprietary. The problem there isn't the protocol, it's that companies are massive. If anything OIDC lowers the barrier to entry, assuming RPs properly support it (which is a huge if, but if these were 3 proprietary protocols instead of 1 standard one, there would have never been a chance…)
deathanatos
Let's take this as a specific example of the general complaint lodged:
> Let’s take healthcare as an example. The current system forces patients to spread pieces of their medical history across countless proprietary databases controlled by insurance companies, hospital networks, and electronic health record vendors.
If by "system", you mean the available technical standards, they in no way force that. If by "system" you mean capitalism … then perhaps, but an additional technical standard is not going to fix that. People build systems the way they build them because of barriers such as the unwillingness of other players to share data, the lack of technical knowledge of those implementing the systems, and the technical but-non-standards-related barriers of having disparate entities sharing infrastructure (e.g., what if someone sends too much load, if the system housing the data is down, etc.).
> Patients frustratingly become a patchwork rather than a person, because they often can’t access their own complete medical history, let alone correct mistakes.
(IANAL.) This is one of those problems already solved de jure, but not de facto. By law, you have the right to access your own medical history, and with minor caveats, the right to correct mistakes in your data; not being able either of those is a violation of HIPAA.
Enforce the regulation, is what I'd say would be needed in that specific case, but good luck with that, of course. But that's the problem: even if Solid were amazing, did everything you ever wanted, what would cause industry to ever adopt it?
There's also HITECH, but it's vaguer, AIUI.
(HIPAA is about the only federal privacy law we've got; outside of that, I agree more firmly. Esp. the right to correct mistakes in other industries is practically non-existent. The end result of the argument above is still the same, though.)
I agree w/ Schneier, people need better control over their data. But I think that's a regulatory/legal problem, not a technical one. And that is the problem: the Dems are, at best, weak on privacy law and consumer protections, and the GOP is outright against it; worse, rulings like the striking of Chevron Deference are going to make enforcing existing laws hard enough.
It's nice when a technical solution exists for a people problem, but as much respect as I have for both Sir Berners-Lee and Schneier, I don't think this is one of those instances.
The rights of individuals come into conflict with the interests powerful organizations precisely at the points in which the great documents deem it necessary to enumerate them as rights: this is by construction.
Whether you are reading the Bill of Rights or the Universal Declaration of Human Rights (or in a sense, the Magna Carts) the themes are around personal sovereignty, presumption of innocence, ownership and disposal of property, freedom from surveillance and coercion and other abuses of power. This is because absent such norms and their enforcement by principled leaders, the powerful in general find it in their interests to infringe the rights of the less powerful.
We are at such a moment today: the consolidation of power in the hands of unaccountable organizations and the capture of institutions by the unprincipled has met an explosion of activity and possibility in the digital realm, but it is not unique to it.
This is usually solved by violence, sometimes blessedly by negotiation, but it is always solved: once the wishes of ever smaller in number choke out the hope and dignity of the ever larger in number to sufficient degree: change happens as surely as winter turns to spring.