Web Services Edge Cuts Both Ways

FTC spyware suit highlights need for standards-backed protection against abuse.

Perhaps Im getting too good at seeing the glass as one-tenth empty, instead of nine-tenths full—but Im wondering, you see, what someone might pour into that remaining empty space. Web services technologies offer exceptional power for crafting enterprise IT architectures, but I sometimes wonder if they have what it takes to survive out there on the street: There are plenty of people with their own ideas for what to add as a final unwelcome ingredient to the services cocktail.

My suspicion in these matters is long-standing. It goes back to when Microsoft was still talking about Windows DNA about four and a half years ago, which was the first time that I heard someone describe a specific, service-for-sale vision of what was then called, at least by Microsoft, the "programmable Web."

The service in question was the calculation, hypothetically, of sales tax on Net-based transactions. Rather than having every Internet retailer maintain its own map of myriad sales tax districts and rates, this imagined service would take the locations of seller and buyer, and the dollar amount of the transaction, and would return an accurate determination of what taxes were due to whom.

Yes, I know that Internet-based transactions are at present exempt from most taxes, but that cant last forever. The service Ive just described would be, at some point, worth having—but call me nasty and suspicious, because the first thought that went through my head was, "What a scam." Buyers of this service would be feeding the provider a real-time stream of data on whos buying stuff, in terms of locations if not individual names, and how much those customers are spending—and they would be paying for the privilege of divulging that valuable market intelligence. Nice work if you can get it.

What brings this memory to mind is the FTCs first filing, last week, of a lawsuit seeking court blockage of spyware operations. If you think the spyware problem is out of hand already, just wait until theres a far richer ecosystem of Web services message traffic on which to feed. Weve barely begun to suffer. In the present case, were talking about the actual uninvited installation of unwanted software on peoples machines, and yet its still possible for a reasonable person to contend that no law is actually being broken: How much harder will it be, I wonder, to protect users privacy interests in their stream-of-service messages that are traversing public network links?

The question isnt just sitting there, waiting for a disappointing answer: Its being addressed, in particular, by the multilayered protections defined by WS-Security 1.1. Its essential that this and other protections stay abreast of the growing mischief-making potential of interacting services, as we leave the benign era of trying to prove that the technology can work and enter a more challenging era: one in which people want it to work in their own competitive interest.

One way or another, developers will take advantage of all the effort thats being invested in making targets of opportunity ever larger, with ever more bandwidth available to be used for good or for ill.

Tell me what other unwanted ingredients might wind up in the services glass at peter_coffee@ziffdavis.com.

To read more Peter Coffee, subscribe to eWEEK magazine.


Check out eWEEK.coms Web Services Center for the latest news, reviews and analysis in Web services.