(2023-11-03) Berjon Web Tiles

Robin Berjon: Web Tiles. Trust has been the defining constraint on the Web's evolution towards more powerful, more applicative capabilities

App stores shift the trust around: apps get more powerful capabilities but there is a review and enforcement bottleneck at the store level which is load bearing for trust. This can open up more powerful capabilities but at the cost of producing a chokepoint for control, rent extraction, and self-serving policies.

Meaningful digital systems cannot work without trust (users would face excessive direct harm and abandon ship) and that trust must be anchored somewhere. Thinking about this issue from an architectural standpoint, we need to keep in mind that we liberate more of the Web's power when we increase trust than when we add new features.

Offloading trust to the user is not a promising option either. Fifteen years of W3C workshops on permissions and consent on the Web (and many other similar efforts) have succeeded in only one thing: establishing that permissions and consent are not a promising avenue

Permissions are not just bad for security, they're also a bad user interface because they reduce a person's sense of agency.

Asking people to approve access that they know they don't fully understand and that they couldn't monitor even if they did understand it does not empower them.

To make matters worse, the Web's trust model is anchored in the same-origin security policy. While this provides a relatively natural boundary for user agents to reason about, it makes it difficult to compose Web services safely

A powerful way to improve the Web platform is to provide new primitives

As a placeholder name, I am calling this new primitive a Web Tile. A tile is a set of content-addressed Web resources that, once loaded, cannot communicate further with the network

Tiles make it possible to grant a Web context access to more powerful capabilities — and notably to a person's private data

One of the key relationships that Bernhard Seefeld proposes to invert in Inverting three key relationships in computing (which you should read) is that "Services come to the data (instead of data going to services)." This is powerful and can be made safe. One way to implement such a model is with sandboxed code (e.g. WASM that is constrained to certain operations, with some wonderful magic like IPVM) and that should be part of the toolbox, but many services also require — and in fact might primarily be — a UI.

Tiles are local-first and location agnostic

Tiles are multi-device from the get-go

Tiles are designed to be composable

Given that tiles are a primitive that can already make itself useful, it can also be gradually complemented with a number of key APIs and with a specific client-side composition mechanism that makes it easy for tiles to work with one another to create sophisticated, user-centric experiences

The biggest challenge is in browser UI: the tab centric model is a poor fit for applications and an even worse fit for composability

there are multiple implementation of the idea, with growing interest

which I am unifying here under the broad label of "tiles".

In April 2023, at IPFS Thing, Fabrice Desré from Capyloon (video), Ian Preston from Peergos (video), and yours truly from Protocol Labs (video, mentioning it in passing, referring to quick-and-dirty skunkworks prototyping on the idea) all presented the same idea.

We concluded the conference with a workshop to iterate on the idea that also involved the folks from Fission who are working on IPVM (video).

What's A Tile

A tile is a DAG-CBOR of metadata and content, available over content-addressed protocols

Composing Tiles: Wishes/Intents/Activities

we focus on dynamically linking tasks together to create a seamless flow of interactions

The existing technology matching this approach is Web Intents.

inspired by Android Intents.

I am shamelessly recycling from a proposal I made almost ten years ago as part of the Web Intents work.

A wish is a verb applied to a type of thing

More involved interactions can be required when the wish is not about a simple request/response action

Differences from Previous Proposals

Without attempting to compare tiles with all previous approaches (there have been many), it is useful to describe what sets tiles apart. Three things are worth teasing apart here

First, the key primitive underlying tiles is a strong sandboxing model that limits the extraction of data much more severely than prior proposals

Second, these properties have positive consequences. The sign of a good Web primitive is that it may not do much on its own but when composed with others things start happening.

Finally, this primitive has desirable philosophical implications. By moving composition from the server to the client, with loose joints that empower people to easily choose how they wish to compose services, this system significantly increases user agency

Arguably the biggest lift with tiles is in user interface: they probably do not work in a classic tabbed browser UI and we probably shouldn't try to make that happen. While it is key for the Web to rely on the notion of user agents, there is nothing to say that the current UI paradigm is right.