As if social media wasn't already, well, social enough, a relatively new open protocol for securely sharing information between websites, called OAuth, has received a major boost for broad adoption. The protocol was developed collectively by a variety of web giants and independent experts, and every party involved has signed a covenant not to sue anyone who uses OAuth in a product.

Until OAuth, there wasn't much of a standard for allowing websites to exchange information or users to move their data from one site to another. The tools that sites like LinkedIn and Twitter have employed for sniffing your Gmail contacts for friends who may already use their services often require entering your Google credentials into a non-Google site. While many of these sites may arguably be trustworthy, a number of efforts collectively called "data portability initiatives" have launched to solve the problems of how to let users move their data between services, and grant secure access in the process.

OAuth is just such an initiative, and it has had the developmental backing of employees of companies like Google, AOL, Yahoo, Twitter, Pownce, and Six Apart, as well as individuals including Blaine Cook (formerly of Twitter, now at Yahoo) and Mark Atwood. Conceived in November 2006 with a 1.0 draft formalized nearly a year later, OAuth has been incorporated very recently by a handful of companies, with Google contributing to the movement by adding OAuth to all of its APIs last month. Yahoo also incorporated OAuth this month for the launch of Fire Eagle, its location-aware data arbitration service for social applications and services.

The OAuth protocol works by giving one site (referred to as a "Consumer") a way to make a secure request to another site (called the "Service Provider") for a specific set of data without ever requiring the user to hand over their name and password. "While OpenID is all about using a single identity to sign into many sites," OAuth's site explains, "OAuth is about giving access to your stuff without sharing your identity at all (or its secret parts)." With a widely supported protocol like OAuth gaining steam, it isn't hard to imagine a not-too-distant web where users can more securely allow Facebook to pull their collection of Flickr photos tagged with "party," or Brightkite to scan their Gmail contacts for friends who may be in the neighborhood. These kinds of data exchanges can be highly granular, customized by the user, and revoked at any time.

That hasn't been possible previously, though, as Eran Hammer-Lahav, one of OAuth's frequent contributors, explains on his blog: "The problem is that in order to implement specifications, the developer usually has to write code that uses some existing patents. It is practically impossible," Hammer-Lahav continues, "to know which patents are involved, but at a minimum, the developers need to know that the people who wrote the specification are not going to sue them."

Thankfully, a signed covenant to not sue over OAuth implementations is exactly what all of OAuth's contributors have provided. Under the terms exhibited in the new License section of the OAuth 1.0 specification, OAuth has been sanctioned for use by any developer or company, which opens the doors to a lot more secure data access and portability.