Sunday, May 20, 2012

On video blogging - not

Because Verilab is spread over a chunk of the western hemisphere, getting regular news and status updates out to the teams can be a challenge. I've tried various methods, one in particular being short videos. I create them using Camtasia, which lets me capture not only my video and audio, but also screen activity like a PowerPoint or Keynote presentation, or maybe just the movement of the mouse across a spreadsheet as I describe the numbers. After minimal editing (I usually do the whole 10 minutes or so in one "take"), I export it to an mp4 file and then  upload it to our business Google Video area within our Google Apps account. Usually the videos are made visible for everyone in the company, and there's an easy default setting to allow that. But on the occasions where I'm addressing only one or two folk, that's easily done too. So far, so good.

But more recently I thought it would be useful to have those videos displayed in the context of a blog. The two big advantages of that are:
  1. It would let me include text and other media (like photos)
  2. It would allow the team to comment on what I was saying and ask questions
Another little advantage is that a blog provides an easy feed mechanism (e.g. RSS) so that the team can know when there's something to see. I know they hang on my every word and can't wait to see the next excitement installment of "Tommy Does Excel".

Of course in theory all of the above can already be done, given that the hardest port -- hosting the video -- is covered by Google Video. I could simply email the team when a new video was ready, and use that email for any text message or photos. And then they could reply to that email as a form of comment stream. But anyone who has frequented the "blogosphere", as either a blogger or a commenter, will know that an important component in determining whether or not you will participate is "friction". That is, all the little, even tiny obstructions that get between you and your thoughts being immortalized in text. There's too much to discus on that topic to fit here so all I'll say is that patched-together combinations of emails, hosted videos (that are linked from but not embedded in the emails), and so on all constitute too much friction.

So I've decided what I want is a decent company-internal-use-only video blogging setup that meets the following criteria:
  1. As easy to use, as an author or commenter or reader, as Blogger, or Wordpress, or Typepad, etc.
  2. Able to host videos of between 5 and 20 minutes duration, and to have those embedded within blog posts
  3. Uses EITHER one of our existing company authentication mechanisms OR a "stand-alone" authentication mechanism wherein the user is not required to create an account on some web service somewhere
  4. Allows for user-by-user authentication
Well, to cut a long story short, I failed. I simply cannot find, certainly among the widely available platforms, any combination of services to do the above. Here, for anyone wanting to avoid blind alleys, were the prime contenders and why they failed.

Wordpress hosted on wordpress.com

Wordpress is blogging software. But to use it, you need a place to run it and on which to keep the blogs themselves. One option for that is wordpress.com. On its own, this fails 2 -- wordpress.com won't host videos. But that could have been solved using the not-too-expensive videopress.com plugin. But the real problem was 3, authentication. Wordpress blogs do allow you to restrict access to certain users but the authentication credentials -- the information you provide, usually a username or email and a password, to tell wordpress.com who you are -- are the username and password of a wordpress.com account. In other words, to restrict my wordpress.com blog to be readable only by my team I'd have had to lock the whole thing down, and then open it up to my team based on each of them having their own wordpress.com account. That's a fail.

Wordpress hosted on our own machines

This is similar to the above in that it would use Wordpress software, but we'd install it on our own machines. Point 1 passed. Crucially, we all already have authentication credentials for that (because we use our company machines for a lot of other stuff), so this passes points 3 and 4. But the problem is hosting the videos, Point 2. We realized that in fact we didn't actually need videopress.com because we already have a hosting solution -- Google Video for Business (i.e. within our overall Google Apps setup). All we have to do then is figure out how to embed those Google Video videos in wordpress posts. And can we figure that out? Nope. The Google Videos provide the necessary HTML snippet to share the video. And we even tested that that HTML worked by embedding it within a Blogger blog and a Typepad blog; both worked fine. But after several days of hacking, we can't get Wordpress to embed the video.  Of course this leaves as a loose end the option of self-hosted Wordpress combined with the videopress.com plugin.  I may revisit that, but I don't hold out much hope for getting that to work easily when we've not managed to get Google Video embedding to work. I've no doubt we'd get there eventually, but getting a video blog is not the only thing we have to do with our time, and there comes a point when it makes sense to take the loss and move on. So, another fail.

MovableType hosted on typepad.com

Analogous to Wordpress, MovableType is blogging software; and analogous to wordpress.com is typepad.com, a hosting service. And in some ways this is the most promising of all. MT on typepad.com handles embedding of the Google Videos fine. Authentication to *watch* those videos is achieved via our already-in-use Google Apps authentication. So all we need is something to restrict access to the blog itself (otherwise while unwelcome visitors may not be able to see the videos, they would be able to see everything else). And in fact, typepad.com has precisely that -- you can simply password a blog. Yay! So it's passing criterion 3. The problem is criterion 4. Because the protection mechanism is a simple password *for the blog* (i.e. it is not authenticating on a per user basis), if someone leaves the company, I'd have to change the password for everyone. And in fact it would probably be wise to be changing the password every few months anyway, even if no one left, just to cover password "leakage" into the wider world. Fail! :-(

OK, but then I had a bit of a Homer Simpson "Doh!" moment. I've noted that we already have the video hosting part of the solution -- Google Video, part of our overall Google Apps setup. But in fact, we now also have that for the blogging engine too; Blogger, now owned by Google, is now (and has been for some time) available within Google Apps too. So:

Blogger under Google Apps

Well at first glance this looks perfect. Authentication is going to be the same as for the rest of Google Apps. Hosting of the video is also Google Apps. And embedding works (I tried it). I think we have a winner. Yeah, if only. To understand the problem it's necessary to understand that while Blogger is owned by Google and the service is now included within Google Apps, it is not -- unlike Gmail, Calendar, Video, and so on -- a core Google Apps service. In theory, all that means is you don't get support for it from Google. But in practice the fact that Blogger is somehow less part of the Google Apps family has made itself known via a nasty little hole in Blogger authentication. Basically, what happened was this. After checking that the core functionality -- blogging, video embedding -- worked, and that the security appeared to do what I expected, I then enabled all my team to read the blog. That's done within the Blogger dashboard and the result is that each user receives an email containing a link that they need to click to accept the invitation. Once that's done, they can then read my blog, and watch the embedded videos, providing their browser is authenticated with their Google Apps credentials.

The problem appeared when the Blogger invites were accepted by a few of my users who also have personal gmail accounts. It turns out that if someone is reading the invitation email and accepts the invitation while in a browser that is also authenticated for (i.e. logged in to) their personal google account, then although the invitation may have been sent to <persons-name-at-verilab>@verilab.com, it gets accepted by <persons-name-at-gmail>@gmail.com. Worse, Blogger takes that acceptance as valid! In fact, if I, the inviter, look back at the list of people to whom I've given blog-reading permissions, the entry corresponding to that person has changed -- from <persons-name-at-verilab>@verilab.com to <persons-name-at-gmail>@gmail.com. Failalamadingdong!

The only point in Blogger's favour here is that at least I -- the Blog owner -- get an email with subject "Your invitation was accepted using a different email address" and highlighting who the user in question is. But at that point, all I can do is remove their personal gmail from the list, re-insert them under their company address, and try again. Unfortunately if they again accept under a multiply-authenticated browser, the same thing will happen again.

Now, one of my users did argue that maybe Google were doing The Right Thing here. I invited Fred, and Google is permitting Fred access. OK I invited Fred@here.com and they're permitting Fred@there.com, but they know (not sure how, but they do) that those are one and the same Fred, so they're not being unreasonable. I have two problems with that.

First, from my point of view, Fred@here.com and Fred@there.com should be regarded as two different people from a security point of view. The reason is that it's conceivable that a person would apply different levels of "security in use" to their personal email versus their work email. For example, someone may share their personal email credentials with a family member, but not do the same with their work email. 

Second, even if I did allow for Blogger seeing two Freds as being the same, Google Video does not see that. So while either Fred@here.com or Fred@there.com would be able to read the blog, only Fred@here.com would be able to see the embedded videos.

Conclusion

Well, the conclusion is, it can't be done. Of course, clearly it can -- all of the bits and pieces are out there waiting to be bolted together. But the same could be said about plain old text-only blogging in the days before blogging machinery. But blogging didn't take off until someone bolted together those blogging machines. So today, for your average small company, even your very technically able small company, getting a company-internal-use-only video blogging setup working may be more bother than it's worth.

But make no mistake, it's worth something. If I'm the only person who'd use this kind of thing, then I fully expect to be ignored and to see nothing change. But if there are enough of me out there (and YouTube, Google Video itself, and even wee curiosities like ConnectNote, suggest that there's all kind of demand for video comms bubbling under the surface), then it looks like an opportunity for some college-dormed entrepreneur or other. When you've got it up and running, I'll be your first user.