Writing up user stories of how a user (Alice) interacts with closed social networks, we should try to see how we can build similar scenarios in a distributed environment.
Please keep this high-level: no data format or protocol should be mentioned, but rather how Alice would interact with tools or services that would implement this format or that protocol.
Highlight the motivations and incentives that would drive the user to take such or such action.
- 1 Simple Social Web Scenarios
- 2 Identity-based Bidirectional closed social network
- 3 Privacy and Context
- 3.1 Intransitivity of Policies Applied to Social Network Data
- 3.2 Inferences on location based contextual data
- 3.3 Data Protection ?
- 3.4 Removing Data or Changing Data permission
- 3.5 Document Takedowns? Propagators
Simple Social Web Scenarios
Drag and Drop
Associating information about a person, a group or a company so that it can be consumed by some program, be it a thick client or browser based, should be as easy as dragging the page about that person or group onto the program. E.g. tagging a picture as one in which someone appears should be as easy as dragging that person from an address book, or their home page, onto the photo.
Linking to a remote friend
Alice is on social network A. Joe, a friend of hers, is on social network B. Alice wants to add Joe to her list of friends. She drags Joe's home page on SN B onto her friends list, and Joe appears as her friend. SN A and SN B need not have any prior knowledge of each other. Alice did not need to create an account on SN B.
Using a web service should not involve password or account name creation
Arriving at a new web service (a cloud service making it possible to play Go, for example) should not require entering a domain-specific user name or password. The user should just have to select the personality he wishes to present to the site, or what type of access that site may have to his information. In a couple of clicks the site should then be able to personalise itself with the user's logo, picture, friends, ... depending on what information the user and his friends make available. Social applications should work seamlessly across the cloud.
Distributed Group Access Control
Alice on SN A, Joe on SN B, and many others are working on a W3C project. The members of this group are listed on a W3C page, generated from a mailing list perhaps, or in some other way. They would like to work with a very nice wiki tool provided by some third party. Alice creates an account for the group there by dragging the W3C member page onto the admin section of the wiki, which asks who should have access to the wiki. Having done this, all members of the group get access to the wiki. If members get added to the W3C project page, they get immediate access to the third party wiki. If some get removed, they lose their access rights.
Distributed Family Access Control
Alice on SN A has two children and 3 siblings. She publishes photos on that site, but she would only like her family to view those pictures (how deep the family tree goes should be something she can decide). Of course her parents and sisters are on completely different SNs. Nobody should have to become a member of SN A in order to view the pictures.
Identity-based Bidirectional closed social network
Alice has been receiving invitations from a number of her relations to join Cabal, a trendy social network. When she got an invitation from Bob, she finally decided she would join it; she follows the link from Bob's invitation to sign up.
She lands on a Web page that asks for a number of personal details about herself, including her name, email address, a nickname and a password. The form gives an indication of what information will be shared, and with whom.
She submits the form, and is asked to wait for a message to be sent to her email address thereby confirming she really owns that email address.
After a few minutes, she receives the message, follows the link, included there, and thus activates her account.
As a next step in her registration process, she is asked to give more detailed information about herself; after having looked at Bob's profile, she decides she will share the same types of information he did, and ends up adding a few more pieces that she thinks will make her look interesting.
As she adds more information, she gets positive feedback from the user interface.
Once she is satisfied with the content and look of her profile page, she starts exploring the social network in more depth; she tries some of the applications and services that it offers, and starts adding personal content that she wants to share with her relations: photos, videos, text.
While she already has a few relations known by the network, she is having so much fun, and is so happy she can share content so easily, that she decides to add many more relations to her personal network, as the system also encourages her to do.
To do so, she is offered the option to search for new contacts by name, email address, and a set of other personal details that Cabal systematically asks its users for. She is also offered the option to upload her personal electronic address book (but she isn't quite sure what this is, or how she would do that), and to look for relations she might already have collected through her web-based email providers and on a selection of other social networks.
As she has an account with such a web-based email provider, she decides to try that option, and is asked to enter her login and password for that service, with some assurance that this information will only be used once and only to access her address book.
After a bit of processing, she gets back a page listing her email contacts: one list shows the ones that are already members of Cabal, and a second list shows the ones that are not members yet.
She can pick the persons in the first list that she would like to add to her network, and is offered the option to send email invitations to the others.
She selects people in both lists based on her current expectations of whom she would like to share her profile and content with, and submits the form.
Over time, a number of these people confirm that they want to establish a relation with her on Cabal; she can see at any time which of her invitations have not been responded to.
Alice is now using Cabal on a regular basis: she loves the fact that she can see in her dashboard updates from all of her network, although she is sometimes a bit overwhelmed by the number of updates that Clark sends; Cabal offers her settings to reduce the visibility of Clark's updates.
Alice really likes the fact that her friends and family can comment on the pictures she's uploading, although she wishes that Don hadn't marked her in a picture he uploaded as that was rather embarrassing.
Alice has started to create three groups in her now rather long list of relations, to help her manage who gets to see what, but more often than not she doesn't really know how to restrict access to the updates and content she's providing; she's a bit annoyed that she can only control some part of her virtual image.
Too Many Channels
Micro-blogging services bring simple broadcast media to many people for the first time. People now have a very large set of possible communication methods ('channels'), including email, instant messaging, wiki, blogs, and now micro-blogging. Different channels might be more appropriate for conveying different messages. One large problem that people face is keeping their communication together as regards separate channels, and merging channels when a single channel is more appropriate.
For example, in the middle of a sequence of related communications it is sometimes necessary or helpful to change communication channel, for example to allow confidential data to be discussed or to defuse tensions in public forums. However, since channels are captured in a particular network, the question arises of when and how to cause the change of channel to happen, and how to leave enough of a trail to be able to tie the whole communication back together for people who are able to see all of it, or to indicate what happened to people who don't see all of the conversation.
For example, imagine Matthieu. He is having a conversation with his good friend Francesca using the popular micro-blogging tool MicroMessage over his mobile phone. However, the messages move from a simple complaint about lack of wireless access in the city Matthieu lives in to an idea for a business. Of course, Matthieu wants to further develop this idea, but it's getting too complicated to express in 140 characters and it would be far better to do so over a more secure medium, such as encrypted e-mail. Furthermore, news of the idea should be spread to some of his previous business partners on the BusinessNet social networking site, whom Matthieu would like to contact, and he would like to forward and collate the previous conversation he had with Francesca.
In order to do this, he switches his micro-blogged messages to encrypted e-mail, since Francesca and Matthieu both use the same identity technology across micro-blogging and his e-mail contact address book. Furthermore, he can then invite his friends at the BusinessNet social networking site into the encrypted e-mail conversation, since the same identity technology is also used by BusinessNet. Finally, since MicroMessage supports a standards-based message framework, he can easily consolidate the conversation and import it into e-mail and social networking sites like BusinessNet.
Communication and records of communication SHOULD be able to seamlessly move between various social web services.
Identity Consolidation and Storage
A single user may want to control their own data from social networking sites, and would like to aggregate their data and store a local copy, even if the data is distributed amongst several sites. For example, the user may want to copy data from a social networking site to their mobile phone address book and their local e-mail contact book. The intended effect is that the user can use a single sign-on technology to aggregate their information across multiple web sites, and back this valuable personal data up somewhere.
Andy has been around on the Web since its near inception. He has several web sites, from work and even web sites from previous jobs that have not been deleted, and belongs to a few different social networking and micro-blogging sites. Andy's oldest web site, with very outdated phone and date information, comes up first in the results when using a search engine. Andy would like a single site that he controls to be the centre of all his social information. Currently he does it by maintaining feeds, but some of his sites don't support feeds. However, some of the data he would like on his site, such as his favourite books and interests, he would also like to retrieve from various social networking sites. His hope is that, thanks to all the links from his social data on the Web, his personally-run site can reach the top, and even exceed the old work site, in terms of search results.
Luckily, thanks to SocialAggregator technology, standards-compliant social networking and micro-blogging site data from Andy can all be consolidated, and then downloaded using an easy-to-use interface to his hard-drive, where it is stored using some standard data-format. Then, he can upload this data automatically to his private site after running it through some transformation that converts his aggregated social data into hypertext. He can even automate this process so it runs once an hour.
(From Eduserv Digital Identity Workshop, special thanks to Andy Powell)
Users SHOULD be able to download and easily re-use their own data
For some people, maintaining some kind of separation between personal, public, work-based and other identities is desirable. Current social web sites enable a hybridization of previously separate identities. Furthermore, fictitious and pseudonymous identities can be useful and should be supported. However, many current tools, especially micro-blogging tools, collapse our identities into one single identity, with no inherent separation between work-based messages and personal messages.
For example, assume we are talking about Kavita, a university student studying abroad. She has a number of different identities. For example, she has a school identity, where she would like to communicate with classmates and professors about academic affairs. However, she also would like to talk with some classmates, as well as university friends, about parties and gossip. She would ideally like her parents and professors not to know about parties and gossip, but instead to emphasize her considerable academic achievements. Furthermore, she has two hobbies that require separate identities. Kavita, a big fan of medieval role-playing games, has a fictional identity as "Koyote" that she uses in online role-playing games, as well as in a non-digital medieval re-enactment society known as the Society for Creative Anachronism. She would like to keep this identity separate, as she knows many friends purely from her medieval re-enactment, but thinks others of her friends, family, and professors would think that these hobbies are silly. Lastly, she volunteers doing support for immigrants and those facing possible deportation in the country she lives in. In particular, she organizes against detention centres and raids on the houses of immigrants. She wants to be very careful and secure about this identity, as she is afraid it could be used against her by anti-immigration activists. However, many of her friends and her parents know that she is involved in this kind of activity.
Does she have to maintain separate identities, and separate profiles, for each social networking site she uses? Luckily, she uses the single SocialAggregator platform, which allows her to manage all her profiles securely. Since her friends are spread out over multiple Social Web services, she ties each of them to their identity using some identity aggregation technology. She then creates a number of identities for herself, including: friends, university, family, activism, and medieval-fantasy. She aggregates all of them together as separate profiles of a unique identifier, except activism, which she wants to keep very separate and as anonymous as possible, although SocialAggregator allows her to check multiple unique identifiers, including anonymous ones like her activist one, using some secure technology. Kavita can then check all of her identities using a single login and message checking software. She can then use a way to define "groups" on SocialAggregator that allows her family, professors and friends permission to check on her university activities, but keeps certain photos and posts private to her friends, depending on whether they are her "normal" friends or friends she has through medieval role-playing. She keeps her activist identity separate and unconnected to herself.
(From Eduserv Digital Identity Workshop) Users SHOULD be able to create different identities, including anonymous identities, for different groups of people yet manage them securely and privately.
Privacy and Context
There is no privacy in isolation. Privacy and Context go hand in hand. If you are alone on a deserted island, there is no notion of privacy. Privacy starts when there is an observer.
Intransitivity of Policies Applied to Social Network Data
Alice, Bob and Charlie are users of a popular social networking site. Alice and Charlie both know Bob, but they do not know each other. In other words, the friend relationships among these three are as follows:
Alice <--friend--> Bob
Bob <--friend--> Charlie
#privacy #policies #conflict_detection #provenance
Atomic Pattern Deliverable
Social Network privacy policies should be transitive.
Current social networking platforms implement very rudimentary data usage policies. These mostly focus on the immediate individuals concerned and give little consideration to the transfer of data beyond them. Policy conflicts are also not properly handled.
If the policies applied to social networking data are made to be transitive, we can make sure that everybody's right to privacy and each individual's data usage rules are preserved.
There is no practical implementation that handles this kind of transitive policy preservation mechanism right now.
However, there has been some research into this subject which may be of some use. See: Data Purpose Algebra in particular.
This mechanism can be used in a social networking environment for sharing:
- personal data on a person's profile
- photo albums and videos that apply to an individual and shared among a limited number of people
- status updates, news stories or any other kinds of feeds
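A toy model of the transitive policy idea above, as an added example that is not part of the original page: every data item carries its owner's audience and purpose restrictions plus a provenance trail, and each onward share is checked against every policy already attached, so Bob cannot pass Alice's item to Charlie just because Bob and Charlie are friends. The friend graph, the `Policy`/`Item` structures and the `share` function are constructed for this illustration.

```python
"""Constructed model of transitive ("sticky") privacy policies with provenance.

Each item carries the policies of everyone who has held it; a share is
allowed only if the recipient and purpose satisfy ALL of them, not just the
policy of the immediate sender.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    owner: str
    audience: frozenset   # principals allowed to receive the item
    purposes: frozenset   # purposes the item may be used for


@dataclass
class Item:
    content: str
    policies: list = field(default_factory=list)    # owner's policy first
    provenance: list = field(default_factory=list)  # (sender, recipient, purpose) hops


# Constructed friend graph from the scenario: Alice-Bob and Bob-Charlie only.
FRIENDS = {("alice", "bob"), ("bob", "charlie")}


def are_friends(a, b):
    return (a, b) in FRIENDS or (b, a) in FRIENDS


def effective_policy(item):
    """Intersect every attached policy: the most restrictive terms win."""
    audience = frozenset.intersection(*(p.audience for p in item.policies))
    purposes = frozenset.intersection(*(p.purposes for p in item.policies))
    return audience, purposes


def share(item, sender, recipient, purpose, extra_policy=None):
    """Try to pass item from sender to recipient; returns (allowed, reason).

    A later holder may add a policy of their own (extra_policy), which then
    travels with the item and applies to every subsequent hop.
    """
    if not are_friends(sender, recipient):
        return False, f"{sender} and {recipient} are not connected"
    audience, purposes = effective_policy(item)
    if recipient not in audience:
        owner = item.policies[0].owner
        return False, f"{recipient} is outside the audience set by {owner}"
    if purpose not in purposes:
        return False, f"purpose '{purpose}' is not permitted"
    if extra_policy is not None:
        item.policies.append(extra_policy)
    item.provenance.append((sender, recipient, purpose))
    return True, "ok"


def scenario():
    """Alice shares a photo with Bob for viewing; Bob tries to pass it on."""
    photo = Item("party photo",
                 policies=[Policy("alice", frozenset({"bob"}), frozenset({"viewing"}))])
    to_bob = share(photo, "alice", "bob", "viewing")
    bob_to_charlie = share(photo, "bob", "charlie", "viewing")
    wrong_purpose = share(photo, "alice", "bob", "advertising")
    return to_bob[0], bob_to_charlie, wrong_purpose[0], photo.provenance
```

The provenance trail is what lets a site later answer "who received this and under which terms", which is also what a delete or takedown would have to follow.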
Inferences on location based contextual data
Alice is using an applicationˆ on her social networking site that uploads the GPS trace logs she gathers during the day. She is doing this as part of a community-based study to monitor pollution levels in cities. These trace logs indicate where she has been and the duration of her stay at a particular location, nicely laid out on a map. Suppose Bob, Alice's boss, is in Alice's social network. He looks at these GPS trace logs out of curiosity, and notices that Alice usually takes very long lunch breaks and goes outside her designated work area quite regularly. Bob uses this information in a job performance review, and does not give Alice a good review.
ˆ For an example application that allows users to upload their GPS traces to Facebook see: PEIR (Personal Environmental Impact Report).
Atomic Pattern Deliverable
Individuals should be able to express what purposes their location-based data should and shouldn't be used for, to guard them from adverse consequences based on their data.
There are many applications that enable users to share their location-based data with their friends. These location-based data logs reveal where the individual has been, making it possible to infer things other than what the user originally intended the data to be used for. By explicitly stating what they intend this data for, users can hopefully guard themselves against adverse consequences.
Users can protect themselves against any adverse consequences of exposing their personal data.
This is not an enforcement mechanism. Someone can still claim that he/she did not use the location-based data in deriving some decision.
A related mechanism is used in the Respect My Privacy Facebook Application to clearly convey the purposes the user profile information can be used for.
Data Protection ?
Alice is not a member of a given walled-garden social network and Bob tags her in an image from an event they were both at. Given that Alice finds out about this image, through word of mouth or by whatever means, should she be able to ask for her depiction to be removed?
If she somehow manages to confirm that it was indeed a picture of her, should she be able to get it removed? Should a social networking site X uphold Alice's wish, which may differ from that of Bob, X's client? And more generally, should Alice be informed about what data about her is held within social network X, given that she is not a member?
Removing Data or Changing Data permission
@@once released, it is released for ever. No way to remove traces.@@
Document Takedowns? Propagators
@@discussion on May 20, telconf@@
from danbri: "if some chunk of social web data about me happens on site x, then flows to y and z ... and then i tell site x to take it down and they do, ... how can site x communicate this to y and z...?"
"the push/pull aspect is part technology or protocol (even if non-computery) ... but the user story i think should be mostly at the level "Hey, i took this off the Web here ,... why is it still on the Web here here and here...." (without trying to specify some kind of impossibly complete DRM-for-people-data)"
from danbri: anecdotally via Marc Canter, Facebook's Connect system has some facilities in this direction. Details are probably in their wiki - help needed on finding them!...
Alice's social networking site pulls in her latest tweet and updates her status message on the site based on it. One day, at a company board meeting, she inadvertently leaks some confidential data in a tweet. She realizes her mistake and deletes her tweet immediately. But by the time she logs in to her social networking site to remove this status update, a good number of her friends have already seen it.
See also: A humorous set of tweets which people wouldn't have written if they realized current and potential employers might read them.
Atomic Pattern Deliverable
All the CRUD operations on social networking data should propagate to the interlinked sites.
Social networking sites are interlinked in very complex ways. Support for data flow is mainly focused on create and update operations; to give a consistent view of the user's state, delete should be propagated as well.
Changes on one site will then automatically propagate to the other sites where they need to be changed. This relieves the user of having to remember where the data might have propagated to and removing it manually.
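A constructed model of the delete propagation described above and of danbri's "site x tells y, y tells z" question, added here as an example rather than taken from the page: each site records where it forwarded a copy of an item, a delete follows exactly those edges, and a tombstone stops a stale copy from reviving the item after it was taken down. The `Site` class and the three-site chain (micro-blog, social network, aggregator) are assumptions for the illustration.

```python
"""Constructed model of propagating delete across interlinked sites.

Each site keeps, per item, the list of sites it pushed a copy to. A delete
issued at the origin is forwarded along the same edges, so the origin only
needs to know its direct subscribers; they handle the next hop. Tombstones
make deletes idempotent and reject copies that arrive late.
"""


class Site:
    def __init__(self, name, subscribers=()):
        self.name = name
        self.subscribers = list(subscribers)  # sites that mirror this site's updates
        self.items = {}                       # item_id -> content
        self.forwarded = {}                   # item_id -> sites that got a copy
        self.tombstones = set()               # ids deleted here

    def publish(self, item_id, content):
        """Store an item and push it to subscribers; returns False if refused."""
        if item_id in self.tombstones:
            return False  # a copy arriving after deletion is dropped, not revived
        self.items[item_id] = content
        for sub in self.subscribers:
            if sub.publish(item_id, content):
                self.forwarded.setdefault(item_id, []).append(sub)
        return True

    def delete(self, item_id):
        """Remove an item here and at every site this site forwarded it to."""
        self.tombstones.add(item_id)
        self.items.pop(item_id, None)
        for sub in self.forwarded.pop(item_id, []):
            sub.delete(item_id)


def build_chain():
    """micro-blog -> social network -> aggregator, as in Alice's scenario."""
    aggregator = Site("aggregator")
    social = Site("social", subscribers=[aggregator])
    microblog = Site("microblog", subscribers=[social])
    return microblog, social, aggregator


def holders(sites, item_id):
    """Names of the sites currently holding a copy of item_id."""
    return [s.name for s in sites if item_id in s.items]


def scenario():
    """Publish a leaked status, delete it at the origin, then replay a stale copy."""
    chain = build_chain()
    microblog, social, _ = chain
    microblog.publish("t1", "board meeting: confidential figures")
    before = holders(chain, "t1")
    microblog.delete("t1")            # origin deletes; the chain follows forwarded edges
    after = holders(chain, "t1")
    revived = social.publish("t1", "stale copy")  # late delivery hits the tombstone
    return before, after, revived
```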
(I don't see any flaws here!)
(Please add if you know of any)