Warning:
This wiki has been archived and is now read-only.
UserStories
Writing up user stories of how a user (Alice) interacts with closed social networks, we should try and see how we can build similar scenarios in a distributed environment.
Please keep this high-level: no data format or protocol should be mentioned, but rather how Alice would interact with tools or services that would implement this format or that protocol.
Highlight the motivations and incentives that would drive the user to take such or such action.
Contents
- 1 Lexicon
- 2 List of Possible Actors
- 3 List of Possible Access Contexts & their Preconditions
- 4 Template
- 5 Portability and Provenance
- 5.1 Re-Use Your Data
- 5.2 Drag and Drop
- 5.3 Establishing a connection across social networks
- 5.4 Managing relationships across social networks
- 5.5 Finding a connection across social networks
- 5.6 Adding new features to Social Networks
- 5.7 Tracking Sources
- 5.8 Anonymous Information
- 5.9 Removing Data or Changing Data permission
- 5.10 Last Will For Online Content & Account
- 5.11 Shills Posting False Information to Dilute the Truth
- 5.12 Social Web for Business Intelligence
- 6 CRUD Operations on Social Data
- 7 Privacy and Context
- 7.1 Multiple Identities
- 7.2 Using a web service should not involve password or account name creation
- 7.3 Distributed Group Access Control
- 7.4 Distributed Family Access Control
- 7.5 Intransitivity of Policies Applied to Social Network Data
- 7.6 Hidden Friendship Relations
- 7.7 Virtual Private Organization
- 7.8 Inferences on location based contextual data
- 7.9 Data Protection
- 7.10 Current Location as a Direction
- 8 Groups
Lexicon
Social Network or Social Application - an application running somewhere (on a server, on the desktop, in "the cloud", etc.) which stores information about a user and allows them to connect and share with others.
Connection - a basic link between people, not necessarily embellished with a relationship, which can be asymmetric (e.g. a follow-type relationship) or symmetric.
Relationship - a connection which has been embellished with additional meaning, e.g. friend, family, co-worker.
List of Possible Actors
Please re-use characters with similar characteristics across user stories. The first six are general-purpose characters without any distinguishing traits; the remaining 18 should be used to exhibit disabilities, or differences in age, culture, ethnic background, etc.
Feel free to use and create a story here containing sufficient background information for any character name you'd like to use.
Alice
general-purpose character.
Bob
general-purpose character.
Carol
general-purpose character.
Dave
general-purpose character.
Eve
general-purpose character.
François
general-purpose character.
George
Henri
Isaac
Justin
Kurt
Boss of Alice, Bob, Carol, Dave, Eve or François.
Laura
a university student studying abroad
Mallory
Oscar
Pat
Quentin
Roger
Steve
Trent
Developer working for a social network service used by another actor in a story.
Ursula
Victor
Walter
Xavier
Yuki
Zoe
List of Possible Access Contexts & their Preconditions
Desktop
The user has access to a machine on which he/she:
- can freely install software as standalone applications, in-browser applications, widgets or otherwise;
- the machine has unlimited computational power, storage capacity, and uninterrupted, high-bandwidth, low-cost, and potentially secure Internet connectivity;
- keyboard and mouse are used as input devices and a large user display is available;
- the desktop machine typically supports multiple accounts and may be used by several members of a household or business;
- it is not continuously attached to the user who is described in the use case.
Mobile
The user has access to a machine on which he/she can:
- run restricted applications in a browser (which do not always comply with W3C MWI guidelines) or as sandboxed applications;
- in addition to the social network use case, the device may be used (designed) for telephony and SMS as well and provides an integrated software infrastructure for calendar and contact management;
- the machine has limited computational power, limited storage, intermittent, low-bandwidth, typically tariffed/pay as you go, and potentially secure Internet connectivity;
- when using an IP-based service between this user and another user or service provider there may be one or more mobile network operators whose infrastructures and policies may include transcoding web pages, filtering for age-appropriate content, and blocking of certain Web services;
- the user inputs through a restricted keyboard, with gestures or via a touch screen;
- the output device is highly variable ranging from a small, low-resolution screen to a pico-projector or sound / vibration alarm;
- through embedded sensors, the device can relate itself, the user, and the environment to one another, and makes the readings such as, potentially, location, temperature, pollution, activity, proximity of other users or devices available to the application layer;
- the mobile machine is typically engineered to suit a single user who is carrying the device continuously.
Template
Goal
Summary
Actors
- Alice
- Bob
- Zoe
Preconditions
Triggers
Basic course of events
- Find idea.
- Implement it.
- ???
- Profit!
- There is no step 5.
Alternative paths (optional)
Post-conditions
Business rules
Author and date
Further References (optional)
Portability and Provenance
Social data and widgets on the Web should be able to move between different social networks. Furthermore, social data should have some provenance information available so that it can be tracked as it moves across social networks. Furthermore, users always have control over when they publish information but the ability to remove content is much less clear. Some of the following use-cases deal with content clearance.
Re-Use Your Data
Goal Users SHOULD be able to download and easily re-use their own data
Summary A single user may want to control their own data from social networking sites, and would like to aggregate their data and store a local copy, even if the data is distributed amongst several sites. For example, the user may want to copy data from a social networking site to their mobile phone address book and their local e-mail address contact book. The intended effect is that the user can use a single sign-in technology to aggregate their information across multiple web-sites, and back this valuable personal data up somewhere.
Actors
- Alice
Preconditions
- Alice has been around on the Web since its near inception.
- She has several web-sites, from work and even web-sites from previous jobs that have not been deleted, and belongs to a few different social networking and micro-blogging sites.
- Alice's oldest web-site, with very outdated phone and date information, comes up first in the results when using a search engine.
- Alice would like a single site that she controls to be the centre of all her social information. Currently she does it by maintaining feeds, but some of her sites don't support feeds. However, some of the data she would like on her site, such as her favorite books and interests, she would also like to retrieve from various social networking sites. Her hope is that due to all the links from her social data on the Web, her personally-run site can reach the top, and even exceed, the old work site in terms of search results.
Triggers
Basic course of events
- Luckily, thanks to SocialAggregator technology, standards-compliant social networking and micro-blogging site data from Alice can all be consolidated, and then downloaded using an easy-to-use interface to her hard-drive, where it is stored using some standard data-format.
- Then, she can upload this data automatically to her private site after running it through some transformation that converts her aggregated social data into hypertext.
Alternative paths
- She can even automate this process so it runs once an hour.
Post-conditions
Business rules
Author and date (From Eduserv Digital Identity Workshop, special thanks to Andy Powell)
Drag and Drop
[3 November 2009 TPAC f2f: should be merged with "re-use your data"]
Goal Associating information about a person, a group, a company for it to be consumed by some program - be it a thick client or browser based - should be as easy as dragging the page about that person or group onto the program.
Summary
Actors
- Alice
Preconditions
Trigger
- Dragging an element onto another.
Basic course of events
- Tagging a picture as one in which someone appears should be as easy as dragging that person from an address book, or their home page onto the photo.
Alternative paths
Post-conditions
- The picture is effectively tagged with the friend.
Business rules
Author and date
Establishing a connection across social networks
Goal Alice wants to add Joe to her list of contacts, across social network providers.
Summary
Actors
- Alice, user of Social Network A (Person)
- Joe, user of Social Network B (Person)
- Social Network A (System)
- Social Network B (System)
Preconditions
- Alice and Joe are not connected yet
- Social Network A and B need have no prior knowledge of each other
- Joe is not on SN A
- Alice is not on SN B
Triggers
Basic course of events
- Alice somehow has an identifier for Joe's profile on SN B
- Alice requests (through SN A) to make a connection to Joe [somehow] on SN B
- Joe is informed by SN B that Alice is requesting a connection
- SN A provides access to relevant information (which may not be public) to Joe (possibly via SN B) about Alice's profile
- Joe approves the connection request on SN B [not necessary in the case of a twitter-like connection]
- Joe appears as Alice's connection on SN A
- Alice appears as Joe's connection in SN B
Alternative paths
- Alternative path 1: Joe appears as Alice's connection on SN A but Alice does not appear as Joe's connection on SN B [more like the Twitter type of connection]
- Alternative path 2: Alice requests (on SN B) to make a connection to Joe; Alice provides SN B with her identity on SN A; SN A asks Alice for a confirmation if she is making the request; Alice confirms; Joe appears as Alice's connection on SN A
- Alternative path 3: SN B doesn't directly participate in the request but is informed after the fact by crawling publicly available information (e.g. FOAF profiles)
- Alternative path 4: Joe rejects Alice's request
- Alternative path 5: A "relationship" is also specified as part of the connection, refer to next use case...
[ creation of a connection - especially in the case of asymmetric connections - could be implicit - e.g. based on sharing data ]
Post-conditions
- SN A and SN B both think Alice and Joe are connected to each other
- Alternative path 1: SN A & B both know that Alice is connected to Joe
- Joe knows Alice's identifier on SN A
Business rules
Author and date
Misc
- There are many different kinds of connection based on the types / definition of connection in SN A vs. SN B. In this case, Social Network B would impose its rules on establishing that connection.
- A connection request is not like following an RSS feed - in this case, SN B must be involved.
- [does Alice need to accept SN B's terms and conditions?]
DanBri's story about asymmetric relationships on Orkut should be noted
We should use relationships.
Managing relationships across social networks
[created in TPAC f2f - 3 November 2009]
Goal
Once a connection is established, this connection can be categorised in different ways including allowing for negotiation and agreement between parties on these categories.
Summary Categories can include membership to groups, the "this is me" relationship, family, friend, classmates, colleagues, co-workers, pets, etc...
Actors
- Alice, user of Social Network A.
- Bob, user of Social Network B.
Preconditions
- Alice has established a connection to Bob
- Bob has a reciprocal connection to Alice
Triggers
Basic course of events
- Alice categorizes her connection to Bob [e.g. Bob is a "friend of" Alice]
- Alice chooses to ask Bob to confirm this categorization
- Bob is informed of this categorization request and can choose to confirm it
- Bob confirms the categorization
Alternative paths
- Bob can initiate the request as well (the reverse of the above)
- Bob can ignore, deny, or offer an alternate version of events
- Bob can "politely block" Alice's request [appears to Alice that Bob has accepted but actually not] - [polite blocking in SIP: RFC 3856, RFC 2779]
- Bob can block Alice and Alice cannot re-request
- Bob can choose to unblock Alice
Post-conditions
- Alice and Bob are friends
Business rules
Author and date
Misc
- We should use relationships.
- These relationships once established should be exportable as lists / groups
- Multiple relationships can exist on top of a connection
Finding a connection across social networks
[Created at TPAC f2f]
Goal
Allow one person to find or otherwise discover (e.g. through suggestions) other people
Summary
Actors
- Alice on SN A
- Bob on SN B
- Alice is also a user of a friend suggestion finder application service C [e.g. Mr. Tweet]
Preconditions
- Alice and Bob are not connected
Triggers
Basic course of events
- Alice receives a notification from service C that Bob is someone she may want to connect with
- [see "establish a relationship"]
Alternative paths
Post-conditions
Business rules
Author and date
Misc
Adding new features to Social Networks
Goal
Summary Developers should be able to expose existing data in new and interesting ways. But at the same time, people should be made aware of how their data is being used, and updated when this changes.
Actors
- Alice
- Trent
Preconditions
- Alice is always on the move, and keeps her TwitSpace profile updated with her location so that her friends know where she is.
- She is happy for this information to be displayed on her public profile, because only her own friends ever bother looking at her profile.
Triggers
- Trent is a developer for TwitSpace Inc and writes a new feature for the website which plots all TwitSpace users on a map of the world, allowing the map to be zoomed in on any location and show the TwitSpace users (with links to their profiles) who are there.
Basic course of events
Alternative paths
- The takedown issue is related, as Alice may want to remove her location data from TwitSpace.
Post-conditions
- While Alice's location data was publicly available before, its discoverability has been increased, which Alice is not happy about.
Business rules
Author and date
Tracking Sources
Goal To find the original source of a meme or piece of information.
Summary Alice is a witness as a key piece of news unfolds. She posts a message about it on her microblog. Two of Alice's subscribers, Bob and Carol, think that this information is of global importance, so they repost it. Many of their subscribers also repost the message, and it finds its way onto other social networks too.
Zoe receives this information on a microblog she subscribes to, but isn't sure whether to believe it. She would like to track the message back to its original source to find out how believable it is by assessing that source's expertise on the matter, and possible biases.
Actors
- Alice
- Bob
- Carol
- Zoe
- others
Preconditions In this example, Alice and the other nodes in the chain to Zoe have not opted to enable any privacy settings that would block this tracking.
Trigger
Basic course of events
Alternative paths
Post-conditions
Business rules
Author and date Toby Inkster based on a story on danbri's blog.
Anonymous Information
Goal To provide information without being the attributed source or “whistle blower”.
Summary Alice takes her child to the doctor for a cold. The doctor recommends a routine test. Later, Alice discovers the routine test was not so routine after all, as it was to rule out the possibility of swine flu, a recent epidemic. Alice feels that the doctor misrepresented the test, and wants to share this with her friends, but is reluctant to do so, since casting the doctor in a negative light can have repercussions in her care at a later time.
Actors
- Alice
Preconditions
- A user feels important information should be shared, but is reluctant to share if the information is attributed to them.
Trigger
Basic course of events
- Information is supplied to a network of individuals.
- The source of the information is not readily discernible.
Alternative paths
- Individuals are allowed to contact an anonymous information source.
Post-conditions
- Information is made available to a network of people without the exact source of that information being made apparent.
Business rules
Author and date
- Ronald P. Reck
- Oshani Seneviratne
Removing Data or Changing Data permission
[can delete - TPAC]
Goal
Summary @@once released, it is released for ever. No way to remove traces.@@
Actors
Preconditions
Triggers
Basic course of events
Alternative paths
Post-conditions
Business rules
Author and date
Last Will For Online Content & Account
[This one should probably be deleted - DKA]
Goal The user should be in control of which of the content he created is deleted when he dies.
Summary There is currently no easy solution to the question of what should happen to a user's content following their death. Currently the user's content is valid forever. It might be hard, if not impossible, for surviving dependants to delete the person's accounts or particular pieces of online content. This is a technical reality, to say nothing of the emotional difficulty of deciding what to keep and what to delete. It would be helpful if the user could define what should happen to his/her account and/or particular content in this situation: in effect a 'will for online content.'
Actors
- Bob
Preconditions
- Bob creates content online
- Bob defines what content should remain available and what should be deleted in the event of his death
- Bob may also define a whole account to be deleted in this case
Triggers
- The hosts of Bob's content are notified about Bob's death by some authority, perhaps one named by Bob before his death.
Basic course of events
Alternative paths (optional)
Post-conditions
- All affected accounts and content are deleted
- All third parties that replicated or cached affected content are notified about the expiry and to delete it
Business rules
Author and date Alex Korth (Jul-09)
Shills Posting False Information to Dilute the Truth
[Is this related to the idea of verified profiles - could there be a role for a 3rd party profile verification service to increase trust in the social web?]
Goal
To determine the veracity behind information posted in a social network.
Summary Bob is interested in making a purchase over the Internet but reads several scathing comments about the vendor and the product. These scathing comments are followed by several generic favorable comments posted in rapid succession that rate the vendor and product highly. He suspects the favorable comments are posted by the vendor themself and wishes he had more information about the people who posted comments.
Actors
- Bob
Preconditions
- Wanting better insight into the quality of information posted in public.
Triggers
- Wanting to determine if any of the posters of information are credible.
Basic course of events
- Bob wants something
- Bob finds the item he wants available through a source.
- Bob finds conflicting information representing diametrically different opinions.
- Bob seeks to understand what information is credible.
Alternative paths (optional)
Post-conditions
Business rules
Author and date Ronald P. Reck (Aug-09)
Social Web for Business Intelligence
Goal
Enable Social Networking in enterprises and the interoperability between internal applications and public applications.
Summary
Recently, online communities of interest have emerged and started to build directories of references in their domains of interest at an impressive speed and with very agile responses to changes in these domains. One of the forces of the tools enabling these communities is their ability to turn usually passive users into active participants and producers. The diversity and the mass of users are used to tackle the diversity and the mass of information sources. Monitoring market, science and technological changes is a vital ability of today's organizations, yet the growing diversity of sources to track in each domain of interest remains a challenge for any organization. Organizations actively look for "weak signals" and value-adding information and knowledge and try to manage networks of experts in their field of excellence. Therefore there is a growing interest in importing the tools and practices that made the success of these online communities inside corporate information systems. Organizations and communities leverage Social Networking to improve communication internally and externally, to help find people with the required skills and initiate and manage collaborations. This clearly cannot be achieved within Social Networks that are data silos.
Actors
- Alice, works at Company Zoe
- Kurt is the boss of Zoe
- François is a chemist at Kemics
- Zoe, is a company that produces small zoo like animals
- Kemics, is a chemistry lab
Preconditions
Social web apps are interoperable.
Triggers
Basic course of events
- Kurt follows several business sites and news places using an aggregator of multiple interaction channels used by these communities of interest. Although these feeds come from very different sources and by very different means (IRC, IM, micro-blogging, SN, etc.) they are tagged using a common framework and shared references and therefore he was able to customize the notifications very precisely. This morning he was interested to learn that the research lab Kemics announced a new bio-plastic that never gets dirty.
- Kurt selects the topic of bio-plastics and asks the internal social network of his company Zoe to identify experts in the domain. Analyzing the expert network and public online networks, the search engine is able to identify Alice, a chemist specialized in plastics and who did her internship at Kemics.
- Kurt sends a message asking her to evaluate opportunities on this new subject. The message is routed to her according to her status and availability: the system chooses SMS since she is down in the lab, with her mobile in her pocket.
- Alice didn't know a new plastic was released by Kemics but she uses her mobile access to a social network to poke François, her former adviser at Kemics. She also requests a digest of the latest publications and patents of Kemics related to bio-plastics, which gets delivered to her by e-mail a few minutes later.
- Back at her office, reading the report, Alice identifies several experts and through François she gets introduced to them regardless of the social network sites their communities are using. She is able to exchange a few questions with them and set up a meeting at Zoe's headquarters, cross-checking her agenda, their agendas and that of Kurt.
- Before the meeting Alice compiles extracts of the reports and her discussions with the experts on an online document only visible to the participants of the meeting; parts of the documents use internal sources and are only visible to her and Kurt.
- Reading through the report Kurt is able to trace the sources of every part and also identify a boss at Kemics he would like to be introduced to; he leaves a personal reminder about that only visible to him on the agenda of the meeting.
- The meeting goes well and everyone is able to contribute to the shared document using different credentials. Contacts, events and project opportunities are exchanged. It is the start of a fruitful collaboration between Zoe Corps and Kemics Labs.
Alternative paths
- many are imaginable
Post-conditions
A new community of interest is born and reified between members of Zoe and Kemics.
Business rules
Author and date
Fabien Gandon, 28/08/2009
Further References
CRUD Operations on Social Data
Goal All the CRUD operations on social networking data should propagate to the interlinked sites.
Summary Social networking sites are interlinked in very complex ways. The support for data flow is mainly focussed on create and update operations only. To give a consistent view of the user's state, delete should also be propagated. Changes on one site will automatically propagate to the other sites where the data needs to be changed. This relieves the user of having to remember where the data might have propagated to and remove it manually.
Actors
Preconditions
Triggers
Basic course of events
Alternative paths
Post-conditions
Business rules
Author and date
Mis-tweeting the news
Goal
After mistakenly propagating false news items, a user wants to retract.
Summary
Actors
Bob on SN A and SN B
Preconditions
Triggers
Basic course of events
- Bob mis-hears a piece of news
- Bob posts this to SN A
- This is propagated to SN B
- Bob realizes his mistake
- Bob deletes the news from SN A
- Deletion is propagated to SN B
Alternative paths
Post-conditions
Business rules
Author and date
messaging across inter-social network
Goal
Allow user of one social network to "mention" a user in another social network.
Summary
Actors
- Alice on SN A
- Bob in SN B
Preconditions
Triggers
Basic course of events
- Bob creates an "update" on SN B of the form "@alice said 'blah'" but Alice is identified as Alice in SN A
Alternative paths
Post-conditions
Business rules
Author and date
Document Takedowns
Goal
The user should have the option of defining an end date for the availability of the content s/he creates, and in the case where his/her information flows from one site to another, the originating site should make sure that all the previous actions in propagating the social data are undone.
Summary
Alice's social networking site pulls in her latest tweet and updates her status message on the site based on that. One day, at a company board meeting, she inadvertently leaks out some confidential data in a tweet. She realizes her mistake and deletes her tweet immediately. But by the time she logs in to her social networking site to remove this status update, a good number of her friends have already seen this update.
Actors
- Alice
- Bob
Preconditions
Alice has contributed some social data on social networking site X.
Triggers
Alice issues a takedown notice to site X.
Basic course of events
If site X has communicated Alice's social data to site Y and site Z, then site X should make sure once Alice's data are altered (modified/deleted), it should be reflected in the other sites that site X propagated that data to.
Alternative paths
Editors Note: Integrating the Forget About This in 10 Years user story to this.
An alternative path of this use case is to set a TTL (Time To Live) value for the social data. The user should have the option of defining an end date for the availability of the content s/he creates.
In the course of normal life, the human brain forgets details in order to filter outdated and sometimes increasingly irrelevant information. This protects us from being faced with embarrassing things we did in the past, perhaps at a time when we exhibited very different personalities than we do today. This is not adequately modeled in our online representations. There should be a way to automatically have content cleared after a defined period of time.
For example consider the following set of events:
- Alice defines the default availability period for some social data she made available on site X as 10 years.
- For this period of time, her friend Bob and whoever else to whom she has granted access, can view her data, make comments etc.
- After 10 years have passed, the data is automatically taken offline and is not available anymore. The data has lost visibility to search engines (if it was public in the first place).
Post-conditions
- The social data Alice exposed on site X is no longer available to Bob or anybody else on site X, site Y, or site Z.
Business rules
Author and date
- Oshani Seneviratne (Sep-09)
- Alex Korth (Jul-09)
Privacy and Context
Privacy and context are about how users, developers, and organizations can limit access to social data. This requires some notion of digital identity, and then using some kind of access-control over that digital identity and data produced by that digital identity. Thus, it requires that data be portable and have some provenance.
Note that there is no privacy in isolation. Privacy and Context go hand in hand. If you are alone on a deserted island, there is no notion of privacy. Privacy starts when there is an observer.
Multiple Identities
Goal Users SHOULD be able to create different identities, including anonymous identities, for different groups of people yet manage them securely and privately.
Summary For some people, maintaining some kind of separation between personal, public and work-based and other identities is desirable. Current social web sites enable a hybridization of previously separate identities. Furthermore, fictitious and pseudonymous identities can be useful and should be supported. However, many current tools, especially micro-blogging tools, collapse our identities into one single identity, with no inherent separation between work-based messages and personal messages.
Actors
- Laura
Preconditions
- Laura has a number of different identities. For example, she has a school identity, where she would like to communicate with classmates and professors about academic affairs.
- However, she also would like to talk with some class-mates, as well as university friends, about parties and gossip. She would ideally like her parents and professors not to know about parties and gossip, and would instead emphasize her considerable academic achievements to them.
- Furthermore, she has two hobbies that require separate identities. Laura, a large fan of medieval role-playing games, has a fictional identity as "Koyote" that she uses in online role-playing games, as well as a non-digital medieval re-enactment society known as Society for Creative Anachronism.
- She would like to keep this identity separate, as she knows many friends purely from her medieval re-enactment, but thinks others of her friends, family, and professors would think that these hobbies are silly. Lastly, she volunteers doing support for immigrants and those facing possible deportation in the country she lives in. In particular, she organizes against detention centres and raids on the houses of immigrants.
- She wants to be very careful and secure about this identity, as she is afraid it could be used against her by anti-immigration activists. However, many of her friends and parents know that she is involved in this kind of activity.
Triggers
Basic course of events Does she have to maintain separate identities, and separate profiles, for each social networking site she uses? Luckily, she uses the single SocialAggregator platform, which allows her to manage all her profiles securely. Since her friends are spread out over multiple Social Web services, she ties each of them to their identity using some identity aggregation technology. She then creates a number of identities for herself, including: friends, university, family, activism, and medieval-fantasy. She aggregates all of them together as separate profiles of a unique identifier except activism, which she wants to keep very separate and as anonymous as possible, although SocialAggregator allows her to check multiple unique identifiers, including anonymous ones like her activist one, using some secure technology. Laura can then check all of her identities using a single log-in and message checking software. She then can use a way to define "groups" on SocialAggregator that allow her family and professors and her friends permission to check on her university activities, but keeps certain photos and posts private to her friends, depending on whether they are her "normal" friends or the friends she has through medieval role-playing.
Alternative paths
Post-conditions She then keeps her activist identity separate and unconnected to herself.
Business rules
Author and date (From Eduserv Digital Identity Workshop)
Using a web service should not involve password or account name creation
Goal Using a web service should not involve password or account name creation
Summary Arriving at a new web service (a cloud service making it possible to play Go, for example) should not require entering a domain-specific user name or password. The user should just have to select the personality he wishes to present to the site, or what type of access that site can have to his information. In a couple of clicks the site should then be able to personalise itself with the user's logo, picture, friends, ... -- depending on what information the user and his friends make available. Social applications should work seamlessly across the cloud.
Actors
- Alice
Preconditions
Triggers
Basic course of events
Alternative paths
Post-conditions
Business rules
Author and date
Distributed Group Access Control
Goal Alice and Bob, users of two different social networks, would like to work with a very nice wiki tool provided by some third party.
Summary
Actors
- Alice, user of Social Network A.
- Bob, user of Social Network B.
Preconditions
- Alice on SN A, Bob on SN B, and many others are working on a W3C project.
- The members of this group are listed on a W3C page, generated by a mailing list perhaps or in some other way.
Triggers Alice creates an account for the group there by dragging the W3C member page onto the admin section of the wiki that asks who should have access to the wiki.
Basic course of events Once this is done, all members of the wiki get access to the page.
Alternative paths
Post-conditions
- If members get added to the W3C project page, they get immediate access to the third party wiki.
- If some get removed, they lose their access rights.
Business rules
Author and date
Distributed Family Access Control
Goals
- Limit resource access to family only.
- Nobody should have to become a member of a specific Social Network in order to view the pictures posted by a family member.
Summary Alice on SN A has two children and three siblings. She published photos on that site, but she would only like her family to view those pictures (how deep the family tree goes should be something she can decide). Of course her parents and sisters are on completely different SNs.
Actors
- Alice
- Two children of Alice
- Three siblings of Alice
Preconditions
- Alice has some photos published on Social Network A.
Triggers
Basic course of events
Alternative paths
Post-conditions
Business rules
Author and date
Intransitivity of Policies Applied to Social Network Data
Goal Social Network privacy policies should be transitive.
Summary Current social networking platforms implement very rudimentary data usage policies. These mostly focus on the immediate individuals concerned and give little consideration to data transfer beyond them. Policy conflicts are also not properly handled. If the policies applied to social networking data are made transitive, we can make sure that everybody's right to privacy and each individual's data usage rules are preserved. There is no practical implementation that handles this kind of transitive policy preservation mechanism right now.
Actors
- Alice
- Bob
- Charlie
Preconditions
- Alice, Bob and Charlie are users of a popular social networking site.
- Alice and Charlie both know Bob, but they do not know each other.
- Assume that all three of them have specified a privacy policy saying that the data on their social network profile can be viewed and used by their friends only. For the sake of clarity, assume that "use" means to "republish the data for the benefit of that individual only".
Triggers
- Bob uses some data from Alice by republishing it on his profile without thinking about any consequences.
Basic course of events
- Since Bob is in Alice's friend network he can use anything that Alice posts on her profile without violating Alice's policy.
- The social networking platform will also allow this action as it complies with the immediate privacy policy. However, if Charlie uses this data which appears on Bob's profile (which is originally from Alice), that would violate Alice's policy.
- Unfortunately, the social networking platform will allow the data usage as it does not have any knowledge of any previous privacy policies applied to this particular data item.
Alternative paths
- There has been some research into this subject which may be of some use.
See: Data Purpose Algebra in particular.
- This mechanism can be used in a social networking environment for sharing:
- personal data on a person's profile
- photo albums and videos that apply to an individual and shared among a limited number of people
- status updates, news stories or any other kinds of feeds
- A study done by the ACLU on Facebook quizzes revealed that when somebody takes a quiz or installs any other Facebook app, it compromises not only her privacy, but that of her friends as well.
Post-conditions
Business rules
Author and date Oshani Seneviratne - 08th July 2009
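The following sketch is an added illustration, not part of the original user story or of any existing platform. It replays the Alice, Bob and Charlie scenario with a constructed friend graph and compares the per-profile check described above with a check that carries the policies of every earlier publisher along with the data; all names (Item, republish, naive_allows, transitive_allows) are hypothetical.

```python
from dataclasses import dataclass

# Constructed friend graph from the story: Alice and Charlie both know Bob,
# but do not know each other.
FRIENDS = {
    "alice": {"bob"},
    "bob": {"alice", "charlie"},
    "charlie": {"bob"},
}

@dataclass(frozen=True)
class Item:
    content: str
    publisher: str          # profile the item currently appears on
    provenance: tuple = ()  # earlier publishers, original author first

def friends_only(owner, viewer):
    """The policy all three users chose: the owner and the owner's friends."""
    return viewer == owner or viewer in FRIENDS[owner]

def naive_allows(item, viewer):
    """The platform in the story: checks the immediate publisher only."""
    return friends_only(item.publisher, viewer)

def transitive_allows(item, viewer):
    """Every publisher in the chain must admit the viewer."""
    owners = item.provenance + (item.publisher,)
    return all(friends_only(owner, viewer) for owner in owners)

def republish(item, user):
    """Copy an item to `user`'s profile, keeping the chain of earlier owners."""
    if not transitive_allows(item, user):
        raise PermissionError(f"{user} may not use data from {item.provenance + (item.publisher,)}")
    return Item(item.content, user, item.provenance + (item.publisher,))

def demo():
    original = Item("holiday photo", "alice")
    copy = republish(original, "bob")   # allowed: Bob is Alice's friend
    return {
        "naive_charlie": naive_allows(copy, "charlie"),
        "transitive_charlie": transitive_allows(copy, "charlie"),
        "transitive_alice": transitive_allows(copy, "alice"),
    }
```

The naive check lets Charlie use the copy on Bob's profile, while the transitive check refuses because Alice's policy travels with the item.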
Hidden Friendship Relations
Goal Users want to hide contacts from their public list of friends selectively and reliably.
Summary Friendship relations are a base functionality in online social networks [1]. They have a positive privacy impact as they can be used for basic rôle-based access control and support trust properties. However, they also have a negative privacy impact since milieu information propagates along friendship links. Selective hiding of friends reconciles these properties but poses engineering challenges.
Actors
- Alice
- Bob
- Kurt (all three are members of the same social network)
Preconditions
- Friendship relations are enforced to be symmetric (A is a friend of B ⇔ B is a friend of A).
- Alice and Bob are friends.
- Both of them have public lists of friends (aka buddy lists, confirmed contacts).
- Alice realises Bob has been involved in dodgy activities (binge drinking, propaganda, copyright infringements, terrorism). She is ashamed of their friendship but cancelling it is not an option as she would lose access to Bob's photo album.
- Alice makes her entire list of friends public.
Post-conditions
- Kurt wants to learn the trustworthiness of Alice. He therefore plans to examine her online peers. Unfortunately, Alice has hidden her list of friends.
- Kurt crawls the social network and finds Bob. In his list of friends, he discovers Alice.
- Since friendship links are enforced to be symmetric, Kurt learns that Alice is a friend of Bob.
- Alice finds herself unable to keep her link to Bob private.
Business rules
- Reliable relationship hiding is incompatible with users' ability for unilateral disclosure [2].
- Privacy properties such as marking an item private need to propagate along the social graph to ensure reliable secrecy.
Author and date Sören Preibusch (2009-08-26)
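The sketch below is an added illustration of the two business rules, not code from the original story. It uses a constructed symmetric friendship graph (the users dana and erin and all function names are hypothetical) and compares a friend list that honours only its owner's hiding choice with one where the private mark propagates to the other end of the link.

```python
# Constructed symmetric friendship graph: each edge is an unordered pair.
EDGES = {frozenset(p) for p in [("alice", "bob"), ("alice", "dana"), ("bob", "erin")]}

# Constructed per-user hiding choices: Alice marks her link to Bob as private.
HIDDEN_BY = {"alice": {"bob"}}

def friends_of(user):
    """All friends of `user`, regardless of visibility."""
    return {next(iter(edge - {user})) for edge in EDGES if user in edge}

def public_list_naive(user):
    """Honours only the list owner's own hiding choices."""
    return friends_of(user) - HIDDEN_BY.get(user, set())

def public_list_propagated(user):
    """A link is shown only if neither endpoint has marked it private.

    This takes away the other user's ability to disclose the link
    unilaterally, which is the trade-off the first business rule names.
    """
    return {friend for friend in public_list_naive(user)
            if user not in HIDDEN_BY.get(friend, set())}

def link_visible(public_list, a, b):
    """A symmetric link is exposed if either endpoint's public list shows it."""
    return b in public_list(a) or a in public_list(b)
```

With the naive lists the Alice-Bob link is still exposed through Bob's list; with propagation it is absent from both lists, while each user's other links stay public.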
References
Virtual Private Organization
Goal
- Set up a temporary social networking infrastructure.
- The companies involved do not disclose any internal information, even regarding their internal organization or research interests, to other companies in collaboration/competition.
Summary
Actors
- Alice
- Bob
- Zoe
Preconditions
The organizations involved want to use collaborative and social web applications but
Triggers
A collaborative project between different organizations, in which people coming from different organizations, possibly competitors in other fields, need to share information in a collaborative and social way.
Basic course of events
- There is a common temporary project between different organizations.
- They want to use collaborative applications outside the companies' firewalls.
- They don't want to allow people from other organizations to use their network and servers.
- We set up a social network with the meta-information provided by all the participants.
- They collaborate and share on the basis of the meta-information exposed by each organization.
- The collaborative system provides some identities (open-id) that the participants use to interact through web 2.0 applications over the internet without any fear of breaking the company security policy.
- When the collaboration finishes, the social network is torn down.
Alternative paths (optional)
Post-conditions
Business rules
Author and date
Joaquín Salvachúa (Jul-09)
Inferences on location based contextual data
Goal Individuals should be able to express what purposes their location-based data should and shouldn't be used for, to guard themselves from adverse consequences based on their data.
Summary There are many applications that enable users to share their location-based data with their friends. These location-based data logs reveal where the individual has been, making it possible to infer things other than what the user originally intended the data to be used for. By explicitly stating what they intend this data for, users can hopefully guard themselves against any adverse consequences of exposing their personal data. This is not an enforcement mechanism. Someone can still claim that he/she did not use these location-based data in deriving some decision.
Actors
- Alice
- Kurt
Preconditions
Triggers
Basic course of events
- Alice is using an application on her social networking site that uploads her GPS trace logs gathered during the day.
- She is doing this as part of a community based study to monitor pollution levels in cities.
- These trace logs indicate where she has been and the duration of her stay at a particular location nicely laid out on a map.
- Suppose Kurt, Alice's boss, is in Alice's social network. He looks at these GPS trace logs out of curiosity, and notices that Alice usually takes very long lunch breaks and goes outside of her designated work area quite regularly.
Alternative paths
Post-conditions
- Kurt uses this information in a job performance review, and does not give Alice a good review.
Business rules
Author and date
Oshani Seneviratne - 08th July 2009
Further References
- For an example application that allows users to upload their GPS traces to Facebook see:
PEIR (Personal Environmental Impact Report).
- A related mechanism is used in the Respect My Privacy Facebook Application to clearly convey the purposes the user profile information can be used for.
Data Protection
Goal
Summary
Actors
- Alice
Preconditions
Triggers
Basic course of events
Alice is not a member of a given walled-garden social network and Bob tags her in an image from an event they were both at. Given that Alice finds out about this image, through word of mouth or by whatever means, should she be able to ask for her depiction to be removed?
If she somehow manages to confirm that it was indeed a picture of her, should she be able to get it removed? Should a social networking site X uphold Alice's wish, which may be different from that of Bob, X's client? And more generally, should Alice be informed about what data about her is held within social network X, given that she is not a member?
Alternative paths
Post-conditions
Business rules
Author and date
Current Location as a Direction
Goal
Individuals should be able to express their current location not only as a spot in place, but as a direction as well.
Summary
In many Social Web sites, users can declare their current location (e.g. Paris, New York). This can be useful for their friends to localize them. When a user posts some content (e.g. a microblogging post), the location can help readers understand the content in the context of the current location. However, most services limit the declaration of location to a particular spot in space (a latitude-longitude couple), and in some cases what is relevant is not the exact spot but the direction of the user's movement. This is the case when a user is on a train to a certain destination: the exact spot where he/she is at the time of posting some content might be far less relevant than his/her direction of movement. On the other hand, when users are on the go, their direction of movement might be available on train/bus/plane ticket selling websites. Users should be able to import this information into other applications and integrate it in their daily experiences.
Actors
- Alice
Preconditions
- Alice is on a train
- She is equipped with a mobile device capable of detecting her location
Triggers
Basic course of events
- Alice has bought a train ticket (Paris-Nice) on a ticket selling website
- While traveling she is using a microblogging application that is capable of gathering and sharing location information. The application also has access to Alice's ticket information from the ticket selling website.
- After she writes a microblogging post, her application offers to publish her location in different forms, such as the current spot (latitude, longitude) where the train is at that time, or the direction (from Paris to Nice).
- According to the nature of the microblogging post content, Alice chooses the most appropriate way to disclose her location
Alternative paths
- The microblogging application might have obtained the information about the direction from Alice's calendar as well, provided that she has previously entered the trip data in her (mobile or Web-based) calendar.
Post-conditions
Business rules
Author and date
Milan Stankovic & Jelena Jovanovic - 01 September 2009
Further References