Yes, I’m satisfied. (see: Choice and Consent, Proximity and Locality, and Templates. Three birds with one stone. Some users might want a white list instead of a black list, but I won’t begrudge Facebook this point.)

Almost. The news feed is still curiously noncooperative, but assuming visibility on the news feed is inherited from visibility in the profile, this shouldn’t be a problem. This ambiguity is a result of lacking proper Notice of proximity of effect. LinkedIn’s “View my profile as others see it” button could still be useful for Facebook’s news feed. There are also still a number of items, such as status updates, that are absent from the news feed configuration.

I’ve been making some observations about a BitTorrent community that’s having a lot of troubles getting off the ground. They have a 30:1 seeder:leecher ratio, which they wear like a badge. Everybody’s giving, no one’s taking. That’s good right?

Not really. I think the administrators are oblivious to what’s actually going on. This ratio makes it incredibly difficult for new users (i.e. poor people) to get started. On communities where the ratio is more balanced, you can usually start out by leeching popular content and seeding it back to the rest of the community. With such a high ratio of seeders, you have to compete with every other member of the community, which makes it impossible. In a given day, with the most highly active torrent, you can expect to have uploaded a total of 1MB–maybe.

A user’s best bet is to hunt down a smallish torrent that has more leechers than seeders. As I’ve said, these don’t really exist. There are a few out there, but most of them are extraordinarily large (> 12GB) which is too much of a risk. This particular service introduces ratio requirements at around 5GB. One idea would be to start leeching one of these larger torrents and then stop a smaller amount in, only seeding. I don’t know the nitty gritty details of how BitTorrent works, so I’m not sure if (besides availability) there are any biases in which chunks are chosen for uploading (such as order within the file), but assuming it’s uniformly random, if you only have a small percentage of the actual file, the probability that someone actually needs something from you is quite low. I haven’t had any success with this at all.

So occasionally the administrators will throw “free leech” torrents out there to stimulate things. Other communities have tried entire weeks of free leeching on all content. This helps a bit, because it temporarily stimulates the economy, but if the underlying model isn’t sustainable, these aren’t going to help matters much. No new member wants to wait for the next free leech, and since the rate of new users coming into the site is rather low, once everyone has the free content, no one’s going to be left to download it. You’ve just momentarily given a boost to people’s ratios. It doesn’t help much. It’s like tax rebates. No–I take that back: it’s like printing money.

The real problem that I see is hoarding. Most people in the community, in the face of rather draconian ratio requirements, will hoard their ratio as much as possible. Since the ratio of the community (ignoring free leech) is a closed system, this causes a great imbalance that can blow up over time. The net ratio of the entire community is constant at 1.0 (ignoring free leech), so your best bet is going to be evenly distributing everyone’s individual ratio to 1.0. A little socialist, I admit, but that’s what’s going to make things work best. There needs to be a motivation for hoarders to spend their ratio.

The easiest way I’ve thought of doing this is to make ratio a depleting resource for the individual. Use It or Lose It. To keep it a closed system, and to better benefit the community, hoarders’ KB uploaded will be slowly redistributed evenly to the community over time. Similar to an income tax. Different from an income tax, however, this has serious advantages both for the hoarder and everyone else. Rather than punishing hoarding, you’re actually encouraging activity. By requiring that people continually try to maintain a 1.0 ratio, you’re encouraging people to increase their total uploads and downloads, which will allow them to download larger content in the future without having to worry about changes to their ratio. Older members of the community are still valued for their past contributions in that their ratio is more or less invulnerable, but new members are still supported by a thriving community.

There are other benefits to this. By encouraging people to actively download, you’re also ensuring the wide distribution of less-than-popular content, which helps support the long tail of community interests.

It’s a shame that some people have allergies, clogging up their abilities to experience the full extent of Spring. It’s like their body’s way of limiting how much they can transfer their consciousness into their surroundings. It’s a stopgap.

The age of widespread participatory media is continually undergoing definition and situation into society. Many of these outlets for expression and communication are only at the tip of the iceberg in terms of user base, though. Although the number is quite significant, why is it that only one third of teens using the Internet are actively sharing content? What are the teens who are producing content but not sharing it doing with their work? What about adults? These numbers may be enough to make social web companies see financial success, but in terms of bringing about a new age of media production and consumption, there is still a long way to go.

Almost every single milestone in Facebook’s expansion of its userbase has been the result of an outcry amongst its users. Within Facebook, several user groups were organised to protest the decision of expanding its services to high school students. Similarly, but to an even greater extent, Facebook’s decision to allow anyone to create an account, regardless of affiliation, still remains a hot issue. Facebook’s business model had two other large milestones in 2007. In May, Facebook released its API that allows third-party developers to access personal details of users and create applications embedded within the Facebook site. In November, Facebook introduced a new targeted advertising model that includes Beacon, a system that shares purchases made by users at participating third party sites with their friends. Initially, Beacon was an opt-out service, requiring a confusing, explicit opt-out process for every service.

One might ask: who’s in charge of these decisions at Facebook? Why is it that every major change in Facebook is met with such tremendous backlash? In the case of Beacon, Zuckerberg himself had to issue a public apology. One guess might be that this behaviour is one of the natural growing pains of developing new modes of media distribution and communication. Another hypothesis, which I’ve attempted to confirm in my previous posts, is that there are fundamental design flaws of the current state of the social web that are preventing major, rapid innovation.

Privacy is one of many issues that is holding the social web back and preventing it from realising its true potential. At one extreme, there are still people who don’t like having any information about themselves available on the Internet. We need to cater to larger audiences.

It’s all about letting users reduce and alter the large space of what they think the product is doing. When you don’t give users immediate, clear feedback that tells them what you’re doing and when you don’t allow users to choose how they want their information distributed, you’re going to be met with an enormous, resilient possibility space that is going to not only scare users away, but frustrate them to no end.

Privacy is important. Communicating privacy is important. This isn’t an issue that we need to just let someone else figure out for us, and even if it were, we aren’t giving anyone the tools to do so. If we don’t allow people to choose how they want to be seen on the web, we’re never going to be able to have any kind of dialog about privacy.

And that’s the end of my rant.

As an example of the danger of large possibility spaces in content use by social web tools, I mentioned that Facebook has several different points of privacy configuration across multiple, predefined user groups. There exist several ways that these possibility spaces can be reduced. One method is through user-generated privacy templates.

As mentioned with respect to proximity and locality, there are some social web services that allow users to define custom user groups to whom certain settings apply. For example, in LiveJournal, a user is able to create groups from a list of all his or her friends and use these as the target of limited-access posts. In Pownce, the same is possible for defining recipients of microblog entries. In this way, users can specify, for example, that they wish certain information to be visible to their coworkers, certain information to be visible to their immediate family, and so forth. There is no need for people to explicitly define their relationships with their friends in terms that the system can understand (as in Facebook), but they are able to use these templates in the future. Templates get past the necessity of requiring explicit user consent for every action taken, as consent to publish to certain users in implicit in their previous definition of the user group, which is presumably given some unique identifier that the user can remember, e.g. “coworkers” or “family.”

Facebook recently added contact templates, but so far they see pretty limited use across the site. As opposed to privacy, they seem to be used to simplify tasks such as inviting friends to events.

The only downside to these contact templates is that they have to be constantly maintained. When a user has many publishing groups with heavy overlap, this can become problematic. However, the benefit gained from avoiding the uncertainty associated with the all-or-none decisions of predefined, high-level user groups such as those in Facebook far outweighs this. If these templates are introduced into the tool properly, they don’t need to be cumbersome for the user. Facebook already provides a great implementation of this maintenance through allowing users to specify relationship types when they add a new friend. Unfortunately, these relationship types are predefined (rather arbitrarily) and not integrated into the functionality of the system in any significant way. The list of relationship types may as well be removed now that the Facebook has added custom user groups. About the only place they see use is in the timeline view that shows when you met certain people, which I’m not sure anyone actually uses.

Behavioural Templates.

Another possibility for templates is a behaviour template. There are many cases when users simply don’t want to publish particular types of content to anyone at all. Similarly, there are cases when users don’t want to be informed about certain content published by others. These types of decisions can be simplified through behavioural templates. For example, some members of social networks may be more interested in forging business relationships than they are in keeping in touch with friends. Allowing for these differences in preferences to be stored in behavioural templates can help the user develop a conceptual model of the system that is more consonant with how it will actually behave. Of course, it’s necessary to develop notice into any system with templates–a user should always know exactly what effect the template is having on his or her communication preferences. Integrating template selection directly into the methods used to choose communication preferences is a safe way to ensure users will understand exactly what these present templates mean.

Then again, a theme of developing new technologies is that they will always be used in ways the developer didn’t foresee. With predefined behavioural templates, the possibilities for use cases and applications of a tool are limited. This limitation can be overcome somewhat either through close personal monitoring of trends in user activity or by learning the templates computationally (what are those aspects of users’ preferences that most discriminate between different sets of users?) Any computational solution will introduce certain threats to user trust, however, as the templates will, by definition, not be reliable. Even if the template only changes user preferences when a user updates them, one still risks confusing users with changing definitions.

OK, so I’ll wrap up this disorganised rant in my next post.

In situations of security breaches, for example, there should be some recourse someone can take that is specific to security breaches to clean up any unwanted damages. Low level design decisions such as keeping detailed records of changes to a user’s information (analogous to version history) can help designers and support staff build these mechanisms into a tool’s framework. Although issues of notice prevent a user from knowing whether or not his recourse is actually effectual, Facebook provides the ability to selectively remove listings from the mini-feed as recourse for mistakenly publicising actions. In some cases, recourse and notice could even be implemented in such a way as to allow user to undo unwanted communications by notifying them if the recipients of their messages have received anything and allowing users to “unsend” messages if the recipients have not (a feature common to many groupware solutions.)

Although access and recourse do work well as fail-safes, they should be integrated into any design regardless of whether or not they are deemed necessary by failure in any of the other principles of privacy awareness. Simply giving users the ability to correct potential misuse of their information can be key to gaining their trust and allowing them to have a richer, more comfortable experience.

So that’s the last principle I’ll mention. Next, I’ll talk about templates, which can be a great way of abstracting away many of the scope and practicality issues involved in the last few posts.

On the contrary, however, a decision about anonymity should be present as early as the initial conceptualisation of any social tool. Often, to reap the rewards of the web, disclosure of identity is not at all necessary. MySpace is able to perform as a successful social network without requiring users to identify who they truly are and anonymous blogging has been the boon of teenagers across the globe.

In fact, anonymity can often be expanded even further. In some situations, it’s not necessary to even associate information with a unique identifier for the person to whom the information belongs. Oftentimes it’s not even necessary to have a social design for a tool to work. Google News, for example, performs collaborative filtering to suggest news items to users based on the news read by other users who are most similar to them. Nowhere is there a necessity for a reader to identify a particular suggestion with a source with or without an anonymous identifier (in fact, the suggestion usually comes from a combination of a multitude of sources), but the user is still able to leverage the structure of the community to his or her benefit.

Of course, it’s oftentimes desirable to link an explicit identity with a user. In some cases, we even want to have a user disclose his or her real identity, as this can require a certain level of commitment from the user. In the case of social networks, Facebook and LinkedIn have been forerunners in this regard. Facebook benefits from attempting to require users to give their real names in that the tool maps real world networks of friends, which helps emphasise its existence as a communication medium that can augment unmediated relationships. LinkedIn, of course, bases its entire functionality off the disclosure of professional information, as it is a site made for the formation of new business relationships. With this requirement comes a great deal of responsibility, however, as a service not only has the capability of allowing a user to sully some of the relationships about which he or she most cares, but also raises questions about how information is being used by the company collecting it. After all, the reasoning for Facebook being based around real names is convincing, but could there be ulterior motives? There are certainly many conspiracy theories hovering around both Facebook and MySpace, but users have no recourse to assuage those fears in Facebook’s case.

Finally, it should be noted that anonymous identifiers are not always an end-all-be-all solution to having a fool-proof social web design, either. While they do provide a recourse for users who make mistakes or are confused about the operation of the service, they only do so inasmuch as the user does not define himself in terms of his new identity. In cases where anonymous identities see long-term use (such as the case of internet monikers, online forums, or gaming communities and virtual worlds), it would not be intellectually honest to assume that these relationships are any less important to a user than those which are not mediated by the social web. Even though members of these communities are not necessarily at risk of injuring their relationship with the law, employers, or their basic human needs, the social bonds created between anonymous users ought still be protected, unless the users enter into the relationships with the understanding that they will not be.

I’ll talk a bit about Access and Recourse next: what do we do when these guidelines break down?

Apart from having separate passwords for every possible activity on a site, there aren’t many options that can enforce fool-proof security. Instead, it’s necessary to design a tool in such a way that these security breaches will have minimal impart or not need to occur. One way to limit the impact and occurence of security threats is to simply make users’ data completely available and actions so benign as to eliminate the desire to access another’s account or personal information. Obviously, this isn’t much of an option, so another option might be the other extreme, which is to design a lack of security into the user experience.

In The Transparent Society, David Brin makes the bold claim that reciprocal transparency amongst individuals will create situations where both the act of maintaining privacy and the act of invading one’s privacy will be public knowledge, leveling the playing field and resulting in a more trusting society across the board. By having a social framework that enforces equal transparency, he argues, privacy can be maintained through a system of mutual trust. (I’ll talk about this a little more later in a general post about whether or not we should even care about privacy.)

Similar to Brin’s idea of reciprocal transparency, we can have reciprocal insecurity–by allowing everyone to have access to modify and have access to everyone else’s data, and by having proper notice and a detailed history of this activity, we eliminate the problem at its source. To some extent, this is the case in wikis, such as Wikipedia. By introducing accountability into the mix, Wikipedia is able to create a collaborative online community that has a natural system of checks and balances. Of course, this system is not by any means fool-proof and is heavily influenced by the amount of activity that any given page sees, but this is an assumption that readers of Wikipedia either have or should be given. However, since Wikipedia still features user accounts for accountability, there’s still motivation to gain access to someone’s account for illegitimate purposes.

There’s no perfect solution to security in design, but at least we shouldn’t ever entertain or spread the idea that our systems can be completely secure. Boasting of security may be desirable for marketing purposes, but it hurts the market at large as security breaches continue to invalidate our claims.

Different services require different types of security, as they involve the use of different kinds of data, some of which are less personal or identifying than others. I’ll talk about this spectrum of Anonymity and Pseudonymity next.

A key feature behind the social web (and the web in general) is that it allows for large leaps in both proximity and locality, so we wouldn’t want to assume that these two concepts should be limiting. Rather, they should be understood in terms of other privacy aware principles, and be used clues for finding deeper problems. Going back to Beacon, Facebook faced problems with surprising all their users’ notions of the capabilities of the web. Proximity and locality are concepts that can be used to predict these surprises. Most importantly, the locality of the information should never be unknown, but should always be communicated through proper notice, preferably before any action is taken.

There are some services that implement custom locality for users, such as those that allows people to create custom friends groups (e.g. LiveJournal, Pownce). Revisiting choice, direct manipulation of locality by users is an extremely powerful way of providing them with notice of the destinations of their information.

Next will be “Adequate Security.”