The privacy of "everyone"


Daniel E. Renfer

Mar 3, 2011, 1:32:00 PM
to onesocialweb
Hello OSW folk,

For those of you that don't know, I've been spending the past few months
working on my independent implementation of the OSW protocols using
Clojure and Tigase. One of the differences between my application and
the standard osw-openfire-plugin implementation is that I include an
integrated HTTP server. What this offers, that the current
implementation does not, is the ability to serve published posts as HTML
pages and Atom feeds even to non-authenticated users.

This has brought up the question of the expectations of privacy with the
current implementation. Up to this point, communicating over the OSW
network has felt like a private little group. You know the people that
are subscribing to you and you didn't expect anyone other than your
followers to ever see that post. This means that people have undoubtedly
said things meant for their followers that they never expected to be
made available to the world at large. (and especially not Google)

These posts were never private, they've always been (last 20, at least)
available to any user with an XMPP account and a client capable of
sending raw XMPP stanzas, (not to mention full OSW clients) but the
privacy through obscurity of an OSW network vs the wide open nature of a
web page and (eventually) full integration with OStatus is quite a
different matter.

So I guess my question to my fellow OSW users is: Have you been
operating under the assumption that your posts were limited to your
current subscribers? Would you be offended if a cached copy of your
(everyone) posts appeared in the public inbox list of one of your
subscribers?

Diana mentioned needing a new level of privacy to differentiate between
"public" and "public to my network". There is also the concern about
legacy posts. Diana advocated the current status of "everyone" being
defined as "public to my network" and "public" meaning "public". I have
argued that "everyone" translates to me as public, and that there needs
to be a sort of meta-group for "subscribers".

For reference, here is what the current ACL rules look like:

<acl-rule xmlns="http://onesocialweb.org/spec/1.0/">
<acl-action
permission="http://onesocialweb.org/spec/1.0/acl/permission/grant">http://onesocialweb.org/spec/1.0/acl/action/view</acl-action>
<acl-subject type="http://onesocialweb.org/spec/1.0/acl/subject/everyone"/>
</acl-rule>

What are your guys' thoughts? I think easy access to posts and
integration with OStatus servers is going to be vital, but I understand
the desire to keep some of the historical posts private. (I am, in
general, pro-living publicly)

Alas, I don't have comments working, but the post that started this can
be seen here (if running):
http://beta.jiksnu.com/notice/urn:uuid:83d366ed-6f5e-4f48-8fa4-51316cf3f39a

Julien

Mar 3, 2011, 1:48:44 PM
to onesoc...@googlegroups.com, onesocialweb
Interestingly enough, we had this discussion with Diana Cheng last week. Basically, we interpreted everyone as 'anyone'.

--
Julien Genestoux

Sent from phone, please pardon brevity and typos.

Diana Cheng

Mar 3, 2011, 5:25:47 PM
to onesocialweb, Laurent Eschenauer
I think the most important question rather than the label itself, is
what people feel about the activities they have published until now.
Whether they feel the current "visible to everyone" meant "everyone
following me" or that it meant "the rest of the world, I don't mind if
it's publicly accessible via a permalink!". Should we make everything
with the current visibility "everyone" available via a public feed
that others can subscribe to? After all, if someone starts following
me today, they will be able to see all the activities "visible to
everyone" I posted till now (well, the last 20, or everything if we
actually had Result Set Management).

We can make "everyone=anyone=public" and then come up with a new
"followers=subscribers" level of visibility if the current labeling
doesn't convey the appropriate meaning. I think the labeling itself is
less important than whether OSW folks feel comfortable with everything
they've posted until now being made publicly available. I'd be happy
to hear as many voices as possible on this one.

Cheers,
Diana.

On Mar 3, 7:48 pm, Julien <julien.genest...@gmail.com> wrote:
> Interestingly enough, we had this discussion with Diana Cheng last week. Basically, we interpreted everyone as 'anyone'.
>
> --
> Julien Genestoux
>
> Sent from phone, please pardon brevity and typos.
>
> > Alas, I don't have comments working, but the post that started this can be seen here (if running): http://beta.jiksnu.com/notice/urn:uuid:83d366ed-6f5e-4f48-8fa4-51316c...

Daniel Appelquist

Mar 3, 2011, 5:43:57 PM
to onesoc...@googlegroups.com
Yes - I think the blanket assumption right now is "what happens in OneSocialWeb stays in OneSocialWeb." We actually need more sophisticated privacy controls (evolving beyond personal groups which I don't think are terribly effective either as a metaphor or as a mechanism) and this is one of the things we'll be working on with FJ from Vodafone's User Experience team over the coming months. But in the meantime, I think if we change everyone to mean public then we need to set up some defaults and enable the user to at least choose whether they want their default to be "public" or "people on OneSocialWeb nodes who follow me."

We probably have a small enough user base right now that we can make this switch and make the default for all users to be public...

Dan

Daniel E. Renfer

Mar 3, 2011, 5:57:14 PM
to onesoc...@googlegroups.com
It should probably be easy enough to come up with another sql query that
server admins can run that will change the privacy of all past
"everyone" posts to "my subscribers" and then once updated code is
deployed, they can choose how public they want their posts to be.

This does bring up an interesting issue with security. You can specify
privacy all you want, but once you allow that post to go to a different
server, you can not trust that it will stay confidential.*

*: I pledge that I will not intentionally violate the privacy of other
users' posts.

Daniel Bo

Mar 3, 2011, 6:21:12 PM
to onesoc...@googlegroups.com, Daniel E. Renfer
I vote for "everyone" to mean all subscribers and "public" to mean
just that. I think it will be less confusing when compared to other
social platforms..

Renato Iannella

Mar 3, 2011, 6:53:24 PM
to onesoc...@googlegroups.com

On 4 Mar 2011, at 04:32, Daniel E. Renfer wrote:

> Diana mentioned needing a new level of privacy to differentiate between "public" and "public to my network". There is also the concern about legacy posts. Diana advocated the current status of "everyone" being defined as "public to my network" and "public" meaning "public". I have argued that "everyone" translates to me as public, and that there needs to be a sort of meta-group for "subscribers".

If you go back to a previous post [1], you will see this:

=========================
How it works:
------------------------
The user experience is dictated by the client, so different clients may expose none, some or all of these concepts, depending on what their aim is. The protocol itself enables granting/denying actions to subjects. The actions and the subjects are extensible, so that some servers and clients could add their own logic if required.

A subject could be:
- 'everyone'
- 'network' (e.g. limit to 'vodafonernd.com' to keep inside the company firewall)
- 'contacts' (anyone being in your roster)
- 'group' (e.g. a roster group. You could tag some contacts as 'friends' and limit sharing to them)
- 'relationship' (the users with whom you have a confirmed relationship)
- 'individual' (a specific user JID)
==========================

I would assume that "everyone" takes on the normal semantics of "public".


Cheers

Renato Iannella
http://renato.iannella.it

[1] http://groups.google.com/group/onesocialweb/browse_thread/thread/502386112c761223

Laurent Eschenauer

Mar 4, 2011, 3:24:48 AM
to onesoc...@googlegroups.com
Hi all,
 
> I vote for "everyone" to mean all subscribers and "public" to mean
> just that. I think it will be less confusing when compared to other
> social platforms..

I agree that the term "everyone" may be confusing and we would not have this discussion today had we chosen to label the field "public". In our thinking, what we really meant, was "public" of course, since anyone can anyway send an <iq /> request to the pubsub node to retrieve your past items.

What I would do to clear confusion:
- Rename the label to "public" in the UI
- Add the 'followers' list in the drop down box (we already have the 'following' one), this should be trivial.
- Allow the user to pick a default broadcast setting (will set the default value for the dropdown box).

One key thing to keep in mind however: If you have a list (e.g. "my buddies", or "my followers") you can make items visible only to that list. When you add someone to the list, that person will have access to all previous items that were visible to that list. We debated this at great length with Alard and concluded it was making the most sense. I don't know how Facebook is handling that case however.

Cheers,

Laurent
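
Added example, not part of the thread or of the OSW code base: a Python sketch of how the `everyone` rule quoted in the first post evaluates for an unauthenticated HTTP reader, next to a group-scoped rule whose membership is checked at read time, as described in the message above. The `group` subject URI, the group name carried as element text, and the JIDs are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "http://onesocialweb.org/spec/1.0/"
GRANT = NS + "acl/permission/grant"
VIEW = NS + "acl/action/view"

# The rule quoted in the thread: grant "view" to subject "everyone".
EVERYONE_RULE = """<acl-rule xmlns="http://onesocialweb.org/spec/1.0/">
<acl-action permission="http://onesocialweb.org/spec/1.0/acl/permission/grant">http://onesocialweb.org/spec/1.0/acl/action/view</acl-action>
<acl-subject type="http://onesocialweb.org/spec/1.0/acl/subject/everyone"/>
</acl-rule>"""

# Constructed variant scoped to a roster group. The ".../subject/group" URI and
# the group name as element text are assumptions, not taken from the thread.
GROUP_RULE = EVERYONE_RULE.replace(
    'subject/everyone"/>', 'subject/group">buddies</acl-subject>')


def parse_rule(xml_text):
    """Reduce one <acl-rule> to the fields the access check needs."""
    root = ET.fromstring(xml_text)
    action = root.find(f"{{{NS}}}acl-action")
    subject = root.find(f"{{{NS}}}acl-subject")
    return {
        "grant": action.get("permission") == GRANT,
        "action": (action.text or "").strip(),
        "subject": subject.get("type").rsplit("/", 1)[-1],
        "name": (subject.text or "").strip(),
    }


def can_view(rule, requester, groups):
    """requester is a bare JID, or None for an unauthenticated HTTP request.
    groups maps the owner's list names to their members at read time."""
    if not rule["grant"] or rule["action"] != VIEW:
        return False  # anything that is not an explicit view grant is denied
    if rule["subject"] == "everyone":
        return True  # no identity check at all, so anonymous readers pass
    if rule["subject"] == "group":
        return requester is not None and requester in groups.get(rule["name"], set())
    return False  # subject types this sketch does not model fail closed


if __name__ == "__main__":
    groups = {"buddies": {"alice@example.org"}}  # constructed JIDs
    old_post = parse_rule(GROUP_RULE)
    print("anonymous, everyone rule:", can_view(parse_rule(EVERYONE_RULE), None, groups))
    print("bob before joining list:", can_view(old_post, "bob@example.org", groups))
    groups["buddies"].add("bob@example.org")
    print("bob after joining list:", can_view(old_post, "bob@example.org", groups))
```

Because the rule stores a subject rather than a snapshot of members, the same stored post becomes readable to anyone added to the list later, and an `everyone` rule has nothing to check against once an HTTP front end is attached.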


Laurent Eschenauer

Mar 4, 2011, 3:29:35 AM
to onesoc...@googlegroups.com
> This does bring up an interesting issue with security. You can specify privacy all you want, but once you allow that post to go to a different server, you can not trust that it will stay confidential.*
>
> *: I pledge that I will not intentionally violate the privacy of other users' posts.

Another topic that was debated at great length :-) The conclusion was:

- Technology will never solve this issue (in the end, a user can take a screenshot of your message and publish it if he wants). This is a social problem. If you don't trust a friend, don't send him private content.

- One caveat however is the trust you have in the server on which your friend has his account. It may not have been recently updated, some security flaws may exist, your content could be exposed. The only technology to solve this would be client side encryption, we felt at the time that it was too much of an overkill to be placed in the core and that it could always be added 'on top' by specific clients: Nothing prevents you from writing a client that does end-to-end encryption and running it on top of the OSW infrastructure.

Cheers,

Laurent

B. Kip

Mar 5, 2011, 6:54:19 PM
to onesoc...@googlegroups.com
Hi,

A few comments:

On Fri, Mar 4, 2011 at 7:25 AM, Diana Cheng <daian...@googlemail.com> wrote:
> I think the most important question rather than the label itself, is
> what people feel about the activities they have published until now.

On a personal level with respect to past posts, I have always assumed that since: 1. this is an early version of developing software and 2. there exist no specific privacy controls - everything I put in OSW is out of my personal control. However I do think that giving people control and choice over what happens to their old posts is the best and most ethical way to go whenever it is possible to do so.
 
> Whether they feel the current "visible to everyone" meant "everyone
> following me" or that it meant "the rest of the world, I don't mind if
> it's publicly accessible via a permalink!". Should we make everything
> with the current visibility "everyone" available via a public feed
> that others can subscribe to? After all, if someone starts following
> me today, they will be able to see all the activities "visible to
> everyone" I posted till now (well, the last 20, or everything if we
> actually had Result Set Management).
>
> We can make "everyone=anyone=public" and then come up with a new
> "followers=subscribers" level of visibility if the current labeling
> doesn't convey the appropriate meaning. I think the labeling itself is
> less important than whether OSW folks feel comfortable with everything
> they've posted until now being made publicly available. I'd be happy
> to hear as many voices as possible on this one.

From a *control* perspective there is no essential difference between public and 'followers only' since I have no control over who chooses to follow me (except in the case of an approved followers only scenario). I'm not sure it makes a lot of sense to differentiate between those cases in user settings. It would make more sense to have settings that allow people to post things to groups of people they specify the members of themselves.