Why Privacy Will Always Lose

In social networks, that is.

I hear a lot about how various social networks have privacy that sucks, and how, if only they got their user interaction act together, users would do so much better at choosing options that protect their privacy. This seems obviously untrue to me, and here’s why…

Imagine that I have two otherwise identical social networking sites, one with great privacy protection (GPPbook) and one that has privacy controls that suck (PCTSbook). What will my experience be on these two sites?

When I sign up on GPPbook, having jumped through whatever privacy-protecting hoops there are for account setup, what’s the next thing I want to do? Find my friends, of course. So, how do I do that? Well, I search for them, using, say, their name or their email address. But wait – GPPbook won’t let me see the names or email addresses of people who haven’t confirmed they are my friends. So, I’m screwed.

OK, so clearly that isn’t going to work, let’s relax the rules a little and use the not-quite-so-great site, NQSGPPbook, which will show names. After all, they’re rarely unique, so that seems pretty safe, right? And anyway, even if they are unique, what have I revealed? That someone signed up for the site at some point in the past – but nothing more. Cool, so now I can find my friends, great, so I look up my friend John Smith and I find ten thousand of them. No problem, just check the photos, where he lives, his birthday, his friends and so forth, and I can tell which one is my John Smith. But … oh dear, no friend lists, no photos, no date of birth – this is the privacy preserving site, remember? So, once more I’m screwed.

So how am I going to link to my friends? Pretty clearly the only privacy preserving way to do this is to contact them via some channel of communication I have already established with them, say email or instant messaging, and do the introduction over that. Similarly with any friends of friends. And so on.

Obviously the experience on PCTSbook is quite different. I look up John Smith, home in on the ones that live in the right place, are the right age, have the right friends and look right in their photos and I click “add friend” and I’m done.

So, clearly, privacy is a source of friction in social networking, slowing down the spread of GPPbook and NQSGPPbook in comparison to PCTSbook. And as we know, paralleling Dawkins on evolution, what spreads fastest is what we find around. So what we find around is social networks that are bad at protecting privacy.

This yields a testable hypothesis, like all good science, and here it is: the popularity of a social networking site will be in inverse proportion to the goodness of its privacy controls. I haven’t checked, but I’ll bet it turns out to be true.

And since I’ve mentioned evolution, here’s another thing that I’ve been thinking about in this context: evolution does not yield optimal solutions. As we know, evolution doesn’t even drive towards locally optimal solutions, it drives towards evolutionarily stable strategies instead. And this is the underlying reason that we end up with systems that everyone hates – because they are determined by evolution, not optimality.

So, is there any hope? I was chatting with my friends Adriana and Alec, co-conspirators in The Mine! Project, about this theory, and they claimed their baby was immune to this issue, since it includes no mechanism for finding your friends. I disagree, this means it is as bad as it is possible for it to be in terms of “introduction friction”. But thinking further – the reason there is friction in introductions is because the mechanisms are still very clunky. I have to use cut’n’paste and navigating to web pages that turn up in my email (and hope I’m not being phished) and so forth to complete the introduction. But if the electronic channels of communication were as smooth and natural as, say, talking, then it would be a different story. All of a sudden using existing communications channels would not be a source of friction – instead not using them would be.

So, if you want to save the world, then what you need to do is improve how we use the ‘net to communicate. Make it as easy and natural (and private) as talking.


  1. the popularity of a social networking site will be in inverse proportion to the goodness of its privacy controls

    No. The popularity of a social networking site will be directly proportionate to how many people choose not to use the privacy tools. It is possible to preserve one’s privacy and make use of social networking sites, it just requires a little bit more effort.

    That being said I am not quite sure how fruitful this is to notice. It is kinda like saying “I don’t think it is possible to have a successful potluck if no-one brings any food to share.” Well, duh.

    Comment by Jen — 4 May 2009 @ 19:05

  2. The other answer is to have a way for you to bring in your existing friends list to the new social site, by importing it from whichever site you choose as a social custodian, whether it is your Mine, your webmail, or a social network you use. That’s what the Portable Contacts work is about, and the OpenSocial sites that enable that model do reduce the friction of connecting.
    It has been much more effective in enabling users to reconnect, as both Plaxo and Facebook have shown. The challenge is that by doing it in a way that doesn’t reveal email addresses and enable mass-mailing, just identifiers in the delegated-to system, the sites doing the delegating can’t use scattergun techniques, which some of them are loath to give up.

    My hope with this is that we can reverse the evolutionary pressure; by having common standards for delegating contact lists, users of them will prefer the ones that give them more control over who gets to see what. In effect we switch from a prisoner’s dilemma to an iterated prisoner’s dilemma, and thus the good communications will mean we can shun the sites that betray us.

    Comment by Kevin Marks — 4 May 2009 @ 19:12

  3. How easy was it to “find your friends” before the advent of technologies such as “the telephone directory” and its equivalents on the Web? Privacy, _by definition_, means that it should be difficult to find someone.

    Privacy from other individuals on the Web doesn’t worry me too much. Privacy from large multinational corporations (including governments) though seems much more important (to me).

    Comment by John Kemp — 4 May 2009 @ 19:19

  4. “they claimed their baby was immune to this issue, since it includes no mechanism for finding your friends. I disagree, this means it is as bad as it possible for it to be in terms of “introduction friction”.”

    Hm, I do remember the conversation in the car from foocamp about this but never did I claim Mine! to be ‘immune’ to anything. This would never be my choice of words as that just raises a red rag to a bull. 😛 I do recall however reiterating that Mine! is intended to capture and maintain existing relationships, upon which you surmised that it won’t have the issue described above. 🙂

    There is no introduction friction for my existing network. Therefore, I don’t need Mine! for discovery, there are plenty of ways to do that. So it’s like saying that because I can’t slice my parma ham with my corkscrew, it’s the worst possible in the cutting department. Go figure.

    Mine! is not social in the same sense as FB, MySpace or FriendFeed, the closest analogy to it is email – an exchange of data between individuals in private, that can be potentially extended. It may be social in human terms but not in technology terms – like social network platforms and social networks are. It’s a tool for alternative data and relationships logistics, one that’s better for me as an individual user from the perspective of ownership of data, its management and sharing it on my terms. Discovery doesn’t really come into it.

    Comment by Adriana — 4 May 2009 @ 19:20

  5. I just don’t buy this “privacy won’t work” argument that so many Soc. Net. evangelists embrace…not that I don’t think we’re in a “Wild West” phase of online networking. I think we’ll have a lot of issues with privacy that are going to take a while to iron out and things are going to be a little mucky for a while.

    Of course, if you embrace an “it just won’t work” philosophy, it’s kind of a self-fulfilling prophecy.

    I do think it’s true that for social networks to aggregate lots of connections, there has to be a well thought out process of discovery that involves identity, and if you want to connect, you have to make your identity known. But identity can have a hook without making all your data known.

    Consider the extent that online banks go to to protect your money in all its digital glory. This is extremely protected (albeit private) data. We can do the same with social network data. Not monikers or avatars or whatever the ID hooks are, sure there needs to be some kind of calling card. But all the other information?

    I guarantee you that over time, as information becomes almost synonymous with currency (information value), there will not only be a greater need and want for privacy/protected data, but you’re going to hear it from the people.

    This is my democratic-socially-minded prediction.

    Comment by American Yak — 5 May 2009 @ 3:05

  6. I wouldn’t conflate “ease of ability to find/identify/connect-to other users” with “privacy in general” when considering success factors for social networks.

    While I agree with your analysis as it relates to connecting, the life-blood of social networks is sharing content across that social graph, and in this case there is ample evidence that providing more fine-grained controls can *increase* the amount of content that is shared (because the sharer feels comfortable that only the right people will see this). Facebook certainly found this by limiting sharing to intra-college networks early on, and we see it everyday at Plaxo with separate sharing to family, friends, and business connections.

    The early web 2.0 model of “content is shared in public because we don’t have a good identity/privacy/auth model for the web” is only the tip of the iceberg, and the early social networking model of “only other users of this same service can see my content” is similarly limiting. True social sharing that is cross-site and non-public will ultimately constitute the lion’s share of activity, and we’re already seeing the early signs of that today. So I think this is some cause for optimism among those who value privacy. 🙂

    Comment by Joseph Smarr — 5 May 2009 @ 5:03

  7. I wouldn’t say that privacy is inversely related to the popularity of a social networking site. It is about being more creative behind the scenes to protect privacy and make it convenient for the user. John Kemp’s comment above is pretty close. At least when I’m sharing information with friends, I have some measure of control over what I’m sharing and with whom. I don’t have any idea what is going on in the background when I grant access to my information to do some particular add-on application. The generic notice doesn’t let me make an informed decision. I don’t know that much would change, but the average person would at least have some awareness of what he/she was giving up.

    One other note that is making this a bit harder is that as you mentioned the privacy of a conversation, a conversation is gone and forgotten once it is over, but not so that same conversation on the net. ‘Forgetting’ is now a conscious act. It will take some time to train people to that change.

    Comment by James McCartney — 5 May 2009 @ 12:32

  8. Interesting to hear your thoughts – with my colleague Soren Preibusch at Cambridge, we’ve collected the data in the last 2 months to generally refute your hypothesis that “the popularity of a social networking site will be in inverse proportion to the goodness of its privacy controls. I haven’t checked, but I’ll bet it turns out to be true.”

    We signed up for 45 different social networks around the world and recorded data on size, growth rate, privacy controls, personal data collection, privacy policies, etc. As far as I know this is the first academic study to attempt this. Among many other interesting things we found a positive correlation between number of privacy controls available and the size and growth rate of networks. Still doing some data analysis but it looks right now like things are more complicated. Our results will be published at WEIS next month, and hopefully we’ll have the paper on my website sooner than that.

    Comment by Joseph Bonneau — 5 May 2009 @ 17:05

  9. You can have a private talk with someone because sound waves spread out and become inaudible a few feet away. Conspirators (con = with, spire = breath) talk so softly that they breathe each other’s breath.

    On the web, the least word echoes round the world.

    Comment by Peter - Ben's Dad — 6 May 2009 @ 6:39

  10. Joseph Bonneau:

    How do you distinguish correlation from causation, and in particular, forward causation from reverse causation?

    I would think that the more popular a social network site is, the more money and developers it will have, and the longer it will be around, thus the more opportunity to implement lots of fancy privacy controls. In other words, I would think that size and growth rate would cause privacy controls; given that, how do you test for the hypothesis that causation also goes in the reverse direction?

    Comment by Anonymous — 11 May 2009 @ 8:39

  11. […] Swire: Are data empowerment (networking) and data minimization (privacy) opposed? #cfp09 see also […]

    Pingback by wseltzer's status on Tuesday, 02-Jun-09 14:06:50 UTC - — 2 Jun 2009 @ 15:06

  12. Our report is available, it will officially be published next week at WEIS:

    We both contradict and support Ben’s hypotheses. On one hand, the statistical correlations are between size/growth rate and better privacy, not the other way around. As a previous comment said, this is probably because more successful sites can afford to invest more in privacy controls and the like.

    More interestingly, we have some good data that suggests sites are intentionally hiding their privacy controls and policies, despite clearly investing in them. Our explanation is that sites have to balance between two goals: keeping most people’s data viewable (as suggested by Ben, making the site more useful), but also preventing criticism from privacy advocates. Thus, the winning model may be to have many privacy controls, but make them hidden and confusing to prevent most people from actually locking down their profile.

    Comment by Joseph Bonneau — 16 Jun 2009 @ 22:38

