Thursday, September 23, 2010

Privacy across Social Network aggregation

Social Network aggregation is a great personal service that allows me to see updates from all my social networks in one place. There are a number of services that provide this functionality: chi.mp and AOL Lifestream to name two. As long as I'm the only one viewing these aggregations, there are no privacy concerns.

However, the problem arises when content is shared (cross-posted) between social networks and then re-aggregated by the social aggregation service. Take the following scenario as one possible use case.

Alice participates in 3 social networks, statii (a real time micro blogging site), snaps (a photo sharing site), and frendz (a social network of my personal friends). In addition, Alice uses a social network aggregation site called socialview to give her a global view of all her social network activity. All of these social networks allow Alice to establish connections with her friends within those networks. Each of the social networks has it's own privacy mechanisms that allows Alice to share information publicly, or just with a certain set of friends. Even socialview allows Alice to establish relationships with other socialview users and share their aggregated social network activity streams. In addition, socialview allows Alice to cross-post status updates to both statii and frendz.

In this example, all of Alice's micro blog updates to statii are public. In addition, most of the photos she uploads to snaps are also public. On frendz, Alice is a little more careful and only shares information with friends. She does allow friends-of-friends to view her updates and any comments her friends leave.

Now, let's say that Alice uses socialview to post a status update to both statii and frendz. Let's also assume that Alice has decided that all her updates originating from socialview should be public. When Alice's status update appears in frendz, her friend Bob thinks it's relevant and leaves a comment in frendz on her status. Then Socialview, during it's normal aggregation cycle, sees the new comment from Bob and adds it to Alice's aggregated view.



This is where it finally gets interesting. Should Bob's comment be made public (given that Alice's privacy settings at socialview state that all her posts are public, and Bob is commenting on a "public" post?) or should his comment be visible only to Alice (because Bob didn't know he was commenting on a public post).

What I think is missing is a "visibility" scope attribute that needs to be attached to the activity as it navigates across social networks. In the above contrived example, this would allow frendz to make it clear to Bob that Alice's status is really public. It would also allow socialview to honor Bob's privacy settings that he only shares comments with friends when aggregating his comment back into Alice's aggregated view.

4 comments:

Gerald Beuchelt said...

Interesting problem which actually goes beyond the social networking realm:

For example, some documents within an enterprise might be releaseable only to a limited set of business partners, while other documents are publicly releaseable. If you want to manage them within the same repository, comments on these documents might have all kinds of releaseability caveats.

Another issue that is seem also outside the soc net realm is the problem of aggregation: while individual data points might be harmless, the aggregate of many such data points might become sensitive.

Traditionally, this problem has been solved by creating the appropriate meta data. In addition, you want to apply the most strict releaseability policy by default.

This is obviously less than ideal, but - to my knowledge - the only truly privacy preserving approach.

Conor P. Cahill said...

Out of curiosity, on what social network does bob get to tell whether or not Alice's post was public?

At least on facebook, Bob just knows that Alice's post showed up in his newsfeed.

And what, exactly does "public" mean for Bob when talking about Alice's posts? If she shares her posts with her networks but not the rest of the world, is that public? If she has at least one "not visible by xyz" setting, does that mean it isn't public?

I also think it can be a privacy leak if Bob is able to see what Alice's publicity settings are (just imagine that Alice has set it so that her husband can't see the post -- I don't think she would appreciate it if others who could see the post could tell that her husband was blocked).

George Fletcher said...

So part of the problem is that Bob can't tell that Alice's post is "public" when it show's up on frendz. In Facebook, you can hover your mouse over the lock icon and it will tell you the "visibility" of that post. However, that is just Facebook's "visibility" not the "visibility" of the activity that was cross posted into Facebook.

Now if all the Facebook comments just stayed within the Facebook social network, there wouldn't be any issues. The problem arises, when the comments are re-aggregated with the original activity.

When that happens, Bob's comment goes from friends-of-friend to public (at least in this example).

You raise a good point about the PII of the "privacy setting" itself. I agree that if the privacy settings are that specific, they shouldn't be shared with everyone else.

What I do think needs to be shared, is the exposure/reach of my comment when I leave it. If I know that only friends will see the comment, I might say something different than if I know the comment will be public and searchable by Google:)

Conor P. Cahill said...

As far as I know you can't tell the publishing level of another's post on Facebook.

You get that lock icon on your own posts and that tells you what the publishing level is for your items.

However, the lock does not appear on posts by others, even when they post to your profile.

At least that's the way it appears to me. Perhaps you've found some hidden feature that lets you see the lock symbol when you look at posts on my profile that weren't made by you.