How can a privacy-positive social media site gain meaningful adoption?

There is a fundamental tension when designing social media software with a focus on privacy: The more posts are set to friends-only access, the harder a time the network will have in gaining adoption.

Since social media to a large extent lives and dies by network effects, some combination of these are necessary to grow the network beyond a critical threshold and keep it lively. It must also stay reasonably competitive with other social media systems in attracting users. There are many reasons a person might choose to 1) create an account and 2) "friend" other users rather than sticking with what they already have:

  • Being encouraged to by their existing friends
  • To see what all the fuss is about (if it's in the news)
  • By seeing interesting posts by people they may or may not know

Privacy-positive social media software is by default at a disadvantage in the last category. How can it be made competitive with the likes of Twitter and Facebook without compromising on values? In this post, I consider the notion of "socially local privacy" as a partial solution to the discovery problem.


If most users use pseudonyms and avatars rather than photos and their "wallet names", and choose not to post publicly, as is the case with Dreamwidth and other Livejournal derivatives, the following happens frequently:

  • A makes a post
  • B and C both comment on it
  • B isn't sure who C is or what they're like, so they go to C's profile
  • There's nothing to see there, since everything is friends-locked
  • B does not extend a friend request to C
  • Even if they did, C might not feel comfortable accepting the friend request, knowing nothing of B

Since B and C are both friends with A, there is a very good chance they in fact know each other already. If B or C could read each other's posts, maybe they would recognize each other. ("Oh, she's a writer, who lives in Springfield, and was at that dinner with D... that must be Beth Jacobson!") But there's frequently no fluent mechanism by which they can discover this, so users are left to deal with the Catch-22 (or not, as the case may be.)

If a social network is to gain adoption, this sort of discovery is very important; it's not enough to transpose some subset of meatspace relationships into the digital medium; the network will not hold. Reading the comments on other people's posts helps, but it doesn't form a clear enough picture of the commenters. Some insight into their actual posts, if permitted, may be essential.


Taking Dreamwidth as an example again, there are 4 common privacy levels for posting, and who can view the post:

  • Public: Anyone, or maybe any user
  • Friends-locked: Only people who are friended or otherwise granted general access
  • Custom filter: Some subset of friends (perhaps on a named list)
  • Private: Only the poster

Since privacy is about having the power to choose how, when, to whom, and which information is released, this privacy model serves reasonably well. I can include people on a "Work" filter and post to that filter when I am discussing my job or my coworkers and not worry about my colleagues seeing it, even if I have them friended. More broadly, I can also be assured that my friends-locked political rant isn't going to be widely shared and mocked on news sites, bringing angry trolls to the comments. Or I can post publicly when I have innocuous cute cat pictures to share, and I don't mind wide exposure and re-sharing.

This can be simplified into two broad categories:

  • Public: Anyone in the entire world
  • Friends: Some subset of the user's friends

Technology makes it simple to provide the user with the ability to make custom filters or circles that narrow the friends level to various subsets. But the process of discovery, of expanding one's circle, requires some intermediate level wider than Friends, and that is not so easy to even define.

Socially local privacy

What if users could choose to publish posts at a "friends of friends" (FoF) privacy level? From the user's perspective, this may feel a little dangerous. "Friends" is a well-defined set; the user has taken a positive action to add each user into their friends list. But friends-of-friends is undefined and unknown. Even if the user enumerated the entire list of these 1-degree-out users, and even if the list never changed, still: They are unknowns. The only known is that they know some other user who trusts that user with some level of access. They're probably not jerks!

This is a compromise between the high exposure of public posts and the cozy but limited exposure of friends-only posts. Friend-of-friend is one possible approach to finding a middle ground, and might be the easiest for users to understand.

This would enable a very important interaction flow of potential friend discovery. I suspect that most users would find many of their posts suitable for viewing and commenting by their friends' friends.

It's also worth examining higher-degree connections. I think degree-1 (friend of friend) is sufficient for helping the network to grow and to approximate the shape of the existing social network, and that more is not necessary, but I would imagine that degree-2 (friend of friend of friend) would cover most of what people consider to be their "local social network" as well as covering a great many people who are considered to be strangers. Beyond that, the distinction from public posting rapidly reduces to zero.


Implementing a FoF privacy level would be simple on a social media site of the standard model, where users go to a website, upload images and write text, and trust the server to manage privacy partitions. The server just formulates an allow-list from the current social graph, and up goes the post.

I rather strongly dislike this centralized model, so I'd like to also consider trustless server models involving end-to-end cryptography. This might be quite difficult! "Public" is wildcard access (no encryption); "friends-locked" (and all variations) is an explicit allow-list (share the per-post session key to every friend). FoF would be a combination of those two, assuming a system where you cannot get a comprehensive list of your friends' friends. There are lots of questions here around encryption targets, revocation, etc.

Some of the technical burden could be lifted into the social realm. Say that posts contain a numeric "republish" field, on friends-locked posts set to 0 and on FoF posts set to 1 or higher. Clients might republish friends' posts with a positive republish field, decrementing the field as they do so. The content is then protected under the friend's encryption and software. (This feels risky, and I'm having trouble elucidating why.) This flood-fill approach has significant downsides in storage and bandwidth; users might opt out of it. (Or instead of an automated approach, perhaps any post the user "likes" or "hearts" is shared out.)

Additionally, not all friends of friends are to be trusted. Some blocking mechanism would inevitably be required, either for the problematic person, or for the friend who has unpleasant acquaintances. Perhaps only some friends (or all but some) would be included in the local dissemination.

Other approaches

I don't think this is necessarily a critical feature for privacy-positive social media software, and there are certainly other approaches which might be alternatives or complementary.

Another approach I've already considered is simply asking for an introduction: To pick up the scenario described earlier, B could send a message to A asking who C is, and whether they know them—A is well-positioned to answer this question. There's nothing to say this could not be a first-class feature of the site, reducing the activation threshold (as well as anxiety) some users might experience when contemplating composing and sending such a message.

If the software exposes the reified social graph to users, it might be possible for the software to help B notice that not only does their friend A have C friended, but so do B's friends D, E, and F. They almost certainly know C from somewhere, and it would be fruitful to inquire. This approach has a downside of only helping to fill in highly connected components of the social graph, but not of picking up more tenuous or long-range connections. My understanding is that novel information and ideas tend to come in on the long-range links, so it's very important to make sure discovery is supported there as well.

I'd love to hear any reactions or further ideas you have, or links to prior art in this space. Please leave a comment or send an email!

Responses: 4 so far Feed icon

  1. Dances Alone says:

    It's useful to poke at these ideas. Thanks for starting this conversation.

    I'm not sure how much you've researched what has already been tried. "Friends of friends" used to be a standard privacy option on Facebook. I never took it seriously as an option though: I'm pretty inclusive in what level of acquaintance I'll accept as a Facebook friend, and my immediate feeling was that friends-of-friends might as well be strangers. For that level of interconnectedness, two degrees out is probably meaningless.

    It seems that this has been borne out:

    Interestingly, it seems that Facebook may have uncovered an interesting middle ground: "Friends (+ friends of anyone tagged)". This is a more specific and more limited list, and makes a lot of sense for the way Facebook has done things (e.g. when you tag someone, the post very often shows up on their feed - I can't say how reliably this happens because Facebook keeps changing their default settings).

    Facebook friend tags are generally published as part of the post, which might not always be what you have in mind when the goal is intermediate privacy levels. Maybe something interesting could be done with private tagging of friends, or tagging of friends that is only visible to the friends in question?

    Regarding requests for introduction, I believe that LinkedIn has formalized exactly this process. This fits with LinkedIn being a professional networking site. It's used to leverage social networks to get introduced to people who might help you find or obtain a job, so there is a clear assumed motive for wanting an introduction (although honestly, I normally use email to request the introduction because it feels both more friendly and more professional). I wonder whether the idea of formalized introductions would work as well on a strictly social social-networking site.

  2. Tim McCormack says:

    I haven't done a lot of research, other than seeing how sites I use handle things. And as for scholarly research on this—I don't know what venues such research is published in, and what keywords to use. As I find relevant articles, I think that will become clear, though. (I do know I should be looking at danah boyd's work, to start with.)

    My experience with Facebook is very outdated; I haven't meaningfully used it in over a decade. I do see articles about Facebook privacy settings and screenshots of the interface, though, which gives me some idea. I think friends-of-friends may even have been an option I saw in the privacy settings for profile elements.

    The promiscuity of "friend"ing on Facebook is something that's been bothering me. It's clear that "friend"ing != friending; people want to reify social connections that do not include the level of trust and light intimacy that the word implies, it should really be "acquaintancing" or something. I like how Dreamwidth does away with the term and splits it into the two unrelated elements that it bundles, although "grant access to" and "subscribe to" are a bit of a mouthful.

    Anyway, this exposes an assumption I hadn't realized I had made: That a privacy-conscious site would have privacy-conscious users. But that's not right, is it? If it's a successful model, it will attract all sorts of people on its own merits, and while it can nudge people via interface design and default settings to be a little more aware of who can see which posts, we're likely to see the same kind of promiscuity in accepting connections from other users.

    So maybe that acquaintance/friend distinction needs to be embraced by the interface: Make it safe to connect with just about anyone (especially since it might be taken as a slight not to) and then have a default filter denoting "actual friends" that includes a subset. (Ugh, I can just see the drama produced by lifting these social elements from implicit to explicit. No idea how to design that without making it a Thing that people get angry at each other about.) People already have a notion of "just Facebook Friends, not real friends", so maybe just changing the term is enough, as long as filtering options are provided.

    Acquaintance-of-acquaintance (let's say that's the term the site uses) has the interesting property that the site could tell the user, "Hey, this post you're about to write? 35,400 people could potentially see it." But if the site provided a reified Actual Friends filter that acquaintances could be added to, while Actual Friends of Actual Friends would be a useful posting level, you'd lose the ability to (safely) tell the user how many people that would be. Maybe that's OK, though.

    (I have no idea what to make of tagging.)

    Yes, LinkedIn is exactly the sort of thing I was thinking of! But LinkedIn feels a bit fraught and formal to me even in a professional context; the interface would have to be very different to make users feel comfortable using it socially.

  3. Dances Alone says:

    Some things:

    First, a lot of the bigger Facebook dramas and "unfriending" incidents seem to involve people who actually are friends. I think there's more to the emotional hurt than just the terminology used, thought it is unhelpful. It's also unhelpful that LJ and Facebook using the term has gotten us so used to it that it's sort of a default term for contact lists.

    Second, and relatedly, with regard to the idea of private "real friends" filters and the potential for drama if that kind of information becomes public, there's quite a bit of drama potential without that. I once was a bystander to a Facebook drama in which Alice had gotten a bit personal in a political discussion with Bob and Bob's wife Carol, and Bob responded by putting Alice "on mute" for a while (this is a thing Facebook lets you do, but with different terminology). Months later Alice caught onto the fact that she'd been secretly excluded and ended up feeling betrayed (she also had no idea when or why this had happened). I don't even know if Bob and Carol still had sour feelings toward Alice at that point.

    Third, it actually isn't clear to me what you imagine the relationship to be between readiness to establish new social network ties and privacy-consciousness. Maybe you could write more about that.

    Different users are not only going to have different norms of who they are ready to connect with and trust, but also different norms of what level of information they're willing to share --- with their contacts, with their intimates, or with the general public. Some people's idea of privacy consciousness is that you should never publish anything in digital format to anyone unless you want it to get out. People exhibiting that level of caution might do a great job of protecting their own privacy despite promiscuous "friending", and yet do a very poor job of protecting the privacy of "friends" of theirs who make the mistake of using "friends-of-friends" as a metric of trust and then reveal information they really don't want to get out.

    My final thought (for now) is that I have a hard time setting up a system where users can be induced to conform to a consensus view of what it means to "vouch for" someone. Look at how ready LinkedIn users are to say "Oh yes, my drinking buddy is very good at programming in C/C++. I don't know anything about computers myself, but she's definitely brilliant at it."

  4. Work in progress: Cavern, a decentralized social media protocol | Brain on Fire says:

    […] use of social accountability: Encourage posting at a socially-local privacy level (not world-public) so that any adverse behavior occurs within a social context, where […]

Commenting is not yet reimplemented after the Wordpress migration, sorry! For now, you can email me and I can manually add comments.