There is a fundamental tension when designing social media software with a focus on privacy: The more posts are set to friends-only access, the harder a time the network will have in gaining adoption.
Since social media to a large extent lives and dies by network effects, some combination of these is necessary to grow the network beyond a critical threshold and keep it lively. It must also stay reasonably competitive with other social media systems in attracting users. There are many reasons a person might choose to 1) create an account and 2) "friend" other users rather than sticking with what they already have:
- Being encouraged to by their existing friends
- To see what all the fuss is about (if it's in the news)
- By seeing interesting posts by people they may or may not know
Privacy-positive social media software is by default at a disadvantage in the last category. How can it be made competitive with the likes of Twitter and Facebook without compromising on values? In this post, I consider the notion of "socially local privacy" as a partial solution to the discovery problem.
If most users use pseudonyms and avatars rather than photos and their "wallet names", and choose not to post publicly, as is the case with Dreamwidth and other Livejournal derivatives, the following happens frequently:
- A makes a post
- B and C both comment on it
- B isn't sure who C is or what they're like, so they go to C's profile
- There's nothing to see there, since everything is friends-locked
- B does not extend a friend request to C
- Even if they did, C might not feel comfortable accepting the friend request, knowing nothing of B
Since B and C are both friends with A, there is a very good chance they in fact know each other already. If B and C could read each other's posts, maybe they would recognize each other. ("Oh, she's a writer, who lives in Springfield, and was at that dinner with D... that must be Beth Jacobson!") But there's frequently no fluent mechanism by which they can discover this, so users are left to deal with the Catch-22 (or not, as the case may be).
If a social network is to gain adoption, this sort of discovery is very important; it's not enough to transpose some subset of meatspace relationships into the digital medium; the network will not hold. Reading the comments on other people's posts helps, but it doesn't form a clear enough picture of the commenters. Some insight into their actual posts, if permitted, may be essential.
Taking Dreamwidth as an example again, there are 4 common privacy levels for posting, and who can view the post:
- Public: Anyone, or maybe any user
- Friends-locked: Only people who are friended or otherwise granted general access
- Custom filter: Some subset of friends (perhaps on a named list)
- Private: Only the poster
Since privacy is about having the power to choose how, when, to whom, and which information is released, this privacy model serves reasonably well. I can include people on a "Work" filter and post to that filter when I am discussing my job or my coworkers and not worry about my colleagues seeing it, even if I have them friended. More broadly, I can also be assured that my friends-locked political rant isn't going to be widely shared and mocked on news sites, bringing angry trolls to the comments. Or I can post publicly when I have innocuous cute cat pictures to share, and I don't mind wide exposure and re-sharing.
This can be simplified into two broad categories:
- Public: Anyone in the entire world
- Friends: Some subset of the user's friends
Technology makes it simple to provide the user with the ability to make custom filters or circles that narrow the friends level to various subsets. But the process of discovery, of expanding one's circle, requires some intermediate level wider than Friends, and that is not so easy to even define.
Socially local privacy
What if users could choose to publish posts at a "friends of friends" (FoF) privacy level? From the user's perspective, this may feel a little dangerous. "Friends" is a well-defined set; the user has taken a positive action to add each user into their friends list. But friends-of-friends is undefined and unknown. Even if the user enumerated the entire list of these 1-degree-out users, and even if the list never changed, still: They are unknowns. The only known is that they know some other user who trusts that user with some level of access. They're probably not jerks!
This is a compromise between the high exposure of public posts and the cozy but limited exposure of friends-only posts. Friend-of-friend is one possible approach to finding a middle ground, and might be the easiest for users to understand.
This would enable a very important interaction flow of potential friend discovery. I suspect that most users would find many of their posts suitable for viewing and commenting by their friends' friends.
It's also worth examining higher-degree connections. I think degree-1 (friend of friend) is sufficient for helping the network to grow and to approximate the shape of the existing social network, and that more is not necessary, but I would imagine that degree-2 (friend of friend of friend) would cover most of what people consider to be their "local social network" as well as covering a great many people who are considered to be strangers. Beyond that, the distinction from public posting rapidly reduces to zero.
Implementing a FoF privacy level would be simple on a social media site of the standard model, where users go to a website, upload images and write text, and trust the server to manage privacy partitions. The server just formulates an allow-list from the current social graph, and up goes the post.
I rather strongly dislike this centralized model, so I'd like to also consider trustless server models involving end-to-end cryptography. This might be quite difficult! "Public" is wildcard access (no encryption); "friends-locked" (and all variations) is an explicit allow-list (share the per-post session key with every friend). FoF would be a combination of those two, assuming a system where you cannot get a comprehensive list of your friends' friends. There are lots of questions here around encryption targets, revocation, etc.
Some of the technical burden could be lifted into the social realm. Say that posts contain a numeric "republish" field, on friends-locked posts set to 0 and on FoF posts set to 1 or higher. Clients might republish friends' posts with a positive republish field, decrementing the field as they do so. The content is then protected under the friend's encryption and software. (This feels risky, and I'm having trouble elucidating why.) This flood-fill approach has significant downsides in storage and bandwidth; users might opt out of it. (Or instead of an automated approach, perhaps any post the user "likes" or "hearts" is shared out.)
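
To put numbers on the republish idea, here is an added sketch (not code from any existing client) that simulates hop-limited republishing over a constructed friend graph and counts who can read the post and how many copies end up stored. The graph, the `flood` function and the `opted_out` set are assumptions made for illustration, and each client is assumed to republish a given post at most once.

```python
from collections import deque

# Constructed sample graph (symmetric friendships); names are placeholders.
FRIENDS = {
    "A": {"B", "C"},
    "B": {"A", "D"},
    "C": {"A", "E"},
    "D": {"B", "F"},
    "E": {"C"},
    "F": {"D"},
}


def flood(graph, poster, republish, opted_out=frozenset()):
    """Simulate republishing of one post carrying a numeric republish field.

    republish=0 is friends-locked; republish=1 reaches friends of friends.
    Returns (readers, copies): the users able to read the post, and the
    number of stored copies (the original plus every republication).
    """
    readers = set(graph[poster])   # direct friends read the original
    copies = 1                     # the original post
    republished = {poster}         # clients that already hold their own copy
    # Each entry: (client that received the post, field value it received)
    queue = deque((friend, republish) for friend in sorted(graph[poster]))
    while queue:
        holder, field = queue.popleft()
        if field <= 0 or holder in republished or holder in opted_out:
            continue               # field exhausted, duplicate, or opted out
        republished.add(holder)
        copies += 1                # holder stores a copy under its own access list
        for friend in graph[holder]:
            if friend != poster:
                readers.add(friend)
            queue.append((friend, field - 1))   # decrement on republish
    return readers, copies


if __name__ == "__main__":
    for field in (0, 1, 2):
        readers, copies = flood(FRIENDS, "A", field)
        print(f"republish={field}: readers={sorted(readers)} copies={copies}")
    print("B opted out:", flood(FRIENDS, "A", 1, opted_out={"B"}))
```

On this small graph, going from a field of 1 to a field of 2 adds one reader and two stored copies, and a single friend opting out silently removes everyone reachable only through them.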
Additionally, not all friends of friends are to be trusted. Some blocking mechanism would inevitably be required, either for the problematic person, or for the friend who has unpleasant acquaintances. Perhaps only some friends (or all but some) would be included in the local dissemination.
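
For the trusted-server model, the allow-list computation with these exclusions can be sketched as follows. This is an added example, not code from Dreamwidth or any other site; the graph is constructed, and `audience`, `blocked` and `no_relay` are hypothetical names. It generalizes from FoF to any degree, using the numbering above (degree 1 is friend of friend).

```python
from collections import deque

# Constructed sample graph (symmetric friendships); names are placeholders.
FRIENDS = {
    "A": {"B", "C"},
    "B": {"A", "D"},
    "C": {"A", "E"},
    "D": {"B", "F"},
    "E": {"C"},
    "F": {"D"},
}


def audience(graph, poster, degree=1, blocked=frozenset(), no_relay=frozenset()):
    """Build the allow-list for one post by `poster`.

    degree=0 is friends-locked, degree=1 is friends of friends (FoF),
    degree=2 is friends of friends of friends.
    blocked:  users who never get access and never extend the audience.
    no_relay: friends who can read the post but whose own friends are
              not pulled in (hypothetical per-friend exclusion).
    """
    max_hops = degree + 1          # direct friends are one hop away
    allowed = set()
    seen = {poster}
    queue = deque([(poster, 0)])   # (user, hops from poster)
    while queue:
        user, hops = queue.popleft()
        if hops == max_hops or user in no_relay:
            continue               # stop at the hop limit or a no-relay friend
        for friend in graph.get(user, ()):
            if friend in seen or friend in blocked:
                continue
            seen.add(friend)
            allowed.add(friend)
            queue.append((friend, hops + 1))
    return allowed


if __name__ == "__main__":
    print("friends-locked:", sorted(audience(FRIENDS, "A", degree=0)))
    print("FoF:", sorted(audience(FRIENDS, "A", degree=1)))
    print("FoF, B not relaying:", sorted(audience(FRIENDS, "A", no_relay={"B"})))
    print("degree 2, D blocked:", sorted(audience(FRIENDS, "A", 2, blocked={"D"})))
```

Blocking D at degree 2 also removes F, who is reachable only through D, so a block shrinks the audience by more than the one blocked account.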
I don't think this is necessarily a critical feature for privacy-positive social media software, and there are certainly other approaches which might be alternatives or complementary.
Another approach I've already considered is simply asking for an introduction: To pick up the scenario described earlier, B could send a message to A asking who C is, and whether they know them—A is well-positioned to answer this question. There's nothing to say this could not be a first-class feature of the site, reducing the activation threshold (as well as anxiety) some users might experience when contemplating composing and sending such a message.
If the software exposes the reified social graph to users, it might be possible for the software to help B notice that not only does their friend A have C friended, but so do B's friends D, E, and F. They almost certainly know C from somewhere, and it would be fruitful to inquire. This approach has the downside of only helping to fill in highly connected components of the social graph, without picking up more tenuous or long-range connections. My understanding is that novel information and ideas tend to come in on the long-range links, so it's very important to make sure discovery is supported there as well.
I'd love to hear any reactions or further ideas you have, or links to prior art in this space. Please leave a comment or send an email!