Trust and Impersonation in social networks

May 20, 2009 by Justin

[A quick meta-note upfront: I haven't been posting much lately, because I started a Real Nearly-Full-time Job a few weeks ago.  I'm continuing both CommYou and Art of Conversation, but my time is now much more limited.]

My friend mindways recently posted a link to an interesting but not surprising article about the growth of fraud in social networks.  The idea is quite simple: since Facebook verifies nothing but your email address, it is terribly easy to pretend to be someone else.

I’m not talking about fancy high-tech breaking of security here — it’s simply that, if I were to claim to be Bill Gates, how do you know that I’m not?  (In practice, a quick search turns up a bunch of them.)  More to the point, how do you know whether or not I’m your buddy Jim?  If I have Jim’s picture, and a little of the right biographical information on my profile, I sure look like Jim.  Do you vet your Facebook friends carefully, to see if they are who they say they are?  Would you even really have a way to do so, short of calling Jim and asking if he friended you on Facebook yesterday?

This is all the flipside of the “pseudonymity” question that comes up from time to time.  If you have a lot of persistent information online, that is all strongly linked together in a secure way, that counts as a fairly clear identity — perhaps not an identity linked back to the real world, but an identity.  OTOH, if all you have is a bunch of information about a real world identity, but no secure relationship between that and the online one, you don’t really have anything meaningful.  But most people are still used to thinking in terms of real names and faces, so the gut reaction is to believe the latter more than the former, even though it’s actually much easier to fake.

Curiously, I suspect that LiveJournal is actually less prone to this problem than Facebook is, precisely because it does not use your real name as your handle.  (And many/most people don’t use their picture for their icon.)  This preconditions people to be just a hair more suspicious: there isn’t the knee-jerk, “Oh, look — it’s Jim’s picture so it must be Jim.”  And on LJ, Who You Are is mostly determined by What You Say.  If you post a lot of things that only Jim would say, you’re probably Jim.  But just asserting your identity and friending people is more likely to make them suspicious: there is more burden of proof.

At least, that’s my guess.  I don’t know that anyone’s really studied the matter yet — it would be interesting to see what came out of such a study.

What do you think?  Have you found yourself more apt to simply friend someone on Facebook than on LJ, because they have the right user name and photo?  Do you think the rise of OpenID and other online-identity-linked mechanisms will gradually reduce this threat, by raising expectations of a deeper, richer and more consistent online profile?

Autopilot and Social Networking

April 1, 2009 by Justin

I’m sure that, by now, you’ve all heard about Google’s new Autopilot extension to Gmail, which was announced today.  Obviously, Autopilot represents a major leap forward in conversation technology.  (Yes, yes — CommYou will begin letting users apply Autopilot to conversations, as soon as Google opens up the APIs.)

Let’s talk instead, though, about the potential of this technology for social networking.  Autopilot is doing a good job of easing the burden of conversation, by removing the need to read and reply to your email.  But really, that’s the easy bit.  Nowadays, the really challenging problems are all coming on the social networking side.

So I’m going to propose two products that I think Google should be working on.  (And given how fast the CADIE project is evolving, probably will have finished by tomorrow.)

First up is AutoNetwork.  This would monitor your existing social network, as well as all aspects of your real life, integrating your calendar, your phone calls and your emails to derive a complete picture of who you are and who you know.  (Google already knows all of this anyway, so it’s just a matter of putting the pieces together.)  Then, when you apply AutoNetwork to a given social network, it chooses who you should friend and who not.  It will automatically add friends, decline invitations from people you don’t know *that* well, and unfriend people who you really shouldn’t be talking to.  This will remove the burden of keeping track of your social network, by doing all the heavy lifting for you.  In release 2.0, it will decide which social networks you should be on in the first place.

Second is AutoTweet.  This is simply a logical extension of AutoPilot, aimed at broadcast media.  It will use its advanced heuristics to decide which elements of your life are worth talking about, summarize them, and post them automatically to Twitter.  On the other end, it will keep track of which tweets you’ve responded to in the past (as a measure of what you are interested in), and use that as a basis for filtering which ones from your friends you will see.  After a few days of evolving the heuristics, it will simply provide you with a running commentary of everything interesting that is happening to everyone you know, in realtime, in a convenient 140-character form.

While none of this was announced today, I think it is safe to assume that we’ll be seeing it by — oh, next Monday at the latest.   Given that CADIE already has her own blog and Twitter feed (granted, she needs a couple more days to evolve decent taste), they’re clearly moving in this direction already.

So I figure that, by around next Wednesday, the entire Internet will be taking care of itself, leaving us humans to ignore it and go back to focusing on the real world.  Really, it’s about time…

Information Shadows, and the Difficulty of Anonymity

March 31, 2009 by Justin

Chris Herot wrote a very interesting short post yesterday, with some of the ideas coming out of Foo Camp East.  Some of it will be unsurprising to folks here (most of whom, I think, have long since lamented how inadequate the word “friend” is for most social networks), but there are some neat references.

One point isn’t exactly surprising, but worth noting nonetheless: see this PDF, which argues for a formalism of “information shadows”.  (The PDF is 74 pages, but it’s actually not very long — it’s essentially a slide show, in the breezy Head-First style.  The file is large, but it’s mostly pictures.)

The initial argument is that, as we move into a world of ubiquitous computing, it will become more and more essential to have data that corresponds to real-world objects, and therefore we need ways to refer to those objects.  It’s not rocket science — indeed, it’s almost exactly why the URI standard is as ridiculously flexible as it is — but he makes a good argument that steam engine time is here for this idea.

Stick around to the final third of the document, though, which is where it gets really interesting.  He generalizes the concepts of “serials” and “services”, and explores how real-world and digital concepts are mushing together, to produce new models of ownership that simply couldn’t work before ubiquitous computing.  While the facts contained in it are well-known, it shows that there are some new emergent concepts in the air, and we should start thinking about what we can really do with them.

Also, Chris points to a paper that I’m sure will disturb a lot of people here (although, again, I suspect many will be unsurprised).  De-anonymizing Social Networks demonstrates that, if you simply know that somebody is on two different anonymous social networks (they use Twitter and Flickr), you can relate their handles together with a decently high degree of confidence simply by analyzing the topology of the social graph.

I haven’t read the paper in detail yet, so I’m not sure how well it generalizes, but it does illustrate that our cozy notions of anonymity aren’t as secure as we might wish.  Modern data-mining techniques are powerful, and keeping multiple identities truly separate is harder than it looks…

Portable Contacts gets a big boost

March 26, 2009 by Justin

I’ve mentioned the Portable Contacts (PoCo) project a few times in the past — it’s the group that is trying to do for contact lists what OpenID is doing for identity, allowing you to use a single contact list across the Web.

That’s been growing steadily in recent months, with a lot of small players and several mid-level ones picking up on it.  And as of yesterday, it’s gained another significant supporter: Google Contacts has begun to support PoCo.  This means that any PoCo-enabled app can now make use of contact lists from Google, if you give it permission to do so.

No, it’s not Facebook — if that ever happens, you’ll know that PoCo has well and truly won as a standard.  (Nor is it LJ, which matters most to a number of my readers here.)  But it’s a fine step in the right direction, moving from social-network “walled gardens” to a more open and consistent infrastructure…

Fine- vs coarse-grained group management

March 24, 2009 by Justin

There’s an interesting discussion going on over on the Portable Contacts mailing list right now, that seemed worthwhile to bring up here.

Portable Contacts (or PoCo for short) is the standard brewing up for how you share contact lists.  It fills a gap in the “Open Stack”, which already had things like OpenID for sharing your identity (so you can log into various places with a single ID) and OpenSocial (so you can plug various applications into your social network).  PoCo provides a standard way for you to let an application (or another social network) see who your friends are, so you can use your flist for various purposes.

(CommYou doesn’t yet support PoCo, but that’s solely because I haven’t gotten around to it yet — once I’m done with the current rearchitecting, it’s medium-high on the priority list.)

Anyway, today’s conversation brought up the point of how you share that flist.  Currently, it’s mostly being done all-or-nothing — you tell your social network that app A can see your flist, and it gets access to the whole thing.  Which works fine for me personally, but as was pointed out in the discussion, won’t work for everyone.  The point came up that your custom friend lists can and should be used to manage which contacts get exposed.

In particular, Martin Atkins argued for finer-grained access controls:

The sort of uses I’m imagining are, for example, importing my business contacts into LinkedIn without giving LinkedIn access to my personal contacts, or conversely pulling my close friends into SomeEmbarassingSocialNetwork.com without pulling in my business connections.

That makes sense, and while I tend to be fairly loose about letting my networks and identities slosh around between each other, I know that many of you are much more careful about it.
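
As an added illustration (not code from this post or from the Portable Contacts project), here is one way a contact provider could enforce the group-scoped sharing Martin describes instead of all-or-nothing access. The data model, class names, app ids and sample contacts are hypothetical, and it does not use the PoCo wire format.

```python
from dataclasses import dataclass

# Hypothetical data model for illustration; not the Portable Contacts schema.
EXPORTABLE = ("name", "email")  # group membership itself is never exported


@dataclass(frozen=True)
class Contact:
    name: str
    email: str
    groups: frozenset  # the owner's custom friend lists this contact is on


class ContactStore:
    def __init__(self, contacts):
        self._contacts = list(contacts)
        self._grants = {}  # app id -> (allowed groups, allowed attributes)

    def grant(self, app, groups, attrs=("name",)):
        """Record the owner's consent: which lists and which fields an app sees."""
        unknown = set(attrs) - set(EXPORTABLE)
        if unknown:
            raise ValueError(f"not exportable: {sorted(unknown)}")
        if not groups:
            raise ValueError("a grant must name at least one friend list")
        self._grants[app] = (frozenset(groups), frozenset(attrs))

    def revoke(self, app):
        self._grants.pop(app, None)

    def export_for(self, app):
        """Return only what this app was granted; unknown apps get nothing."""
        if app not in self._grants:
            return []  # default deny, rather than all-or-nothing
        groups, attrs = self._grants[app]
        return [
            {a: getattr(c, a) for a in EXPORTABLE if a in attrs}
            for c in self._contacts
            if c.groups & groups  # visible if on any granted list
        ]


def build_sample_store():
    """Constructed sample data; names, addresses and app ids are made up."""
    store = ContactStore([
        Contact("Alice Wong", "alice@corp.example", frozenset({"business"})),
        Contact("Bob Reyes", "bob@home.example", frozenset({"personal"})),
        Contact("Carol Diaz", "carol@mail.example",
                frozenset({"business", "personal"})),
    ])
    store.grant("linkedin.example", {"business"}, attrs=("name", "email"))
    store.grant("embarrassing.example", {"personal"})
    return store


if __name__ == "__main__":
    s = build_sample_store()
    for app in ("linkedin.example", "embarrassing.example", "unvetted.example"):
        print(app, s.export_for(app))
```

Carol shows up in both exports because she is on both lists, but neither app learns which lists she is on, and an app with no grant gets an empty result.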

So I’m curious: how do you think you would approach these access controls?  Do you believe that you would use fine-grained controls, to make sure that certain apps only knew about a subset of your social network?  Do you think you’d do this generally, or only for certain apps and networks?  And do you see handling this differently between, say, LJ, Facebook and LinkedIn?

Do you trust your identity provider?

March 11, 2009 by Justin

In a comment to my post yesterday, dsr brought up a very good point: trust in identity providers.

Consider — at the moment, the vast majority of users aren’t even thinking about this, but they’re buying into this brave new identity world by default.  They don’t care about “unified identity” or anything like that: they’re just enjoying the fact that OpenID and Facebook Connect allow them to remember fewer passwords.

Yet this casual decision, of using your Facebook or LiveJournal or whatever account to log into other systems, may have profound effects down the line.  If you use a single identity more and more, across a broad swathe of the Net, it becomes you in some very important ways.  The possibility of losing that identity, or losing control of it, becomes ever-more painful and problematic.

Pseudonymity actually makes this much worse.  When you are known by your real name, you generally have multiple avenues for getting the word out if an identity goes away — if this email address croaks, you can go to your friends face to face and tell them.  But if you are only known to a community through a specific online pseudonym, moving to a new one is kind of problematic, since they don’t have good ways to verify the move.

There is a lot of implicit power being handed to these identity providers.  Millions of people are beginning to use their Facebook login as their One True Online Identity.  That gives enormous power to Facebook — indeed, it’s probably the one thing that justifies their preposterous stock valuation.  And few have given any thought to what it might mean to them if, a few years down the road, Facebook were to start slowly making use of that power.

So — do you trust your identity provider?  It’s pretty clear to me that I don’t trust any of the major ones very much — are there lesser-known companies that are structured in ways to make them less likely to be abusive?  And which are stable enough?  That’s the flip side of the problem: you need to trust your provider to not become evil, but you also need to trust it to keep your identity running.

It does all lead me to wonder if there’s another step yet to come, of a more robust, truly distributed identity system, that would not leave your identity in any single hands.  Hmm…

Contacting your users in the Open Stack world

March 10, 2009 by Justin

Here’s an interesting new problem for us conversation facilitators to deal with: what do you do when you are legally mandated to contact your users, and can’t?

This is inspired by a recent court ruling, described in Ars Technica.  The upshot here is a pretty reasonable decision: before revealing the identities of anonymous commenters who are being sued for defamation, the plaintiffs must make a good-faith effort to contact them and give them a chance to respond before they are outed.

The court said that posting on the message board in question should suffice, but I don’t expect that to hold up in the long run.  As we move towards more community-oriented and filtered communication systems, the fact is that posting something publicly just isn’t going to be a plausible way of getting the message through.

In a traditional system, there’s an obvious fallback position: require the messaging system to pass an email through to the users in question.  (Assuming the messaging system has some idea who these users are; if not, the case is meaningless.)  It does put more onus on the messaging provider than the current ruling does, but I won’t be surprised to see that happen.

But what if the users joined the system through OpenID?  In this case, there might well be no means of contacting those users other than partly outing them.  At the least, the front-line messaging system would have to bring the identity provider into the loop, and things could get complicated and messy.

It’s just an example, but it illustrates a tension that’s going to be coming up more in the coming days.  The new identity environment — especially the Open Stack — is all about spreading identity out, and making it easy to keep it a bit opaque.  But a lot of laws and customs assume that identity is fairly easy to penetrate.  I suspect we’re going to find all sorts of places where those come into conflict, especially as “publication” and “identity” become entirely separate functions.  Any bets on how messy things will get, or how far the law will fall behind reality?

Invitations as Group Conversation

March 3, 2009 by Justin

As I was RSVP’ing to a Facebook event invitation today, it occurred to me that the rise of online invite services is fundamentally changing the dynamic of party invitations.  In particular, it turns the invitation process itself into a rough and ready group conversation.

Consider: a traditional snail-mail invitation is mostly between each individual inviter and invitee.  Sure, the invitees might talk among themselves a bit — but often, they don’t even know who else has been invited.  So any conversation that happens is one-to-one and private.

In most of the online services, though, whether it be Evite or Facebook or whatever, there’s a lot more group knowledge and interaction.  By default, you can usually see everyone else who has been invited.  You can usually see who has accepted or declined — in many cases, you can even see why they did so.

This, in turn, has knock-on effects on the party, because the process is self-reinforcing.  If I see a lot of people who I like going to the party, I’m more likely to attend.  Contrariwise, if it’s been two days and nobody has RSVP’ed in the affirmative, I’m likely to pause and think about it myself — an intended 20-person party is less fun if only three people are going to show up.

The result is that the invitation mechanism becomes a simple dynamic system, with feedback loops driving it up or down.  That can be good or bad, depending on the circumstances, but it certainly changes the nature of the beast a little.  Statistically, it seems likely to make events a little more likely to succeed or fail big, rather than being simply “okay” in the middle.

Effectively speaking, the invitation becomes a conversation.  (Sometimes explicitly, as in the case of the Wall for a Facebook Event.)  Instead of being a purely individual decision, the group interacts more to decide whether this is something that “we” are going to do.

Opinions?  This is purely anecdotal, and I can’t say I’ve tried to gather concrete evidence for it, but it’s the way I react at a gut level: who else is coming does influence my decision a bit.  Do you find the same?  Are there countervailing forces in this little dynamic system?  Are we going to see new rules of etiquette, as Emily Post confronts these effects?

The weak link in the spam war is always people

March 1, 2009 by Justin

I always appreciate clever spam, at least aesthetically — it may be evil, but evil-and-smart isn’t quite as irritating as evil-and-stupid.

In this particular case, it was a comment in The Art of Conversation, which hit my moderation filter a few minutes ago.  The comment itself is simple but well-designed to stroke the ego: “Just passing by. Btw, your website have great content!”  (Okay, so they blew their English roll.  But that’s not unusual in the blogosphere.)  I actually contemplated approving the comment, but the sheer generic-ness of it made me pause an extra second.  And that pause was long enough to actually look at the signature — which is, of course, a link to a make-money-fast scheme.

I hadn’t previously realized that I don’t pay much attention to signatures, but somewhere along the line I clearly started tuning them out.  Going to have to be more careful about that in the future.

And there’s an important general point here: automated tools can only do so much in the fight against spam.  There was nothing technically sophisticated about this particular attempt to place spam in my blog, just a little smart social engineering.  They appealed to my ego, betting that I wouldn’t read the rest of the message closely enough to realize I was being used.  And they almost got me, despite my being pretty sensitive to these ploys.

What have you been seeing lately?  Has anything new and different from the spammers caught your eye?

Conversation Analysis and Multi-Threading

February 26, 2009 by Justin

Some of you know rising_moon, some don’t, but I commend her to you as a generally smart and interesting person, and particularly this post from a few days ago.  It mostly asks questions, but presents a few interesting musings about the relationship of communities, knowledge management, and how to deal with the plethora of competing conversational threads that can arise around a topic.

It also reminds me of a point that I’ve thought about idly in the context of CommYou, but which could use a lot more thought.  Most people assume that deep asynchronous conversations should have threading, and it’s not too radical to have the ability to split threads — to promote a thread to being a top-level conversation unto itself.

But what about thread joining?  That is, it’s not unusual for multiple conversational threads to run in parallel, but they often really are running into each other and crossing over.  If you and I are both talking about X, it’s not unusual to hit a situation where really, what I want is to join your conversation with mine, so that we can cut down the redundancy.  At the moment, you do this by links and pointers, but there’s no real concept of unifying the conversations.

This might be particularly helpful in conversations that are mediated by social networks, where parallel conversations can easily arise, with some participants in one and some in the other — a bit of cross-pollination could sometimes provide some interesting insights.

Rising_moon’s post talks about nodes, and I suspect that’s the right way to think about this.  It’s not precisely that you would join two conversations into a single one, as that you could import a thread node from one conversation’s tree over into the other, and vice versa.  We normally think of a conversation as a tree; if we instead think of it as a directed graph inside a forest of conversations, we wind up with a lot of possibilities, some of which make sense and some of which probably don’t.

I’m just musing here — I don’t know if anyone has yet written a serious conversation tool that plays with this sort of thing.  (I haven’t seen one, but it wouldn’t surprise me to find academic work along these lines.)  But it’s a feature I am vaguely contemplating in the long term for CommYou, so I’d be interested in any thoughts about it…