Posts Tagged: identity


15
Nov 06

Stalking by Slider: Facebook Updates News Feeds

This morning, Facebook announced a series of changes to their controversial news feeds product. Here are the two major modifications.

  • First, Facebook has introduced a “slider” system, much like a graphic equalizer, that lets you control how much of each type of information you see in your friends’ news feeds. For example, if you want to see more about relationship information and less about group adds, you simply slide the appropriate toggle.
  • Second, Facebook has introduced 20-member personal whitelists and blacklists. Want to see everything about one person? Throw them on your “More about these people” list. Want to not get updates about this person but not have to defriend them? Put them on your “Less about these people” list.

This move is in response to some very fundamental user experience challenges the Facebook feeds introduced. The average Facebook user has hundreds of friends, many of whom frequently update their profiles or engage in activity that creates news feed items (10 types of action in total). Furthermore, of those hundreds of friends, many of them are only nominal friends – people whose every action you aren’t really interested in seeing. With all of this information being shared, the average Facebook user was being deluged with more information than they could process. This was a classic case of information overload.

These changes should go part way in helping Facebook users deal with the information overload feeds introduced. However, they aren’t perfect. It is quite obvious that limiting the “less about” list to 20 people is a poor choice, as the average Facebook user has more than 20 people who could easily go on this list.

The other thing the more/less about lists introduce is very interesting internal data. One of the core challenges in a SNS is identifying “real” friendship in the service. Facebook has attempted to do this with social timeline, but I think this move is the best to date. While these lists don’t get to who are our best “friends” in the service, they address who we care about the most and least. In a SNS, I’d wager that this is as good a notion of friendship as any. This is very powerful data.

Also interesting is looking at personal feeds history for users of the Facebook. You can do this by clicking the “View All” link of each person’s news feed. All of the information they have shared in the Facebook since September (when feeds were introduced) is available to interested parties. This “record” is what I was talking about in my writing on Facebook as an identity archive.


18
Sep 06

New Scientist on the social networking revolution

This week, the New Scientist is running a number of articles on the social networking revolution. Guest writers include Sherry Turkle, Bruce Sterling and Ted Nelson. I don’t know how long these articles will remain online, so you might wish to check them out now.

New Scientist’s guide to the social networking revolution:

This is your space – Discover how social networking evolved, how it works and how it is already revolutionising the way we live, socialise and work

I’ll have to ask my friends – Instant messaging, Wi-Fi and cellphones allow us to be constantly plugged into our social networks. Sociologist Sherry Turkle worries this is transforming human psychology

I saw the best minds of my generation destroyed by Google – A short story by Bruce Sterling

The internet could be so much better – Social networking websites like MySpace or YouTube owe everything to the genius of Ted Nelson, who invented hypertext in the 1960s

Very interesting reading, especially from Sherry Turkle. It’s very enlightening to see her opinions regarding social networks and cultural change. Fascinating.


5
Sep 06

Blogosphere Reacts to Facebook Feeds

It’s been an interesting day watching reaction to the new Facebook “feeds” percolate through the blogosphere. Here’s a selection of some of the posts I found interesting, with commentary.

First, posts with a positive review.

Echo chamber much? Granted, one can’t expect A-list bloggers to completely understand the ecosystem of something like Facebook, but the long-tail blogosphere clearly doesn’t share their collective opinion.

Scott Kidder writes:

Mike [Arrington, of Techcrunch] and Liz [Gannes, of Giga OM]: have you ever used Facebook? Not tried it out, but seriously used Facebook, day after day? This is not cool. It’s one thing to stay up-to-date by seeing a friend has updated their profile. It’s quite another to be able to view the history of their relationship status, and see exactly who and when they make new friends.

The blogosphere replies with a collective Amen.

Onto some of the less positive reactions:

Of course, this is just a small sampling of what has been written today. Unfortunately, the major blog search engines don’t have temporal searching (so I can’t really pull out stats), but perusing recent posts about facebook feeds shows them almost lock-step highly skeptical on the feature.

I’m blown away by a few things. First, the reaction of the blogosphere has shown me, again, the power of the long tail. The A-Listers are out of touch, spouting about technology they don’t understand or use heavily. The best posts I read on the subject, far and away, were from folks who didn’t have any “authority” in Technorati. I hope people from the Facebook also read these posts – they are truly a splash of cold water to the face.

I’m blown away by how strongly and negatively people reacted to the feature. As a pretty huge privacy-phobe, even I didn’t think this feature was that “bad”. With the press’ recent obsession with Myspace, it only stands to reason that students are more attuned to privacy and disclosure issues – and the completeness of disclosure in Facebook feeds seems to have stunned many.

Finally, I’m blown away by the sheer level of emotional investment the community has in Facebook. Well, actually, I’m not, but I do feel that a day like today really validates my research. When social software is adopted by the community, that software begins to have a responsibility in (and to) the community. That software must play by the rules of the community, and it must not deviate too strongly from the norms of the community. A generation of college students are socialized on the Facebook, and today Facebook went and changed everything. Imagine going in to your favorite local coffeeshop and finding out they no longer serve lattes, because it is user friendly and efficient to only serve brewed coffee. If you’re a fan of lattes, wouldn’t you have wished they’d asked your opinion first? Facebook’s users feel like that today, except we’re not talking about lattes, we’re talking about their identity.

As someone who watches the Facebook closely, this has been a fascinating day. Earlier today, I wrote “This morning, millions of college students are thinking differently about their online identity.” I’m starting to believe that just might be true.


5
Sep 06

Facebook: A Generation’s Identity Archive

This morning, millions of college students are thinking differently about their online identity. The reason? Facebook, the industry-leading college social networking website, introduced “feeds” last night. Feeds are pretty simple – they’re a running list of what you’ve been doing in the Facebook. For example, if you add a friend, update your relationship status, upload photos – this all gets dumped into a feed, viewable by anyone that can view your account.

The logic that went into such a feature is easy to explicate. When you’ve got 200-400 friends in Facebook, it is impossible to keep track of them all. Remember when we had to keep track of 30 blogs manually? It sucked. And we solved that problem with RSS – let the updates come to us. Facebook has taken this notion and applied it to our lives. Facebook knows that its userbase uses the service to “keep up” with people – continuous social research, if you like – so this addition appeals to very base motives of Facebook users. Clearly, this is an idea that sounded great on paper.

In reality, however, this gets messy. Let’s get some background. First, I’m convinced that many young users of Facebook don’t look at the site as a social networking service per se. This generation has been socialized on Xanga, LJ and forums – they are comfortable and used to the idea of being on a social website. The Facebook simply represents another game-like social website that they are on – nothing more. Second, digital identity, like that presented in the Facebook, thrives because it is temporal. You can change your identity at the drop of a hat – you can become a liberal or conservative at the push of a button, change your interests and hobbies on a whim. The point is, you’re always presenting the identity you want to present – you never have to worry about the identity you used to present.

I believe that identity disclosure is so high in the Facebook for the first reason I cited – students see this as a game, something that is qualitatively less than real. Students disclose lots of real information, but they also disclose lots of false information. The key to winning in the Facebook is maintaining a good mixture of the real and false information. Implicit in this is the reality that you can always change the fake information, when you want – you can rewrite history at any time.

This morning, millions of students were shown that they can’t actually rewrite history. Everything they do, all of the groups they join and interests they state or friends they make – it is all being recorded. Not only is it being recorded, it is being presented as content to other users of the Facebook. The Facebook is no longer just a current method of identity presentation, it is an archive of our digital identity. This is a cold, hard reality for students, and you’re seeing a lot of public venting of discomfort as a result.

So let’s prognosticate a little, and see what might happen to the Facebook, now that the entire userbase is acutely aware of the fact that everything they do is being recorded and shared with the world.

  • First, I believe this move will cause a lot of mental discomfort to students who hadn’t really thought through online identity. They will be presented with all of the changes from their friends and realize that they, too, are having every minute change in their identity fed to hundreds of others.
  • Second, I believe students will be forced to rethink how they socialize in the Facebook. Facebook has reached a critical mass among college-age students, and my research has shown that many students on the Facebook now use the service heavily for out-of-network connections. Their cousins, old friends, brothers and sisters are on the Facebook. Knowing that everything they do will be presented to their entire network will have a chilling effect. Here’s an example: A student posts a change to their profile late at night, as a joke for a friend. That student knows that likely, only a few people will see his change, and he can revert it in the morning. With the new Facebook, that change is now broadcast to the entire network – and it is saved in an identity archive – the feed.
  • Finally, I believe this change will wake students up to the realities of sharing identity information online. Granted, it won’t wake them up much, but it may just convince them that these sites aren’t really games. It may also convince them to think of the future repercussions of sharing information anywhere – not only in the Facebook but in Bebo, Myspace, Hi5, Xuqa and the like.

Personally, I don’t believe this is a horrible move for Facebook. They took a pre-existing model (RSS) and applied it to identity. What they may not have done is thought deeply about how their users approach identity. People love exploring each other, but we don’t want to leave traces behind. We don’t want people to be able to see if we’ve viewed the profiles of others. We don’t want people to know if we decline their friend requests. Social networking systems must enforce basic structural rules for trust to occur; I believe “not leaving traces behind” may turn out to be one of those rules.

Of course, Facebook has stated that feeds are subject to all privacy controls. You can opt out of the system totally, or on a case-by-case basis. However, opting out of sharing in these services, where sharing is incentivized, creates issues of inequality in the system. Students who opt-out aren’t playing the game fairly, more or less.

Reaction to the service has been mixed, with Techcrunch’s Arrington giving a neutral review (mostly a recounting of the features). The comment thread was less friendly. Over on the developer forum, a self-selected bunch of power users are engaging in threads with names such as “Why are people allowed to stalk every move I make now” and “Stop it – I almost cancelled my account today!”.

While an interesting move, I do believe that a gradual rollout or more in-depth consideration of users’ privacy concerns would have benefited Facebook. The Facebook seems to be run by a group of extremely determined Facebookers (many were early and full-immersion adopters), so it is possible that groupthink effects have caused the team to lose some focus of the average user.

The takeaway here is that Facebook, like it or not, has brought to bear a very real issue in online identity. Everything we do in public or semi-public spheres can be tracked and chronicled. We don’t see our digital footprints as much because systems haven’t cropped up to collect them, but collecting them is trivial. Facebook has simply put one of those systems in front of us – wrapped up nicely as a feature – but it isn’t hard to see the reality. As we grapple with this reality – that our privacy is only a construct of a system, and that our identity can be tracked and chronicled – how will students change their behavior? We’re really only at the tip of this iceberg, but with Facebook’s new features, we’ve accelerated this discussion substantially.

P.S. – I should also note that Facebook now has an official blog, which you may want to check out. Hopefully they’ll add an RSS feed soon.


22
Jun 06

Creating a Social Web of Trust with MicroID: Part 2

In the previous post in this series, I issued an impassioned call for content providers to adopt MicroID as a way for individuals to create a verified social web of trust. “Verified” and “trust” are big words, so here’s a little breakdown of exactly how this could work. I’ll address these from the “verifier” and “content provider” positions – the verifier being an actual verifying service (like ClaimID) and the content provider being any web content service (flickr, del.icio.us, last.fm).

The core assumption of this system is that there are users who want to verify pages on the net. As the MicroID must reside in the page’s header (per the spec), there are two main content provider-side cases we must account for. First, there are pages on the net that users will have write access to (their homepage, their blog), and, second, there are pages on the net they won’t have write access to (at least to the header, these are your flickr, last.fm, etc.).

For this system to work, a user needs to have a verified email address on at least one side. If the user has write access to their content provider-side pages, validation is only necessary on the verifier’s end (our standard of ownership allows that if a user can edit a page’s header – thus adding a MicroID – that is a fair standard of ownership). If the user does not have write access to the content provider-side page, the verifier and the content provider must verify the individual’s email address (and automatically generate the MicroID from this email address).

In terms of actual implementation of the system, there are two roles – verifier and a content provider. As this post is written as a reference for content providers, I’m pleased to report that the content provider (you) need only to automatically include the MicroID in the page header. All you do is generate the MicroID off of a verified email address, and include it in the user’s page header. It couldn’t be simpler.

The verifier has a more complicated role, but not by much. The state of verification is a binary state. It means “At time x, resource y was verified”. If resource y changes, you need to break that verification. That’s really the only rule that verifiers need to enforce above and beyond. A verification is a state, and if the URL changes, they have to re-verify (because a new URL is really a new claim). If they change their email address, they don’t need to re-verify. You’re claiming a URL, not an email address. The email address got its verification when a human clicked on the link in the email you sent him/her. That state persists. Now, if a person adds a second, third, or fourth verified email address (so they can verify against different resources using their different email addresses), you just compute the MicroID for each when you verify, and if one matches, you’re in a verified state. It really is that simple.

So, what are the problems that you need to look out for? Well, people are going to complain that one person can have someone else verify an email for them. If I’m friends with Larry Page, I can have him verify the larry@google.com email address to my verifier. I’d argue that isn’t a problem as much as it is a solution. Say that you own a company, and your employees have profiles on many services on your behalf. Now you want to verify those services. So you ask the verifier to verify Susan, Bob and Kathleen’s email addresses, and you can then go out and verify the accounts they’ve created in content providers using their employee email addresses. So this “vulnerability” actually has an upside.

The real problem is DNS cache poisoning. Since a MicroID verification is done with an HTTP GET, the DNS system is its core vulnerability. However, this sort of attack doesn’t scale; it is also easy to distribute verification (verify from multiple locations and compare the results) to mitigate the possibilities of attack.
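A sketch of the "verify from multiple locations and compare the results" mitigation, as an added example that is not code from claimID or the MicroID spec. The `Observation` record, the `assess` function, the vantage labels and the three-vantage minimum are all assumptions made for illustration; the sample MicroIDs and addresses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    vantage: str         # label of the location that issued the HTTP GET
    resolved_ip: str     # address that location's resolver returned for the host
    microids: frozenset  # MicroID values found in the page header from there


def assess(observations, expected_ids, min_vantages=3):
    """Compare per-vantage results for a single claim.

    expected_ids are the MicroIDs computed from the claimant's verified email
    addresses and the claimed URL. The verdict is 'verified' only when enough
    vantages were polled and every one of them saw an expected MicroID,
    'rejected' when none did, and 'inconclusive' when they disagree.
    """
    expected = set(expected_ids)
    by_ip = {}
    for obs in observations:
        by_ip.setdefault(obs.resolved_ip, []).append(obs.vantage)
    matched = [o.vantage for o in observations if o.microids & expected]
    missed = [o.vantage for o in observations if not (o.microids & expected)]
    if len(observations) < min_vantages:
        verdict, outliers = "inconclusive", []
    elif not missed:
        verdict, outliers = "verified", []
    elif not matched:
        verdict, outliers = "rejected", []
    else:
        # Disagreement: report the smaller group so an operator can look at
        # what those locations resolved and fetched.
        verdict = "inconclusive"
        outliers = sorted(matched if len(matched) < len(missed) else missed)
    return verdict, {"outliers": outliers, "resolved": by_ip}


# Constructed sample data: placeholder MicroIDs and documentation-range addresses.
CLAIMED = "1" * 40
SOMETHING_ELSE = "2" * 40


def demo():
    agree = [
        Observation("us-east", "192.0.2.10", frozenset({CLAIMED})),
        Observation("eu-west", "192.0.2.10", frozenset({CLAIMED})),
        Observation("ap-south", "192.0.2.10", frozenset({CLAIMED})),
    ]
    split = [
        Observation("us-east", "203.0.113.66", frozenset({CLAIMED})),
        Observation("eu-west", "192.0.2.10", frozenset({SOMETHING_ELSE})),
        Observation("ap-south", "192.0.2.10", frozenset()),
    ]
    return {
        "agree": assess(agree, [CLAIMED]),
        "split": assess(split, [CLAIMED]),
        "too_few": assess(agree[:2], [CLAIMED]),
    }


if __name__ == "__main__":
    for name, (verdict, details) in demo().items():
        print(name, verdict, details)
```

The resolved addresses are reported rather than compared for the verdict, because a site served from several addresses can legitimately resolve differently per location; the MicroID result is what has to agree.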

It is also important to remember that this system is limited by its simplicity. This simplicity is beautiful because it leverages our existing trust patterns. Two-sided email verification means something. A web of identity means something. The fact this couldn’t be easier means something. People can actually use this, and that means something.

I’d really like to urge some cutting-edge content providers to think about adding MicroID to their service. All they need to do is add the MicroID to their web templates. Since MicroID is a standard, anyone would be able to run the verification – whether it be a tiny outfit like ClaimID, or a Google or Yahoo. This easily answers a need that many of us feel very strongly about – how do we display proof-positive that we actually own something? And how do we do this incredibly simply, in a user-friendly format?

Of course, there’s probably a good deal I’ve left out, and these posts have been quite lengthy – so I apologize. However, when you think about how this beautifully simple solution would work…it actually makes sense. So, content providers, will you join in this initiative? With this one little MicroID, we can start to change the nature of how we construct our identities online – for the better. Please drop me a line at fred @ metalab.unc.edu, or leave a comment, if you’d like to continue the conversation.


22
Jun 06

Creating a Social Web of Trust with MicroID: Part 1

A few weeks ago, we introduced MicroID based verification in claimID. Since doing so, we’ve seen use take off – a real sign that users are very interested in making actual verifiable claims of ownership of their web content.

First, let’s start with a little history. A few months ago, Jeremie Miller, the creator of the Jabber messaging protocol, introduced MicroID. Jeremie called MicroID “Small Decentralized Verifiable Identity” – an apt description. Jeremie also called MicroID radically simple, and he was absolutely right. The core technology of MicroID is a simple hashing function (more on this in just a second) – and this radically simple technology may change how we think of ownership and social trust on the web.

Let’s explore the problem space for a second. You have stuff on the web that you’ve created. You’ve got your homepage, your blog, your del.icio.us links, your flickr photos, your last.fm playlist. All of these things were created by you – they are a part of your identity. The next question is: How do you prove to people that the content you’ve “created” was actually created by you? For the meantime, you post your name, your picture, your bio – stuff that helps people disambiguate you and make a reasonable guess that you are the author of your content. The problem arises when you want to make an actual verifiable claim of ownership on this content, because for the time being, all we have to go on is our instinct.

What if people could simply make verifiable, distributed, standards-based claims of ownership of web resources? You’re investing your time, money and effort into your peer production – doesn’t it make sense that you should be able to tie your production back to your identity?

Enter MicroID. A MicroID is a standard identity microformat. A MicroID looks like this (may not render properly in news readers):

<head>
<meta name="microid" content="a9993e364706816aba3e25717850c26c9cd0d89d" />
</head>

The MicroID is computed by hashing together a user’s email address and the URL they are claiming. The pseudocode looks like this.

MicroID = sha1_hex( sha1_hex( "mailto:user@email.com" ) + sha1_hex( "http://website.com" ) );

Indeed, radically simple. How does it work?

To start off, you need two things – a verified email address, and a URL. The URL is the resource you want to claim, and the email address is your identifier. The URL and the email are hashed together to produce a unique identifier (see the pseudocode above), which becomes a shared secret between a content provider and a verifier. The content provider and the verifier have both verified your email address; as such, you can create a claim of ownership in the verifier service using the URL. The verifier then goes to the content provider and checks for the status of the MicroID, and if the MicroID exists, ownership is established.

Now, lots of people have gone up in arms about using an email address as a verification entity. I’ll be the first to admit that MicroID only works when the email address is verified (either by both sides, or by the verifier when the person has write access to the content page). If there isn’t a verification process, forget about it. But once we do verify those email addresses, things get very interesting.

To think about this reference implementation, we’ll need a content provider and a verifier. The content providers in this example will be flickr and del.icio.us, the verifier will be claimID. In flickr and del.icio.us, you have a verified email address. Say you use bob@microsoft.com for your flickr email, and bob@hotmail.com for your del.icio.us email. Using that verified email address, both flickr and Del.icio.us could compute a MicroID for your pages. Now, you want to verify these to your claimID. In claimID, you would verify each of your addresses (bob@microsoft.com, bob@hotmail.com). ClaimID would then go and check the MicroID’s on your claimed page, using MicroID’s generated by both of your verified email addresses. Since both email addresses were verified in claimID, claimID would be able to validate your claims and display them as such.
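The computation and the verifier-side check described above, including the rule from Part 2 that a verifier tries each of a user's verified addresses, as an added example that is not claimID's code. The function names, the placeholder URLs standing in for Bob's flickr and del.icio.us pages, and the decision to ignore tags outside the first `<head>` are assumptions of this sketch.

```python
import hashlib
import re
from html.parser import HTMLParser

HEX40 = re.compile(r"[0-9a-f]{40}")


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def microid(email, url):
    """sha1_hex(sha1_hex("mailto:" + email) + sha1_hex(url)), as in the pseudocode."""
    return sha1_hex(sha1_hex("mailto:" + email) + sha1_hex(url))


class HeadMicroIDs(HTMLParser):
    """Collect <meta name="microid"> values from the first <head> only.
    Assumption of this example: the ownership standard is write access to the
    header, so a tag sitting in body content (a comment, a caption) is ignored."""

    def __init__(self):
        super().__init__()
        self.state = "before"  # before -> in -> after
        self.values = []

    def handle_starttag(self, tag, attrs):
        if tag == "head" and self.state == "before":
            self.state = "in"
        elif tag == "body":
            self.state = "after"
        elif tag == "meta" and self.state == "in":
            a = dict(attrs)
            value = (a.get("content") or "").strip().lower()
            if (a.get("name") or "").lower() == "microid" and HEX40.fullmatch(value):
                self.values.append(value)

    def handle_endtag(self, tag):
        if tag == "head":
            self.state = "after"


def verify_claim(url, page_html, verified_emails):
    """Return the verified email whose MicroID for this URL is in the header, or None."""
    parser = HeadMicroIDs()
    parser.feed(page_html)
    parser.close()
    published = set(parser.values)
    for email in verified_emails:
        if microid(email, url) in published:
            return email
    return None


# Constructed sample data: the two addresses are the post's own example; the
# URLs are placeholders, not real flickr or del.icio.us addresses.
EMAILS = ["bob@microsoft.com", "bob@hotmail.com"]
PHOTOS = "http://photos.example/bob/"
LINKS = "http://links.example/bob"
OTHER = "http://photos.example/alice/"
PAGE = "<html><head>%s</head><body>%s</body></html>"
TAG = '<meta name="microid" content="%s" />'


def demo():
    tag = TAG % microid("bob@microsoft.com", PHOTOS)
    links_tag = TAG % microid("bob@hotmail.com", LINKS)
    return {
        "photos": verify_claim(PHOTOS, PAGE % (tag, ""), EMAILS),
        "links": verify_claim(LINKS, PAGE % (links_tag, ""), EMAILS),
        # Same tag served at a different URL: the URL is part of the hash.
        "copied_tag": verify_claim(OTHER, PAGE % (tag, ""), EMAILS),
        # Tag present only in body content, not in the header.
        "body_only": verify_claim(PHOTOS, PAGE % ("", tag), EMAILS),
        # The verifier has not verified the address the page was tagged with.
        "unverified_email": verify_claim(PHOTOS, PAGE % (tag, ""), ["bob@hotmail.com"]),
    }


if __name__ == "__main__":
    print(demo())
```

Because the URL is hashed into the value, a verifier that recomputes the MicroID for the URL it actually fetched will not accept a tag lifted from another page, which is also why a changed URL has to be treated as a new claim.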

So something interesting just happened. That stuff about you, the stuff that you use to show people how cool and smart and hire-worthy you are, the stuff that is only tied together by the fact people believe what they see, now has something behind it. You are actually creating a web of identity, which is a very interesting thing. Imagine that I know you, but not very well. I know that your flickr pictures are by you, but I don’t really know what else is owned by you on the net. Since you’ve verified your flickr pictures to your claimID, I’d follow that line of trust around to other verified sites on the net. I’d develop a trusted picture of your identity. Imagine how useful this is.

Now, the counter argument is that all of this can be falsified. You can create a fake flickr account with a fake email address, and a fake claimID with a fake email address – sure. And you can verify using that fake email address. I acknowledge the validity of the case, but by doing so, you haven’t broken MicroID. MicroID verification only proves that two things on different services are the same – a claim and a content page. It can’t go any further than that, and I don’t think we want it to.

We construct a social picture of identity based on stuff we trust. I know you have a flickr page. I trust it because we’ve talked about it, or emailed about it. I can follow that flickr page back to your claimID, and I can trust your claimID because you’ve verified your flickr to it. Indeed, the trust process is bidirectional – which makes this completely beautiful. Sure, claimID does multifactor authentication with openID and multiple email addresses – but the point is you’re creating a web of identity. Anywhere I come into the web, as long as you’ve verified one thing to another thing, I can transverse the web and see a trusted picture that you’ve chosen to present. The only requirement is that I have a fair amount of trust of my entry node into the web – and that’s what we as humans already do.

So this is revolutionary. With this tiny little MicroID and a verifying service that follows the MicroID standard (doesn’t have to be claimID, we’re just the first doing it), users can simply create these webs of identity. No need for verifying services to log in to each other, no need for passwords or API’s. All we need is a little MicroID, and we can start changing the nature of social identity on the net.

So this is the case for MicroID, and why you should implement it. In the next post, I’ll cover exactly how.


10
May 06

ClaimID on Inside the Net Podcast

I’m happy to report that ClaimID was featured on this week’s Inside the Net podcast. Hosts Amber MacArthur and Leo Laporte gave Terrell and me a great opportunity to talk about claimID, the thinking behind it, our goals for the service – and a lot more. If you’ve wanted to know a little more about why we built ClaimID, I’d really recommend listening to the podcast. I think it shines a nice light on our motives and goals – we’re really trying to build a service that will be useful to you for the next 10, 20, 30 or more years. The identities we create on the net will only multiply – and the need for identity services like ClaimID will become more and more evident.

This summer, Terrell and I will both be working on ClaimID full time. This is a unique experience – we’ve always had “day jobs” as full time Ph.D. students and researchers. Thinking back to when ClaimID was first being incubated, I had a full-time job and was in school – it’s amazing anything got done. We plan to invest our time building a service that is really useful to you – we’ve got a number of really interesting ideas. The most important thing to note is that we’re just getting started. We’re at the beginning of a long journey as we build ClaimID into what it will become. Indeed, the future is bright.