Livejournal Done Right: The Case for a Social Network with Built-in Privacy

September 9, 2009 at 11:52 am 21 comments

Is it time to give up on privacy in social networking? I argue that the exact opposite is true. Impatient readers can skip to the bullet-point summary at the end.

Based on my work on de-anonymizing social networks with Shmatikov, and other research such as Bonneau & Preibusch’s survey of the dismal state of privacy in social networks, many people have concluded that it is time to give up on social networking privacy. In my opinion, this couldn’t be farther from the truth.

Being a hard-headed pragmatist (at least by the lax standards of academia (-:), I will make the case that there is a market for a social networking site designed from the ground-up with privacy in mind, as opposed to privacy being tagged on piecemeal in reaction to PR incidents.

It would seem that a good place to start would be to look at existing social networks with designed-in privacy, and see how they have fared. Unfortunately, researchers are still hammering out exactly what that would look like, and there are no real examples in the wild. In fact, part of the reason for this post is to flesh out some principles for designed-in privacy. So I will use a definition based on privacy outcomes instead:

The privacy strength of a social network is the extent to which its users share sensitive information with one another.

Viewed from this perspective, there is only one widely-used social network (at least in the U.S.) that has strong privacy, one that stands out from all the rest: LiveJournal.

While Facebook’s privacy controls are more technologically sophisticated, there is little doubt that far more revelations of a private nature are made on LiveJournal. This discrepancy is central to the point I want to make: achieving privacy is not just about technological decisions.

There is one overarching reason for LiveJournal’s privacy success: They make it (relatively) easy for users to communicate their mental access control rules to the system. In my opinion, this should the the single most important privacy goal of a social network; the technical problem of implementing those access control rules is secondary and much easier.

On Livejournal, the goal is achieved largely due to two normative user behaviors:

  • Friending is not indiscriminate (see below).
  • Users actually use friend lists for access control.

Herding users into these behaviors is far from easy, and LiveJournal stumbled there through a variety of disparate design decisions, some wise, some not so wise, some that worked against their interest in the long run, and some downright bizarre.

  • Friendship is not mutual. While in practice over 90% of friendships are reciprocated, the difference crucially captures the asymmetric nature of trust.
  • The site is insular — it plays poorly with search engines; RSS support has been way behind other blog platforms.
  • Privacy settings are highly visible, rather than being tucked away in a configuration page. Just a couple of examples:
    • there is a privacy-level dropdown menu on the post-new-entry page.
    • when you add a friend, you are prompted to add them to one or more friend lists.
  • Weak identity. The site does not require or encourage a user to use their real name. Many users choose to hide their real-life identity from everyone except their friend-list.
  • Livejournal doesn’t inform users when they are friended. From the privacy perspective, this is a feature(!) rather than a bug — it decreases the embarrassment of an unreciprocated friending by letting both users pretend that the user who was friended didn’t notice (even though most regular users use external tools to receive such notifications.). The social norms around friending are in general far more complex than on Facebook, and there is a paper that analyzes them.

As you may have gathered from the above, social norms have a huge impact on the privacy outcome of a site; this explains both why privacy is about more than technology, as well as why privacy can never be achieved as an afterthought — because norms that have evolved can hardly ever be undone. Regrettably, but unsurprisingly, the CS literature on social network privacy has been largely blind to this aspect. (Fortunately, economists, philosophers, some hard-to-categorize researchers, and needless to say, sociologists and legal scholars have been researching social network privacy.)

Returning to my main thesis, I believe that privacy has been the central selling-point of Livejournal, even though it was never marketed to users in those terms. The privacy-centric view explains why the userbase is so notoriously vocal, why the site is able to get users to pay, why they have a huge fanfic community, much of it illegal, and why Livejournal users find it impossible to migrate to other mainstream social networks, which all lack any semblance of the privacy norms that exist on Livejournal.

Livejournal is dying, at least in the U.S., which I believe is largely due to erratic design decisions. While the decay of the site has been obvious to most users (who have seen the frequency of new posts basically fall off a cliff in the last few months), I don’t have concrete data on post frequency. Fortunately, it is not essential to the point I’m making, which is that Livejournal got a few things right but also made a lot of mistakes. We now know a lot more about privacy by design in social networks than we did a decade ago, and it is possible to do much better by starting from scratch. There is now a huge unfulfilled need in the market for someone to take a crack at.

Finally, I’m going to throw in two examples of design decisions that Livejournal (or any other network) never implemented but I believe would be hugely beneficial in achieving positive privacy outcomes:

“Everyone-but-X” access control. This is an example of a whole class of access control primitives that make no sense from the traditional computer science security perspective. If an item is visible to every logged-in user except X, X can always create a fake (“sybil”) account to get around it.

However, let me give you one simple example that I hope will immediately convince you that everyone-but-X is a good idea: your sibling is on your friends list and you want to post about your sex life. It’s not so much that you want to prevent X from having access to your post, but rather that both of you prefer that X didn’t have access to it. The relationship is not adversarial. Extrapolating a little bit, most users can benefit from everyone-but-X privacy in one context or another, but amazingly, no social network has thought of it.

The problem here is that traditional CS security theory lacks even the vocabulary to express what’s going on here. Fortunately, researchers are wising up to this, and a new paper that will be presented at ESORICS later this month argues that we need a new access control model to reason about social network privacy, and presents one that is based on Facebook (I really like this paper).

Stupidly easy friend lists. Having to manually manage friend-lists puts it beyond the patience level of the average user, and offers no hope of getting users who already have several hundred uncategorized friends to start categorizing. But technology can help: I’ve written about automated friend-list clustering and classification before.

Summary. As promised, in bullet points:

  • Livejournal is the only major social network whose users regularly share highly private material.
  • Livejournal achieved this largely because they made it easy for users to communicate their mental access control rules to the system.
  • To habituate users into doing this, social norms are crucial. They matter more than technology in affecting privacy outcomes.
  • Designing privacy is therefore largely about building the right tools to get the right social norms to evolve.
  • Livejournal doesn’t seem to have a bright future. Besides, they made many mistakes and never realized their full potential.
  • Therefore, privacy-conscious users form a large and currently severely underserved segment of the social networking audience.
  • The lessons of Livejournal and recent research can help us design privacy effectively from the ground up. The time is right, and the market is ripe.

Final note. I will be presenting the gist of this essay (preceded by a survey of the academic attempts at privacy by design) at the Social Networking Security Workshop at Stanford this Friday.

Some of the ideas in this post were inspired by these essays by Matthew Skala.

To stay on top of future posts, subscribe to the RSS feed or follow me on Twitter.

Entry filed under: Uncategorized. Tags: , , , .

Privacy Law Scholars Conference Oklahoma Abortion Law: Bloggers get it Wrong

21 Comments Add your own

  • 1. HS  |  September 9, 2009 at 12:13 pm

    Maybe I missed this point, but I’m feeling that part of the reason Facebook privacy is complex and non-obvious is because they are deliberately trying to encourage users to open up their walled garden and make it public. (Possibly because of a misguided feeling of being threatened by the new media darling, twitter)

    I really like the points you mentioned about LJ not alerting people to friend requests (although I could have sworn they used to do this, like 6 years ago) and ‘everyone-but-X’ privacy.

    I guess the term for that is ‘allowing plausible deniability’ :)

    I found Facebook awkward in several ways. For example people would give me friend requests and while I didn’t want them to see everything I had, I didn’t want to offend them by not reciprocating.

    I guess the problem was common enough, that FB recently addressed this by letting you select which friend-lists the person should belong in the same step in which you add them. Thereby making sure they were always restricted in the way you choose.

    Reply
    • 2. Arvind  |  September 9, 2009 at 12:21 pm

      Maybe I missed this point, but I’m feeling that part of the reason Facebook privacy is complex and non-obvious is because they are deliberately trying to encourage users to open up their walled garden and make it public.

      Check out the Bonneau and Preibusch paper I cited. They have an excellent analysis for why Facebook privacy is the way it is (and more importantly, I believe, the right paradigm for analyzing these questions.)

      Facebook privacy is complex because they want to signal to the media and law-makers that they care. And Facebook privacy is tucked away for reasons that are indeed similar to what you suggest.

      As for Facebook friend-lists, I think it’s probably too late, for the reasons I explained — 1. most people have hundreds of uncategorized friends 2. the norms that have already evolved aren’t likely to change.

      Reply
    • 3. februaryfour  |  April 14, 2010 at 3:38 pm

      Actually, you can choose to be notified if you are friended (or de-friended). It’s in the Notifications settings. I just choose to leave both options off, but some people actually turn them on because they want to know.

      Reply
  • 4. Neil Kandalgaonkar  |  September 9, 2009 at 2:51 pm

    Thanks for writing this, Arvind. You captured my feelings about the platform. For years I’ve tried to explain to users of other blogging platforms what was attractive about LJ.

    At least among the technology elite, LJ looks underpowered since it does not work well to increase one’s personal micro- (or macro-) fame. Nor does it give the blogger many tools to gauge popularity or manage hundreds or thousands of relatively shallow relationships. There are a few tools to make cross-links among entries such as tags, but again, northing to keep the user clickety-clicking for hours. In short, this is not a media platform.

    Instead LJ is designed around blogging personas and communicating with people’s *real* social network, which tend to be multifaceted. Even the techno-elite might find these features interesting if they realized that these offer ways to share tentative, controversial, or personal content with a smaller subset of users.

    Reply
  • 5. Rajat  |  September 9, 2009 at 4:09 pm

    Doesn’t ‘asymmetric friending’ also apply to Twitter? Some of the points which apply to LJ also seem to apply to Twitter. But Twitter doesn’t have granularity of privacy (among a whole bunch of other features). I protect my tweets & it peeves me quite a bit that I can’t reply to tweets by people who don’t follow me.

    Reply
    • 6. Arvind  |  September 9, 2009 at 8:37 pm

      While it is true that some people protect their tweets, if there is a predominant social norm on Twitter, it would be exhibitionism. There might be privacy lessons to be learnt from Twitter, but I haven’t given it any thought.

      Reply
  • 7. Ashwin Nanjappa  |  September 10, 2009 at 9:17 am

    “of a private nature are made on LiveJournal” should be “… that are made on LiveJournal”.

    Just being a grammar nazi, you can delete this comment after you read it :-)

    Reply
    • 8. Arvind  |  September 10, 2009 at 9:32 am

      Thanks.

      Reply
      • 9. Ashwin Nanjappa  |  September 14, 2009 at 12:35 am

        I was changing the permissions on a Facebook photo album and noticed that it has Everyone-but-X feature. I had no idea they had implemented this :-)

        Reply
        • 10. Arvind  |  September 14, 2009 at 8:23 am

          How is it worded? Could you send me a screenshot? (I don’t have photos on FB.) Thanks.

          Reply
          • 11. Ashwin Nanjappa  |  September 14, 2009 at 8:35 am

            The UI is surprisingly well done (note the red color on the Everyone-but-X section):

            Reply
            • 12. Arvind  |  September 14, 2009 at 8:37 am

              Ah.. the UI actually rings a bell. They must have it for things other than photos as well. Thanks!

  • 13. nikitaborisov  |  September 11, 2009 at 4:30 pm

    I like the perspective of thinking about social norms. I know LJ has spent a lot of time considering them, and I’m sure FB has as well.
    BTW, an upcoming paper on using clustering for privacy policies:

    http://research.microsoft.com/en-us/um/people/gdane/papers/AISec22-Danezis.pdf

    Reply
    • 14. Arvind  |  September 12, 2009 at 3:47 am

      That’s great, I’ll be sure to cite that if and when I write this up. Thanks!

      Reply
  • 15. Matthew Skala  |  September 13, 2009 at 10:02 pm

    I spotted this in my referrer log for the “Terrible Secret” item, but I’ve actually written other things that might be more applicable: How to run a conspiracy and How to run a drama. I was especially interested in the “Everyone except X” security level you describe. People want it, but they don’t want its consequences. It’s especially a problem because people really do want to make things *public* – visible to strangers – while still keeping them out of the hands of a few closely-connected individuals.

    I’m pretty sure Livejournal actually does inform users when they are friended – or at least, that users can set an option to receive such notifications. That’s the basis for a Livejournal-specific form of anti-social behaviour: “serial adders” run bots that rapidly add and remove large numbers of randomly users from an account’s friends list, in order to generate large numbers of such notifications.

    For a long time, Livejournal displayed “Friends” and “Friend of” as two separate lists on a user’s profile page – so that you’d have to do a cumbersome visual diff to determine which friendships were not mutual. That behaviour is still available as an option, but it’s no longer default; now they display “mutual friends” and “also friend of”. I kept my account configured for the old behaviour so as not to draw attention to the people whose “friendship” I do not reciprocate.

    Random thought: my siblings are among the very few people with whom I openly discuss my sex life. They wouldn’t be the X in “everyone except X,” for me.

    Reply
    • 16. Arvind  |  September 14, 2009 at 8:19 am

      Hey,

      I’m familiar with your two essays, and that’s partly where I got the idea for everyone-but-X (the ESORICS paper I linked to also proposed something similar.) I’m sorry I couldn’t remember where I saw it when I made my post; I’ve updated the post now with links to your essays.

      I’m thinking of everyone-but-X mainly in a “you must be logged in to see anything at all” context, so your objection isn’t as applicable. Besides, I’m using everyone-but-X as an example of what I consider an entire class of unexplored access control primitives, which I didn’t have time to go into in this post.

      “I’m pretty sure Livejournal actually does inform users when they are friended – or at least, that users can set an option to receive such notifications.”

      I’m surprised by this — I looked again but couldn’t find the option you’re talking about. I’m also surprised by your description of serial adders: I’ve read about them in multiple places, and the offense mentioned was always that people would be annoyed by the adder appearing on their friend-of list at all. (The reason for the adder then un-adding people seems to be to add yet other users, because of the out-degree <= 750 restriction, rather than to repeatedly harass the same person.)

      My talk based on the themes in this post went better than I'd hoped, so I'm thinking of doing a more formal write-up. I'll be sure to cite you if I do.

      Reply
  • 17. Matthew Skala  |  September 15, 2009 at 3:50 am

    If I go to the Livejournal home page, then click “manage accounts” and choose the “notifications” tab, I get a page where I can select a box under “notify me in my LJ inbox when…” “Someone adds me as a friend”. There’s another box next to that for “Also notify me by email.” My account is a “Basic” account grandfathered from before the recent “No more ad-free Basic accounts” change. Your mileage may vary, of course, especially if you’re using a different account class.

    On serial adders: bear in mind that people have the option of shutting off their “friends-of” list from appearing at all, and that’s what LJ support usually tells people to do if they object to being friended. I myself have received several notifications from the same serial adder repeatedly adding and removing me within the space of a few days; that’s harder to deal with because turning off incoming friend-notifications is more expensive than turning off the friends-of list. Just for me I can easily filter them, but not everyone has as good email-fu as mine. We probably can’t reliably guess what serial adders are trying to accomplish, though; they don’t exactly publish their motivations in any believable form.

    I suspect everyone-but-X may be one of those things that may work better in practice than in theory. You and I can instantly see the holes in it, from a theoretical perspective that assumes adversaries will do everything they CAN do. But when people would actually attempt to use it, it might well work as well as they hoped just because the people being excluded wouldn’t bother making dummy accounts. Especially if they didn’t know they were being excluded. Certainly, no amount of argument is going to convince users who think they want everyone-but-X that they don’t.

    Reply
    • 18. Arvind  |  September 15, 2009 at 4:22 am

      Ah, it was right there. Don’t know how I missed it. I don’t think I’ve changed those settings since creating my journal around 6 years ago, so I never noticed when they added that feature. Or maybe they always had it and I always missed it. Anyway, thanks.

      Reply
  • 19. charmian  |  November 8, 2009 at 11:52 pm

    Fascinating.

    Although it’s not post data, LJ has been declining in daily visitors, especially U.S. daily visitors. According to Google Trends, there are around 100K daily U.S. visitors, vs. around 100K Ukranian and ~300K Russian visitors. (I posted about this here.

    The serial adders are said to probably be bots, brought on by the massive popularity of LJ in Russia. In general, recently the site has experienced huge spambot traffic.

    Reply
  • […] Everyone-but-X access control, which I described in an earlier article, shows in a direct way how access control fails to capture privacy requirements. From the […]

    Reply
  • […] in mind. One major reason why LiveJournal has a “closed” feel — which is a big part of its appeal — is that posts don’t rank well in Google searches, if they are indexed at all. For […]

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed


About 33bits.org

I'm an assistant professor of computer science at Princeton. I research (and teach) information privacy and security, and moonlight in technology policy.

This is a blog about my research on breaking data anonymization, and more broadly about information privacy, law and policy.

For an explanation of the blog title and more info, see the About page.

Subscribe

Be notified when there's a new post — subscribe to the feed, follow me on Google+ or twitter or use the email subscription box below.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 217 other followers