Although it’s not post data, LJ has been declining in daily visitors, especially U.S. daily visitors. According to Google Trends, there are around 100K daily U.S. visitors, vs. around 100K Ukranian and ~300K Russian visitors. (I posted about this here.

The serial adders are said to probably be bots, brought on by the massive popularity of LJ in Russia. In general, recently the site has experienced huge spambot traffic.

On serial adders: bear in mind that people have the option of shutting off their “friends-of” list from appearing at all, and that’s what LJ support usually tells people to do if they object to being friended. I myself have received several notifications from the same serial adder repeatedly adding and removing me within the space of a few days; that’s harder to deal with because turning off incoming friend-notifications is more expensive than turning off the friends-of list. Just for me I can easily filter them, but not everyone has as good email-fu as mine. We probably can’t reliably guess what serial adders are trying to accomplish, though; they don’t exactly publish their motivations in any believable form.

I suspect everyone-but-X may be one of those things that may work better in practice than in theory. You and I can instantly see the holes in it, from a theoretical perspective that assumes adversaries will do everything they CAN do. But when people would actually attempt to use it, it might well work as well as they hoped just because the people being excluded wouldn’t bother making dummy accounts. Especially if they didn’t know they were being excluded. Certainly, no amount of argument is going to convince users who think they want everyone-but-X that they don’t.

I’m familiar with your two essays, and that’s partly where I got the idea for everyone-but-X (the ESORICS paper I linked to also proposed something similar.) I’m sorry I couldn’t remember where I saw it when I made my post; I’ve updated the post now with links to your essays.

I’m thinking of everyone-but-X mainly in a “you must be logged in to see anything at all” context, so your objection isn’t as applicable. Besides, I’m using everyone-but-X as an example of what I consider an entire class of unexplored access control primitives, which I didn’t have time to go into in this post.

“I’m pretty sure Livejournal actually does inform users when they are friended – or at least, that users can set an option to receive such notifications.”

I’m surprised by this — I looked again but couldn’t find the option you’re talking about. I’m also surprised by your description of serial adders: I’ve read about them in multiple places, and the offense mentioned was always that people would be annoyed by the adder appearing on their friend-of list at all. (The reason for the adder then un-adding people seems to be to add yet other users, because of the out-degree <= 750 restriction, rather than to repeatedly harass the same person.)

My talk based on the themes in this post went better than I'd hoped, so I'm thinking of doing a more formal write-up. I'll be sure to cite you if I do.