RealTime IT News

Flickr Taking Privacy Just Casually Enough

SAN FRANCISCO -- Applications that let consumers share their content, like Yahoo's Flickr, have made many a millionaire, and built a new generation of powerhouse companies. But with sharing come privacy concerns.

Flickr has found it can increase usage on its photo-sharing site by providing just enough privacy. Flickr developer Kellan Elliott-McCrea presented the company's concept of "casual privacy" at the Web 2.0 Expo, held last week in San Francisco.

"Sharing has been a great growth strategy for Web 2.0 companies. But there are things that people do want to share privately, including pictures of their kids, their homes, their weddings and last night's party," he told the audience. "We have very rich privacy controls already, but they can be too challenging for a lot of people."

Flickr's solution was GuestPass, launched in 2006. It creates a unique -- and very long -- URL photographers can send to others. Following the URL lets people bypass the Flickr login and see a private photo without having to register for the site. Only the photographer can create one. It also provides navigation hints, because a lot of people following it may be first-time visitors to Flickr. Last Tuesday, Flickr rolled out a "share this" button that lets you pull addresses from your address book or contact list. "It's huge because the people who are using it were not sharing before," Elliott-McCrea said.

Share nothing? Share everything?

He identified four models for sharing: share nothing, share everything, manage a crowd or casual privacy. The manage a crowd is the traditional model, it's about assigning roles, giving permissions. "The problem is, those models are insufficiently complex and yet too complex at the same time," he told the crowd.

GuestPass uses long, obscure URLs that are hard to guess but easy to implement. These URLs can be forwarded on to others, who can also follow them to see the photo. "We expect it to be propagated; it's a leaky privacy," he said. But it happens slowly, more like the way gossip might be passed along from friend to friend -- instead of the almost instantaneous way that scandal can permeate the blogosphere.

Elliott-McCrea recommended that companies that want to implement the casual privacy strategy make sure the URLs they generate are opaque, so you can't tell who made it. There should be no hinting in the error messages, such as, "I'm sorry but Leonard hasn't shared that photo with you." And no obvious gaps in the photo stream, for example, "Leonard has 37 photo streams, of which you can see 13."

They should also be revocable, so that people can change their minds later about sharing the content.

GuestPass-type URLs should be hard to guess. Flickr uses eight-digit alphanumeric URLs; if developers are willing to go up to 12 to 14 digits, they can check their validity on the client side, without querying the database. But Flickr hasn't found this level of security necessary.

There are some security concerns. "Your token will leak at a conference, much like a password," he warned. Proxies can be problematic and the data hygiene of centralized feed aggregators is not good.

Casual privacy is good enough for most Internet users, Elliott-McCrea said, but it may not be the right strategy for truly sensitive information. He cautioned, "If you're terribly worried about malicious leaks, casual privacy isn't for you."