SAN FRANCISCO — Applications that let consumers share their
content, like Yahoo’s Flickr, have made many a millionaire, and built
a new generation of powerhouse companies. But with sharing come
privacy concerns.
Flickr has found it can increase usage on its photo-sharing site
by providing just enough privacy. Flickr developer Kellan
Elliott-McCrea presented the company’s concept of “casual privacy” at
the Web 2.0 Expo, held last week in San Francisco.
“Sharing has been a great growth strategy for Web 2.0 companies.
But there are things that people do want to share privately,
including pictures of their kids, their homes, their weddings and
last night’s party,” he told the audience. “We have very rich privacy
controls already, but they can be too challenging for a lot of people.”
Flickr’s solution was GuestPass, launched in 2006. It creates a
unique — and very long — URL photographers can send to others.
Following the URL lets people bypass the Flickr login and see a
private photo without having to register for the site. Only the
photographer can create one. It also provides navigation hints,
because a lot of people following it may be first-time visitors to
Flickr. Last Tuesday, Flickr rolled out a “share this” button that lets
you pull addresses from your address book or contact list. “It’s huge
because the people who are using it were not sharing before,”
Elliott-McCrea said.
Share nothing? Share everything?
He identified four models for sharing: share nothing, share
everything, manage a crowd or casual privacy. The manage a crowd is
the traditional model, it’s about assigning roles, giving
permissions. “The problem is, those models are insufficiently complex
and yet too complex at the same time,” he told the crowd.
GuestPass uses long, obscure URLs that are hard to guess but easy
to implement. These URLs can be forwarded on to others, who can also
follow them to see the photo. “We expect it to be propagated; it’s a
leaky privacy,” he said. But it happens slowly, more like the way
gossip might be passed along from friend to friend — instead of the almost instantaneous way that scandal can permeate the blogosphere.
Elliott-McCrea recommended that companies that want to implement
the casual privacy strategy make sure the URLs they generate are
opaque, so you can’t tell who made it. There should be no hinting in
the error messages, such as, “I’m sorry but Leonard hasn’t shared
that photo with you.” And no obvious gaps in the photo stream, for
example, “Leonard has 37 photo streams, of which you can see 13.”
They should also be revocable, so that people can change their minds
later about sharing the content.
GuestPass-type URLs should be hard to guess. Flickr uses
eight-digit alphanumeric URLs; if developers are willing to go up to
12 to 14 digits, they can check their validity on the client side,
without querying the database. But Flickr hasn’t found this level of
security necessary.
There are some security concerns. “Your token will leak at a
conference, much like a password,” he warned. Proxies can be
problematic and the data hygiene of centralized feed aggregators is not good.
Casual privacy is good enough for most Internet users,
Elliott-McCrea said, but it may not be the right strategy for truly
sensitive information. He cautioned, “If you’re terribly worried
about malicious leaks, casual privacy isn’t for you.”