Last session of the conference. And yes, another Schill recommendation. But this one I wanted to go to as well. We always have this problem — how to let people know something is private without the fear of “unauthorised” access.
Sadly, Kellan’s slides exploded just prior to the session, so we see an Apple-like presentation sans imagery.
Presenter: Kellan Elliott-McCrea, Flickr
Sharing/privacy two sides of the same coin
Casual privacy is a design pattern for doing sharing - Can’t replicate the human experience in software, so we’re not even going to try
Software needs to have the experience of whispering at a party
Security through Obscurity++ - It’s made of (unguessable) URLs
Sharing vs. Privacy — why do we care? - We’re on information overload
We share to try to get over all that
“Outboard brain”
Participate in the wisdom of crowds; collective wisdom
Basic models: - Share nothing - Total privacy is a fire suppression technique (aka it doesn’t work; one minor spark and you’re screwed)
We need a leaky privacy model (for the 99.5% of us who don’t need total privacy)
Share everything - There are some things people should not be sharing (kids, home, last night’s party)
Manage a crowd - Signing up people, adding people, assigning permissions
Leads to social fatigue
Massive cognitive burden
Human internal patterns are incompatible with the web
Casual privacy - Unguessable (but unprotected) URL for the purposes of sharing
Only the author can create one for their own content
URLs are neat (have neat properties); email, blog, IM, list, etc.
Whispers are forwardable, which means the URL is effectively the same
Whispers are deniable, so how do you do this with URLs? - “Beneficial hypocrisy”
URLs need to be opaque and non-identifiable, with no way to map one back to the item it exposes
No identifying error messages
No obvious gaps
Casual privacy works because of context - Leaks happen, but not maliciously
Give enough people enough information, and they’ll understand why it’s important
Deniability also supported through revoking - Removes the guest pass to see something previously allowed
Guest passes (GPs) could be used as REST targets
Possible to pre-sign URLs with an expiry (less casual privacy, BTW)
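The two mechanisms in the notes above, as an added illustration that is not Flickr's code: a guest-pass store whose tokens come from a CSPRNG, can be revoked, and answer every failure identically (no identifying error messages), plus the pre-signed URL variant with an HMAC and expiry. The store, the response shape and the signing key are all hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Hypothetical guest-pass store (constructed example, not Flickr's implementation).
class GuestPassStore:
    """Issue, resolve and revoke unguessable guest-pass tokens for private items."""

    def __init__(self) -> None:
        # Only a digest of each token is stored, so a leaked table cannot be replayed as URLs.
        self._passes: Dict[str, str] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, item_id: str) -> str:
        # 128 bits from the OS CSPRNG: opaque, non-sequential, not derivable from item_id.
        token = secrets.token_urlsafe(16)
        self._passes[self._digest(token)] = item_id
        return token

    def revoke(self, token: str) -> None:
        # A revoked pass becomes indistinguishable from one that never existed.
        self._passes.pop(self._digest(token), None)

    def resolve(self, token: str) -> Optional[str]:
        return self._passes.get(self._digest(token))


def guest_pass_response(store: GuestPassStore, token: str) -> Tuple[int, str]:
    """Unknown, malformed and revoked passes all get the same answer: no identifying errors."""
    item = store.resolve(token)
    return (200, item) if item is not None else (404, "Not found")


def sign_url(secret: bytes, path: str, expires_at: int) -> str:
    """Pre-signed variant: an HMAC over path and expiry, no server-side state to revoke."""
    sig = hmac.new(secret, f"{path}|{expires_at}".encode(), hashlib.sha256).hexdigest()
    return f"{path}?expires={expires_at}&sig={sig}"


def check_signed(secret: bytes, path: str, expires: str, sig: str, now: int) -> bool:
    """Reject expired, tampered or malformed signed URLs; compare the MAC in constant time."""
    if not expires.isdigit() or now >= int(expires):
        return False
    expected = hmac.new(secret, f"{path}|{int(expires)}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)
```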