[liberationtech] How the Next Generation Diaspora* Should Be Built to Help High-Risk Activists

[Uncle Zzzen]

Since we're discussing "where did we go wrong with Diaspora*", I'd like to
use the opportunity to discuss something I'm working on, which is not
aiming for high-risk activism (e.g. all content is public), but addresses
other privacy concerns in the area of social networking.

I believe the main conceptual problem with Diaspora* and similar projects
is that they're trying to *imitate existing networks* and provide
"features" that clash with privacy. This mindset stems from "original sins"
of the "web 2.0" era (when data mining was declared as a good thing and the
dawn of a new era in commerce).

Maybe if people had a platform that *complemented* facebook et al instead
of trying to *compete* with them - they would gradually move their
activism-related social activity to that platform.

I've been toying with an idea I call "asocial networking". There's  a *very
partial* prototype called Mingle at http://mingle.thedod.iriscouch.com (or
bit.ly/minglecouch). The important functionality (whitelists) is still
missing <https://github.com/thedod/Mingle/wiki/To-do>, but I'll describe it
here.
It's a CouchApp. Try to suppress the snickers <http://couchappsec.couch.it/>:)
Anyway, I hope it can at least give some insight to those in search of the
holy grail of privacy-minded social networking.

A Mingle server (it can easily be expanded to a decentralized network) lets
users login and post items (similar to tweets). In order to make traffic
manageable, items will also have a topic (a text string, similar to an IRC
chatroom), but at the moment, there's only a single topic ("general", if
you peek inside the db) since there's not much activity and there's no need
to split the feed yet.

The way Mingle deals with privacy is unorthodox: Content is public, the
rest (relationships and identities) is on a "we don't want to know" basis.

*Content*
All content should be public and easy to mine by *everyone*. What you try
to "hide by proxy" (mark an item as "private" in a web 2.0 service) ends up
in the wrong hands anyway (governments, corporates), so let's give the rest
of us a chance too ;)

*Relationships*
Who I "follow/like/tag/befriend/etc." is not only a private thing, but also
very dynamic. A feature [not yet implemented] in Mingle enables you to
maintain a whitelist of users you want to "follow" *now*. This whitelist
only exists inside your browser (not even as a cookie).
The only way to import/export/save/share whitelists is via copy/paste of
their text representation (json): You can save this text to a file, share
it via mail, IM or even bluetooth it (if you're close enough). You can sign
and/or encrypt a whitelist, all this is out of scope for Mingle.
In some cases, you may even wish a whitelist to be public: list of speakers
on the debate tomorrow, bloggers/graphic-designers/geeks for some-cause,
food critics, etc. Such a list can be uploaded as a json file anywhere on
the web (web site, pastebin, etc.) and made public.
In the future, we may add integration with a choice of pastebin-like
services (pastebin itself? write something?) but as long as it's text,
premature-adopters have all the flexibility in the world when it comes to
storing, managing and sharing whitelists.

*Identity*
An account is not a person. It's a *facet* of a person. A gay Jewish
chemist with cancer needs at least four accounts. The information that two
or more of these accounts are actually the same person is a serious privacy
breach.
"Asocial networking" should allow
anonymity<http://couchappsec.couch.it/Anonymous_accountability>.
"Out of band", you can decide to associate one of your Mingle IDs with your
blog, and have another one associated with a twitter account (e.g. write
the ID in the bio). It's your call. As far as Mingle is concerned, you're
anonymous.
OpenID is the best way to authenticate users who may (or may not) wish to
stay anonymous, because it allows more than a single identity provider.
This makes it the only single sign on (SSO) scheme that does't have single
point of failure (SPOF) problems:

   - You can use different providers for different facets of yourself (no
   SPOF where your differeny facets can be integrated).
   - It's blackout resillient: If both you and the Mingle server are inside
   a "Mubaraked zone" (or even a standalone mesh net) and there's no access to
   your external provider, all you need is an accessible provider inside the
   zone. Orgs and geeks inside the zone can easily start running OpenID
   servers. Pick one, and you're back in. You don't have your previous
   identity, but you can notify whoever you think needs to know via mail, IM,
   etc.

Note: For boring tech
reasons<http://getsatisfaction.com/iriscouch/topics/support_openid_or_at_least_janrains_engage>,
what Mingle uses at the moment is BrowserID and not OpenID. To protect your
anonymity, your identification (an eMail address of yours) gets hashed with
a server-specific salt (the only secret in this system :) ). This solutin
is not optimal (e.g. because browserid.org is a SPOF), and I hope to move
the project to OpenID soon.

*How will it be used?* (example scenario):
Suppose there was a demonstration, there was violence, people got arrested,
etc.
Some org links to a Mingle topic (e.g. "Aftermath of Our Demo") and people
can join it.
The org also publishes whitelists of org staff, lawyers handling arrests,
etc. If you want, you can add them to your browser's whitelist.
Your personal whitelist would also include your friends, whitelists you got
from other orgs, press, bloggers, whoever you think is relevant.
Once in a while, you can temporarily disable your browser's whitelist (show
everyone's content), and maybe you'll find someone interesting and decide
to add him/her to your browser's whitelist. If they become boring or
irritating, out they go. Nobody would know. There's no "who unfollowed me"
;)
At the end of the discussion, the whitelist you'll have onyour browser
could be useful after demonstrations in a specific city. You can decide to
clean it up a bit and save it to a file. Maybe share it.
On the other hand, if you don't really have to, there's a reason *not* to
save it: what you don't store can't be taken away from you and mined.
Tomorrow is another day and you'll discuss graphic design of sign posts for
a future demonstration in some other city. That's a different crowd, and
you should be able to build your whitelist in realtime pretty fast.

It's still too early to tell how people will use the system once it's
finished (if at all), and what can go wrong (or right) with it, but the
source code is out there. If you're a developer, maybe you can fork it and
make it better. If you're not, you can still play with it. Your feedback is
welcome.

Join us <https://thedod.iriscouch.com/mingle/_design/mingle/_rewrite/>.
*Be*a stranger.

Respect,
The Dod


On Sun, Nov 27, 2011 at 9:22 AM, Yosem Companys <companys at stanford.edu>wrote:

> How the Next Generation Diaspora* Should Be Built to Help High-Risk
> Activists<http://liberationtech.tumblr.com/post/13377461578/how-the-next-generation-diaspora-should-be-built-to>
>

-- 
http://zzzen.com/zzzen.asc
4759 A11D 6E05 D778 4A51  A002 A758 BD37 C2C1 AEFB
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20111127/701c68e8/attachment.html>