[foaf-dev] [Fwd: [FriendFeed] Re: FOAF tweaks]

Simon Reinhardt simon.reinhardt at koeln.de
Sat May 10 16:58:45 BST 2008

Julian Bond wrote:
> The thing is there's two 
> diametrically opposed use cases and user views. The first is "find my 
> friends who are already here" allied to "Use the web for personal 
> publicity." That approach assumes openness and the ability to do 
> matching across different sites. The second is "let me use a specific 
> site in relative anonymity".

I don't think they're diametrical at all! As I said, bblfish is going in the right direction. With a widely adopted access protocol for RDF data, I can decide which pieces of information about me (especially which identities are connected to me) I want to expose to you. I don't have to make everything public by default so I retain my anonymity. But I can still let certain people (or websites) know about things. If each website uses a different URI for the foaf:OnlineAccount this will allow me to do so, they can even expose it publicly then. But if they all publish foaf:mbox_sha1sum, there's no choice for me left but to ask them to turn that off (this means I have to know about it and the consequences). But if they turn it off and there are no other ways of identifying, I can connect to it at all!
The only advantage of foaf:mbox_sha1sum is that it doesn't require the manual act of connecting. Oh well. :-)

> Like I said. Offering a switch, defaulted on, as to whether you want to 
> publish FOAF and respecting other privacy switches so that no data is 
> published in FOAF that isn't also published in world readable HTML seems 
> to work. And that isn't that hard to explain.

Even HTML is not that obvious. I was surprised to find out that last.fm put microIDs (like foaf:mbox_sha1sum but the URL also gets mixed in there) into their profile pages by request of a user in their forum. You can't see it but it's there. I asked them to provide a switch for that several times but they didn't react. The only thing I could do was remove my e-mail address from my account.

>> Probably. I don't think it's good to publish the OpenIDs people use to 
>> login or post on blogs either. When you publish an e-mail address, 
>> there are two bad things about it: you can be spammed and stuff can be 
>> related to your identity. When your OpenID gets published, you cannot 
>> get spammed, but the other problem still remains.
> Increasingly as people use OpenID delegation, their OpenID *is* their 
> home page. I really don't see the problem.

But maybe I don't want to put my homepage URL in the respective form field when writing a comment on someone's blog but I do want to login using OpenID?
Maybe I want to use the login-advantage of OpenID but not publish my homepage?

> Back to my comments at the start. One group of people relish the 
> publicity.

I see that from your signature. You're biased in one direction as I am biased in the other direction. :-)

> Lack of privacy is not a problem for them because they want 
> to be public. The opposite group of people want to be able to post on 
> the web and retain anonymity. That can be done if you really work at it. 
> Scott's comment takes aim at the naivety of the middle ground. The 
> people who think they can take part in public forums while retaining 
> privacy and are then surprised when they are actually public and not 
> private.

I see the middle ground quite differently: to me it is publishing information about me but doing so consciously and deliberately and retaining complete control over it. I decide when to connect my different accounts / identities and how to expose that to whom.
I take part in public forums and I can let certain software / sites / users take advantage of the connections I have to everything (for example a tracker that follows everything I post on the web and tells me about replies) but not the whole world.

> Back to the original issue. FriendFeed adding mbox_sha1sum to their 
> FOAF. My view is that mbox_sha1sum is good enough obfuscation to get 
> over most of the objections to posting mbox. And in practice it works 
> well enough with not much downside. I'd like to see included.

So here's my pleading. :)
foaf:mbox_sha1sum doesn't let you find out the original e-mail address but it lets you find out if an assumption about the e-mail address is true. And most importantly it is an *implicitly* public identifier as opposed to site-specific identifiers which I have to connect *explicitly*.


More information about the foaf-dev mailing list