• Print

If You Want My Trust, Give Me Control of my Data

Spock, the people search engine/social network that launched at Web 2.0 Expo, got many things right, but as Tim noted in a previous post, “This private beta of Spock exposes the tips of many icebergs, some of which have the power to sink one feature or another.” Looks like they’ve run smack into one of those icebergs during the implementation of what they’re calling Trust Networks.

I’ve received a spate of cryptic emails stating that “Person X has added you as a trusted contact on Spock. By accepting trust, you will be able to search each others’ network, share contact information, and get news.” Spock’s FAQ says, “You should only add people you are comfortable sharing your network connections with,” but doesn’t reveal how those connections are shared. What’s up?

I’m not the only one who’s annoyed and/or confused about how and why my contacts may get Spocked. Brad Templeton identifies a key issue with Spock’s approach to harvesting users’ contacts:

“We have to consider just how much we want to allow applications to ‘mail everybody in your address book.’ This started with Plaxo and Goodcontacts, which wanted to be address book managers, and now has moved into social networking tools.”

When Shelfari got heat for setting defaults to “Share my contacts,” Andrew Savikas pointed out that users and producers of Web 2.0 sites are in the process of crafting a new social contract. My social network is a subtle, fragile, and valuable asset. I want to have as much control over this social capital as I do the money in my bank account. So if a site wants my participation (and my friends’), they’ll build an architecture and set defaults that let me protect my social assets.

tags:
  • http://www.openlogic.com/blogs/author/stormy/ Stormy

    Not only does it spam all your contacts but it gives your contacts very little to go on. There’s nothing in the intro email to say what Spock does and nothing on their home page. You actually have to sign up to find out what it is!

  • http://www.stapleton-gray.com Ross Stapleton-Gray

    My social network is a network of networks. No way do I want to give anyone access to that, without a lot of oversight. And it’s very situationally dependent… around Xmas it’s distorted in certain directions, etc.

    I will likely jettison my Orkut account(s), after their little scrapbook spam escapade, and I’m doubting I’ll have much time to consider Spock.

  • http://www.gottahavacuppamocha.com Michael H

    I wonder why it seems as if these companies come up with ideas that are “all-or-nothing” propositions. I sort of mix and match my address books and contacts so I have a mixture of family, friends, and business acquaintances. While I don’t really mind my family or friends finding out what movies I watch, that info isn’t germane to work or school.

    If a company wants me to use these types of “features”, then they should make them something I’m comfortable using. They shouldn’t automatically assume I will opt in. Maybe they should let me decide who the information can be sent to. Maybe they can come up with a system that lets me describe my relationships in multiple, different ways.

    I guess an example might be someone I consider a “friend”. They may be a very close friend, a long lost friend, a friend who is touchy about certain subjects, a friend who is open to pretty much anything, and so on. They should also do something similar for family, and business contacts.

  • http://kevincurry.blogspot.com Kevin Curry

    This is a timely, important, and difficult topic being discussed from many perspectives. In Facebook it is particularly complex when your friends, people you do trust, invite you to “Do the wave,” “send a hug,” “do a personality test,” or “compete in an online trivia challenge.” Behind each of these seemingly innocuous requests is an *application.* I have yet to come across a Facebook application that did not prompt me by default to share all of my information with the application – not with my friends who I trust, but with the application and application provider. Supposedly you can uncheck permissions, but often the app will complain that it can’t work. And in any case, how are we supposed to make informed decisions with all of these new, opaque choices. This sharing of data is needed, the thinking goes, in order for the app to provide you with the wonderful service you are sure to enjoy. Sometime the “application” is just a link to a 3rd party web site. The whole thing seems like SpyWare 2.0. 10 years ago we’d have received the same type of request from a friend forwarding an email or from some other electronic free offer (remember Gator?). The only thing different in Facebook is our perception; that we are safe while we are happily granting permission to expose all of our data to every app that comes our way.

  • http://www.cosential.com Dan Cornish

    The biggest problem here is that people are trying to mix social networks with professional networks. In a company, the contact list is the property of the company, not an individual. There are MANY issues in sharing this information. The biggest problem here is context. I share my contacts depending on the Context I am interacting with them.

    The FaceBook context of college does not work with the contect of the Outlook contacts in Tim O’Riley’s address book.

  • http://www.librarything.com Tim Spalding

    I’ve love to believe this is happening, but I’m not so sure.

    When you’re “in” the club the way we are—reading O’Reilly Radar and Mashable every day, or even just living in a place like Boston or San Francisco—it can be hard to remember that social software is *social* in the most basic sense—it’s a society, not a club.

    Societies are big, diverse and mostly uninterested in themselves. I suspect that most users of social software have as much interest in “crafting a new social contract” as most Americans have of discussing political theory.

    Shelfari is an extreme case, but illustrative. It affected readers–an educated, privacy-conscious bunch. It went on for months, and if somebody hadn’t put together all the pieces and made a case out of it—that someone was me, and I’m a competitor—it would have continued. And even though they stopped the practice and got some bad press, it was certainly worth it for them.

    As an industry we don’t want to poison the well. But company-by-company I’ll bet it makes sense to.

    Maybe things will change if all of this can be boiled down to three bullets and a simple logo—”Trusting Social” or wahtever. After all, I know nothing about tuna fishing, but the “dolphin safe” logo appeals to me for the 2 seconds it takes to decide on a can, after which I stop thinking about the issue entirely.

  • http://www.ichoosr.com Bart Stevens

    Sara,
    The problem you raise (and lot’s of others lately) is what we try to solve (or at least talk a lot about ;) in “the VRM school of thinking”.
    We envision that users will regain control of their data like ID, purchase history, preferences. Not like giving “your CV” to Amazon, before you are allowed to buy a book. People call it sometimes CRM on it’s head.
    Anyway, what we do is make a lot of noise in the online and off line world about the concept described first by Doc Searls.
    Furthermore we are developing use cases and are looking into standardization.
    Feel free to have a look at ichoosr.com/blog. I have an interesting question on what values to present to vendors in the Telco business on VRM
    Enjoy Xmas !

    Bart

  • TK

    The danger of all these new pushes into the “social graph” is that the utility for the user is often theoretical or abstract while the opportunities for marketers or developers of specious services are more concrete.

    The icebergs Tim sees in Spock are similar to icebergs appearing all over the web. With everyone under the sun racing to turn their existing services into “platforms” I think we’ll all suffer from inundation as the bottom feeders in our address books/social graphs become vectors for whole new categories of difficult to filter junk and spam.

    In many cases, perhaps the problem isn’t that users don’t have enough “control” over their data, but that they have too much and are willing to opt that control over to less reputable parties.

    Google has taken a small but revealing misstep with its poorly considered new Google Reader sharing implementation which mines your gmail contacts to auto-subscribe other users to your shared items – imposing a new social aspect (with limited opt-out functions) to a service that previously offered the same functionality on a granular, user-defined basis, pissing off a lot of legacy users. It would appear that at Google, your address book and gtalk contacts are becoming a new social network.

  • http://webandlife.blogspot.com Andy Wong

    Though Web 2.0 services like social networking is about openness. However, many service providers always tried to make your privacy to be open, at least to the providers in order to explore business opportunities. I think, it should be only about platform openness, not privacy openness.

    The fact is, when your private info goes to the server of the service provider, your private contact info is under the mercy of the provider. There’s not yet regulations governing the service providers to adequately protect your private data. For example, how can you be sure that your private data got deleted after you close the account? no yet regulations, no independent auditor. I heard a few times that startup companies stored passwords in plain text, and hackers just pick them up. Obviously when a company has no basic skills of protecting password storage, the company will not protect their own computers well, and any commitments to users’ privacy will be just null.

    The industries should come up with standards/protocols of protecting user privacy, with enforceable measurements, and the law makers should also follow up.

    The platforms can be more open without boundary, however, the disclosure of my private data should be well regulated and moderated. It is not realistic to expect/educate all internet users have moderate common scenes of protecting their own private data when using social networking. Industries and regulators should do take more care for public interests.

  • http://www.etelos.com Scott Smth

    I agree, but I think that this is more about data ownership and not just trust. I should own data about me – just as a Hollywood star owns their image/likeness.
    Right now I get all kinds of email, marketing materials and daily letters that want me to refinance (how do the know how much my mortgage is!) – people are profiting on data about me (or my social network in the example above.) I should control who has access and when they can use it. There is a big business selling data about us, and we do not profit.
    In the Web 2.0 world we should try to break that – I use your hosting and services and you can use my data for specific things. If this is part of a trust network, good, you made that decision – but did those in your contact list agree?
    I got an invite from Plaxo the other day from a friend – when they wanted to upload my outlook contacts and my linkedin list. I stopped. I did not really know at the time what was in store for me if I did upload my contacts, and I’m guessing my friend did not know either.

  • http://spock.com/maia Maia Bittner

    Hi Sara,

    This is Maia, from Spock. I know Jay, our co-founder, e-mailed you personally to explain why
    there have been so many trust requests. I just thought I’d update you to the latest changes we’ve made to the site in order to reduce the number of emails being sent to people, especially by people they don’t even know.

    As a first step, we’ve removed any pre-checked boxes from our address book import process. We want all invitations that go through us to be very deliberate. We’ve also changed the process so that there are clear markers by everyone in your address book that has already signed up for Spock.

    There we also two changes we made for non-users based on the feedback we’ve received. The first is that we are no longer sending trust requests when the requester does not know the email address of the person they are requesting trust from. Instead, these requests are stored on the site for when (if) that person signs up. We also include an unsubscribe link at the bottom of all emails sent to non-users, so that anyone can unsubscribe if they don’t want to receive any more emails from Spock.

    The above changes will be implemented next week.

    We are working very hard to avoid excessively emailing people. We did not anticipate our users being so aggressive! As the next step, we are looking to implement throttles and digests as a way to still do what our users ask, while not annoying everyone else ;) If you have any suggestions on ways to avoid unwanted emails, please do let me know, either here, or personally.

    Best,

    Maia

  • http://boinkinchipmunks.com thacker

    Will say two things about the social networks, aka Web 2.0, they don’t think things through as much as they should. Two, this type of learning curve is necessary prior to any breakout and implementation onto the Net.

  • http://tim.oreilly.com Tim O'Reilly

    Maia –

    You’ve got to be kidding. You guys actually implemented a feature where you were emailing to “contacts” where the person requesting the email didn’t have their email address. That’s either incompetent or reckless. I keep getting mail from you guys about how various users have made mistakes, and how it’s not your fault, but it sure seems like you guys have done a terrible job of designing your system to prevent abuse.

    This shouldn’t have to wait till next week. Just TURN OFF all your outbound email functionality until you get this fixed.

    Protestations that “we didn’t send out this email, our users did” just don’t cut it. Logic to prevent wholesale spamming is trivial to add to an application. If you give your users the power to spam everyone whose contact information they have, some of them will use it. If you give them the power to spam people for whom they only know the name, and don’t even need the contact info, all bets are off!

    I love the idea of spock. I could really use a people search engine. But you guys are really losing any credibility.

  • http://radar.oreilly.com Sara Winge

    @ Maia: What Tim said. I also think part of users’ frustration is that, in its current implementation, Spock has some “worst of both worlds” aspects of both a search engine and social network. Like a search engine, it aggregates information about me that I can’t easily control or influence. Like a social network, it wastes my time with unasked-for email from people in a broadly defined set of contacts (I got a trust requests from someone to whom I sent one business email, three years ago). If I feel like you’ve misused my information, I’m not likely to use your service and get any benefit from the collective intelligence you’re attempting to gather.

  • http://www.scottconverse.org Scott Converse

    I have to agree that ‘being Spocked’ has become a new negative term for having your social graph violated. How about having dictionary.com add something like:

    Spocked
    -verb
    1. verb of unsavory website called Spock
    -adjective
    2. To have your email friends spammed.
    3. To be tricked into revealing contact information to friends, family and colleagues.
    4. To receive a vague email from a friend, family member or colleague inviting you to ‘join their network’ when none exists.
    5. Slang. To have your personal information and social network violated by a unscrupulous web 2.0 startup.

    I, too, was tricked into giving them access to my gmail that Spock then used to sent an obtuse message to a couple of hundred of my associates implying I was ‘inviting’ them (when I did no such thing).

    I think this kind of activity on the part of anyone claiming to be any kind of social network is, in my book, business death.

    I’ve already bogged about this and I plan on letting everyone I know, whenever the opportunity arises, that Spock (and any other system that uses inappropriate mining of MY personal data) should be avoided at all costs and in all ways.

  • http://buzzmachine.com Jeff Jarvis

    Tim,
    Amen. I got Spockspam and had a fit and asked to be forgotten in all ways possible by the service. They’ve already ruined themselves with me. They’re Plaxo, the Sequel.

  • http://www.spock.com/Andrey-Golub Andrey Golub

    Tim,

    from what do I know, after such strong comments like you’ve done, Spock guys have stopped all their R&D and developments and have been concentrated exactly on this feature for some time.
    and they have fixed it in a very record time!

    why do I think so? ‘coz I actively participate in the Spock Power Users working group, the place for Brainstorming 2.0 where Spock guys present to us (early adopters and supporters) their new features (or even the ideas not yet implemented), to perform brainstorming and find the best ways to solve the strong problems like the one indicated here by yourself and the other commenters.
    So the project road-map for Spock is in big part defined by its Community, so it could not be optimized, like someone here stated, against the community itself and be anti-social!

    and of course I am sure that the email spam issue that occurred was not intentional. How could a very 2.0 company like Spock intentionally make some thing that won’t be forgiven and forgotten by community?
    of course it was a feature too quickly put to production… I am also sorry about that and I hope Spock won’t repeat once anymore this mistake.

    then also from what do I know following Spock as active contributor to Brainstorming forum and Facebook fan Club :), is that the guys have fixed everything real quickly (with 2 days of this blowing up). I’d not judge the whole project so strongly after one problem happened and immediately fixed…

    let’s follow the future developments instead!

    Warm Regards,
    Andrey Golub, http://www.spock.com/Andrey-Golub

  • Steve Holt

    What’s even more annoying is this isn’t just limited to Spock. I mean, I recently got an email from someone I haven’t heard from in years! Sure, they had my email address from when they knew me in college, but we need ways to stop people like that. What’s worse, I’ve been getting “invitations” and “messages” from other MySpace users who don’t even *have* my email address!

    If someone could somehow invent a service where I could only get emails, messages, and any other electronic contact only from the people I want, but still let me use the sites I want, that would be a gold mine. If they could also prevent anyone from “Googling” me, that would be even better.

    I would write more on this, but I just got a phone call from my old, long-lost college roommate … man, it’s good to hear from him!

  • http://www.infakt.pl Wiktor Sarota

    In Poland we’ve got similar problem with polish “facebook” – nasza-klasa.pl about privacy. Someones stole all of data which people show, but they didn’t really know about adger. (all data are available on one site – numerygg.pl- site about contact to polish icq)

  • http://www.michaelramses.com Tech

    Regulations governing the service providers to adequately protect your private data.Example how can you be sure that your private data got deleted after you close the account.No yet regulations no independent auditor.