Tuesday, January 13, 2009


I don't get Facebook

That’s not entirely true. I get the whole “portal” concept, which has been around for a while. Facebook, and the similar services such as MySpace, collect a bunch of things in one place and give users a consistent view of it and a single place to go to find it. You can plug in your “friends”, and have one place to go to communicate with them, share things with them, see what they’re up to, and so on.

And if all of my friends use the same social networking service, and I consider all of my friends to be equal to each other, it works.

Only, they don’t, and I don’t. And that’s the part I don’t get.

My IETF colleague Eliot Lear has just joined Facebook, and his initial comments echo some of what puzzles me about it.

First, I have to buy into their security model. Do I like the idea of using a single identity and authentication for everything? As I operate now, I use separate authentication for email, instant messaging, blogging, and photo sharing — though Google is making its own play at blending them, if one uses GMail, Google talk, Blogger, and Picasa. Is it better to keep them separate, or to tie them all together?

Conventional security wisdom dictates keeping them separate, so that if one is compromised they aren’t all, and that one doesn’t accidentally leak things from one to another — one logs on to what one needs, and not to the others. Only, do I — does the average Internet user — need that sort of separation? Probably not; probably, most users are served well by having a single login. In fact, it’s arguably better: less logging on means less opportunity for one’s password to be compromised.

Of course, Eliot wonders about the authentication mechanism and the use of passwords in the first place, preferring better mechanisms. I agree, but I have two comments:

  1. Facebook certainly isn’t the only problem here, nor the worst. Google’s services also use password logins exclusively. So do most banks and credit card companies. So does PayPal. So do most Internet vendors. We have a long way to go to fix this.
  2. There’s technology that’s been (and being) developed to allow cross-service collaboration without revealing login credentials across the services. It’s called OAuth, it’s currently in use by such as Google, Yahoo!, AOL, and MySpace, and it’s been brought to the IETF for standardization.

But that brings me to the question of authorization and access control. If something like OAuth allows me to use my login on one service to do something on another service, that starts to blur the boundaries even more. Again, it’s something that most Internet users won’t care about — something that will, in fact, be helpful to most users — but it makes it ever easier for someone to do “social engineering” to trick people into giving up personal information and giving access to personal and financial web sites.

Then, too, there’s the question of controlling access to the information I’m making available. Most access control on the Internet is too broad. I usually have but three choices: make things on “site X” private, make them public, or limit access to a specified list of users. I usually can’t give different access to one item from a site than to others. If I post two photos to Flickr, for example, I can’t limit access to them to different sets of users. These pages, on Blogger, are either all public... or all not.

Different sites, though, give different options, and by using different sites (and even multiple identities on some of the sites) I do have more options. Putting it all on a single social networking site seems to take much of that flexibility away.

And that’s something that some people, at least, care about, as we saw when Facebook tripped on its own feet with its “Beacon” feature (and here). Even among one’s friends, one has information that one is willing to share with some, but not with all. And many people turned out not to like it when Facebook unilaterally decided that it would start sharing something new with their “friends”.

Beyond the security model is the question of whether I have what I need already, with the services I use. Or, as Eliot puts it:

Why is Facebook even necessary? Isn’t this what we want the Internet to be in general? Why should this form of communication be limited to one site? For one, people are tired of spam on the Internet and so they are looking for an email replacement. Beyond that, having one’s own web server is a royal pain in the ass. But moreover, the comment I got more than once was that a blog is isolating. Why is that? What makes this blog isolating as compared to Facebook?

I certainly feel no need for it. I share what I’ve chosen to share, and I communicate as I choose to communicate. Isolating? Not at all: people can and do comment, as I comment on the blogs of others. Nothing isolating about that.

On the other hand, people who want to find me need to know where to look. Coming here and reading these pages doesn’t automatically get you my “tweets” (no, there are none; I’ll have another post about Twitter soon-ish), my email address, my IM identities, or my Flickr photos. Some of these are accessible from here if you look around (email and Flickr, for example), but it’s not automatic, not all in one place. And if you have dozens of friends like me, you don’t get all of us in one handy portal.

But what do Facebook users do when some of their friends are on MySpace, not Facebook? Or LiveJournal or Friendster? With many social networking sites around and no standardization, no bridges, no interconnection among them, it’s hard to be sure you can collect all your friends in one place. Maybe it works for a bunch of kids in the same school class, or folks in the same office or coffee klatsch. But it doesn’t work so well in the wild world of the Internet as a whole.

It also doesn’t work well when people have multiple roles and exist in different communities. I have some friends who use LiveJournal who don’t read these pages because they can’t get them in their LJ feed — which is how they read all their friends’ writings. Other colleagues and acquaintances tell me about MySpace, others talk of Facebook... since we’re not all on the same social sites, we don’t actually get everything in one place.

Worse, we can’t see everything even if we go look for it. If I want full access to what my Facebook friends want to share with me, I have to join Facebook. It is, of course, how each site differentiates itself: by getting as many members at it can. From that point of view, it’s arguably not in any of the social sites’ best interest to have standard linkage among them.

In the end, I think it’s a question of the way we’ve each gotten used to using the Internet and its tools. Certainly, whether I get it or not, users of the social networking services love them. And that’s probably the bottom line.


Thomas J. Brown said...

I don't remember where I first read this, but it's certainly true: the built-in downfall of every social networking site is obligation. When that friendly-but-annoying coworker sends you a friend invite on MySpace, you have to accept it in order to keep the peace at work. Then Facebook comes along and you see your opportunity to start fresh and ditch the "friends" you aren't really friends with. That works for a while, until your coworker finds out about Facebook...

lidija said...

Errr... I don't know what to say. For someone who uses FB quite a bit and who "gets it" and who has found many many old friends there and, as I have lacked the time and the energy to find them all around the world after all the moves, real and virtual and who loves finding all the info in one place - it works. If I don't want FB collecting sensitive info, I email people via regular email. If I don't want my coworkers (who are also FB friends) to see me in a beach photo, I don't post that picture there. It's not too complicated. And I don't have to tell FB anything I don't want. I think it's generational so I see my age and younger embracing it more (I don't know how old your friend is). Re: blogs being isolating, they are, relative to a community discussion board, no? But it's not the same as FB so I don't understand the comparison. Also I've never checked out other sites (except to say MySpace had very annoying and overbearing web backgrounds).

Barry Leiba said...

«If I don’t want my coworkers (who are also FB friends) to see me in a beach photo, I don’t post that picture there.»

I think that really is my point: I’m not sure how well it works if you have “bff”s, college buds, co-workers, family, neighbours, and so on, and they’re all “friends”... but they’re clearly not all equal in how you want to treat the information you share with them. Sure, you can just post things to FB that are OK for the greatest common factor, but that’s limiting, and doesn’t seem to be the way FB is meant to be used (or generally is used).

And if you do that, then how do you share those beach photos with youf bff types and your family, without also giving them to your co-workers? You can email them, of course, or post them somewhere else... but then it’s no longer all in one place.

It seems to me that FB and its ilk work best for the youngsters, who pretty much seem to be willing to share everything freely. Will their habits remain over time? Or will they start wishing they could be more selective? And you’re alread not using it in the typical way, if you’re withholding photos and using out-of-system email to communicate with FB friends.

The thing is, it’d be very easy to add flexibility by allowing user-defined categories. “Friends”, as it is now, can certainly be a default catch-all category, and maybe most people will never use anything else. But those who want to can create others, like “co-workers” and “college” and “neighbours”, and then decide which category to put people in when they friend them. Then a photo (or journal entry or tweet or whatever) could be tagged for “friends” and “college”, but not for “co-workers” or “neighbours”. And, of course, some people would be in both "friends" and "neighbours", for example.

I suspect that the reason they’re not doing that is that there’s little demand for it. And that’s the part I really don’t get.

lidija said...

I would rather not keep track of the types of friendships. Too much work and every once in a while you have to redefine... 300 or 2000 people (like some extremes among my friends) - that's a lot of work. FB does ask you how you know someone and that's optional but there is no set category so you can say "met while looking for a restroom at Marti Gras" / "had a short, ill-fated fling" and other nebulous ones. Also there is family and there is family. I have cousins' kids on FB who probably should steer clear of sharing some of what they do with me, but I guess then they'd have to subdivide me into "old, not-cool family" from the rest. I think maybe we just need to be more selective about posting. I think more people have issues with others posting their pictures in some undesirable situation and tagging it (thus flagging everyone in their network). You can de-tag in fact.

W.M. Irwin said...

At present, I have four "friends" on Facebook, and they are all close family members. Yet, I get all of these strange pictures of people I don't know, as well as suggestions on the part of Facebook for complete strangers who are supposedly linked by Facebook, either directly or indirectly, with my official "friends". I don't get Facebook either. I can do more with social networking simply by going to my local Starbucks and talking with people at random. Also, I have different levels of intimacy with different people, and my communications on Facebook would seem to imply a drift toward the "lowest common denominator". After all, we're not all one big "happy family", are we? But that aside, Facebook may serve a useful function in connecting people who have lost touch with each other. Once the connection is reestablished, though, I suggest the reunited parties use a better forum such as a e-mail or a blog (with access restrictions, if desired). Otherwise you're just putting out personal stuff for strangers to read.

Frisky070802 said...

You should take a look at the very interesting post on
10 Privacy Settings Every Facebook User Should Know