How are your girls? Privacy leakage in information flows

March 5, 2010

One-way privacy settings are about as private as whispering to someone who insists on responding loudly (and often paraphrasing your whispers for good measure). So it is surprising that most, if not all, social networks allow one to specify the privacy of conversations flowing one way (those initiated by you) but not also of those flowing the other way (those initiated by others and directed at you).

Update: The New York Times has a piece that raises similar issues to my post. Here’s the relevant quote:

Yet an individual’s actions, researchers say, are rarely enough to protect privacy in the interconnected world of the Internet … You may not disclose personal information, but your online friends and colleagues may do it for you, referring to your school or employer, gender, location and interests … “Personal privacy is no longer an individual thing”

Polygamous Pimps

In response to a recent tweet in my buzz stream, a friend buzzed back:

“How are your girls?”

This particular buzz was public, which automatically meant all responses to it were public, including the utterly innocent question “How are your girls?”. Regardless of how air-tight my privacy settings in Google Buzz were, one can immediately infer some things about me: that I “have girls”. Most people would correctly understand that I am a father, though more creative readers may assume polygamy (or that I am a pimp).

Whatever your creative conclusions, one thing is for sure: this was an inadvertent leakage of my private details, caused by an inadequate online privacy model that largely regards privacy as flowing in one direction (uni-directional).

I am the captain of my ship. I am the master of my destiny.

Not when it comes to privacy, oh no!

Imagine a close friend bumped into you in a crowded elevator and asked how your new Viagra regimen is going. From a privacy standpoint, you might as well have worn a Viagra costume to work, because the net effect is the same: an inadvertent leakage of your privacy. Assuming your friend had no ill intent, it is likely he was simply socially inept and did not realize the privacy implications of his question.

It is clear, then, that we are neither captains of our privacy ship nor masters of our privacy destinies. Why, then, do most social media sites continue this illusion? Some sites allow you to specify an outgoing post as being private (Google Buzz example below):

Privacy settings in Google Buzz

Two way street

As far as I can tell, no social site or app allows one to specify that conversations involving certain people will always be private, regardless of who initiated the conversation. This model of privacy correctly views information flow as a two-way street (bi-directional), with privacy leakage capable of happening in either direction (you directly revealing your private information, or someone else revealing your private information while in conversation with you).

A number of chat applications implement such a privacy model in their “Off The Record” (OTR) features. Here is an excerpt from Google Talk’s description of their implementation:

We know that sometimes, we don’t want a particular chat, or chats with a specific person, to be saved … when chatting in Google Talk or Gmail, you can go “off the record,” so that nothing typed from that point forward gets automatically saved in anyone’s Gmail account.

… once you go off the record with a particular person, you will always be off the record with him or her, even if you close the chat window, and the two of you don’t chat again until several months later … We’ve designed this to be a socially-negotiated setting because we want to give users full disclosure and control over whether the person they’re talking to can save their chat. — What does it mean to go off the record

Wishful thinking

  1. I want to be able to go OTR with specific people, so that “nothing typed from that point forward gets automatically saved in anyone’s Gmail account.”
  2. I want this to be a “socially-negotiated setting” that does not make my privacy dependent on the technological awareness of my conversation partners.
  3. I want this setting to be persistent across all conversations involving specific people, whether one-on-one or in group conversations. Given the tight integration between Buzz and Gmail, it is not much of a stretch to imagine a situation where a family member asks deeply personal questions in the midst of a public buzz stream involving my work.

In short, I want bi-directional privacy settings that work.
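The difference between the two models, sketched as an added example (not code from the original post or from any Google product). The `private_with` setting, the class and function names, and the sample messages are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

PUBLIC = None  # an audience of None means anyone may read


@dataclass
class User:
    name: str
    # Hypothetical per-person setting: exchanges with these people stay private.
    private_with: set = field(default_factory=set)


@dataclass
class Message:
    sender: User
    text: str
    audience: Optional[frozenset]          # the sender's own outgoing setting
    reply_to: Optional["Message"] = None


def pair_is_private(a: User, b: User) -> bool:
    # Socially negotiated: either party switching it on binds both directions.
    return b.name in a.private_with or a.name in b.private_with


def audience_unidirectional(msg: Message) -> Optional[frozenset]:
    # A reply inherits the audience of the post it answers.
    return audience_unidirectional(msg.reply_to) if msg.reply_to else msg.audience


def audience_bidirectional(msg: Message) -> Optional[frozenset]:
    # Same as above, unless the two parties are private with each other:
    # then only they see the reply, whoever started the thread.
    if msg.reply_to and pair_is_private(msg.sender, msg.reply_to.sender):
        return frozenset({msg.sender.name, msg.reply_to.sender.name})
    return audience_unidirectional(msg)


def can_read(viewer: str, msg: Message, model) -> bool:
    audience = model(msg)
    return audience is PUBLIC or viewer in audience


# Constructed sample: a public buzz and the reply quoted in the post.
me = User("me", private_with={"friend"})
friend = User("friend")
buzz = Message(me, "constructed public post", PUBLIC)
reply = Message(friend, "How are your girls?", PUBLIC, reply_to=buzz)
```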

How about privacy leakage in conversations not involving me (from other people, to other people)?

Well, that’s a whole ‘nother can of worms.