Talking About Your Friends (in FOAF)

Submitted by sandro on Mon, 2006-02-06 23:23.

Last week I took my first serious stab at making a FOAF file for myself. I found myself in the middle of a couple of social problems.

Naming My Friends

I have 123 "friends" on orkut -- people who have acknowledged they are my "friends". The orkut terms of use are pretty clear:

As an orkut member, you can create a profile or orkut community that includes personal information, such as your gender, age, occupation, hobbies, and interests, plus other content, such as photos. This information may be accessed and viewed by other orkut members.

So my friends have no expectation of privacy, right? But in a quick survey of 31 friends, only 55% said they were okay with me saying in my FOAF file that I knew someone by their name. (That is, just saying { sandro:sandro foaf:knows [ foaf:name "John Smith" ]. }) Only 39% said it was okay to include a secure-hash of their mailbox. 13% said I could include the plaintext as well.

Maybe I didn't ask the question well, but I suspect the real problem is that no matter how well people understood the situation, no one really understands it. No one knows what threats to them might materialize from me listing them in my FOAF file.

A friend of mine asked the question differently in a parallel survey, saying

Imagine one of your friends posts a list of their friends' real names. Nothing on the page ties your real name and online identities together, but your real name and your friend's real name are now on one Googlable page. Are you upset with your friend?

65% of his sample (which was also 31 people, but different people) said "No", they were not upset. 30% were "Not Sure" and the rest said Yes.

So I think the answer is: only list people when you have their explicit permission. I think people who have their own FOAF file probably can be assumed to be granting permission. Maybe it's best to just convince people to make themselves a FOAF file (via whatever service provider they like, which hides the details).

Protecting Pseudonymity

Meanwhile, I have about a hundred livejournal friends. They present a different problem. Livejournal already publishes a FOAF file listing them. It has several problems (like using bNodes instead of URIs to name people), but here's the real problem:

How do I relate my livejournal identity to my professional identity? Do I link to people's LJ identities from my work-related FOAF file? 38% of my polled population said "no". But, oddly, 35% of them (i.e. all but one) were okay with me linking to my own LJ identity, making them two hops away.

How much do hops count in the semantic web? Not much, I think.
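To make the hop question concrete, here is an added sketch (not code from the original post) that measures how far a pseudonymous friend sits from a work identity, first when the work file links the journal with foaf:knows, then when the two files merely carry the same foaf:mbox_sha1sum (FOAF's property for the hashed mailbox). All node ids, names and addresses are constructed, and the dict layout is an assumption standing in for parsed RDF.

```python
import hashlib
from collections import deque

def mbox_sha1sum(address):
    """foaf:mbox_sha1sum is the SHA-1 hex digest of the full mailto: URI."""
    uri = address if address.startswith("mailto:") else "mailto:" + address
    return hashlib.sha1(uri.encode("utf-8")).hexdigest()

# Constructed sample data: node id -> properties. All names are made up.
LJ_FOAF = {
    "lj:pat_journal": {"mbox_sha1sum": mbox_sha1sum("pat@example.org"),
                       "knows": ["lj:quietfriend", "lj:otherfriend"]},
    "lj:otherfriend": {"knows": ["lj:stranger"]},
}
WORK_LINKED = {"work:pat": {"knows": ["lj:pat_journal"]}}  # explicit foaf:knows
WORK_HASHED = {"work:pat": {"mbox_sha1sum": mbox_sha1sum("pat@example.org")}}

def smush(*docs):
    """Groups of node ids that share an mbox_sha1sum, i.e. the same person."""
    by_hash = {}
    for doc in docs:
        for node, props in doc.items():
            if "mbox_sha1sum" in props:
                by_hash.setdefault(props["mbox_sha1sum"], set()).add(node)
    return [sorted(group) for group in by_hash.values() if len(group) > 1]

def hops_from(start, *docs):
    """Hop count from start to every reachable node, after merging identities."""
    alias = {node: group[0] for group in smush(*docs) for node in group}
    canon = lambda node: alias.get(node, node)
    graph = {}
    for doc in docs:
        for node, props in doc.items():
            targets = graph.setdefault(canon(node), set())
            targets.update(canon(t) for t in props.get("knows", []))
    dist, queue = {canon(start): 0}, deque([canon(start)])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist

if __name__ == "__main__":
    print("linked:", hops_from("work:pat", WORK_LINKED, LJ_FOAF))
    print("hashed:", hops_from("work:pat", WORK_HASHED, LJ_FOAF))
```

With the explicit link the friends are two hops out; with only the shared mailbox hash the work and journal nodes merge, so the same friends are one hop out even though neither file links to the other.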

I heard a few interesting stories in response to my poll. People seemed concerned about losing their job if they were too public about their blog. It's okay to write "my employer sucks" if and only if the reader has to do some real work to figure out who your employer is. One friend mentioned having a job where the appearance of neutrality is important, so having an opinionated blog is fine if and only if their name is not obviously associated with it.

I'm reminded of Judge Jackson's "appearance of partiality" mess that helped save Microsoft.

So what's the right course of action? I could just avoid linking to LJ. I could link to a few people on LJ — including myself — with foaf:knows. So I know a few of the threats now. I don't really know the benefits, though.

Benefits?

Oh yeah. What is the Use Case for FOAF?

The most ineffable is whatever compelled me to build that orkut list in the first place, to surf around my friends to find the people I had missed, to discover the back-door connections between people. To search my brain (and computer) for everyone I knew.

In Guns, Germs, and Steel (page 271) Jared Diamond writes:

In traditional New Guinea society, if a New Guinean happened to encounter an unfamiliar New Guinean while both were away from their respective villages, the two engaged in a long discussion of their relatives, in an attempt to establish some relationship and hence some reason why the two should not attempt to kill each other.

Maybe this is related. Is that a trust-network issue?

More concretely, can I use the network of who-knows-who to figure out how much to trust people? This is the basis of friendster as a dating service, and the friends-network part of okcupid.

If I learn a little bit about someone -- they send me e-mail, or we're briefly introduced -- it's tempting to look up information about them, and to ask around about them. Does that really produce better results? I doubt it. It just reinforces my prejudices.

The most concrete thing I want from FOAF is convenient access control. This is one of the things LJ does; of course Flickr learns about your friends for this reason, too. But they should both just be using the same data, right? An open standard for telling systems who you trust to see and do certain things.

But I think I'll have to name them by their pseudonym, pointing to their web presence -- whatever it may be -- instead of what I know about them from the so-called real world. It's not people we should be talking about, it's personal sites / blogs / personal-points-of-web-presence. Fortunately, this is exactly how OpenID works.

Hmmm. Sounds like the next post might just have to be foaf:Person Seen As Harmful.