Rainblog

Going back over my post about Google Social Search, which I wrote in haste last night after the new feature was pointed out to me by a somewhat agitated friend, it looks to me as if I may have been wrong about some of the pitfalls of the new system.

The potential privacy killer is the exposure of private second-order contacts. But re-reading Google’s documentation more closely today, it turns out that Google already has a notion of ‘public’ and ‘private’ contacts. ‘Private’ contacts include your Google chat list and Google contacts, and according to the documentation, these are not shared, and will not be used to “expand your social circle”. So it looks as if the sky may not be falling after all.

I apologize for misleading you all, and for maligning Google. It seems that they have learned something since Buzz.

But systems such as Social Search are not risk-free. Google’s position is that they don’t make anything public that wasn’t already public. That’s as it should be, but it’s worth bearing in mind that what Google is doing is to make obvious what’s already public. Yes, all the individual links that make up your implicit social graph may be ‘out there’, but most people won’t necessarily connect all the dots. Tools like Social Search take the complete picture and dump it in your lap.

It’s easy enough to dream up scenarios in which that can still turn around and bite you. Your strait-laced Aunt Hettie may enjoy visiting your personal website full of kitten pictures, unaware that you’re also an active member of a flourishing bondage’n’spanking online community. The day that you inadvertently create a graph link that spans your separate personae, Google Social Search is going to make all the connections and give Aunt Hettie something to think about over her breakfast coffee.

You did it to yourself, says Google. All the information was there. We just put it all together. They’re right, but that doesn’t mean that it isn’t a problem. In general, people aren’t good at thinking about what you might call the calculus of privacy: what connects to what, who has permission to see what, and how they interact. Part of it is that we just don’t think that way yet. But part of it is that the rules keep changing. Just when you think you’ve got it figured out, Google (or whoever) will add a new way of inferring connections and suddenly the whole shape of the graph has changed in ways you never imagined.

There’s another problem. Tools for managing this new ball of wax are either non-existent or ill-adapted. Google says proudly “You control who is part of your circle”, and goes on to list ways that you can do that. But the suggestions seem to amount to changing the social graph itself by removing a person (or a network). If you detect a potential exposure, the recommended fix is to take a machete to your social network.

This seems unsatisfactory. Tools designed for one purpose - such as managing your social network - are usually inadequate for another - such as protecting your privacy or controlling your online persona. If your connection to your friend Joe reveals something about you that you don’t like, Google’s answer is that you should break that connection. But when you do that, you lose whatever functionality comes from the connection.

Let’s make that more concrete with an example (not a privacy example this time, but analogous problems exist in that space as well). Suppose Joe tends to write embarrassing drunken rants on every subject under the sun. Each time you do a search, Google’s Social Search feature brings up a couple of Joe’s inebriated screeds, which may not be what you want even when the boss isn’t looking over your shoulder. But Joe’s in your social graph, and the only way to get him out of there is to remove him from your chat contact list and your Gmail address book. To manage one feature - Social Search - you’re forced to reduce the utility of two others - chat and email. Surely that’s not the way it’s supposed to be.

Connections in the social graph are overloaded. Applications built on social networking such as Google Social Search assign a ‘meaning’ to those connections that may be quite different from the ‘meaning’ intended by the user. The connections that the user creates end up being used in ways that he or she did not anticipate or intend, yet there are no tools available to let the user correct or control the way that the graph is used or interpreted. The only tools provided are tools for editing the graph itself.

It’s unrealistic to think that we can stop Google or Facebook or anyone else from adding new whizzbang features that stitch together what people reveal about themselves online and use it in ways that we never anticipated. It’s also unrealistic to think that we can ever predict the ramifications of putting any single piece of information out there (or, equally often, having it put out there by someone else). But there ought to be a middle-ground between withdrawing from online life entirely or accepting that our online persona - the sum total of information that can be learned about us online - is completely out of our control.

If someone like Google wants to think about how to build tools to give users real, flexible control over their personal information, that will impress me a great deal more than their questionably-useful Social Search.

[CORRECTION: This post contains a significant error, which I explain in this post. But while the issues with Social Search aren’t as bad as I claim here, it’s still not problem-free.] 

Remember the Google Buzz fiasco? In their eagerness to roll out their latest whizz-bang new killer feature (by the way, does anyone still use Buzz?), Google didn’t bother to think about - or deliberately chose to ignore - the potential privacy implications of their model and ended up exposing everyone’s contacts. A predictable outcry followed, and Google was forced to walk it all back and put in the protections that should have been in there from the start.

But that’s all in the past now, and Google have learned their lesson, haven’t they? Well, no. Because now they’ve launched Google Social Search, another exciting innovation we didn’t need that … leaks all your contact information all over again.

How does it do that? If you’re logged in when you search for something, Google will show results that are somehow related to your ‘social circle’. Google assembles your social circle by the usual connectivity voodoo - digging through your Gmail contacts, your Google reader subscriptions and so forth. So far, there’s no great cause for alarm. But Google also includes second-order contacts - friends of your friends - in the results. And that’s where the trouble starts.

To illustrate the problem, suppose you are a married man who has been secretly carrying on with the local femme fatale. Your wife does a search for that charming little restaurant where you celebrate your wedding anniversary, and uncovers a glowing review written by that shameless hussy, accompanied by a helpful note from Google explaining that she shows up in the results because she’s a friend of yours. Marital ructions ensue.

Or you’re considering leaving your job at WidgetCo and have been sending out copies of your resume. When your boss searches for something, his social search results suddenly include half a dozen recruiters and the CEO of rival GadgetCorp, all tagged as contacts of yours. Problematic, no?

The possible scenarios go on and on. Subscribe to a mailing list for wombat fetishists? One lucky search hit and the whole world can know about your fondness for those winsome marsupials. And so on. And so on.

Friend-of-a-friend (FOAF) leaks are one of those nasty social networking gotchas that most users don’t think about. Apparently Google didn’t think about this one either because - even after the Buzz mess - they went ahead and engineered it straight into their new baby. What they didn’t do, of course, is provide any way for you to opt-out. There’s no mechanism for saying “No, dammit, don’t expose my list of private contacts to all my friends.” And unlike Buzz, which at least you had to start using before it could out all your contacts, Google Social Search will go ahead and expose your friends without you lifting a finger. I guess they call that progress.

So here we go again. Once again, we need to make a noise and get Google to undo their latest piece of thoughtlessness before it starts messing up people’s lives.