[Freedombox-discuss] FBX Privacy Enabled UX

Wed Apr 4 05:49:57 UTC 2012

Hi DKG,
Thank you for the comments

> On 04/03/2012 02:11 AM, Fifty Four wrote:
> > My proposal is that the
> > FBX issues the name (another layer of pseudonymous names) thereby
> > protecting peoples comments being printed/screenshot by an informant,
> > i.e. a contacts real name is never beside a contacts comment -
> separate screens.
> 
> I don't think this is a realistic proposal, and even if it were
> realistic, i don't think it would be a good tradeoff.
> 
> Realism:
> --------
> 
> Free software is about freedom.  A would-be informant could always be
> free to modify their freedombox to show whatever they wanted to show
> instead of some enforced layer of identity obscurity.  Sure, you might
> have this layer on your own freedombox, but you can't require our
> hypothetical informant to run the same obscurity layer.
An informant is free to change the software, but the burden of proof would rest with the informant that he did it correctly and not merely create a forgery because the accused/mainstream have a different UX.

> 
> It's also worth remembering that (a) screenshots are not iron-clad
> proof because they're trivially forgeable, and (b) an informant doesn't
> even need a screenshot to snitch at all.
(a) False Accusations can be easily dismissed. (b) The accused can deny it if there is no proof.   

> 
> Tradeoffs:
> ----------
> 
> Even if we could enforce this layer of identity obscurity, and limit
> ourselves to attackers who inform by taking screenshots, it would mean
> producing a tool that takes more cognitive effort to use safely and
> securely.  Is "Blue" my sister, or is it that colleague from work who
> i'm currently frustrated by?  This is a high cost to pay, especially if
> the goal is to make a tool that "just works" for regular humans.
I agree it takes more cognitive effort and that's the reason I posed the email as a UX question. Is the extra assurance of privacy worth the cognitive effort? Is there much cognitive effort anyway? As I said in my original email, I think most people on social networks are interested in the conversation rather than who said what, but if you needed to know/reminding who said what, then you are just a click away. Remember at an Inbox view you could still have the real name but in the reading/writing pane you have a pseudonymous name. There have been many social occasions where I have met new people had an enjoyable conversation and not know who I spoke to. Even mailing lists have a practice of inline comments where the conversation is more important than who said what. Do you know/care who made the inline comment 3 levels deep?

A benefit of this UX is that it confirms FreedomBox privacy credentials and that its not just another social network.

> 
> So let's look at the proposed gain: a would-be informant who plans to
> snitch by taking screenshots now has to take two screenshots instead of
> one: one of the relevant material they intend to leak, and another of
> their name-mapping page.
In my original email, I said the contact page does not include the pseudonymous name. The accused could easily deny that was them because there is no proof on the contact page.

> 
> I don't think the benefit is worth the cost.
I think the benefit is worth the cognitive cost. I am more interested in the conversation than who said what, which makes the cognitive cost quite minimal to me. However, if most people are interested in who said what, then the cognitive cost may be too great. 

Do most people think the cognitive cost would be too great?   

--fiftyfour