1. 39

Irene linked this and wanted to submit it because the software we develop and the rules it enforces touch our users in intimate ways.

  1. 12

    The alternative to hoping that Facebook will develop the right policies based on feedback is to make sure you’re in control of the infrastructure you depend on. Until now I don’t know how to achieve that without having to force all the people I want to stay in touch with to switch to the same medium. There is some interesting research in cryptography related to finding common friends without disclosing the friends list which is one major blocker for decentralized social networks.

    1. 3

      I took a mental crack at that just now. I want to see if X person and I have common friends. I take all my friends identities and hash them with their public key and my public key. I give this list to X person. X person takes their friend list and does the same. They hand me back the union. Done. At worst you can do this hash on every known identity you have come across to cross check, but you must do so every time you want to check against me, so put it in a 12000 round thing or whatever you want to specify as the one initiating checking against my friends list (and I only allow you to do this once a week, so cache the results).

      If you start with identity as a shared thing, cryptography in all communications, it seems really not complicated cryptographically that I can see. What am I missing? (Yes, missing something is usually the case when I think it’s simple.)

      1. 4

        ~~If you and X both hash your common friend P with your own keys you get two different hashes with no way to figure out that they belong to the same person.~~ (edit: misunderstood TodPunk here)

        > At worst you can do this hash on every known identity you have come across to cross check.

        That’s exactly one of the challenges. These systems try to prevent one party from pretending to have a huge circle of friends to maximize the intersection. You can find more on that topic at https://eprint.iacr.org/2011/026.pdf.

        1. 4

          I think what @TodPunk was getting at was that if Alice wanted to see if Bob had mutual friends, Alice sends Bob A(pub)+B(pub)+Fx(Pub) for all friends 1 to x, then Bob would do the same calculation and return the intersection.

          The problem is there’s no actual information hiding; it’s just “tune the KDF slow and pray”.

          1. 1

            That is what I was getting at, yes.

            I thought information hiding wasn’t possible in this. I want to know if you have any of X set of friends. Either you need to know what X set is, or I need to know what set of friends you have. There’s no way around it. The best I could think (in this thought exercise that was the moments it took me to come up with that idea) was to make it so the irrelevant information is not easily seen, not that it was unseeable. dkreuter brought up a different axis entirely to light I thought was interesting. I forget sometimes that some people give a damn about how many friends someone else thinks they have.

            1. 7

              The problem is called private set intersection; follow the citations about it from the paper dkreuter linked. https://eprint.iacr.org/2010/469.pdf in particular has a good summary. It is solvable without revealing extra information, although algorithms for it are fairly inefficient still.

        2. 2

          > At worst you can do this hash on every known identity you have come across to cross check, but you must do so every time you want to check against me, so put it in a 12000 round thing or whatever you want to specify as the one initiating checking against my friends list

          Yeah, that means the system ain’t gonna work - the KDF you use is either going to be

          • so slow that no work will get done either because no one wants to wait 4 weeks to see if mutual friends exist so no one uses your site, or because attackers who ~~control a large clique of the network~~ send a large bunch of fake hashes can tie everyone up in pretzels having them do busy work
          • or fast enough that some time on EC2 and a large enough body of pubkeys lets me know who your buddies are.

          As soon as you’ve published an attested list of friends and your scheme depends strictly on public knowledge to answer the question, the crypto just becomes window dressing.

          The only real path forward is some sort of zero knowledge proof between both parties.

          1. 2

            I thought the crypto was more verification than hiding. An obfuscation at best. If you want it unknown, I definitely don’t think there’s a solution (a la the DRM problem of secret telling, where you want to share something with Alice and not Bob, but you don’t know that Alice and Bob are the same person, so your entire approach is moot).

            I definitely see the problem of this sort of a thing at scale like you’re mentioning. Even if it wasn’t abused (HA!) you’d have to have some beefy infrastructure just to handle popular people like a celebrity.
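Added example, not part of any comment in this thread: a toy simulation of Diffie-Hellman-style private set intersection, the problem named above, next to the hash-of-public-keys token proposed earlier. The group modulus, function names and sample identities are assumptions made for illustration; it assumes honest-but-curious parties and does nothing about the inflated-friend-list concern raised in the thread.

```python
import hashlib
import secrets
from math import gcd

# Toy group (assumption): integers modulo the prime 2**255 - 19.
# A real deployment would use a prime-order elliptic-curve group
# from a vetted library.
P = 2**255 - 19

def naive_token(owner_pub: str, peer_pub: str, friend_pub: str) -> str:
    """Hash scheme from the thread: every input is public, so any party
    holding a list of public keys can recompute and compare tokens."""
    data = f"{owner_pub}|{peer_pub}|{friend_pub}".encode()
    return hashlib.sha256(data).hexdigest()

def hash_to_group(identity: str) -> int:
    """Map an identity (e.g. a key fingerprint) to a nonzero square mod P."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return pow(h % (P - 1) + 1, 2, P)

def new_secret() -> int:
    """Random exponent coprime to P-1, so blinding is a bijection
    (equal blinded values imply equal inputs)."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if gcd(k, P - 1) == 1:
            return k

def blind(values, secret: int):
    """Raise each group element to a secret exponent."""
    return [pow(v, secret, P) for v in values]

def mutual_friends(alice_friends, bob_friends):
    """Simulate both sides in one process; in practice a never leaves
    Alice and b never leaves Bob."""
    alice_friends = list(alice_friends)
    a, b = new_secret(), new_secret()

    # 1. Alice -> Bob: her friends, blinded with a.
    msg1 = blind([hash_to_group(f) for f in alice_friends], a)

    # 2. Bob -> Alice: msg1 re-blinded with b (same order), plus his
    #    own friends blinded with b and shuffled.
    alice_double = blind(msg1, b)
    bob_single = blind([hash_to_group(f) for f in bob_friends], b)
    secrets.SystemRandom().shuffle(bob_single)

    # 3. Alice adds a to Bob's values. H(x)^(ab) matches only for shared x;
    #    Bob's other friends stay hidden behind b.
    bob_double = set(blind(bob_single, a))
    return {f for f, t in zip(alice_friends, alice_double) if t in bob_double}

if __name__ == "__main__":
    # Constructed sample identities.
    print(mutual_friends(["carol", "dave", "erin"], ["dave", "erin", "frank"]))
```

Alice still learns the size of Bob's list and the intersection itself; Bob learns only the size of Alice's list.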

      2. 10

        Best part of the article:

        > Facebook likes to think of names as a one-to-one mapping. You have one name, and that name is how people refer to you at all times. It’s a very WASP notion of how names work, and the reality is far more complex. Names are a tool for description, a shorthand for quickly communicating the idea of a person or thing. They change based on context. Each person has many names, because each person has many contexts and social groups.

        1. 3

          I actually disagree with the description of a name. She is referring to a title, which is the thing that changes context. I am called different titles, of which my name is one. When we talk about names as identity ties (which they are officially and in the capacity of Facebook) the context is meaningless. We are saying “Identity X is blah.” If your official identity changes, it makes sense that a social network and the social structures around you would have struggles with how to fit you into those social contexts we think nobody should burden us with when we change them. This is not so. If I change my identity, I’m making it hard on others. Others having some resistance to taking all the pain is good. Building software to mitigate pain would be nice, but this isn’t Facebook’s purpose at all, and we shouldn’t use it as such.

          I should note this is semantics, because the meaning of “name” changes where we use it (English is “fun”) but if we’re discussing it in the context of what it means at Facebook, its meaning just has to be consistent, not match what we want it to when we use it elsewhere.

          1. 8

            Among other things, I imagine neither your manager nor your parents call you TodPunk. They very likely also have different preferred forms of your legal name. Everyone has many names, though, yes, only about 50% of the population is raised to expect their legal one to change at some point.

            1. 3

              That was, in fact, my point (though both my manager AND my parents do call me TodPunk in some contexts, as did both my managers before them). My failing in previous was not syncing up hard enough that this is a semantic difference in the use of “name.” As used in the Facebook context, “name” is supposed to be your legal name, which is an identity name (the identity being some summation of your existence as said entity) and your legal name being the title that identity is given.

              I wasn’t trying to make light of the author’s particular issue, just the point migurski was highlighting, which is incorrect because it assumes “name” means something from a different context than the one in which the term is used by Facebook. If Facebook were calling it your pet name, or title, or friendly moniker, or any number of other things when it called it “name,” then the author’s point would be correct. The problem is, as presented by the author, Facebook is correct in that you DO have one name, and that is how people refer to your identity at all times in the case Facebook is referring to (as your legal identity). Facebook does have the added problem of different legal cases having different legal identities for the same person (like Native American names were a good example from some comments in another thread). Their policies don’t always account for this 100%. It might be better to call it “most presumed legal representation” and that would cover things like stage names of celebrities (some of which used to have problems with Facebook as well).

              I don’t care to weigh in on the social side of it, as it’s not interesting and would just be my opinion, doubly uninteresting. What I was discussing from was, we as designers of systems need to be keenly aware of intent beyond our original, but every interpretation is ludicrous and ultimately users do need to meet us some of the way.

              I will say when this issue was discussed years ago as the need for pseudonymity, it was an even more interesting discussion to me. Facebook didn’t have an answer to that problem. The answer to “your name has been reported as ridiculous by X people, auto-action taken, paltry human effort shown” is there for anyone, celebrity or not, popular or not, and while tedious and imperfect, that process can’t go away without losing another group of people to the wayside. The pseudonymity problem was much more of a curveball for Facebook’s policies and engineering assumptions. I don’t remember how that got resolved off the top of my head. Still, this is all an excellent discussion on assumptions we make that have social consequences.

              I will also say I feel for the author. I can’t help, and any rage I could take up would be counter-productive to a net positive for the world in my belief, so I’d rather make progress where I can help.

              1. 8

                It’s completely untrue that everyone has more than zero legal names and fewer than two. Think about citizenship corner-cases. I apologize for not responding at greater length, but it’s a topic I’m kind of frustrated by too much time talking about it without progress, in general, not with you specifically.

                1. 2

                  I get that it isn’t 100%. It’s 99.99999% or something close to it, though, which is why the assumption is made (on all levels from social to technical and administrative). I assume you know that.

                  I appreciate that you recognize your frustration and don’t take it out on me as a focus point of it. I hope you recognize that I know and understand the generality of why you have that frustration, and am not trying to diminish the actual problem as much as frame one paragraph of a tangent from it. The overall is indeed a hard problem, and not one I even wish to wade into, let alone try to frame.

                  1. 15

                    Responding to TodPunk’s comments:

                    > The problem is, as presented by the author, Facebook is correct in that you DO have one name, and that is how people refer to your identity at all times in the case Facebook is referring to (as your legal identity)


                    > I get that [having a single legal and social name] isn’t 100%. It’s 99.99999% or something close to it […] [I] am not trying to diminish the actual problem as much as frame one paragraph of a tangent from it

                    It really is not 99.999999%. Among my family and friends with European ancestry, most have multiple valid state names. Common variations include the addition or abbreviation of a middle name, use of a middle name as a first name, or changing family name during marriage and divorce. Among my family and friends whose background is not European, there’s those cases and more, roughly tripled by different writing systems and variations in lossy transliteration. My off-the-cuff guess is that low double digits of American Facebook users have multiple state names. This is a minor-to-major hassle for places where the state provides and reconciles identity papers, and a minor hassle in finance (you’ll see a lot of medallion stamps), where the state cares that it gets its cut or that money is not used in particular ways.

                    And all this is a tiny sliver of the actual problem discussed: it is overwhelmingly the case that people use multiple names in different social settings and relationships. Facebook wants to mediate those social interactions with a grossly, dangerously reductionist model.

                    Hell, I took a moment to count up how many names I’ve been addressed as in the last week and got 9. Most are “simple” variants on the state name on my identity papers, but two are transliterations and one is not in Unicode. I’m not even trying to be exhaustive and I don’t have any kind of predilection for different names, it’s just a part of human cultures that we give setting-specific names.

                    Facebook wants each user to use a single name that will be recognizable and familiar to all of that person’s social groups, but wants to prohibit joke names and multiple identities. It attempted to find a focal point: users must give a state name and, if challenged, provide state identity papers. They assumed that people would only need to use one name and would be comfortable with a documented state name. The state name variations they were familiar with (“Jim” vs “James”, “Smith” to “Smith-Jones”, “Alice Smith” vs “Alice Q Smith”) felt minor and ignorable.

                    The point of the article is that there are sizeable numbers of people with multiple names for whom this results in insultingly broken variations (eg. Spanish and Hispanic compound names can’t be shortened to a single “last name”), significant confusion (eg. people with friends in two cultures have to pick which group will be unable to recognize the basic characters of their name), support intrusive state policies (eg. “Jim” may not become “Jane”; “Alice Smith” must become “Alice Jones” upon marrying “Bill Jones”), endanger people (eg. “Jane used to be Jim”), etc. etc.

                    Name variations are much broader and more impactful than Facebook (…and the typical American programmer) envisioned. The focal point they chose has poor tradeoffs, and there are many ways Facebook could fix the problems its unforced design choice caused. But dismissing the very idea that these problems are common or meaningful is ignorant or hurtful.

                    1. 10

                      A great resource I’ve seen is Falsehoods Programmers Believe About Names.

                      I’ve taped this to a few doors before…

                      1. 7

                        This is definitely true in my experience. I’ve been surprised on at least 3-4 occasions when for some reason I’ve seen the “official name” of someone I’ve known for a while (usually when we’re traveling together and compare passport stamps). It’s probably the case that a nontrivial percentage of my friends whose passports I haven’t seen would be similar. The three most common cases in my circles are: 1) people who don’t use their legal first name, usually instead using their middle name as a first name; 2) people who legally changed their surname upon marriage but still use their previous surname professionally; and 3) people who have a “foreign” name and have unofficially (but not legally) anglicized it, either in the sense of a rough translation (legal name Yannis, goes by John), or just making up a new “anglo” name entirely (especially common among Chinese).

                        Not Facebook-related, but tangentially on topic: I personally have a slightly humorous bureaucratic situation at the moment because I have two legal names, in two different countries, and they are sort-of but not actually the same. In American government documents my first/middle names are Mark Jason, but in Greek government documents I’m Μάρκος Ιάσονας = Markos Iasonas. These are of course in some sense the same name, just translations, in fact that’s exactly why my parents picked them, since they work well in both languages. But in some other sense they aren’t the same name, like Lukasz and Lucas aren’t quite the same name. So, the Greek government is perturbed and thinks I really ought to have either been called Markos Iasonas on my U.S. birth certificate, or else have been inscribed in the Greek family registry as Μαρκ Τζέισον = Mark Tzeison. But I don’t like Markos Iasonas in English, and I don’t like Mark Tzeison in Greek! I’d prefer each name to stay in the language it’s suited to and not try to promiscuously transliterate itself everywhere. :)

                        1. 6

                          Even “official documents” are not always right. I am Norwegian and my wife is British/Chinese dual citizen. We named our son Sølve, an Old Norse name. We lived in Hong Kong at the time, and they were not able to represent the LATIN SMALL LETTER O WITH STROKE in his name, so his birth certificate has “Solve”. (It also has a field for his Chinese name, which we filled in.) When we moved back to the UK and got a British passport for him they too were unable to input the “ø” in his name, so the misspelling of his name stuck. Does it make it his official, or actual name? No, in my opinion it does not. It’s a bastardisation brought on by insufficient technology. I am hopeful that the British passport system will eventually allow Norwegian characters so we can represent his name properly where we live. (Frustratingly, we were told that the older British passport system accepted “ø”.) We may have been able to get him a Norwegian passport, but Norway doesn’t allow dual citizenship, so he would have to give up his British one—a bit silly when he’s never lived in Norway. (Luckily he’s not old enough to have a Facebook account, so he’s not had the opportunity to be thus insulted yet.)

                          (Edited to fix use of “password” where I meant “passport”.)

                2. 7

                  Facebook seems to want name in the sense of “official documents” rather than “what everyone calls you and you use personally and professionally”, though. Even in the case of very stable identities, those may not be the same, especially for immigrants. I know a reasonable number of Chinese-Americans who have an “American” name that they use personally and professionally. When they moved to the U.S. they picked a name like Albert or Conrad, and that’s what they use everywhere. It’s pretty stable and consistently used: on their office door, their journal articles, their business cards, etc. It just happens to not be the name on their driver’s license and passport. It’s not a change for anybody, because nobody in their Facebook network ever knew them by their original Chinese name.

                  This particular group is fortunate to rarely have problems on Facebook anyway, because names like Albert don’t trigger Facebook’s name-flagger, so they can get away with violating the real-name policy. (This also, incidentally, makes it trivial to use Facebook with a pseudonym, as many of my friends do: just pick a generic American-sounding name as your pseudonym, and you’re unlikely to ever get asked for documentation.)

              2. 1

                I don’t agree with the Facebook (at least not completely), but I’ve never understood how these problems actually occur. One of your friends reported you for having a bad name. Why are you friends with an asshole? (Same question for breast feeding or child “porn” or whatever else Facebook bans.)

                1. 8

                  They don’t have to be your friends. Anyone who can see your account can do it. This means that if a large enough group of people decide not to like you, it’s an easy way for them to cause you trouble.