Pitfalls awaiting Diaspora

by on May 30, 2010 in Usability and Design

Diaspora was intended as an open-source Facebook replacement, first available as a self-hosted package (i.e. geeks-only) and later as a paid service.

The developer version of Diaspora was released on September 2010 and some time later followed by a private alpha that still goes on (March 2011). The logical outcome: too big a job with too few people and time to get it done. So you probably should stick to Facebook or try the open-source Elgg (also hosted).

Since this and my other post about Diaspora actually apply to any social platform, specially Facebook contenders, I’m just rewriting them to reflect Diaspora’s fading out.

These are some of the pitfalls awaiting Facebook contenders:

Technology
  • Don’t think it’s all about technology. In the Internet, it’s not really about technology, even if it’s something fancy like real-time communication with your friends.
  • Patents. These days it’s hard to tell the difference between technology and patents. Feel free to say I put them in the wrong category, but ignore them at your own peril.
Design
  • I can’t share with my friends if they don’t have their own social profile. The most important of all. For self-hosted platforms add: If I need one other person with Diaspora/whatever installed to make it work, that’s one installation too many. How it works, then? With guest-passes sent by email and special email addresses, allowing limited access and upload capacities. This is hardly new -Flickr!, Facebook and specially Posterous already do a lot of things with email. For more fine-grained control and broader access, they can sign-up at my own profile; having their own should be strictly optional.
    Sharing with my friends has nothing to do with their ability or willingness to share with me.
  • Postponing internationalization. If you don’t implement real internationalization/localization from the beginning, at every level, you’ll be in a lot of pain afterwards.
  • Not learning from file-sharing programs’ mistakes. Even government agencies that should know better have been sharing confidential info just because a secretary or clerk wanted free music.
Usability
  • The “stupid defaults only burn stupid people” mindset: the misguided belief of the UNIX guru that if your data becomes compromised for not changing the default settings it’s your own fault for running software you’re not smart enough to use. I call this incompetence and laziness: if you’re a developer and know a setting is insecure, it’s your responsibility to turn it off by default, and make it clear to everyone that changing it is not recommended.
  • Making the user interface an afterthought. Sure, implementing all those standards and protocols is difficult, even if you stick with existing ones, but the UI is the thing users see every day. The worst part? User interface problems can’t be solved simply by writing better code.
  • Failing the single download, 2-click install test. Of those two-clicks, one is for bypassing Windows UAC. And of course I can install two in the same host, although the second might require (possibly automatic) configuration. Bonus points if I can run it from a memory stick -I don’t even have to own a computer (think 3rd World).
  • Not learning from Facebook’s mistakes.
    • Lesson number one: People think “Everyone” means “All my friends” instead of ”Whole Wide World”.
    • Lesson number two: Just say no to Opt-out.
    • Lesson number three: “Friend” is a terrible catch-all term for including “People or organizations I believe exist”. (Lunch.com does something nice: you have Friends, Followers, Communities and Similars -you even take a simple quiz! See also Designing for Social Interaction.)
Security
  • Not having automatic/easy patching. It does have its drawbacks (like the McAfee patch that nuked a lot of PC’s), but it really increases security in the long run, specially in the consumer space. Just make sure you don’t corrupt people’s photos.
  • Not including monitoring tools. Yep, this goes against the privacy of visitors to my seed, but if I’m going to host my seed I need a minimum of information, specially if my ISP charges for bandwidth usage -in this case, the possibilities of mischief are endless.
  • Including the dev team as “trusted” in the GPG keystore. This happened in the original PGP, where the author’s public key was marked as “trusted”, meaning it could be used for verifying unknown digital signatures. Thus PGP users learned their first lesson in public-key encryption security: trust someone you don’t really know to verify other people’s signatures. Also keep track of who “introduced” who, in case of impersonation or revocation.
    (This is kind of a ”trick pitfall”: you really shouldn’t need to know there’s a keystore at all).
  • Requiring 3rd-party cookies. Third-party cookies are anathema to privacy, but sometimes you can’t avoid them, for example when you are using a third-party for authentication. Although this problem should be addressed by browsers, they usually provide a crude all-or-nothing configuration. Until this improves, avoid them as much as possible.
  • root-awe. ”OK, you know the root password, so clearly you are an authorized user and can do everything you want”. The UNIX-style permissions are so outdated it hurts. A variant of this: letting another user of my computer have access to my files. Unfortunately, encrypting storage has its share of problems.
Privacy and anonimity
  • Not supporting multiple, isolated identities. Why does the chess club has to know I’m also an avid mountaineer? Why do my coworkers have to know who my relatives are? I don’t have to protect my privacy only from advertisers -also from my connections. Just remember humans are bad at drawing boundaries.

The following has nothing to do with a specific platform, but I think it’s worth mentioning: nothing prevents your friends from automatically reposting your photos with them to the web or other social sites. The problem with digital is that “sharing” is a lot like “giving” -bad news if you want to share and keep control.

Suggestions

  • Publish by email for grandma (send her a pdf file of my latest album or whatever). She can send her comments back by email, of course. A variant of this: create a website that can be burned to DVD and mailed for off-line browsing. This can be used for yearbooks. (Facebook kinda does this to let you export your data.)
  • Panic button for temporarily closing your seed to everyone (aka “Damage control mode”).
  • 3rd-party security audits are always worth the money. Always.
  • A big differentiator would be a “Dislike” button. Just don’t try to turn it into a poll or moderation system. Better yet -rethink the “Like” system.
  • Parental controls -this would be great for school networks. Mattel did some pretty smart things with BarbieGirls (check their Parent’s Place). Look for “B Chat” levels -a way to control chat interactions to prevent griefing and dissemination of personal information, mostly via dictionaries, word analysis and physical procedures (think iPod/iTunes) to ensure participants know each other in the real world.
  • Find a way to deal with dead or just inactive users. Believe me, you’ll have to.

It’s nice to see people starting to pay attention to online privacy, and Facebook definitely got the memo (and proceeded to shove it in a secret location when they thought no one was watching) but they still have to monetize their free (and powerful) service.

Notes
  1. For some non-technical issues facing Facebook competitors, see this post.
  2. Interesting pre-release posts about Diaspora: their answers to Luis Villa’s questions, and Luis’ Notes on Diaspora Talk.

© 2010 Héctor Cuevas. All rights reserved.

Tags: , , ,

About hectorcuevas

View all posts by hectorcuevas

Trackbacks/Pingbacks

  1. Diaspora, Facebook, and closed societies « Associations - September 16, 2010

    [...] Reviews ← “Anathem” tries half-heartedly too hard Pitfalls awaiting Diaspora → [...]

Leave a Reply

Performance Optimization WordPress Plugins by W3 EDGE