Meta Discussion: Where should we discuss the question: "What do 'we' mean by public?"

Hi.

I want to continue my thoughts from POLL: SocialHub Scope and Purpose? - #24 by helge with a more concrete example. Also I want to repeat myself from the title: This is a meta discussion on where to discuss not to discuss. So the relevant question is:

What do ‘we’ mean by public?

Observations:

  1. This is a relevant question to the FediVerse. By using the FediVerse, you make clear that you have an implicit answer to this question.
  2. The answer is non-obvious, and a lot of discussions such as Search, Discoverability, Comment Control, Blocking, etc. are made more complicated by this question not having a good answer.
  3. It’s actually a technical issue, but even on this people will disagree with me.
  4. The question is not even clear as the 'we' is quoted and it is not made clear who is meant.

The actual question

So where do we discuss this question about the meaning of public? If we want to have SocialHub a tech focus, it cannot be the place for this discussion. This is a discussion that needs to happen with non-technical users to understand this issue.

My favorite outcome

Someone feels a calling and decides to champion this issue. In six months, I get to read an answer to this question breaking down what public means to different groups and what their requirements are.

Two more thoughts (edit)

To have this type of discussion, one needs moderation. If somebody replies “The meaning of public is obvious”, a moderator needs to make the effort that it clearly isn’t as somebody is asking the question “What is public?”

It is hard to give examples that are public and not public. For example, is something posted on the Fediverse, with a list of recipients that is not a specific list of people, public enough to be shared here? I would caution on the side of no. In particular, if the post complains about public not being public.

3 Likes

this is, essentially, a breakdown in communication resulting from what the software is communicating on behalf of the user.

the user may have any number of assumptions or intentions.

the software instead has only one: it signals that the resource MUST be available to everyone without authentication. per ActivityPub right under example 10:

Activities addressed to this special URI shall be accessible to all users, without authentication

“shall” = “must” = MUST per RFC2119.

any further assumptions about search, discovery, etc etc are not valid. if the user wishes to communicate such assumptions, they need a different way to do so. i’ve seen ODRL thrown around as a suggested solution to this, by declaring which “actions” are permitted or prohibited. a list of actions can be found here: ODRL Version 2.1 Common Vocabulary | ODRL Community Group – after which point, the conversation pivots to semiotics and what is truly meant by “archive” or “index”, as well as whether all of this is worth implementing or understanding when it can just as easily be ignored. if you’re interested in something far simpler, Mastodon defines http://joinmastodon.org/ns#discoverable as a simple boolean flag representing opt-in to “discoverability”… whatever that means. inside mastodon, this means being listed (“index”?) in the profile directory feature. it also more recently came to mean inclusion (“aggregate”? “display”?) in the trends feature. there is talk of attaching this boolean property to posts as well, not just accounts, and doing so would indicate opt-in to being full-text searched.

this again comes down to social intent and establishing consent. i think you can share a link to a public resource, but should you? if the author or owner indicates that they wish not to be shared, and you wish to respect their wish, then don’t share the link. the risk with republishing or sharing some resource with a different audience is that this can lead to context collapse.

on a technical level, there are a few approaches one can take in order to empower the user:

  • do not use “public” on their behalf. instead, use a gatekeeper model. the resource must be requested from the origin, and the origin is allowed to deny these requests.

  • allow the resource to be ephemeral. after some time passes, all requests will be denied.

  • allow serving to new audiences upon some “sharing request”.

1 Like

I think a lot of this conversation is simply addressing the mess the #dotcons made when they took over the #openweb for PROFIT. Here on the #Fediverse we have taken some of this logic over when we copied, #mastodon = twitter, #peertube = youtube, but it’s VERY important to see this for what it is, not “native” to the #openweb we are #rebooting. Can we think with this in mind? Maybe this would clear away a lot of the mess and give people space to get the shovels (#4opens) out to compost the piles of #techshit that need to be cleared to plant the seeds of hope we are here to grow.

Yes, “public” is quite nuanced, and always has been. May we rephrase the reverse as “our expectation of privacy”? Suppose a social setting well pre-dating the internet… we used to have a reasonable expectation of privacy. But no guarantees.

On a party gathering, meeting with friends, the anecdotes talked about are likely spreading further in a friends-of-friends (gossip) network. There’s no control of that info spreading about. You might make a moral/ethical appeal to friendship and say “This is personal, so don’t tell further”. Still no guarantees, but you stated your intent and expectation of privacy. And you may be able to take action when you observe a breach of trust (e.g. “unfriend” someone).

Here we find the equivalence of ODRL and Mastodon’s discoverable… statements on our expectations, and a moral appeal to honor them.

If you want to be more serious about it, e.g. in a business setting, you might ask people to sign a non-disclosure agreement before sharing information. A betrayal of trust may now have legal ramifications, thus raising the barrier to do so. Still you may be secretly betrayed. There are never full guarantees.

Now, if you add internet technologies to this picture, the notion of “public” gets way more complex, and innocuous communications may suddenly have huge ramifications and impact (e.g. think victims of sexting). What you say in any context, may suddenly become plastered to a global audience, and be out there for years for all to see.

Any expectation of privacy is truly out the door. Anything we say is transferred through a range of technology platforms that serve as our talking and hearing aids. Tools with unknown side-effects, and that continuously change in the way they work. E.g. by using Mastodon’s discoverable under the hood, we implicitly defer to their app platform to define what that means in practice. When using a service we agree to be bound by their privacy policy, and the intricate network of privacy policies they relate to through 3rd-parties. Only lawyers might analyse the legalese and conclude the level of privacy we are entitled to, by accepting such policies.

In real life privacy is seriously eroded too. You sit on a terrace with your friends, while your mobile phones are gathering metadata about the meeting, and strangers make photographs with you in the frame, which are uploaded to FB and Instagram for facial recognition. Etcetera… surveillance capitalism is ubiquitous.


Observation:

  • By communicating online we have deferred our privacy to online platforms, beyond our control.
  • Hard guarantees don’t exist. If you wanna have highest level of control, don’t put your info online.

How to increase assurances and trust that information processing meets our expectation of privacy?

  1. By being very explicit what our expectations are.
  2. By information platforms working to meet that expectation.
  3. By gaining insight in the level information platforms match our expectation.

You might say that 1) constitutes our aspiration, and 2) boils down to enforcement, which leads to 3) providing informed consent.

The ODRL and Mastodon’s discoverable are ways to express our aspiration wrt privacy, whereby…

  • ODRL offers a fine-grained standardized means to do so,
  • While discoverable is an arbitrary app-specific way.

With such mechanisms to express aspirations implemented, the enforcement in point 2) boils down to…

  • Implementing effective ways (functionality) to honor our aspiration.
  • Technical verification by independent parties that this is done in meaningful way.

The most tricky part is in providing informed consent. A non-technical audience should be able to…

  • Choose information platforms with confidence.
  • Learn about potential impact of their actions in an intuitive manner.

F-Droid is an app-store that comes with baked-in level of enforcement to ensure a level of trust with a non-technical audience that apps they install do not contain adware and the like.
Individual FOSS project websites try to convey assurances to the level of privacy and trust that can be expected, and if that isn’t accurate then the Free Software movement will be very vocal about that. In ways where hopefully the broader public may become educated about that.

For in-app activity, being properly informed on the impact of one’s actions is to a large extent a UX issue. Other than that, a certain level of digital literacy may be expected from the user. And cultural norms, netiquette, may contribute a bit to the level of trust (Fediverse currently has a higher level of netiquette than e.g. birdsite).

Regardless what we do, and efforts to define our Right to Privacy in an online age, we don’t have hard guarantees. What’s public or not will remain nuanced, complex and partly in the “eye of the beholder”.

As for “Where do ‘we’ discuss this?” I guess that that boils down to everywhere :sweat_smile:
In each context where it is discussed we can contribute from a different perspective relevant to that context.

1 Like

I think this is a good three step procedure. I would expect the expectations from 1 to vary from person to person. For example, I probably tend to delete a lot more stuff than the average developer. I see storing data without a plan to delete it as bad practice.

For example: Mastodon seems to store public posts forever. I guess forever is a bit stark, for at least 2 months. That’s about 10 times as long as I find reasonable. I think it would be good to have a professional survey on what people think 1 should be.

Maybe I’ll contact the people behind Mastodon: Research Symposium and Tool Exploration Workshop

Am kinda confused about what people think this means?

public = users
public = society
public = culture

Think this conversation would be more meaningful if people were clear.

For me, public = #openweb culture

Then there are many pejorative words for public = society

And I kinda like to ignore public = users as nasty #geekproblem thinking.

@helge, @trwnh @aschrijver what is “public” for you?

UPDATE openweb culture has an understanding of what “public” means, its #4opens and with this understanding we compost much of the mess.

i’d say it depends on audience. public access, public domain, public culture, etc. are all one sort of thing, but then there’s just being “in public”, which is not the same. like sitting in a park and having a conversation with your friend sitting next to you. it’s generally considered rude to pull out an audio/video recorder and record you talking, right? but it would be different if you were giving a talk at an auditorium.

Ok, first lesson learned for me: public is both an adjective and a noun and I need to differentiate between these two in this discussion. Things would be so much simpler, if we had this discussion in German. Then the nouns would start with a capital letter.

I was mostly thinking of public as a property, e.g. a public message or a message being public. The next thing in my mind is “how long is it ok to cache something public?” … see above.

This might sound like geek stuff, but see the following analogy (recording = caching)

1 Like

yes, i think the same way. a message is public (adjective) if anyone can see it without asking for permission. but you might release or dedicate an object to The Public, meaning that anyone can do whatever they want with it. in legal terms you might consider “rights reserved” as a similar concept. publishing something does not grant any additional legal rights to anyone else; they are generally not allowed to republish or redistribute it, although they may be allowed to download it for personal use depending on the jurisdiction.

when it comes to cache control and TTL, we simply have no idea, unless the origin server specifies cache control headers and we understand such headers. generally in this type of delivery-based network, you might have a strategy of “cache forever until you receive a Delete”. each activity should be stored in the users’ inboxes just like an email.

I’ve been doing active advocacy for all-things-Fediverse for quite some time, and part of that was helping people find each other on common interests and projects, help the spread of ideas, etc. For that it is very handy to have a large amount of followers. My motivation to do all that work are the unique culture on the Fediverse - Free culture, the Commons, FOSS, etc - and the fact that in general real thought is given to offer humane technology. Which is also rare. The lack of commercial incentives and absence of adware are favorable conditions to how software is designed.

So for me, my audience, my public = #openweb culture too. But The Muskening™, subsequent mainstreaming, and now the corporate takeover gaining speed, has changed things significantly. We got literally billionaires asking how to monetize this Fediverse thing, and excited fedizens all-too-eager to explain exactly how to do that.

It has made my account worthless for doing advocacy. Followers including startup, unicorn, big-tech follow-the-money types. Folks laid off at Silicon Valley desperately seeking where they can be disruptive. Etcetera.

I can still reach my audience, but can’t avoid reaching people whom I’d rather not address with innovative ideas. My fediverse account is too public. This problem is interesting in itself. I named the need I have is for “personal social networking”. Again, there’s nothing weird or new to this notion, and it has an analogy to real life…

In real life I wouldn’t mingle with folks in expensive Armani suits, all day bragging about big cars they bought and the size of their crib, and other vapid talk about status. I would choose whom I want to have around me. I’d choose my audience. And if I would be a salesman to these folks, I would have a separate audience, my professional network, to address them.

So, for advocacy my personal social networking needs are:

  • Ability to be more strategic in how I operate on the Fediverse.
  • Ideally an easy way to be among different groups of people, i.e. ability to choose my audience.

There are a number of ways to achieve that, and some, not a lot, socio-technical support at my disposal.

(Note: I know effectively all our content is public, can be scraped, indexed and fed into specialized AI to harvest our data for any useful information)

A survey would find wildly different needs. Esp. if we think about different application types that may gain popular use soon. Think federated forums, which serve as archives, or wikis, semantic knowledge bases, etc.

In the current microbloggo-verse there’s an interesting “personal social networking” feature that Mastodon (among others) provides. You often hear people complaining how bad Search is on the Fediverse.

I do not agree with that. I don’t want the Fediverse to be one big transparent public square. I want it to be personal, people-sized. What the current stored content of Mastodon offers me is a personal memory of my past exchanges. And that becomes more and more useful over time. “What was that discussion I had with this person some time ago? :thinking:” → search → BAM, Aha Erlebnis.

1 Like

I think we are getting to be able to formulate the proper question to ask. A few observations:

  • Public is a problematic term. It is both a noun and an adjective. Depending on usage these can mean quite different things. Examples: “is public”, “for the public”, “in the public”, “in public”
  • If I don’t want to use “public”, I need other terms. Mastodon uses public as a characterization of “post privacy” and then tells you who the post is visible to.
  • I think @aschrijver’s use of “my audience” in the following quote probably captures what I want described the best:

So it might be a good idea to reformulate:

as

Who do we want in our audience? And how do we want to specify it?

Technical Excursion: On an #activitypub level, we might describe this as limiting who gets something delivered to their inbox. I’m fairly unhappy with how Follow handling is specified in ActivityPub, for varying reasons, I think it would be good to work out some type of best practice guide called FediAudience.

If somebody wants to write it, PLEASE include flow charts for how to get on and off an audience list, and what states this process can have.

Also introduce the Unfollow Activity type. Undo – Follow is all nice in theory, but in practice: “I have to look up the follow request from a month ago to unfollow this person: What were the authors thinking?”

1 Like

Thanks for the good replies, nobody is wrong here :slight_smile:

Yes, I understand the white lies about security and privacy that we’re told to boot up mastodon, but this #openweb tech is literally a dancing elephant throwing paper planes as a security/privacy model.

This is not the right tool for most of the “common sense” things you want, better off with tech built for privacy and control, there is a LOT of this mature tech out there.

Inclosing the “commons” is a bad history for native society.

Let’s try and check focus on the “unspoken/unthinking” political aspect to this, much of this desire and proposed tech path comes from #mainstreaming liberalism where the Fediverse is not “native” to this thinking, coming from a more “trust” based anarchistic path.

I think a lot of this is down to ideas about “social media” as in social (one to many) and media (news, what happened) that is telling the many what happened, inherently a PUBLIC pastime.

Then we have encrypted chat one on one and in groups, this is inherently a private pastime.

In the #dotcons we have these mixed together, it’s a mess, that can only work because of centralization. Though this is also less obviously a black lie, as “they” do not actually respect the privacy they promise, and moreover their whole business model is based on this lie.

On the decentralized #openweb they have generally been separate, nice and tidy.

Can’t help getting a feeling in threads like this, that there is in part an attempt to mix these things up, thus reproducing as “common sense” what the #mainstreaming has been doing for 20 years.

We can have the best of both worlds without reproducing the bad #mainstreaming mess, let’s focus on #4opens and what this means for “social media” and leave (hard) privacy for individuals and groups in p2p encrypted chat.

Would this be solved by letting you specify the audience as a curated sublist of your followers? While maintaining the behavior of Public? This means follow-the-money-bros can still see your content, but they no longer get it delivered to the inbox.

Before writing something wrong, I checked. If I send the following to the inbox of themilkman on mas.to, it appears in helgek@mas.to’s home feed. Both accounts are following helge@mymath.rocks, from which I send the message.

Conclusion: The shared inbox as implemented in Mastodon breaks public posts not addressed to followers. If I were to write a test suite for this type of behavior, I expect to find a lot more things that are brokenish. So the testing for addressing can only be phase 2.

{'@context': ['https://www.w3.org/ns/activitystreams',
  {'inReplyToAtomUri': 'ostatus:inReplyToAtomUri',
   'conversation': 'ostatus:conversation',
   'ostatus': 'http://ostatus.org#'}],
 'id': None,
 'type': 'Create',
 'actor': 'https://mymath.rocks/endpoints/SYn3cl_N4HAPfPHgo2x37XunLEmhV9LnxCggcYwyec0',
 'object': {'@context': 'https://www.w3.org/ns/activitystreams',
  'attributedTo': 'https://mymath.rocks/endpoints/SYn3cl_N4HAPfPHgo2x37XunLEmhV9LnxCggcYwyec0',
  'type': 'Note',
  'inReplyTo': None,
  'content': 'Can you see this?',
  'published': '2023-03-20T10:18:29Z',
  'to': ['https://mas.to/users/themilkman'],
  'cc': ['as:Public'],
  'tag': [{'href': 'https://mas.to/users/themilkman',
    'name': 'https://mas.to/users/themilkman',
    'type': 'Mention'}]},
 'published': '2023-03-20T10:18:29Z',
 'to': ['https://mas.to/users/themilkman'],
 'cc': ['as:Public']}
1 Like

yes, i think last i looked at mastodon code, it uses to/cc for calculating scope, and the switch-case will short-circuit on “public” if it sees to:Public, or otherwise “unlisted” if it sees cc:Public, or otherwise “followers only” if it sees a followers collection URI in either to/cc. all of these will be inserted into home timelines for all followers. any other activity will be “direct”. if there are additional recipients in to/cc who do not have a Mention in tag, then the status is changed to “limited” and those extra recipients are saved as silent mentions in the database.

1 Like

i propose audience :smile:

or, more specifically, audience controls who can see the object. to/cc control which inboxes will receive the activity.

I think this interpretation would have potentially been clearer, but the AP spec appears to be explicit that audience is also used for delivery targeting.

Targets for delivery are determined by checking the ActivityStreams audience targeting; namely, the to, bto, cc, bcc, and audience fields of the activity. (Section 7.1 Delivery, also 7.1.1)

1 Like

you never actually deliver to Public, though. it’s a “magic collection” that doesn’t actually get dereferenced for an inbox.

Right. That part makes sense but it isn’t consistent with including Public in the to and cc delivery targeting fields in the AP examples. Other than Public and the case with no recipients, it’s difficult for me to find a clear distinction between delivery targeting and visibility in the AP spec.

If I didn’t mess something up

{'@context': ['https://www.w3.org/ns/activitystreams',
  {'inReplyToAtomUri': 'ostatus:inReplyToAtomUri',
   'conversation': 'ostatus:conversation',
   'ostatus': 'http://ostatus.org#'}],
 'id': None,
 'type': 'Create',
 'actor': 'https://mymath.rocks/endpoints/SYn3cl_N4HAPfPHgo2x37XunLEmhV9LnxCggcYwyec0',
 'object': {'@context': 'https://www.w3.org/ns/activitystreams',
  'attributedTo': 'https://mymath.rocks/endpoints/SYn3cl_N4HAPfPHgo2x37XunLEmhV9LnxCggcYwyec0',
  'type': 'Note',
  'inReplyTo': None,
  'content': 'Can you see this?',
  'published': '2023-03-20T14:18:54Z',
  'to': ['https://mas.to/users/themilkman'],
  'cc': [],
  'tag': [{'href': 'https://mas.to/users/themilkman',
    'name': 'https://mas.to/users/themilkman',
    'type': 'Mention'}],
  'audience': ['as:Public']},
 'published': '2023-03-20T14:18:54Z',
 'to': ['https://mas.to/users/themilkman'],
 'cc': [],
 'audience': ['as:Public']}

sent to https://mas.to/users/themilkman/inbox becomes visible to only themilkman. helgek can no longer access it, even though it is marked as public in the audience field. Mastodon you are so lovely.

So there is currently no hack to get around Mastodon’s idiosyncrasies and the best one can do to restrict a public post not being in a follower’s timeline would be to exclude entire servers.

“When you need to name things with oxymorons, you should rethink your architecture” - wise thing about clean code, I just made up.
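
The two experiments in this thread, replayed against the to/cc scope rules as described in the reply above and the delivery-target rule quoted from ActivityPub section 7.1. This is an added example, not Mastodon's code and not written by any poster; the function names and the followers URI are hypothetical, and the two Notes are trimmed copies of the payloads posted above.

```python
# Accepted spellings of the special Public collection.
PUBLIC_IDS = {"https://www.w3.org/ns/activitystreams#Public", "as:Public", "Public"}
ADDRESSING = ("to", "bto", "cc", "bcc", "audience")


def as_ids(value):
    """Normalise an addressing field (missing, string or list) to a set of ids."""
    if value is None:
        return set()
    if isinstance(value, str):
        return {value}
    return {v["id"] if isinstance(v, dict) else v for v in value}


def mentions(obj):
    """hrefs of the Mention tags attached to the object."""
    tags = obj.get("tag") or []
    return {t.get("href") for t in tags if t.get("type") == "Mention"}


def described_scope(obj, followers_uri):
    """Scope derived from to/cc only, following the description in the thread.
    Assumption: 'limited' is read as refining the otherwise 'direct' case."""
    to, cc = as_ids(obj.get("to")), as_ids(obj.get("cc"))
    if to & PUBLIC_IDS:
        return "public"
    if cc & PUBLIC_IDS:
        return "unlisted"
    if followers_uri in to | cc:
        return "followers only"
    if (to | cc) - mentions(obj):
        return "limited"  # recipients present without a matching Mention
    return "direct"


def delivery_targets(obj):
    """Union of the five addressing fields; Public is never a delivery target.
    Collection expansion and de-duplication against the sender are not modelled."""
    targets = set()
    for field in ADDRESSING:
        targets |= as_ids(obj.get(field))
    return sorted(targets - PUBLIC_IDS)


def names_public(obj):
    """True if the sender named Public in any addressing field, audience included."""
    return any(as_ids(obj.get(f)) & PUBLIC_IDS for f in ADDRESSING)


MILKMAN = "https://mas.to/users/themilkman"
FOLLOWERS = "https://mymath.rocks/followers-placeholder"  # constructed placeholder
MENTION = [{"href": MILKMAN, "name": MILKMAN, "type": "Mention"}]

# Experiment 1: Public in cc. Experiment 2: Public only in audience.
NOTE_CC_PUBLIC = {"type": "Note", "to": [MILKMAN], "cc": ["as:Public"], "tag": MENTION}
NOTE_AUDIENCE_PUBLIC = {"type": "Note", "to": [MILKMAN], "cc": [],
                        "audience": ["as:Public"], "tag": MENTION}


def report(obj):
    """Summarise what the sender declared against what a to/cc-only reader derives."""
    return {
        "declared_public": names_public(obj),
        "scope": described_scope(obj, FOLLOWERS),
        "deliver_to": delivery_targets(obj),
    }


if __name__ == "__main__":
    for name, note in (("cc", NOTE_CC_PUBLIC), ("audience", NOTE_AUDIENCE_PUBLIC)):
        print(name, report(note))
```

Both Notes have the same single delivery target, yet the first is classified "unlisted" and the second "direct": a receiver that reads only to/cc never sees the Public entry in audience, which matches the outcome reported for the second experiment.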