Executive Summary

Ten years ago, a website may have only constituted everything within its limited directory structure. Today, those borders have become porous. Facebook extends its reach far past the boundaries of what is contained after the last slash in The transformation of Facebook from a simple website to a mesh of APIs has allowed for everything from social games to social viruses and worms. When 90.7% of Facebook applications are given more private data than they need1, its imperative that a solution be found. One angle that stands to be significantly improved is the ecosystems usability. KnoBook is an attempt to keep all of this in check. This report is addressed at clients in the web security industry, particularly those with an existing presence in the desktop security market (Symantec, Microsoft) that desire to expand into social networking security. This system is designed with the most rapidly growing Facebook user group in mind: middle-aged users2. This group has rapidly come to define Facebooks target audience. Therefore, it should also define the target audience for any application designed to better enforce privacy on Facebook. One of the largest issues with Facebooks application platform is the vague language it uses to describe what an application has access to. Few users understand exactly what each permission listed by Facebook actually means in terms of what the application would have access to. This makes the user feel nervous about using certain applications for fear of exposing private information or unknowingly participating in promotional activity for the application itself (spamming friends). KnoBook provides extra information to the user. It maintains a database of crowd-sourced user reviews for both the level of interest maintained in an app and the level of negative surprise it may give users. In this case, unpleasant surprise could mean posting content to the users profile that was not expected or reading personal data that the user was not aware the application had access to. The primary goal is to allow the user to make informed choices about what applications to allow and disallow based on real, tangible information instead of the vague explanations that Facebook currently provides. During early tests of the system, users familiar with Facebook platform applications tended to ignore the new information being presented, as it was designed to be unobtrusive and fit with Facebooks existing dialogs. After iterating the design and modifying the system, users took action based on the information that was presented to them to either approve or decline app invitations. Users were able to parse the information provided to them and make decisions based on it. This contrasts with user

actions in preliminary interviews, where users were unsure about the decisions they were making on the site based on information provided.

Literature Review : Research before the project consisted of a preliminary literature review followed by one semi-structured interview and two contextual inquiries. The topic of user-facing API usability is very infrequently mentioned in the literature. In Stephen Clarkes (2004) look at programmatic API usability, he suggests that developers follow the same general guidelines as when looking to design usable graphical user interfaces and apply user-centered design methodology. In this case, the user is the programmer instead of the person eventually using the software the programmer is creating, however, the attention to user-centered design at all stages in the process is worth noting. As it stands, the Facebook APIs development has focused largely around Clarkes concepts to provide affordances for platform developers. However, the end users of the product are paid comparatively little attention. This becomes especially concerning when taking into account Lovejoy, Horn, and Hughes (2009) assertion that a good deal of Facebooks potential lies in exploiting social ties to third parties for commercial gain. This activity remains invisible to the average user, using the metaphor of an iceberg to separate the small portion of the visible social networking benefits (according to Lovejoy, Horn, and Hughes social networking and fun from the users perspective) from the invisible part of the network (the large network of detailed personal data provided voluntarily by users; to be aggregated, filtered and re-organized for purposes of targeted marketing, advertising, and PR). In this case, applications could be categorized as providing a marketing benefit for Facebook itself, allowing the reach of the platform to extend far beyond the walls of the site. Lovejoy, Horn and Hughes also note the gratifications of using Facebook tend to outweigh the perceived threats to privacy. They go on to say that the common solution, decreasing the visibility of information to friends only, tends to ignore the larger part of the iceberg that continues to collect information. Clearly, then, there is a need to expose the dangers of what may lie under the iceberg. Any product that is to confront this problem will have to be designed to emphasize the positive aspects of social networking in order to alert users of the potential threats to privacy. Danah Boyds (2008) Facebooks Privacy Trainwreck: Exposure, Invasion and Social Convergence makes an important point about the overall feeling of privacy in stating privacy is not simply about the state of an inanimate object or set of bytes; it is about the sense of vulnerability that an individual experiences when negotiating data. The negotiation of data is the central tenet around which API dialogs are based; the users vulnerability is at its highest at this point. There should be a significant amount of attention paid to making the user feel less vulnerable through transparency. Boyd also notes that young users are adjusting to a digital landscape where limited scope broadcast is expected, implying that the younger users of Facebook have at least

marginally become accustomed to the way privacy works on the site. With a product targeted at an older age group, there is still the question of to what extent are users comfortable with the existing privacy structure of the site. Audience: The users targeted by this product are between the ages of 35 and 55. This age group is rapidly turning into Facebooks core demographic, replacing the high school and college-aged users that originally made the site popular. According to a study by social gaming company PopCap, 66% of social gamers in the United States are between the ages of 30 and 604. Since the social part of social games is usually facilitated by the Facebook platform, the target audience is a perfect fit for a product that helps to manage that platform. In addition, most of those users were not part of the social networking phenomenon from its early days and, as such, may have different expectations of functionality and privacy than other users who are younger and more familiar with this type of site. Another audience for this product would include any and all users of Facebook platform applications. While not the focus of this research, users outside the aforementioned age range may find the information this product provides to be useful in making decisions about what platform applications to approve and which to deny. User profiles: This research used personas to best represent users that participated in contextual inquiries and interviews while respecting their anonymity. The first user participated in a semi-structured interview that focused on questions involving expectations on privacy online. She is in her early 40s and describes herself as very concerned about privacy. Her friends are spread out all over the country, and even the world. While she has experienced identity theft and other significant violations of privacy online in the past, her vigilance towards the issue has prevented many issues arising in the last several months. She has swept through her Facebook profile looking for any applications that may seem untrustworthy and removed them. She plays social games on occasion, usually to keep in contact and socialize with her geographically diverse network of friends. The second user participated in a contextual inquiry involving the use of Facebook platform applications. He is in his late 30s and teaches courses on games at a foreign university. To understand the subject, he recently became immersed in a large-scale social game. He began to devote significantly more time than was necessary to the game and eventually just put it behind [him]. Now, he uses Facebook to keep in contact with friends overseas as well as play the occasional game. He gave control over his Facebook to friends still playing the game he was involved in. He claims to not care much about privacy. The third user participated in a contextual inquiry, again involving the use of Facebook platform applications. He is in his mid 30s and married. He teaches at a

university. While his wife is an avid user of Facebook, he only browses. He has played social games in the past and still receives notifications from them, choosing not to remove the games API access to his Facebook profile. Many former co-workers are involved in Facebook, and he uses the site to keep in contact with them. His former students are also frequent Facebook users and he networks with them to help current students find jobs. He says privacy does not bother him. Results: Research was conducted in the first two weeks of October 2011. All interviews and contextual inquiries took place in the users offices. The goal of the contextual inquiries was to ascertain users responses to API dialog pages and gauge their understanding of what information each application would have the ability to access. Users were presented with a series of applications they had not seen and were asked to explain how they felt about each API permission, what information the application gave them outside of the API dialog, and how comfortable they were with approving the application. They then used the application to determine how their social information was being used. Applications used for these demonstrations were The Washington Posts Social Reader, Zyngas Words With Friends game, and two custom-developed applications (one game and one utility). The most important finding from my research was that even the users who claimed to not be interested in protecting their privacy on social networks had certain problems with privacy and control issues involved in the API dialogs. For example, all users studied were concerned by the Post to Facebook as me dialog. The cultural model revealed that this breakdown is coupled with the feeling that the application may be untrustworthy and have more access than the user clearly understands5. For example, one user said I generally assume that they have the ability to read just about anything.6 Some users wished this would be remedied by providing more information about what, exactly, the application would post. Others were generally concerned with the permissions vagueness. One said that in order to figure out what it might have access to, you sort of have to guess7. This could easily be solved through providing personalized data as examples, showing exactly what the application might post. For the users that have more than just a passing concern, it would make sense to offer a notification option, letting the user know when the application has posted as him or her. Zyngas Words With Friends game included a section of the API dialog for ratings from other users. Most users who viewed this said they felt more assured with this information, knowing other users have installed the app and enjoyed it8. Users struggled with the impersonal nature of the dialog. Instead of giving them information about what specific data from their own personal profile the application would have access to, they felt it only provided a generic and non-specific overview. This level of information was unsatisfactory for many users. A visual representation of

this data can be found in the consolidated artifact model9. As mentioned before, a personalized dialog could alleviate the concern. Many users found that they became less interested in an application after failing to find content to draw them in, or recounted times where this had happened in the past. In these cases, the user usually left the application installed, without worrying about its continued access to personal profile information. Notice in the consolidated sequence model, a user will stop using app, but only in rare circumstances uninstall it from their profile10. If the user could somehow know beforehand if the application would provide a high level of interest or if it would just be worth one quick glance, this problem could be solved before it starts. From the research, the artifact model shows that other users ratings frequently provide a sense of assurance to the user (cite artifact model) and, from the cultural model, that the amount of users often lends the application an air of credibility11.Therefore, letting other users populate a simple at-aglance rating system could lend it both credibility and usefulness. Design plan: My proposed solution to the aforementioned design issues is implemented as a browser plugin that a user could install on their browser of choice. It is appropriate for the entire range of users, from those who describe themselves as privacy-focused to those who do not. To accomplish this goal, the application will only provide information. It will not seek to alter already established Facebook behavior patterns except when necessary to provide that information. For example, instead of dramatically changing the application approval page, it will only modify it. Instead of changing how users come across applications, it will just seek to supplement the information that comes with applications in the News Feed. The flow will function as follows: User will see application status as posted by a friend On mouse-over, the application status will show crowd-sourced rankings for the level of interest and level of negative surprise experienced by other users. A user can decide to then click on the application, bringing them to the API approval dialog. Each data permission requested by the application is supplemented with examples of that data field The user can then choose to set a text-message alert if the application posts to their News Feed After using the application for a significant amount of time, the user will rate the application, adding to the crowd-sourced rankings

This flow will also be entered into from the application request page as well as the News Feed.

This system provides a way to keep users informed about the activity of the application without significantly changing their expectations of how to approve applications. It will only supplement the existing procedure, fixing the gaping privacy and control holes through personalized and relevant information. It will grant users the ability to more effectively control their own information online in a way that suits their previous modalities of use. Evaluation plan: A successful implementation necessitates that the user understand the information being presented to him or her and be able to act on it in order to make a decision on whether or not to allow a Facebook platform application to be installed. Additionally, the user must understand any rating system used in order to ensure that the crowd-sourced rankings displayed next to the application are appropriately reflective of the chosen metrics, as opposed to reflective of what each individual user believes the metrics to represent. This means ensuring a cohesive user experience from person to person. The user should be able to access the newly added information on their first use of the application. He or she should not have to search for the information somewhere on the page, nor should he or she simply glance over the information without attempting to read it. This means carefully balancing the goal of blending with the preexisting Facebook experience and providing the information to users.

Methodology: The evaluation methods chosen for this research involved a competitive analysis, three expert reviews (heuristic evaluations), and three think-alouds. A competitive analysis helps explain the various other products competing in the same space and helps to orient this product above and beyond what is already being provided. The expert reviews were undertaken as a quick way to evaluate a prototype before exposing it to users, allowing quick corrections that dont involve taking up a users time. This way, potential issues could be identified before user testing. The thinkalouds gave the best feedback, allowing me to tailor the system to my user base of 35 to 55 year-olds. The competitive analysis12 found that most services to protect Facebook privacy do not have the same granularity in information as KnoBook aims for. They also do not provide the same contextual information in-line with application approval dialogs. The first heuristic evaluation took place before the first think-aloud. I attempted to correct issues in the prototype before the think-aloud occurred. After the first thinkaloud, I created a new iteration of my prototype. I then conducted another two expert reviews on this new prototype, as it involved significant changes. This resulted in yet another iteration before my next think-aloud. This think aloud required only minor

changes to the prototype, and as such, a large iteration was not needed before the next think aloud. As such, I conducted the third and final think-aloud with a prototype that was essentially the same as the second think-aloud. Research was conducted between November 15th and November 25th, 2011. Think-alouds took place in familiar environments for the participants. The first took place in the users office, the following two in the users homes. Users interactions with the prototype were recorded through screen-recording software (QuickTime X) on a single laptop used for testing purposes (a MacBook Pro). Any inexperience using software outside of the prototype (for example, Windows users on a Mac struggling with scrolling) was corrected to the best of the researchers abilities without giving cues on the use of the prototype itself. User profiles: All expert reviewers are also members of the User-Centered Research and Evaluation class in Fall, 2011. All have significant experience using Facebook and experience using Facebook Platform applications. The first user of the prototype was the same as the first user from the original evaluations. Because this user participated in the first pre-prototype user evaluation (a semi-structured interview, used primarily as an information-gathering tool before starting contextual interviews), she did not have any significant expectations from the project outside of a very high-level overview to taint her perceptions of what the thinkaloud task was going to be. The second user of the prototype is in her early-50s. She uses Facebook to keep in touch with her children, co-workers and friends, as well as play social games very regularly. She has a separate Facebook account dedicated to a social game with several thousand friends. She is concerned about privacy and access and takes recommendations from other users on what applications to install. The third user of the prototype is in her mid-50s. She is a new user to Facebook, and doesnt use platform applications often. She is very concerned about privacy, but her understanding of the site is fairly limited. She has learned quickly how to use the site, however, and now interacts with friends and family on a regular basis. Visual cues are helpful to her in understanding how to interact with the site. She tends towards caution whenever interacting with third-party applications and other potential privacy risks. Prototype: The goals of the prototype were as follows: Extract relevant information from the users social media presence Display that information contextually when a third-party application asks for it Provide the information to the user in a way that makes it actionable Do not interfere with a users ability to work with the existing Facebook interface

To test the system and gather data without altering users Facebook profiles, I

constructed a prototype that essentially worked as a sandboxed Facebook environment. The prototype consisted of four main pages. These pages included: News Feed13 API approval dialog14 Application information page15 Application requests page16

These pages were downloaded with appropriate resources (stylesheets and images) from the Facebook website. They were linked together at appropriate points and then changed from static HTML files to dynamic PHP files to allow user-specific data to be displayed. The prototype was then constructed on top of these pages using HTML, CSS, JavaScript and PHP. The final version of the product will use a browser plugin to accomplish these goals on every Facebook page instead of just the ones downloaded to create the sandboxed test environment. On each page, the following modifications were made: News Feed: o Crowd-sourced application ratings on mouse-over of application name API approval dialog o Contextual information filled in from the users profile for each permission. In the case of the may post to my profile as me permission, filled in from the applications previous activity. o Option to use text-message alerts for unexpected use of the profile Application information page o Option to rate application based on both surprise and interest Application requests page o Crowd-sourced application ratings on mouse-over of application area o Modal dialog to present crowd-sourced application ratings

Results: The user was unaware that More information dialog boxes were new additions to the API dialog that would help them make decisions about using the application, and largely ignored them17. This was corrected in later iterations of the prototype by both making the text areas larger and automatically expanding the first drop-down18. The user was often confused about the language used to describe the crowdsourced ratings system19. This would result in potentially unusable ratings, especially as the first user to experience the ratings set them to neutral, not knowing what they meant. This was corrected in later iterations of the prototype by adding descriptive

text20. The user originally bypassed the crowd-sourced ratings on the application requests page as they quickly clicked the Approve button without hovering over the application description21. This would result in the user not being exposed to that crowdsourced information when approving an application in this manner. This was corrected in later iterations of the prototype by creating a modal dialog to grab the users attention when exiting this page and entering the API approval dialog The user did not find much use for the text-message alerts or was confused about their purpose. Most users said that they did not want to receive text message alerts from the system22. When provided with data from their profiles in context with the application approval permissions, the user was surprised and shocked at the extent of information that was given to the application23. This indicates that the information being provided was unique and not known to the user before viewing the prototype. When provided with crowd-sourced reviews in context with the application, the user was less likely to approve an application with poor ratings24. This indicates that the user may be able to be steered away from potentially dangerous applications before even reaching the API approval page, a major success for the prototype. Observations & Recommendations: The project succeeds on its original goals as described on page (X). Specifically, it displays relevant information from a users social media profile when a third party requests it, presents it in a way that encourages users to make use of it and integrates itself into the Facebook experience enough to not significantly interrupt the users existing knowledge of application approval. After several iterations, it is clear that the prototype shows demonstrable improvements over the existing Facebook API approval process. These areas are, in order of severity: First: The users desire to know what an application may post to their profile is addressed. Users no longer have to be in the dark as to what information appears to be coming from them and actually originates from the application itself. Second: The crowd-sourced data improves on the success of the original Facebook API dialogs ratings area25 and makes it accessible outside of the approval page. Instead, it now shows up to the casual browsers, as noted in the affinity

diagram26, before they even view the API approval dialog. Third: It makes rating an application an easily-understood and painless process, requiring only a small effort by the user and promising large benefits when significant numbers of users adopt the project. The text-message alert feature of the application should be removed. Most users either struggled interacting with it27 or simply found no need for it28. Users already receive enough notifications from Facebook applications, and users of this project would likely install it in order to free themselves from these notifications. The most singularly difficult part of creating this prototype was in finding a sweet spot between a too-radical reinvention of the Facebook experience that would negatively affect users previous experience and expectations with the system and creating a system that grabs the users attention enough to interrupt their previous flow of simply clicking approve when the API dialog arises. It is imperative that any system that seeks to make changes to the Facebook user-interface do so in a way that both is powerful enough for users to break their habits on a site they use every day to make use of the system and passive enough that it takes few skills beyond existing familiarity with the social networking site to use the system. In the end, KnoBook was able to accomplish even this difficult task. Users appreciated the flexibility and control the system offered. While it is far from finished, the research here shows promise for developing a better system for users that have been slighted for far too long by a system that is not attuned to their needs.

26 Appendix: 10 27 Appendix: 34 28 Appendix: 42


Clarke, S. (2004). Measuring api usability. Dr. Dobb's Journal Special Windows/.NET Supplement, S6-S9. Debatin, B., Lovejoy, J. P., Horn, A.-K. and Hughes, B. N. (2009), Facebook and Online Privacy: Attitudes, Behaviors, and Unintended Consequences. Journal of Computer-Mediated Communication, 15: 83108. doi: 10.1111/j.10836101.2009.01494.x Boyd, D. (2008). Facebooks Privacy Trainwreck: Exposure, Invasion, and Social Convergence. Convergence: The International Journal of Research into New Media Technologies, 14(1), 13-20. UNIVERSITY OF LUTON. Retrieved from Felt, A., & Evans, D. (2007). University of Virginia computer science department. Retrieved from PopCap Games (2010). 2010 social gaming research. PopCap Games Information Solutions Group, Retrieved from esults.pdf Social Networkings New Global Footprint (n.d.). NielsenWire. Retrieved October 23, 2011, from Nielsen website:




The artifact model was the most important of my models used, as it directly reflected the problematic interface.


The sequence model showed the various triggers that may induce users to stop using an app. It also shows that few users will uninstall a malicious or uninteresting app. Activity Load social application Intent Contact old friends Abstract Steps Trigger: Link or recommendation

Read socially-tuned Load API dialog news Approve API dialog Use application Look over permissions Approve and move on Try to understand them Avoid oversharing Look at reviews Avoid privacy issues Use application Play game Look to see if anyone is sharing Read news Read privacy policy Interact with content Trigger: No one sharing Find socially-relevant Look for relevant content content Stop using app Trigger: Confusing language Try to understand language Stop using app


The cultural model provided important insights on how users perceived themselves and others on social networks.


The flow model provided a way to understand the connections between each role in the Facebook API system, both tangible (sharing data) and intangible (assumptions about how that data is shared).


As most, if not all, of my research was location-independent, the physical model was not expressly useful. All interaction I studied took place around a desk, interacting with dialogs on a computer.


Affinity Diagram


Facebook Culture o Facebook is often about spontaneity from my perspective I am sometimes friends with people I dont know Facebook has a culture of browsing; I use it for that o I expect to gain something from my friends, but I dont expect that exclusively There are benefits to being social, and I expect my friends to pass those benefits to me Other people use the site very differently than how I do, and that is okay I look for social content on social apps o Games require a commitment, and their draw is understandable Games take a lot of time. They are often strikingly time consuming Social games can be a very compelling activity Problems with Facebook o Facebooks recent strategies sometimes give me pause Automatic passive sharing gives me pause, I dont know if thats okay. I try to avoid Facebook authentication when possible Facebook frequently changes their layout and privacy settings Im suspicious that social games will not give me the experience I want o You have to go out of your way to be private on Facebook I am concerned about privacy on Facebook. I have been proactive about it. Privacy on Facebook can be annoying to deal with Lack of concern o I use the site and see what happens I dont care much about Facebook privacy. I just use the site and get what I get I just ignore Facebook platform applications and alerts. Theyre easy to ignore. o I dont worry about using apps based on certain criteria Facebook can access certain things without bothering me I get cues on whether or not an app is dangerous based on friends and other Facebook users Concern about third-party apps o Facebook apps confuse me Facebook and Facebook applications may be able to do a lot more than I know 10


I generally dont understand what this app is doing Based on the API dialog, Im confused about what this app might do The in-application language is unclear; Im not sure what this application might do if I click on this o I want to be proactive about app activity I want an example of what it might post before it posts it If an applications activity crosses the line of annoyance or privacy, I want to be able to disable it I dont know what this app is doing, but theres something I can check or something I can do. o There are certain problems inherent in the application ecosystem There are parts of Facebooks functionality that really bother me Third-party application developers have selfish motives. They want you to use their app more or use other apps from their company



Competitive Analysis





Screen Shots



Contextual Application Ratings

Iteration One

Iteration Two

Iteration Three



Application Permissions Screen

Iteration One

Iteration Two



Text Notification Alert

Iteration One

Iteration Two



Application Requests
Iteration One

Iteration Two

Iteration Three



App Ratings Page

Iteration One

Iteration Two

Iteration Three



Usability Aspect Reports



Think-aloud criteria
1. User confused as to what a feature does 2. User unsure of what to do next 3. Feature does not function in the way a user expects it to (users expectations differ from reality) 4. User does not make use of a feature 5. User accomplishes the task, but in a suboptimal way 6. User expresses negative surprise 7. User makes a design suggestion

8. User accomplishes task in optimal way 9. User makes use of information provided by the system 10. Previous analysis has predicted a usability problem, but user has no difficulty with that aspect of the system



ID: Ksl-HE-04 Name: Not clear in what format phone number should be entered Evidence:

Problem or Good Aspect Problem

No way to understand the phone number format before entering it. Explanation: This form entry field lacks an explanation of what format to enter the phone number in. Instead, it just returns an error when its not correct, prompting the first-time user to make wild guesses. This could be extremely frustrating, and encourages error, violating Heuristic 5 (error prevention) Rating: 2 - Minor Justification (Frequency, Impact, Persistence): This is more of a frustration than a deal-breaking error. If the user types in the phone number in the correct format the first time though, the issue will not show up. If he or she doesnt, the impact is just typing in the number a few more times. However, this lack of any explanation will happen on every visit to the page. Possible solution and/or Trade-offs: There should be some sort of textual explanation on this page of how to enter the phone number, or pre-populate the text-box with example text. Relationships:



ID: Ech-TA-01 Name: User clicks link with no additional context Evidence:

Problem or Good Aspect Problem

When going through the prototype, the user clicked the second link on the application, which lacked crowd-sourced ratings. User did not realize there was other data that was being provided on the first link [02:32] Explanation: 4: User does not make use of a feature 5: User accomplishes the task in a suboptimal way The prototype is supposed to give the user additional information before clicking a link to add an application. This contextual information should appear along with the link to the app. Here, it was missing, but present on the first Spotify link. The first-time user will miss out on the information the prototype should provide by clicking the second link. Rating: 3 - Major Justification (Frequency, Impact, Persistence): This appears only when the user clicks the second link. However, this user was more drawn to that link than others on the page. The impact is fairly high, as the user will miss out on a large degree of the functionality of the program. This happens every time the user clicks on the second link. Possible solution and/or Trade-offs: The possible solution here is to add the same contextual information that appears on the first link to the second. This may make the prototype slightly busier, design-wise, but the information is relevant and only one links contextual information is displayed at once. Relationships: Cas-HE-01: Deals with the visibility of this data.



ID: Ech-TA-02 Name: User does not respond to prompts for more information Evidence: When going through the prototype, the user clicked the approve button without examining any More information areas. When asked, the user responded that this was because they blended in with the Facebook experience. User: [while moving mouse around dialog] I usually just glance through this [03:30] Problem or Good Aspect Problem

Explanation: 4: User does not make use of a feature 5: User accomplishes task in a suboptimal way The prototype is supposed to give examples of what each permission will have access to once the application is approved. It does this through the use of expanding More information boxes that show the information when clicked. This user breezed through the boxes, without clicking on them. The average user is likely to do the same thing, negating the benefit of the prototype. Rating: 3 - Major Justification (Frequency, Impact, Persistence): This issue only appears when the user breezes through the permissions screen. However, since these screens usually provide very little tangible data, users are accustomed to going through them and paying them little mind. The issue will persist for any users with a similar mindset. This largely negates the benefits of the prototype, so the impact is fairly severe. Possible solution and/or Trade-offs: The possible solution here is to highlight the more information links in some way. This may make it less blended into the Facebook experience, but a slightly jarring font or color could cause the user to pay more attention. Relationships: Ech-TA-11: Solution to this problem Appendix 24

ID: Problem or Good Aspect Problem Ech-TA-03 Name: Text alert notification doesnt catch the users attention enough Evidence:

This box could be a different color than the Facebook header to command more attention. User said that, while she was able to read it, it did not catch her attention as much as it could have. User: I think this would catch my attention more if it werent in the same color as the header bar for the page on Facebook. [05:21] Explanation: 7. User makes a design suggestion The prototype should keep the user informed about what state the system is in and what actions it will take in relation to the user. The average user may not realize that this is part of the prototype, and not Facebook itself. It may also pass by the user entirely.

Rating: 2 - Minor Justification (Frequency, Impact, Persistence): This issue will only arise for users who arent looking for it. It may affect their perception of the system (if they dont realize it will send them a text, they may think that the system that prevents them from being irritated by Facebook apps is actually irritating them more). This will happen every time a user turns on text alerts. Possible solution and/or Trade-offs: The possible solution here is to change the color to make it more apparent. This will make it look a bit less integrated into Facebook, but will draw the users attention. Relationships: BH-HE-06: Deals with this same pane of information Appendix 25

ID: Problem or Good Aspect Problem Ech-TA-04 Name: No information provided to user about meanings of numerical ratings Evidence:

User said that she didnt know if 1 was good or 5 was good, so she selected 3. User: I wonder if one is good or if five is good. [06:14] Explanation: 1. User confused as to what a feature does 2. Feature does not function in the way a user expects it to 5. User accomplishes the task, but in a suboptimal way The prototype should encourage the submission of valid, useful information. If the user doesnt understand how the ratings work, the ratings are rendered meaningless. No user will understand how the ratings system works without a better indication of what said ratings mean. Rating: 3 - Major Justification (Frequency, Impact, Persistence): This issue will arise for all beginning users. It renders the social rating system of the prototype entirely useless, which is a very significant impact. Every time this page is loaded, this issue will come up.

Possible solution and/or Trade-offs: The possible solution here is to add some sort of verbal cue as to what 1 means and what 5 means, giving it a scale. Relationships: Ech-TA-10: Another users reaction to an iterated version of this dialog.



ID: Problem or Good Aspect Problem Ech-TA-05 Name: User goes to approval screen from App Requests page without looking at social ratings Evidence:

User did not view contextual ratings on the application (which appear on mouse-over) before clicking the Accept button. [07:43] Explanation: 4. User does not make use of a feature 5. User accomplishes task, but in a suboptimal way The contextual information that appears on mouse-over is supposed to give the user an idea of both interest and potential surprises from the application before they even get to the approval screen. The user bypassed that entirely by clicking on the Accept button. There are no cues in the prototype for any user to realize that there is mouse-over-able information to be read. Rating: 3 - Major Justification (Frequency, Impact, Persistence): This issue will arise for all beginning users. It skips out on a very valuable part of the application that is supposed to help inform users about the impact of their actions within social networks. The user will not have the information the system is supposed to provide before clicking Accept, so the impact is fairy severe. This will happen every time the user does not mouse over the correct area. Possible solution and/or Trade-offs: There are two possible solutions here: either add cues that suggest mouse-over information is available or make the user pause to read the information before the Accept button lets them continue. This could be accomplished through a modal dialog with Continue and Back buttons that appear after clicking Accept. Relationships: Ech-TA-01: Click through to the approves screen on another page without looking at rating information.



ID: Cas-HE-04 Name: Surprise text requires hovering over thin text label Evidence:

Problem or Good Aspect Problem

Spotify is the only text that supports hover Explanation: The hover target for getting this information is too small. The user can easily go off of it, providing an issue for usability. Any user may struggle with this.

Rating: 3 - Major Justification (Frequency, Impact, Persistence): This will happen to any user that doesnt exactly hover over a small area. It affects the basic information that is to be presented within this system, so it is fairly impactful. The hover area is set by code, so it persists across users.

Possible solution and/or Trade-offs: The hover area needs to be expanded. This could lead to unintentional hovers, however the act of hovering down does not hurt the existing usability of the system. Therefore, the tradeoff is minimal Relationships: Ech-TA-01: Also deals with visibility of same information.



ID: Problem or Good Aspect Problem Cas-HE-05 Name: No idea what Works without surprises and Level of interest means before going to App page Evidence:

These labels are essentially meaningless to the user Explanation: The words chosen to explain the concepts of unexpected app activity and interest in services provided by the app do not adequately explain the underlying ideas behind them. The information they provide to the user is fairly ambiguous. This violates heuristic 10, the availability of help and documentation. Rating: 3 - Major Justification (Frequency, Impact, Persistence): This will occur with any user who doesnt have an explanation of each concept beforehand. It is very impactful, as it makes data rendered by the system meaningless. This will persist across users and uses.

Possible solution and/or Trade-offs: The language could be changed to This app has surprised me negatively and This app interests me to more accurately reflect the users perspective. This would require more space for the text area. Relationships: Cas-HE-04: Deals with interaction with this information. Ech-TA-01: Deals with visibility of this information. Ech-TA-11: Fine details on this text. Related to the meaning of This app.



ID: Cas-HE-08 Name: No way to change rating Evidence:

Problem or Good Aspect Problem

Once an app is rated, it cannot be changed. Explanation: When a user has added a certain app rating, that rating cannot be changed. If the app changes the way it operates, this may be an issue. It is a violation of heuristic 3, which suggests that users should be able to control the system. The average user will likely only vote once, but experienced users may want to change their mind later on. Also, app developers may introduce changes that will change a users rating. Rating: 2 - Minor Justification (Frequency, Impact, Persistence): This will only happen when a user wants to make a change after the fact. This is a fairly minor condition. It could negatively affect the systems ability to keep track of the data its supposed to monitor in the long term, after many changes to the app. It will persist across uses until this is corrected. Possible solution and/or Trade-offs: The data could be modified in the database. This will not result in any significant trade-offs in the long term and could help usability. Relationships: Appendix


ID: Ech-TA-06 Name: Hard to tell if information box is extended or retracted Evidence:

Problem or Good Aspect Problem

User clicked on box and was surprised it retracted. Thought information had yet to be shown. User: Oh, so that was already open [06:20] Explanation: 3. Feature does not function the way the user expects it to The average user visiting this page will not immediately understand that the information in the first box is already being shown. Its hard to understand the system state without any explicit information as to what it is. Rating: 2 - Minor Justification (Frequency, Impact, Persistence): This issue will occur on the permission dialog on every load. The impact is fairly minimal, as the already-extended information fulfilled its purpose to the user of providing information. It will only persist across users who have yet to interact with this page. Possible solution and/or Trade-offs: Instead of More information, extended information boxes could display Less information Relationships: Ech-TA-02: This was my solution to the issue of passing over the information boxes.



ID: Ech-TA-07 Name: User wants option to turn on and off sharing Evidence:

Problem or Good Aspect Problem

User says that an option to turn off posting to Facebook as me would be appreciated. User: I would want that to give me an option. Because I dont necessarily want everyone to know everything I do. [06:40] Explanation: 7. User makes a design suggestion Users want not just to be informed, but to have granularity in sharing settings as well. Most users in the preliminary research wanted to know what an application would do if approved; now that they have this information, users want more control over the application itself. Rating: 3 - Major Justification (Frequency, Impact, Persistence): The logical next step in having information about the way an app works is wanting to turn the negative parts off. Most users will realize this and want this option, eventually. It goes above and beyond what my system is currently capable of, and would do lots of good in achieving my goal of privacy protection, so the impact is fairly large. However, not all users have immediately brought this up in think-alouds. Possible solution and/or Trade-offs: Add a checkbox to each permission indicating whether or not it will be approved. This will involve very large trade-offs, as some applications simply will not work if they dont have access to the permissions they request. Dummy data could be given to the app, but that may make apps significantly less useful. Relationships:



ID: Ech-TA-08 Name:

Problem or Good Aspect Good aspect

User was informed of scope of information access from prototype Evidence:

User read information presented in this section, said: Thats kind of scary! [07:09] Explanation: 9. User makes use of information provided by the system The goal of this project was to more accurately inform users what applications have access to. Here, the approach is clearly working, as the user clearly did not understand the scope of that permission until it was presented here. The user is then more informed about the exact data that is being shared. Rating: 3 - Major Justification (Frequency, Impact, Persistence): The user that is concerned about his or her privacy will click this More information field and said information will be delivered. Clearly, the user is taken aback by this information and is now more informed about data he or she is sharing online, representing a major accomplishment of the prototype. The information will always be presented in this way. Possible solution and/or Trade-offs: The problem has been solved. The trade off here is that people may be more concerned about the application and not install it. Relationships: Ksl-HE-02: This was the heuristic that dealt with the availability of this information. It noted that it was there, where this UAR indicates that users are being influenced by it.



ID: Ech-TA-09 Name: Validation errors in phone number are hard to read Evidence: Problem or Good Aspect Problem

User was presented with this and stared at screen. The page did not let the user advance because of the error, but the user did not see the Enter a correct-length phone number warning below the box. User assumed it was frozen. User: I would be looking to see if my bar was moving, if my computer was frozen. [10:25] Explanation: 2. User unsure of what to do next 6. User expresses negative surprise The average user will not realize that an error dialog box has been created under the text entry. In this case, this was a huge breakdown, as the user assumed the page was loading the next step when, in reality, it was displaying an unseen error. Rating: 2 - Minor Justification (Frequency, Impact, Persistence): This issue will only occur when a user has text-message alerts on and mis-types a phone number, not reading the guidelines above the dialog box. It will temporarily stop the user from advancing and may cause the user to not install the application. It will occur every time a phone number is mis-typed. Possible solution and/or Trade-offs: The solution is to make the error more noticeable, possibly via increasing text size. The trade off is that slightly more space may be taken up, and it might not look as elegant as with a smaller dialog. Relationships: Ksl-HE-04: This heuristic evaluation shows that the phone number format was originally unclear.



ID: Ech-TA-10 Name: User understands the rating scale for applications Evidence:

Problem or Good Aspect Good aspect

User looked at scale and described the start and end point and what the rating meant without additional explanation. User: Its pretty clear I guess I do know what that means. [17:26] Explanation: 10. Previous analysis has suggested a usability problem, but the user has no difficulty This was one of the issues with the earlier prototypes, and it appears to be fixed. The average user now understands what the ratings mean and can appropriately rate an application between one and five. The system serves its purpose. Rating: 3 - Major Justification (Frequency, Impact, Persistence): The meaning of the ratings should be apparent for most users. It lets the user make an informed judgment of an application and its suitability for installation, meeting one of the projects goals. These ratings will show up on every page load. Possible solution and/or Trade-offs: The only trade-off here is that the dialog is slightly bigger and less sleek. However, it is now more usable, and usability trumps aesthetic appeal in this case. Relationships: Ech-TA-04: In another think-aloud, the user clearly did not understand this dialog. Appendix


ID: Ech-TA-11 Name: User interacted with the page without additional explanation Evidence:

Problem or Good Aspect Good aspect

Interviewer: Just interact with this page as you normally would User: Okay. [interacts with page, appropriately clicking on More information buttons and clicking approve when finished] [05:35] Explanation: 8. User accomplishes the task in an optimal way The user interface here is similar enough to the existing Facebook UI that, for users familiar with the Facebook dialog, no additional information was necessary to explain actions the user will need to take. This makes it vastly easier to learn than a system that tries to reinvent the UI, and will appease long-time users of Facebook apps and not place any additional barriers to entry on new users. Rating: 3 - Major Justification (Frequency, Impact, Persistence): This should make the system much easier to use for long-term Facebook users, as well as not introduce any new UI problems for new users. It takes the best of the existing system and makes it better. Making this project fit seamlessly into the existing interface will allow easier learning for existing users, heightening the impact of the project. This interface will appear identical on every load, leading to a consistently similar experience. Possible solution and/or Trade-offs: The only trade off in this case is that, by adopting a similar interface to the original Facebook one, it might not allow the project freedom to display additional information that doesnt fit into this dialog. However, this is worth it, as it makes the system vastly more accessible. Relationships: Ech-TA-02: User struggled to do this. Iterations have significantly improved.



ID: Problem or Good Aspect Good aspect BH-HE-06 Name: Permission request page tells me it will access my basic information, and I am told what that information is Evidence:

Describes directly what the information is. Explanation: This is one of the goals of my prototype: to illustrate what data the application has access to. The evaluator understood the benefit of this on the first time through the system, hopefully indicating that the user will as well. This addresses heuristic 1, visibility. Rating: 3 - Major Justification (Frequency, Impact, Persistence): The lack of information is likely to bother most users, as determined from my research in the first part of this project. Even those who say they dont care about privacy want this information. The impact is likely to lead to breaches of privacy, something that Facebook has already received criticism for. This is persistent across users and uses. Possible solution and/or Trade-offs: This problem is essentially solved. The trade-off is that more information may lead to users being more concerned about their privacy and not allowing all apps. Relationships: Ech-TA-02: Deals with presentation of this information. Appendix


ID: BH-HE-06 Name: No feedback telling me the app has been successfully added Evidence:

Problem or Good Aspect Problem

No information here after approving an app without text messaging. Explanation: This violates the first heuristic, visibility of system status. There should be a way to let the user know that he or she has approved an application after they return to the main screen.

Rating: 2 - Minor Justification (Frequency, Impact, Persistence): This will only happen when the user does not sign up for text message alerts. The prototype isnt designed to actually let a user accept or reject a real app (only provide information), so the impact here is fairly minimal. It will always occur if the user doesnt sign up for alerts. Possible solution and/or Trade-offs: Fixing this involves simply adding a small amount of text on the top of the page to let the user know the app has been added. There are minimal trade-offs. Relationships: Ech-TA-03: Other issues with this dialog (color)



ID: Problem or Good Aspect Problem Ech-TA-12 Name: User struggled to understand what the ratings under the app applied to Evidence:

User wasnt sure the ratings were applied to the songs being displayed, the application itself, or the application providing the overlay. [05:34] Explanation: 1. User confused as to what a feature does 2. User does not make user of a feature 5. User accomplishes the task, but in a suboptimal way These ratings should be fairly clear, as they are designed to show the user what the benefits and drawbacks are to installing the application. In this case, they could be significantly clearer. The average user may not understand exactly what is being said by this information. Rating: 2 - Minor Justification (Frequency, Impact, Persistence): This is the only user that struggled with the issue, and the user understood the ratings later in the think-aloud when they were presented differently. It makes part of the prototype useless (the part that gives information quickly to casual browsers), but does not affect the rest of the prototype. It will look this way every time the page is loaded. Possible solution and/or Trade-offs: The possible solution here is to replace this app with the name of the app, to make it clear that its the application itself that is being rated. Relationships: Cas-HE-05: More broad issues with this text. Appendix


ID: Ech-TA-13 Name: User acted on data provided by user-ratings Evidence:

Problem or Good Aspect Good aspect

User was presented above dialog, recognized the app was rated with moderate surprise and moderately low interest and ultimately decided to not approve the application. Its interesting that this one has a high negative rating and a lower rating on the interest scale than the last one [12:15] Explanation: 9. User makes use of information provided by system 10. Previous analysis has predicted a usability problem, but the user has no difficulty This shows that the ratings can provide users inexperienced with API-based applications information to quickly make an informed decision about using the applications. The information may have to be presented in a very obtrusive way (in this case a modal dialog) in order to draw the attention of the user and correct for missing the information in other think-alouds. However, the user will ultimately find it useful and important. Rating: 3 - Major Justification (Frequency, Impact, Persistence): This information will be provided to all users, and most will find it helpful. It lets the users make informed choices about the applications they approve, using ratings as assurances or deterrents. This was one of the main goals of the prototype, so the impact is fairly high. This dialog will appear for all users on the App Requests page. Possible solution and/or Trade-offs: The problem has been solved. The trade-off is that it requires a large number of users to rate an application. Relationships: Ech-TA-05: Earlier problem where user did not view this text.



ID: Problem or Good Aspect Good aspect Ech-TA-14 Name: User was provided with information contextually, saw it, and read it Evidence:

The user stopped to process this information. While said user struggled with exactly what it applied to, the user said: I like user feedback. I do that when Im out shopping. [06:50] Explanation: 9. User makes use of information provided by the system The user clearly made the connection between this contextual information and other systems that provide similar information (in this case, shopping). This indicates a match between expectations and reality, as the way the information is presented here converges with other presentations of similar data. Rating: 3 - Major Justification (Frequency, Impact, Persistence): This information will be exceptionally useful to casual browsers, as they will see the information whenever they mouse-over a link. It helps a user make an informed decision about installing an app, meeting one of the goals of the prototype. This will persist every time the user holds their mouse over an application link. Possible solution and/or Trade-offs: The problem has been solved. The trade-off is that most users are not familiar with this sort of drop-down, and may be confused about what the information applies to. Relationships: Ech-TA-12: User does not understand what the text presented here applies to.



ID: Ech-TA-15 Name: Text messages not wanted by the user

Problem or Good Aspect Problem

Evidence: User: I know that I would not want anything to send me text messages I get annoyed when Verizon, whos my carrier, sends me text messages [14:52] Explanation: 4: User does not make use of a feature The user clearly has no interest in receiving text message alerts from the application, regardless of their utility. Text messages greatly distract users, and are generally thought of as annoying. Even when it is explained that the text messages are there to prevent surprise posts and protect privacy, the user is still not interested. Rating: 3 - Major Justification (Frequency, Impact, Persistence): This user skipped the text-message alert field unless asked to fill it out on every task involving the field. This means that the text message system either needs to be explained better, or needs to be removed. Even after explaining it to the user, this user did not want to use it. The impact, then, is that the user has an extraneous feature that is entirely not useful and will make the UI unnecessarily busy. In all think-alouds, users skipped the text message alert field, opting out of it. Possible solution and/or Trade-offs: The solution is that the text-message alert field should be removed. In this case, the trade off is that the user does not have any way of knowing when not on a computer if the application has posted to the News Feed or messaged a friend without the users knowledge. This could be done more passively through a standard Facebook notification. Relationships: Ech-TA-09: Deals with validation issues on this form.



Interview Transcripts
Design Idea Breakdown Question



Im Esten Hurtle, Im doing this interview as part of a project doing research into social media privacy and ways to better manage that online. S: Great I: And um, Im going to keep all the transcripts as anonymous as possible, the professor is going to be seeing the video, but theyll be as anonymous as possible. S: Okay. I: And, feel free to answer as freely as you can. If you have any questions about any questions that I have, feel free to bring it up and well work through it. S: Okay. I: So, my first question is, what Facebook games applications or integrated social websites have you used? S: [laughs] Its funny cause I was thinking I should probably go figure out what Ive used so that I can tell you, so that I can actually help



I: Sure. Its a little bit transparent, I know that there are a lot of websites that use it, so... S: So... uhh. Im just trying to think. What was your question, what Facebook games? I: Any kind of games, any kind of, ah, platform... any kind of Facebook platform thing. Uh, so anything that uses their API basically. S: So, Ive used a lot, Ive just recently went through and dumped a lot of stuff. Um. But, um, used Im just looking at whats still in my apps, uh, for facebook. Branch Out, Friend Map stuff, um. I got rid of all the games. Um. So, I do use, and I dont think that its on Facebook cause I do it on my iPad, I use Words With Friends, which I know is on Facebook, but I dont do it on Facebook. Like, I tried to clean out all of my stuff. I went through and had all of this... Any game, well, not any... a lot of game stuff I wasnt interested in, but some stuff I would add just to connect with friends and then realized I probably dont want to be accepting all of this so I went through and cleaned out a bunch of stuff, mostly due to privacy concerns. I: Alright, well, uh, have any of those applications, have they ever posted anything on to your Facebook that you didnt expect?



S: Yes. Which is probably why I got rid of some in the first place. Um. A lot of um... like, 3rd party type stuff like apps that would come in and say, you know This is safe, blah, blah and then something would show up. I cant... I dont.. Im not sure if I can give you a real good example, I just know that something happened that caused me pause, and then I went through and just got rid of a lot of stuff that I had had on... on Facebook. I: Sure. So, just to clarify, your reaction was to kind of pair it down and... S: Yeah. I: Okay. Now, have you ever been surprised by what its read from your Facebook? Like, have you ever logged into a game or website and just seen data where you think I didnt know it could read that? S: Um. No, I generally assume that... that like... I generally assume that they have the ability to read just about anything. So it concerns me, again, [laughter], um... to... what I let it have access, so. I: Okay. Um. Now, youve used these apps before so Im gonna ask, what do you think is necessary for like a minimal level of social integration? What should an app have if its going to be social that is at a minimal level of interfering with your privacy?



S: Um... Well, so, like, I use, as an example, I use Words With Friends, and I dont use it on Facebook but I use it on my iPad, just because that generally, generally I have that with me and it seems like one of those easy things. I dont feel like its... and it connects me through Facebook to the friends that I have, so. I feel like that that connection, like that level of... it pulls your friends list doesnt seem too intrusive to me. Um. And it gives you the option to send a request and people can either opt in or not. But I havent... I havent felt like that has been intrusive. So. I: Okay. So, you think, just to clarify on that, a minimal level of social integration would be just pulling your friends and knowing who your friends are? S: Right. I: And, what would be the opposite of that? At what point does it cross the line? S: Uhh. Posting like... and Facebook in particular, posting stuff without my knowledge, reading personal like... stuff thats not public on my profile, that stuff kind of concerns me. Because I know theres stuff thats in there that I made private that I worry about other people being able to access. I: So, posting without your knowledge and reading private information? S: Right.



I: Okay. And, do you think any social integration is necessary on the web for the new webapps that are coming out lately? S: Do I think any social integration? Depends on the type... It really depends on the type of game. With... if its a multiplayer game, than obviously you need social integration. But if its... if its just a single-player, single-person play game, I dont think there needs to be any social integration. Like, if I just want to go play some brain-numbing game that... I dont... I dont need to socialize wtih, I want to be able to do that without being socially connected or have people know, you know, that thats what Im doing. I: Sure. And in the case that one of those comes up, say that youre on a website thats a single player game, and it pops up with the Facebook login dialog, what do you usually do in that kind of situation. S: Um. Dont play on that site. I: Okay. S: Um. Its gotten a little bit easier. Like now that I have... like... Im sort of particular about games that I play, and will generally just play them on my iPad or just not play them at all. Really, is what its sort of gotten to these days.



I: Okay. And... lets see, now, and weve kind of already gone over this, but I figured Id ask it anyway just to sort of clarify it, but um... when you do use social integration on an app, what are your goals with it? Like, what do you intend to get out of that social integration S: Uh. Probably just a different way to connect with people Im already connected with. Um. People are... uh... I just think about people um... that are around the world that I dont talk to regularly that it just gives a different way... gives a different way to connect on maybe a more regular basis thats not um... Im... I cant think of what the right word is, but its not intrusive, its just passive connection you have with somebody thats in your network, but you dont talk to or see every day. I: Okay, that makes sense. Um. Lets see... Now um, what services, and I know weve mostly talked about Facebook, but what services do you think these social apps should connect with and, I guess, Facebook is kind of controversial but its also ubiquitous, but um... are there anyb services that you think are as ubiqutious or otherwise not all that controversial that you would prefer? Or are there any other services that you would use to connect. Like if you had the option to use any other social networks to connect, which ones do you think you would use? S: Umm... I dont think I would use any other one. I know that theres a way to connect through Twitter, and I dont... Ive not opted for that option. Uh. And, you



know would there... you know, my first thought would be like Google Plus, um, but, again I wouldn't think to you know, integrate or log in through that. So. Facebook seems to be the sort of go to login for that. And mostly because I look at Facebook as this weird sort of mix of personal fun slash work type stuff. Um. So its, in my, the way I look at it is just a sort of conglomerate of stuff. And. So. I: So, is that why you say Twitter wouldnt be appropritate for that? What makes Twitter or Google Plus not as acceptable as sort of a universal login for social? S: Um... I dont... Twitter, because think Ive kept that somewhat separate, um, I mean there is some work and personal stuff, but its more about my network and my connections and it just doesnt seem... I just dont want to mix them. I guess its personal preference. Google... maybe if Google seemed a little friendlier, then I might consider it, but right now it just doesnt... like, it irritated me when I was in there the other day and the game stuff is starting to pop up. Its like really? I kinda liked you cause you didnt have this and now its starting to popup so... Its sort of makes me thing back to like... MySpace, when MySpace had all of the stuff and it kept adding and adding and it sort of imploded. I know that it still exists, but... I: Less of what it was. S: Yes. Right. And now I think, you know, thats sort of what Facebook, kinda does that. So...



I. Mhmm. Its funny that its drawing comparisons to myspace and its only been out of a few months. Thats probably not a good sign for Google Plus there. Um... I guess, um. Do you, do you ever use browser extensions? Um, and its kind of like a left turn here just to ask about this. Im just looking for potential methods to sort of solve the privacy issue and to find some additional context. S: I have not. I: You havent used browser extensions. What browsers do you use? S: Uhh, I use Safari. I: Okay. So, why have you chosen not to? Just none of them have come up that were especially itneresting or is there a lack of availability, or...? S: Um. I have no idea? I really dont. I know that... I know that they exist. I know that and and, Im not gonna, Im pretty certain that Im not going to remember what um... what I used, but I know on Firefox, many years ago, that I had extensions. Um, but, that was also due to the fact that I was married to a network engineer, who was very concerned about privacy, and yeah, would sort of give me guidance on that. So. But yeah, Safari, at this point, I havent really added anything or thought about it, so.



I: Have you had any problems with browser extensions in the past? Either when you had firefox or just like, anecdotally from friends? S: No. I: So theres not really any compelling thing that would stop you from using that? S: No, no. I: Alright. I know that the past few questions have shed light on this, but, how much do you value your privacy online and why is it important to you? S: Um.. privacy online is kind of a pretty big deal. And, why is it important? I think probably because Ive had things... I mean Ive dealt with a couple rounds of um, Identity theft, and um, that was, you know with online banking stuff, um. And, so thats always sort of in the back of my head. What can they get access to? Why do I have to... why do I need to give you my birthday, why does that matter, and um, just, different things like that. Its just important due to safety, I think. Both physical and that empotional mental I feel like Im good um. So. I: Alright, um. Well, and if you could kind of go through it, and I know we just sort of talked about it, but, in a general sense, but specifically narrowing it down, what aspects of privacy do you think are worth highlighting? Like, if you could give a



bulleted list, top 3 things that youd be very very upset if someone found out that wasnt authorized to find out certain things online, what would be your top three? S: Hmm.. I: You dont have to do it in any kind of order, its just more to get a feel for what you prioritize. S: Um... what would I be... passwords. Umm. Id say birthday, but, um, its so easy to... its so easy to find that out, so I dont... Social Security number, um, where I live. Like, you know a complete physical address, might kind of freak me out. So uh, yeah. I: Yeah, definitely. That makes perfect sense. Feel that way sometimes too. When they geolocate you and youre just like okay? S: Right, right. I: Okay, um, now, we kind of talked about this, but if you see this dialog here pop up [present subject with printout of Facebook API authorization dialog] on a screen, the sort of Facebook API... just walk me through your process of what you think when you see this. If a site... if you click on a link and you see this site. What do you click, what do you read, what do your eyes gravitate to.



S: Um, usually my eyes gravitate towards this area [points to permissions list] as far as whats being accessed. Um. And, um. Something... with this one in particular, what would probably cause me to click dont allow would probably be, you know, sharing other information Ive shared with everyone. Although... Any other information I share with everyone, so, which means, I would read this as, on Facebook if I said only share with friends, its not being shared with everyone so it wouldnt be shared. That might actually lead me to click allow. I: Okay. So if you saw... if you just saw this Access my basic information, youd probably click allow? S: Probably. I: Is there anything that would... say, if you had direct examples of what it was sharing, like if it went into your page and said heres an example of what we can see, you know, would that make it better or worse. S: Um, so like, for example, something that I know Ive shared is my location. Not like, my address, but like, my city location. I dont really have an issue with that. It just seems... I dont have an issue with sharing that with my friends list. I dont want it shared with the entire world, but I feel comfortable with having it shared to my friends list. So does that make sense?



I: Yeah, totally. So, um. But I guess the bigger question is then would you feel comfortable with sharing it with Example application or whatever application, like for example Washington Post social reader or something like that. S: Uh.. Probably. Probably. I: Sure. And, I guess um, Im kind of wondering, weve already talked about um, friends list and you know, uh, what sgenerally public, but if you could tell me, in general, what you keep public on your FAcebook? Like, what do you generally classify as public information? If I visit your profile page, Im not signed in, Im some random person whos not friends with you on Facebook? S: Youre not gonna be able to see very much. And actually, I was just wondering... uh... Umm. I know that its pretty much locked down, I think that people can search for it. Um. But, I dont think you get to see... um... I know that I went in, and after recent changes, it was sharing location and stuff. I went in and shut that off, mostly because it seemed annoying. Not so much that I was concerned that people knew where I was, um, or that I was concerned about my privacy, but simply due to um, it was just annoying. Um. But what do I... people can look. Anybody can look up my name and anyone can send me a friend request, anyone can send me a message, but only friends can post or stuff like that. Um. And... um... Yeah. Im not really sure. I just went into the privacy settings and even those have changed since the last time I was in here, so I should probably go poke around and see what Im actually, uh,



what Im actually showing. But, you know, I show the month and day of my birthday, I dont show phone numbers or anything like that, but I show email addresses and websites. Um. I: So, it wouldnt bother you if some random person came in and saw the month and day of your birthday and an email address? S: Um... No, but theyre probably not gonna get to that point. Um, cause that doesnt show on the... I believe that this doesnt show on the initial like... Ive looked up somebody and this is what I see. I: Okay, alright. S: Does that make sense? I: Yeah, definitely. S: Now Im all paranoid. I: Yeah, Im sorry, this interview probably isnt helping any. Thats something Im gonna run into a lot.



S: Now Im like, crap, now I need to go look to see... and I cant search for myself without, yeah, anyway. I: I know that they changed a few things lately, so, especially, like in the last week theyve changed a bunch. S: Yeah. I: And I guess, um... What would help you sort of understand the scope of the information youre showing? Is there any kind of visual representation you could think of that would really help demonstrate oh, Im sharing this with these people or Im sharing this with the world? S: So, I know that Facebook has a way for you to like... click on view as, but then it asks you to type in one of your friends names. So, but, if theyre a friend, then Ive given them permission to see what Ive given permission for my entire friends list to see, but it would be nice... from my perspective, it would be nice to see, so if I think that Ive locked everything down, if I think that Ive made it so that people cant access that, how can I check that? Like, how can I get some sort of visual representation of view as somebody whos not connected to you. And it... pops it up with just your profile picture and whatever generic information, youre willing to give. That would make me feel better.



I: Sure. And what kind of phone do you have? S: Android. I: You have Android. Whenever you install an app, you know how it gives you that list of permissions and stuff like that, do you read what its doing, when you install an app? S: Uhhh, most of the time. Most of the time I do. I generally dont install apps on my phone that I... that I dont know of, either somebody else installing or hasnt sort of been highly recommended. I: So, you sort of rely on a vetting process to do that... S: Uh, yeah. I: Okay, alright. Im just thinking about that because its a very similar kind of process, and I wanted to see if its similar across platforms. Um. Now, we sort of... might have... no, I know weve already talked about this, Im just going to ask you to explain this one more time. If you go to a site that uses Facebook authentication, and you see... youre at the homepage, and you see... it says log in with Facebook to get... or it just says log in with Facebook. Walk me through your mental process there?



S: Uh, so. I go to like, the New York Times, and it says, they now have some sort of login, login by Facebook. If Ive gone there and I need to log in to read something, Id probably consider it. Um, if I dont need to log in, I generally look for ways to not have to log in to other sites. Um. If I have to log in then Ill go through that process and log in, um, Ill check to see if its going to post stuff, if its going to pull stuff, pull data from my login, or if its just using it to authenticate, um, login. So. I: What features would a social app have that would make you want to use that. Like if you didnt have to, say you go to the New York Times and you dont have to, and it said on the bottom See what your friends are reading or any kind of feature like that. Would that motivate you to possibly log in, or what level would that have to be at. S: Um. I think I would be motivated to log in to share stuff or to recieve... You know, the giving and the recieving of sharing what people are reading. In an active mannor. Not in sort of a passive manner, like how you log in and everybody can see what youre reading, just an active mannor of sharing. I: Does it bother you that its sort of... That theyre doing the passive thing right now with Washington Post and a few other apps?



S: Um, well I dont use the Washington Post, so I... Does it bother me? Im not gonna be inclined to go visit them anytime soon, but um. Yeah, that kind of bothers me. I: Okay. So its sort of the passive part that bothers you? S: Yeah, its the passive part and, Im sure I sort of am giving them more credit than they deserve, but they probably told me that they were going to share this information and I probably just didnt pay attention. I: Okay. Now, has one of your friends ever posted something that you think they didnt mean to share? Like, you think, oh theyve posted either something as innocuous as just a game request or an advertisement because their facebook had been hacked somehow? Has that ever happened? S: Ive had stuff end up beiong posted because peopl ehave been hacked, sure. But as far as... Im trying to think. Ive had people post pictures that have shown up tagged that Ive had to ask people to untag or remove altogether but no, I cant think of anything other than that. I: Okay, but if someone... So mostly its just been pictures, and if someones been hacked? S: Game stuff shows up a lot, and I tend to just ignore it or delete it.



I: Okay, now in the case that they had been hacked, did you tell them that they had shared something that was probably not their doing? You know? S: Sometimes. It depends on the... if its someone I havent talked to in like 5 years, probably just gonna delete it. If its my sister, probably gonna call her and tell her to change her password. Um. If its one of you guys, probably gonna be like, uhhhh, youve probably been hacked. Usually doesnt happen from one of you guys. It usually happens from somebody who isnt on the computer all the time, isnt... I mean, I hate to be very broad and generalize, but generally speaking there are certain people who tend to be hacked, so. Not that it cant happen to anybody, but just in general. I: Sure. And, if you could change just one thing about social interaction online, like if you could just make one wish, to change the way we interact socially, through Facebook and Twitter, what would you change? S: Good god. I: You can go all the way back to 1994, and you can just completely change something.



S: The first thing that came to my mind was make people be honest. But, I dont think... You said one wish, my one wish, and well go back all the way to 1994, because I remember, its always been a problem. Make people be honest. For whatever reason, I dont think this is anything you can fix, but for whatever reason, people feel like they can do whatever, they can say whatever. I: So, honesty. You would just create some kind of truth... yeah. That makes sense. S: One very lofty, high-level wish, that would be it. I: Thats cool. Well, thats really pretty much my entire list of questions. I was wondering is there anything that Ive missed, anything that youd like to add to the project, anything you feel I mightve glossed over? S: Well, what were you hoping to do? I: My general thought was sort of a browser extension that would highlight exactly what information youre sharing. So, like... S: Thats kind of cool. That would make me be like, oh I should check that out. Like... So... Anyway.



I: Yeah! So, I was just sort of looking at it as a way that you could see real data instead of just like that abstract basic information. Instead of saying basic information, it would say heres an example of this and show exactly the information it could get access to. Would that be something you would use? S: Yeah, that would be something that I would definitely consider using. So... I: Great. Um... well. I think Im done. Thanks so much for letting me do this, I really appreciate it. S: Youre welcome. Hopefully that helps. I: Yeah, definitely. I actually figured out a lot. So, that will be really really nice. A lot of different kind of design stuff I can work off of. Especially thinking about what you look at when you look into this. Because, most people, I sort of imagine are just like oh Facebook, yes and click it. S: Right, right. I know that there are people who do that so. I remember when like, my one sister joined facebook and she put her entire birthday on there, and I was just like You know, you probably dont want your entire birthday showing, just a thought. They only need a little bit more information to piece together and so... you know.



I: Yeah, its making me rethink a lot of what Im doing on mine too. Doing this project and starting to think about it. I know my birthdays up there. Phone numbers up there. Ummm, websites are up there. S: Well, so, heres the funny thing. Its very contradictory in that, I dont want to put my phone number up there, but I am so grateful that, when theres an emergency and I really need to get in touch with a student, that most everybody has... I can go on my phone and its there, even though Ive not called you before. I: You want to encourage sharing, but... S: Yeah, where do you draw the line. I: Thats interesting though. It is something that you sort of take for granted when other people do it. S: you take it for granted when somebody else does it, but then at the same time, if your concerned about yours, then I stop and go, well, if I publish a phone number, like my phone number has been published in handbooks, and documentation that weve sent out to students in the past, and its out there. Its like... okay.



I: I dont know how you see it, but this is sort of how I see it that theres sort of a centralized information hub, and it makes it that much easier to get that information. Is that kind of... S: Yeah, yeah. Definitely.



I: Alright, Im going to start by saying that my name is Esten Hurtle, I am working on this project as part of a study on social networking privacy, to try to figure out and design something that can kind of make that a little bit better and easier to understand. And, these interviews are going to be kept as anonymous as possible. I think the professor might ask for the video at some point, but anything else will be anonymous. S: Right, sure. I: Great, so lets get started. The first website... actually, if I could just ask you a few quick questions about your background first. Could you tell me what youve done in the past involving social networking. Like, what applications games anything like that youve used? S: Social networking... uh. I mean I guess, the main thing would be just using Facebook which Ive done for quite a while. How long have I used Facebook... about 5 or 6 years ago, something like that. Uh, and, yeah, I guess that I used it quite a bit to begin with. At the time it was relatively new and I wanted to figure out how it all worked. And its clear it was a relatively new phenomenon. Um. And then, within that so uh, part of teaching game development, I got deliberately involved in a social



game, just to sort of see what that was all about. So yeah, I got quite involved with that and eventually just put it behind me. In fact, I basically gave my Facebook account to the other people that were in my clan at that point. Ive since started taking it back, but I sort of use it irregularly. I: Okay. So, now, what kind of drew you into the game and what kind of made you not want to be a part of it? Like, what are the aspects of it on both ends. S: I mean the social side basically is, is surprisingly compelling in a game, just how much more something matters when youve got other people that are sort of you know, hanging on the outcome of something, rather than it just being completely personal. I: Mhmm. And did it ever show you anything like... Did it ever get into your account and show you something that you didnt expect it to have access to? S: Uhh, the game itself... Hmm. I dont think so, no. Its a strange one for a Facebook game because it actually... Facebooks really just a portal into it. You can actually connect to it completely separately from Facebook as well actually. It can, of course, access things from Facebook, but it tends not to. Just for that one. I have seen other cases where, yeah. It does happen on Facebook. I just consider privacy on Facebook to be something that takes a lot of time to really understand whats going on.



I: Sure. Alright, now the first thing Im going to ask you to do is, on your computer, go to the URL [Subject visits URL] I: Alright, now if you could just go through that page, read it, and then therell be a start doing this kind of button with Facebook. S: Okay. [Subject reads page, and nods head] S: Alright... right, so just here? [Points to connect link on screen] I: Sure, but before you click on that, just given the landing page, if you just saw this URL without a researcher coming in and asking you, would you actually use this product? S: Would I use it? This actually happened to me within the last few days. What exactly was it... Oh, I signed up for Hulu. With Facebook. Um. And it said Do you want to share with your friends what youre watching and I went No, no I dont.



But similar to this, it presented itself as a very positive thing that your friends would know what youre doing. But here, its not quite the same but its similar. I: Mhmm. S: Whatever it is you read, everyone, all of your friends on Facebook can see. I: Sure. S: So my impression is, yeah Id be a bit careful with what I let happen?\ I: Just judging from this, what do you think its going to do when you start using it? S: Uh. Its basically gonna start generating noise that my friends may or may not get depending on what sort of their preferences are and whatever. Each time I read a story, they may or may not get something saying [Subject Name] has been reading this. I: Sure. S: I expect probably that, you know, exactly whether they see it or not may depend on how many of their friends read it or something, I dont know what. But anytime I read something, someone else might... yeah.



I: Of course. So, if you could click on the read now button, itll probably come up with the API dialog. [Approve application dialog is reached] I: Alright, now before clicking approve, Im going to ask you some questions about that page] [Subject reading page] I: Now... S: Right, I havent quite finished. I: Sure. S: Alright, so its telling me something here... [points to area on screen where access level is listed]. Friends... I: Okay, so what do you think the most important parts of the dialog are to you? Like, what kind of jumps out at you when youre reading that?



S: Um. Basically who things are going to be visible to, and whats going to be visible. So, the articles I read, websites I use. Its hard to know what exactly that means... um... this is, I guess exactly what Facebook is going to be giving to this application, so yeah. I: Okay. And are there any parts of it that sort of give you pause? S: Uh... yes well, first of all, theres pause, I wanted to know what that meant. So. But, mouse over and it says friends, I guess thats sort of what I expected. But, also then, just also, yeah, you have to think do I want people to know... I mean, every news article I read, what it is? I: Sure. Are there any contextual clues that make you feel more or less worried about using the app? S: Um... As compared to on the previous page? I: Well, both. Just as a whole. S: Yeah... um basically, yeah, there are some cues there that, I would say, I am going to keep an eye on what happens here. On exactly what it asks me. Because, you know, there is potentially something there I may not want to happen. I think the



news articles I read... its not a huge deal, but given a preference, thats probably something Id go towards no rather than yes. I: Okay. Now, if you dont mind, uh, Im going to ask a few more questions about this. Does reputation, you know since its the Washington Post, does that play into it at all versus if it were someone like I wrote a website! S: Yeah, definitely does. Theres just a sense of trust there and its similar to outside of the computing domain, that sense of trust, but um... Yeah, with all of these things just being new, I guess you dont quite have the same sense of trust as compared to dealing with someone like the Washington Post in a more traditional way. I: Sure. And, does the type of app play into it? So, news versus game versus applications versus Hulu? S: Um, yeah it does. It does because... mostly because of the kind of information that you expect might get distributed. Um. Uh. But, I guess with games, yeah, I probably spent more time playing on the game I was playing than I should have and um, all of my friends knew that cause they could see that they were getting regular announcements of that.



I: Definitely. Alright, well, if you could login and click login and add to Facebook. And we can remove it later. I feel bad asking you to add social apps that maybe you otherwise wouldnt but... S: At this point, other people use my account. So you can always... [laughter] Blame it on other people. I: Perfect. Now, if I could just watch you use the app. Just click around, read articles that are interesting to you. S: Yeah, I mean, the first thing that Im looking for is some hint of what my friends have been reading. And... [ Subject clicks around application, reading articles ] I: I see you clicked the link on the bottom there. S: Right. I didnt really even think about it, but I can see something changed, youre right. So, Ive gone out of Facebook. Right. I: Yeah, it appears that youve left that reader app. So I guess you werent expecting that.



S: I wasnt expecting it, no. Uhh. Its, youre right, yeah, I can see why. This has come from some other feed. And this doesnt even know its on Facebook. Right... I: Thats actually intriguing. I wouldnt have thought that either. Hm. S: So probably I can get to that story some other way, but probably not what they want. I: Just use it like youd normally use it, dont... if theres something I need you to click on, Ill let you know. S: Theres noise too, just in general from Facebook, but I havent seen any recommendations. I: Is anything being populated from like Facebook data? Do you see anything that youd think oh, its looking at this information? S: Yeah, no I cant see that, no. Im looking, so... [scrolls]. Yeah. Ah, here we are [sees friends article], so yeah, but these are people I dont even know, so... which is not too surprising. Im sure theyre in my Facebook friends. I: Sure.



S: [continues scrolling, using application] I: I notice that you did click on that link on the side there that looked like it was shared by one of your friends. S: Yeah yeah yeah, I dont know who that is, but yeah. Uh. Right. I: Now, Im going to ask, just from a brief looking through it, do the features of this justify you using the Facebook authentication for it? Do you think this is feature-rich enough through that that it would be worth it? S: Yeah, I mean, so far I would say no, but yeah... um, Im looking up here, Im getting the impression that its a newer app or something, because not many friends of mine seem to be in it. Uh... seems like just two. Which is strange, but. I: Sure. S: Or maybe just no one likes it. But yeah, so far its not very different to just having gone to the Washington Posts site. Except that theres some bits of noise along the side. I: Yeah, and youre describing them as noise rather than...



S: Yeah, they dont have any real interest, I mean, its sort of like having a Facebook in another window. I: Yeah. S: Um, but, yeah, it doesnt really seem related to the... to the news at all. I: Sure. Are you aware at all, just from using the site, are you aware of what information its sort of gathering and being social about? S: Um, I could make some guesses. And I think its mostly just waht I read and what I go to. I can see that, because Ive got friends that, yeah that are showing up here and telling me what they read. I: Alright. Now if you could go to, in maybe another tab, if you could go to your Facebook profile. S: Ahh, right. I: If you could go onto your profile page. S: Uh, how do I do that?



I: Just click your name on the upper right hand... S: Oh, right. Right. I: I know that, it depends on what version of the Facebook profile youre running what shows up... so if you could just scroll down and see if you see any traces of that from using it. S: All of this is... older. Um. I: Just judging from the first page its... it doesnt look like you really see much there. S: Uh, no. Where would I expect to see it? I: Well, Ive tested it using the new Timeline profile. In the Timeline profile it shows information directly next to it. S: I dont think Ive even looked at that yet. I: Thats fine. Um. Well, I was going to ask, you kinda saw their, you know, on there that some of your friends have been using the app, and do you think your friends are aware that you saw that information that they had read those articles?



S: Yeah, maybe, maybe not, I dont know. Like I said, Im not too sure specifically who they were. If I did, Id probably make a guess, but yeah. I: Fair. And I guess the last question for that site is: Do you feel comfortable with logging in through that site for the experience that you got? S: Um. Yeah, I suppose. But Im not sure Id want it as something where I was regularly reading the news, I mean, yeah. I: You wouldnt make that your primary news...? S: I dont think I probably would. Um. Yeah. I dunno, its not a huge deal. I: Alright. Well, the next one is, and youll probably know this one, S: Actually, I dont. I: Ah, its a Zynga game. S: Okay, so. Just go to the URL? I: Yes. All one word, just WordsWithFriends



S: So, its I: slash wordswithfriends. I: And Im probably going to ask you to spend a bit less time on this. S: Alright. I: Now, from the landing page, once again, going to ask: would you use this without me asking you to use it? S: Um, yeah. Sure. I have used something similar, so yeah. I: Alright. And, um, if you could click on play the game. Um. Now, its going to give you the dialog, like youre used to. Now, what does this dialog kind of tell you that it will be using social features for? S: Um, what does it tell me, well... I: If you just had to surmise what its going to do now that... what social features it will incorporate given...



S: Right. So, its its, tough to see exactly from what it says. You sort of have to guess. I mean, it basically says, its going to post to Facebook as me. And that sort of sounds scary, but I sort of know what it means, its going to be posting things just sort of to say that Im playing the game and so on. Thats what I expect, but you know. It could post as me other things, just that I dont think that itd be sitting on Facebook and be popular if it sort of posted malicious things. But, I would say its probably fine. I: So, you base it a lot on popularity then, or other people using it? S: I would... yeah, I would be a little more careful if something was brand new and there wasnt, sort of, any indication that many people had used it. Um. If, in this case, it seems like its probably fine. If it was doing something malicious, people would have noticed. I: Okay, so youre gathering a lot of contextual clues. S: Im getting contextual clues. What it tells me here is actually a little more scary than that, so I have to think a bit further. I: Okay. Once again, on this dialog, I mean, its a little bit different of a dialog than the other one, the other one kind of gave you the option to choose friends and stuff like that. What draws your attention out of this one?



S: Well, it looks... it just looks like its quite generic. But its just one that Facebook has basically put together, that its not very specific to this application. I: Okay. So its very generic and... what would help it be less generic? What do you think would make you feel better about the dialog? S: Just like, to give say, an example of what kinds of things it might post. That would... that would be the main thing. So what other things is it going to find out. Its going to look to my... to whos in my friends list and things like that. Thats not a big concern to me. Really. I: Okay. That was really helpful. Lets see, once again, Im going to ask you... Zynga is a pretty big company, so does that play into it? S: No, not really. Ive sort of heard the name, but I couldnt place it. I: Sure, great. Well, um, alright. Click allow. [ Subject clicks allow, enters site. Looks at friends list.] S: All sorts of people have showed up now. Playing all sorts of different games. Alright. [Privacy policy and TOS window pops up]. So, we have a terms of service



and a privacy policy. And I would normally ignore those. Most likely at this point because I couldnt be bothered reading them, but... I: Alright, just do what you would normally do. S: And by doing so, I realize that it may say something in there that um, that would inform me of something I actually wouldnt like, but, its unlikely to me that Id find anything in there that would... yeah. I: Okay. Sure. S: [ Clicks yes ] [ Confirmation pops up ] Oh, am I sure? Im pretty sure. [Clicks through]. Right. Alright, I can see, there are people there that I know well. Hang on, so if I click on this button and choose a friend, and if they... ahhh, if they dont already play, then they get an invite. I guess thats pretty standard for Facebook. Id forgotten that aspect. Right. So, I can start a game, but its not clear whether these people have already signed up to play this game or not. When I click that, they may just get a message telling them to play. I: And, if you dont want to invite anyone to this, thats totally fine. I just wanted to see your general take on mostly through the API dialog, but if you want to kind of look around and tell me, if you could tell me I guess what makes this game social and what you value out of that?



S: I think what makes it social is pretty obvious in that you can play against your friends. Um, yeah. That. Ah. I guess you can see quickly whether or not theyve played it. Actually, Im kind of figuring that out. You can start a game with someone or you could send a challenge. So you can sort of tell whether theyve opened up the game I think. I: In your opinion, what does Start a game with mean and what does send a challenge to S: Send a challenge means that yeah, theres going to be a message sent to them saying heres this application. Itll probably look like I had actually written it myself. But yeah. People will understand that. But it has some value, just, you know, playing a game against friends, I could play with my friends back in Australia or whatever. I: Sure. S: So, yeah. Anything else, or...? I: Yeah, sorry, ah. Do the features of the app, do you think that they justify, once again, you giving it all the permissions you just gave it in that dialog?



S: Um... Yeah, I guess, sort of yeah, I think so. Yeah, it would be nice to sort of be... explicitly informed of what kind of messages get sent, as you... But... I dont think thats a big concern, the social side here, yeah, I can see it has its benefits. I: Sure, and ah, do any of your friends, um, I can see that some of your friends probably are using that but it makes it a little bit unclear. I guess the question is, are your friends using it and Sort of would be the answer? S: Some of them are, by the looks, yeah. Um. Theres probably a way explicitly to come up with all the friends that are using it, but yeah. I: Is there anything that makes you uncomfortable using this application? S: No, no. Ultimately there isnt. I: Right, I think I will go into a site that I have written. If you could go to And just hit enter. And the reason Im using this one is because its one I have been working on so I kinda know the features of it. If you could just read the dialog and same questions as before Ill ask you whenever youre done. S: Right. [reads dialog] I: And, given the landing page would you use this without me asking to?



S: Uh, yeah, I guess I would. So, this is a... I click here. Right. Now, straight away here, you can see its connected to Facebook, yeah. Its asking yeah... similar sorts of things. Yeah. Not typically different from the last one. I: So, click on that. [Interviewer note: I clarified this for him because I am not attempting to study the UI layout of the game, and am instead focused on privacy questions. This is just to speed the CI along] I: And, since this is probably not a standard kind of website, the slider on the bottom controls level. S: Oh, I see. Right. [ uses site ] S: Interesting. Right. Okay, then you get to actually recent news. Not really what I was expecting. I: That was mostly just an example I had around that I figured would be useful. But, as far as the facebook features go... I think that opened it in a new tab... if it didnt I



wrote some bad code... um... yeah. So, the Facebook features itself, where it says, all that stuff [ point at Facebook links ], do you feel comfortable with what its doing here, like you know what its doing? S: Uh, okay. Yeah, Im a little less comfortable, just because Ive got a general uncertainty about whats this website doing. So, just yeah, Im a little bit less sure about it. Ive got less evidence that theres a lot of people using it and whatever, and yeah, I would be watching it a bit more closely, thats what I would say. I: Alright, and the social features of the app, could you tell me what social features its actually using? S: Uh, I can sort of, I can see that theres some way to compete with friends, but I havent seen how thats going to happen. As of yet. I: Okay, great. And my question was going to be are any of your friends using it, but theyre not, so. S: Right. I: Mostly saying that for myself there on the video. Okay, alright. The next one is entirely artificial, and that one is going to be at... go to: h-u-r-t-l-e, sorry, slash media slash research slash fb_test_1.html. Allow it to open pop ups.



Then just refresh the page. Alright, now, once again, API dialog, um, now what are you looking at on this dialog? S: First I notice that it looks similar to the last one. Next just looking through and seeing whats here. Um. Uh. It looks similar. Access my location, access my information, right, thats public, yeah, right. I: So, would you feel comfortable given the permissions that it asks for to hit the allow button. S: Yeah, comfortable enough, yeah. So, Im still uncertain as to what its all about, but looking at that, I dont see anything Im too concerned about. I: Okay, and what do you think that, once again, what do you think its going to do, like, what specific information do you think its going to have access to. Since this doesnt really do anything, its not really an application, but mostly about access. S: Its going to, I would guess at least its going to access who my friends are basically. Um, and possibly just also announce itself to my friends, or some of them. Or announce, I dont know. It will announce something, somewhere. So, those things dont particularly concern me. Exactly what its going to do, I have no idea. I: Okay, if you could click allow.



[ Page lists location, email address, any family relationships and names ] S: It knows where I am. I: Does any of the information it presents here, does it surprise you, does it concern you, do you think it shouldnt have access to that, based on what you read in the previous dialog? S: Uhhh, no, thats pretty much what I would expect. This is... this is public, this is for friends, this is, this is probably public, so yeah, Im not surprised. Um. Yeah. I actually did update that when I got here, so its correct, yeah. I: Great. So if you could go to your Facebook page. S: Right. I: Refresh it. [ Page has posted to subjects wall] So, once again testing that, the fact that it had posted to your wall is something that you said earlier, you are aware that this would happen? S: Yeah, that it could, yeah.



I: That it was a potential. S: Yeah. And, yes, I mean, it looks like I posted it in a way, but then you can see here, actually no. I: Does it concern you that it attributes it down in the bottom right corner? S: Yeah, so that is the kind of thing that if I was using Facebook and I was still unsure about trusting it, thats the sort of thing Id be looking for, basically. Um. Yeah. I: Okay. And, thats it for the demos. And I guess I have a few more questions really quick that will be more oriented towards just using FAcebook and that sort of thing. I guess, going back through all the things that youve seen for the last four sites, is there anything that strikes you as being a bit overkill? S: In terms of the security or the privacy? I: Anything that youve allowed it to do that in a normal situation you wouldnt have allowed it to do? S: Um. Yeah, uh. I mean, not really. The closest would actually be you know, just general information about every news article I read. But, I sort of understand that the main way this would be used that it gets aggregated when someone has multiple



friends reading the same thing, thats when... its not really overkill, its just... its sort of to me, something that would make me pause a bit, I think. Do I want that or not? I: Alright. Do you think it would help you to have some sort of notification of what it actually is giving info to? Like, for example, real examples from your profile, like it has access to this item, this item, this item. S: Yeah, sure. Having information like that would just remove a lot of these question marks of what exactly is it going to do and I mean, when you just get very generic information, you just generally dont know. I mean... I: Definitely. Okay, lets see if I can think of anything else here... Have you ever had a friend that has sort of posted something you think they hadnt meant to post? And its come from either the API, and getting hacked, or getting a token to post? S: Im sure that has happened, but I cant think of any specific instances. Its sort of been a while since I was doing... such things very closely. So yes. I: Is there anything else you could think of that would help you understand the scope of the information thats being shared? S: Um. No... Hmm... I suppose it could be useful, but it could also be very annoying to be told each time that informations gone from somewhere to somewhere. At least



have somewhere where you can sort of check. Say whats... What has sort of gone into and out of this application and made it to me. Um. I dont know. I guess there are sort of logs for that sort of thing. I dont know. Um. Yeah. I: Certainly they dont make it super-obvious about where they are? S: No, thats right. I think a lot of people are probably a bit more privacy oriented than I am and would stop using things if they knew what was going on. I can make some reasonable guesses coming from a Computer Science point of view, but yeah. I think some things no one knows exactly what theyre doing. I: Alright, well, is there anything you think I shouldve brought up that I havent brought up, anything in the interview that something came to mind and I didnt ask about it? S: No, nothing springs to mind. I: Well, thank you very much, I really appreciate your time. It was really helpful, seriously, so I do appreciate that. Thank you so much.



I: Im Esten Hurtle, Im doing this project as part of a study to figure out how best to manage social media privacy in a world where the website itself isnt the only thing youre dealing with on the social network. And, I just want to let you know that this interview will be kept as confidential as possible. I think they may ask for the videos at the end, but other than that, it will be kept confidential. And, that is about it. Could I get you to say... could you give me a brief overview of your experience using social media and what you use it for? S: Well, okay, um. Well, I guess all media is social to me, um. What I use social media for... I think primarily I guess a few different things. Ah, well. Remembering things. I use something like, say Flickr just as an archive to put my stuff into, and to be able to show that to specific people, so, usually in situations like that, its kind of a one-off kind of use, like I shot a lot of photos or I shot a video or I have some weird file format or a lot of stuff and I wouldnt say Im really a regular or repeat user of things like that? Ive loaded maybe three or four batches of stuff to Flickr all my life, like when we bought a house, it was like, well, walk through the house, take pictures and share it with everyone, and uh... yeah. and then, Facebook and... Im trying to remember like when Facebook snuck into my life, it wasnt that terribly long ago. But I do remember doing a lot of things... so I remember like, during the dot-com boom, I remember being amazed how everyone would be at work all day and



basically goofing off, right? So, yeah, we were all being paid, but we spent a lot of time on various things, but I really dont remember what it would have been. It wasnt Facebook at the time... What were we doing, I guess we were just reading the news and stuff, Im not sure. Sending each other emails, Im not totally clear. Myspace I guess was happening back then. Im not a big Facebook user per-se, although I now have lots and lots of connections, same with LinkedIn. In both cases I use it well, I use LinkedIn now that Im at <university>, a lot of times, Ill come across situations when Im talking with a student whos interested in something or working for a certain place or something, so Ill go to LinkedIn to see if I know anyone whos now working there, or knows anyone whos working there. Use it to help network other people, which is kind of interesting. Facebook, I dont post a lot of stuff on. My wife posts a ton of stuff on Facebook, she has a lot of friends, shes Italian, she has a lot of friends in Italy she tries to stay in touch with, um, so shes on there all the time. She asks me regularly, I took a lot of photos, can you go comment on them? [laughter]. I need to generate more buzz around it. Nobodys commenting on THIS batch of photos and I dont really know why. So she uses it really casually in that way, you know? Its like shell get dozens of comments but none of them say anything, so theyll be like youre beautiful! or oh, I miss you love! All these comments that are sort of a light, chatty way of staying in touch with people. Um. I very seldom go into Facebook I think. Anymore. I used to when I had more time, you know? It was my birthday last week, and I logged in just because I knew I was going to have crazy amounts of stuff, and there were yep, I mean, we can log back in and check, but last I checked there were over 60 people that posted to my wall happy



birthday which was like incredibly crazy. So. Yeah, I dunno. Im always surprised when I go in there, I see stuff that I never expected. I: Definitely. Well, this will be interesting then, and Ill have some questions for you. Well, have you ever used any platform applications, so either games or things that have tied into the Facebook API to use for authentication? If so, could you tell me which ones? S: I feel like recently, Ive began to notice login using your Facebook on other peoples sites. Um, and, I havent tended to do that. Im not quite sure why, I think Ive tended to set up a new account in all these places. Probably because Ive changed my Facebook password, like, all my passwords across the entire Internet are the same except for like, the banking ones and my email. Because, Im, you know, every day theres some new service I sign up for, so to keep my password and username the same is very simple, and I just do that everywhere. I dont really mind setting up another account. With regards to plugging stuff into Facebook. Yes, in the early days of Facebook, I spent much much more time doing stuff in there. I remember, like, in the very beginning, people were always sending each other gifts and stuff that then, suddenly, they made you have to pay for them and everyone stopped. So. Those games were very much there, there was a circle of friends app that you could plug in and visualize everyone you knew and how, that was kind of interesting to do like once. And then, yeah, occasionally, I cant remember what games they would have been but there are occasional stupid games you know, just



like... there was the Mafia Wars for a little bit. Yeah, you know, like for the first five minutes, it upgrades you like five levels, quickly, you know, You got a revolver and now you killed somebody, great! Now, youre a hitman! right, and very quickly it became like this is going to be a huge waste of time. We could log in to see what all Ive got plugged in. I: Sure. Sounds great. If we could do that, Im just going to ask you questions then, about what youre doing on there, as you login, Ill point to various things, and later, Ive got some sites that Im going to ask you to go to and Ill ask you questions about those. S: Cool, alright. So, lets see, its always a surprise... [logs in]. See, Im still logged in. Im logged in from the other day. So, here we are. Typical behavior includes scrolling down through the list and seeing whats going on... its funny, there are people on here from like, all over the place. Most of my Facebook connections are um, interesting, some of them, I dont even know who they are. This, I think, is a Jessica who I know from long ago who got married and changed her last name. I think. I: Okay. S: Many of them are... well, this looks like an undergrad friend, hes in the program now, most of the people I know, theyre... a significant number of <former employer> people, and then, cause I worked there for a long time, and <former



employer> was like a huge and very social network. There were 400 people I worked with just there and theyve all friended everybody. I: Sure. S: Some undergrad people, but not a whole lot. For the most part, the undergraduate people were people I havent talked to in a very long time. Um. A few random people, like this guy, who is... we had a show together in Milan, randomly. Ive actually never met him, but his work was in the show with me, and we connected. Um. I: Im curious about the 51 requests up there. 51 requests, or sorry... S: Wow, thats an awful lot, um, notifications. I: Yes, I was going to say, a few of those are from platform apps like Mafia Wars. Do you still play that, do you still get notified by it? S: No, I havent played that in like... two years. Yeah, its been a while. So, I have no idea whats up with that. I: Do you think you know... are you aware how to turn off getting those, if you wanted to, do you know how something like that would happen?



S: I dont particularly want to. I believe if I go like this [clicks on and off notifications panel] theyre all gone, so all the notifications dont bug me. I: Okay. S: Cause, uh, yeah. I mean it presumes now that Ive seen them all. I: Sure. Do you ever worry about what it still has access to on your profile, or do you feel like theres any worry about malicious issues? S: Not particularly. Um... [exhale]. Whats going to be malicious on Facebook? So... people can probably see who Im friends with. Um. They could probably figure out if... they wanted to, they could probably figure out names of my wife and family members. Im not sure how that would benefit them. They could look at pictures, figure out what I look like. They could probably figure out where I am, in Pittsburgh. What I do. Yeah, nothing thats not really publicly available. I: Alright. S: I should probably, I mean, no... my attitude towards privacy concerns is: if I was concerned, I wouldnt be using the Internet. Basically. And I would be very happy just unplugging it and going into the woods and that would be cool. But, I figure



youve kind of got to pay to play. And, yeah. If Im doing online banking Im careful and thats really about it. I: Okay, so for something like Facebook, you wouldnt be at all upset if it, you know, read your profile information, figured out who your friends were or posted something... S: Pushed me ads or something? I: Yeah. S: Not really. If it became really invasive, I would probably try to switch it off and Im sure I could figure it out. And theyre constantly changing things and theres stuff up here, like here are all my friends on chat, and a lot of those friends on chat might try to chat with me when Im logged in, and Im not sure if I want to chat with them. [laughter]. Theyre pushing it all over the place [clicks on secondary chat list] here are all those people. I remember yeah, like, being at work um, or not being at work? When I was doing my dissertation at a certain point I remember logging into Facebook and having someone in my lab give me a work assignment, like hey, oh, Im glad I caught you, here like, can you read this paper by tomorrow and review these three things, you know, like that just felt inappropriate. Um. Because it was very direct, and anything automated doesnt really bother me. If I get requests from stuff I usually just ignore them. I tend to ignore requests from friends who... well, so



called friends, people Ive never heard of. Or yeah, requests to add stuff. Theres a lot of those ones that kind of have hooks in them right, like, You want to spy on people online? Fill out this survey and send it to 500 friends. Ocassionally you get that stuff and then I kind of ignore it. I: Alright. S: Quite frankly, I dont use Facebook enough that it really bothers me cause Im just not here to see it. And... I was actually surprised. Evidently, I must have turned something off, because I dont believe I got any emails, or they went to an old email account. Usually if someone posts on your wall or something you get a notification. So I had all these 60 plus birthday notifications and got no emails about it, so I guess I either switched it off or... who knows where they went. I: Lost in the ether? S: Yeah, pretty much. I: Alright, now Im just going to give you a URL and you could go there for me, its Washington Post dot com slash social reader all one word. S: Okay.



I: Now, if you could just kind of do that, and tell me before you click anything when youve kind of finished scanning. S: Okay, Washington Post... here weve got some news... Dan Wheldon died in a car crash, uhh, Huntsman boycott, Herman Cain, so weve got news, this looks like a website that has to do with news of some kind, must be Washington Post. Social reader, news better with friends, so some sort of networked news thing. A Facebook app that offers new ways to read news from posts with your friends, once youre using it stories will be instantly shared with your friends [continues reading] Very cool. I: Alright. Given the landing page, um, if you came across this site, someone shared a link with you, do you think youd click the Facebook read now button on it? S: Um. Depends. I think it depends who that someone is and the situation. If I had a PhD student say who is like... well, this is actually making me think. So, Ive got a friend whos starting a startup company, and um... yeah, and I work kind of in the new media space, right? So I tend to click on things more frequently than others, but only if it seems useful to me in some way. Um. And, useful would mean someone recommended you check this out because its related to the work youre doing or Im intrigued in this particular case and I just stumbled across it, um. And, well, so, I have a friend whos interested in starting a startup that basically is redefining the,



uh, what do you call it, so... he works in film, hes a writer, hes writing screenplays for movies and trying to get them produced, and basically he wants to apply social media to the writing of scripts. Um, not even, but really to the distribution mechanisms of Hollywood to take down the studios. So, to have like individual film fans uh, spread the word about independent films so that you can collect media of kind of thats below the radar but more personally tailored in some way. So this, you know, share the movie, its like Netflix meets social media, which would be cool. Rather than Netflix tell me suggestions, Id rather have you tell me youre movie or whatever... I: Definitely. S: So, in that case, I guess its interesting. It also makes me wonder about the echo chamber effect, you know, my friends are maybe more on a certain spectrum, you know, right? I dont have a lot of Tea Party friends on here so, you only here one slice of the news. I: Alright. S: But I would hope that, you know... from the news up here, I dont particularly follow Formula One, and Im not following the Republican campaigns, and here I have news about them. Assuming the Post is somewhat neutral. I go to the New York Times all the time and read news so...



I: Sure. S: Cool, so yeah, I get it. Should I click it? I: Great, yeah, if you could click on that and it should come up with a dialog here, and before you click approve, if you could flip through that and sort of tell me what the site is telling you about the social features of the application. What do you think... S: What this page is saying to me? I: Yeah. S: Okay, um, so its a new way to spread the news, theres stuff on the way, so somebodys developing it, add Washington Post Social Reader to Facebook, includes articles you read, websites you used, and more. Websites you used? Not quite sure what that means. Uh. It needs my description, my likes. Okay. My description is probably information about me, my likes are probably all the things that Ive thumbs upped in the past. it would be visible to friends... yeah. Its um. Its telling me what others would be able to see about my activity. Basically. I: Sure. Is there anything in there that gives you pause, makes you consider maybe I shouldnt click on that?



S: Um, well, it makes me wonder what the options are here [clicks on options]. Um okay. I noticed that recently, Facebook introduced the idea of close friends that didnt used to be there, so thats interesting. Um. Its one of those things where I would think about it right now and I would probably do it anyway, but Im not sure that I would spend a lot of time using it, and if I found it to be useful, its probably because other people have been giving their information up, then I probably wouldnt mind so much, because itd be useful to them. Or something like that. I: That makes perfect sense. S: But uh, not sure how I feel about it yet, because Im not sure really what it is. Or what Im going to do with it. I: I was going to say, this leads into my next question, which is: Are there any contextual clues that make you feel more or less worried about clicking login and add to Facebook. Anything contextually from the site that would either make you feel more assured or make you feel more nervous? S: From this particular page? I: From this page and the landing page, from before.



S: Well, it does seem... it does seem more like youre broadcasting a whole new feed. And that feed is not something that youre really saying post it there, its something that its just doing. Right, so, I do feel like it is monitoring more closely what Im doing and feeding it somewhere more, Im not sure where its feeding to exactly or where it gets used, um, but it does make me wonder... yeah. Im guessing, and its only a guess, that if I like something um, there probably is a way that anybody in the world could search all my likes and see what I like. And, if you go to Washington Post Social Reader, you wouldnt see it like that. And Im imagining theyre using my likes to push content to me that I like, not so much to broadcast what I like to others. And its more like the articles that are read are the ones that are shared, somehow. So, my friends would know that those are the things Im reading, which kind of reflect on the things I like, but are not actually the fact that Ive liked it? Does that... I: Sure, definitely! That actually really helps. Good mental process there. S: Whatever. I: Sure, so does the type of app play into it? So like, if you saw this versus a game, or this versus uh, like, Hulu or netflix. S: Yeah. Um. Yeah, I dont know that I want everybody in the world to know what Im watching on Netflix or even what news Im reading or even that Im reading so much news, right?



I: Yeah. S: So, Im quite happy in that particular case, going... not having it be social media, per se. Because Im quite happy with the way I get news at the moment. Which doesnt mean it couldnt be improved, just that... I mean, I go to the New York Times, I only get 20 free articles a month, and Ive figured out how to fake it, so I get them all for free anyway, so. I just keep doing that until they go out of business [laughter]. Uh, yeah, so I dont really feel the need for this particular app, but it seems interesting. I: Sure. Alright well, I guess, click it... ah, one more question actually, reputation. Does... I know we said earlier that the Washington Post thing, does the reputation of it play into it at all? S: Of the Washington Post? I: Yeah. S: Does that make it more credible? Um. I dont... quite frankly know a lot about the Washington Post, so I have a sense that newspapers are more or less partisan, and Washington Post doesnt really mean anything to me. Because, I get all my news from New York Times or BBC for the most part.



I: As far as privacy goes, do you feel S: As far as privacy... no, I feel no or more or less secure because its a brand. And, um, yeah. Yeah, I dont know, when you mention reputation I think, what comes to my mind is not that their reputation meant anything, it was more, how does it influence my reputation as a user of this. I have a certain friend... I have a friend who, who is a very high paid patent litigator, hes an attorney for a big company out of California and like... he like... scrubs the Internet for any evidence that hes ever existed. Hes got like one profile photo and like, you search for him and like the only thing you get is his company and his profile there. And Im in a situation now, and its always kind of awkward at first. Im now friends on Facebook or LinkedIn with hundreds of former <university> students. At first it was kind of like Well, is the student teacher relationship really appropriate, well, of course it is for Facebook because Im in a new media space but I think for a lot of more traditional... Yeah, I dont know. Like, my whole existence here at <university> is all about my reputation, its the only reason Im here in the first place. So you would kind of like the right stuff to come up when people search for you. And not necessarily pictures of you on the beach... so. I: So you conceptualize it more as how it reflects on you rather than the site and its own intrinsic reputation?



S: Yeah, when I think reputation. I guess Ive also worked in branding and in graphic design and stuff and there you talk about like corporate identities and like... I dont really see the distinction between a reputation of an organization and that of a person. I: Okay. S: I think the mechanisms by which they operate are the same and, if anything, because if its an organization I trust it less because no one is necessarily accountable for it, or not accountable in the same ways, and its hard to know what the politics behind them are. And its like... with this whole Murdoch scandal, right? Theyre like oh, we knew nothing about it right? And youve got lawyers, or whatever, so its good enough. I: Alright. Okay, that makes perfect sense, so if you could just click in, and Ill watch you mess around with this. S: Okay. Here we are... and nothing is here. Oh, its loading slowly. Americans not spooked by economy for Halloween. Okay. Alright. So we have news. And um. A long list of news. Im curious, this seems to be the biggest one. These are trending now, um. Feels like a pretty random smattering of stuff thats all about the same size. So, one of the things I really like about the New York Times, for example, is that, as a newspaper, these people think a lot about whats above the fold and how to organize



it. If you come back every two minutes, itd be different. I mean, its very much a good reflection of whats going on... when Steve Jobs died it was huge. And the stuff below the fold, and you can really dig in if you want to. So, I feel like this is not so terribly sophisticated. And as a... as a relative page, um, I can be guaranteed on this page that Ill find something here that Im interested in. As I look at this page, Im not particularly interested in clicking on anything. Except maybe this one. [clicks on article]. I: Okay. Even with these social features youre not getting any additional value content out of it? S: Potentially. But Im not sure what the social features are exactly. I: Okay. S: Yeah, not particularly sure. But this is trending now. And I presume, because it says trending now, something interesting... this feels more relevant in some way. Maybe just because its got this... it makes me think ah, something is in the know you know? Maybe click that... S: Alright, so Siri.... I was listening the other day on the radio. I listen to NPR a lot when Im driving. Yeah, voice recognition stuff is pretty hot. So. Here we have an



article, I could read that. Similar, more technology links. People commenting on it. Or maybe not. People commenting on something. Not sure how related this is. I: Okay. So, I guess my question then, when youre going through all of this, is uh, do you feel any large sense of social integration on this that would justify adding it to your Facebook page? S: Um. I: Or, allowing the app to access your Facebook page? S: Well. Its funny. I guess I dont really think about it that way. I think at this point, the damage is already done. Ive already said okay, its already there, and I dont really think about it anymore. Um. If I was someone who came to Facebook a lot, then I guess, my real question, this brings me to my front page [clicks on link]. Heres Facebook. Right? Alright, how do I get there again? If it was something I really wanted Facebook to be for me, then I would want probably, and I guess I do have my apps here, but I have like, a lot of apps and here they all are, right? Theres probably even more. And, I really dont ever come to Facebook and expect to use it as a dashboard for my life. Maybe I ought to? Maybe I can configure it that way? I feel like... Google kinda had that for a little while, like personalized Google, you could go there, and nothing you seemed to personalize it with felt particularly relevant, you know?



I: Do you feel like, as far as the dashboard for your life, do you feel like there is room for that and it isnt on Facebook, or just do you find that not to be a general need for you? S: Um, I think theres a huge need for that. Totally. And I think the question is how much... how autonomous should that dashboard be? I think my computer could generally do a lot better job of giving me that, I know it could. Um. And yet, Im not quite sure where it would be at the moment. I: Okay. This app records those news articles that you put in there and broadcasts them on your profile as you read them in real time. S: The ones that I put in there, how do you mean? I: The ones that you click on, itll say in the profile <subject> read this article, um, and Im wondering, do you find that to be... if you saw that on a friends profile that your friend read that article, what would your first reaction be to seeing a list of articles that a friend has read? S: Right, so I just clicked on myself and I see this [Facebook shows that he read an article].



I: Yeah, there you go. Theres a friend up there too. S: And somebody else read this, so lets see what he is... what this looks like. Thats not bad. Recent activity, he started using it, he read this thing, um. Im not sure how I feel about that. It doesnt particularly bother me, particularly, but uh, if I used it a lot... I do think theres something different between intentionally posting it and it just be recorded. And... I dont know. I guess this is a real nice way to get people hooked on using the Washington Post reader. From their perspective, right? I: Are you likely to click those links as a reader when you see someone elses S: On other people? Potentially. If its interesting... Yeah. Whenever I find myself, oh I dont know, heres <name>, I just became friends with him last week, oh this is interesting, I can kind of scroll through and see the things that hes posting. Theres always groups of people, lots of friends that I also know, right, so, I might find myself going, oh, heres a picture and look, they went and had dinner together somewhere, where are they? Theyre in a restaurant somewhere, right? I: Mhmm. S: So, yeah, you get kind of sucked into browsing these things and liking stuff and whatever. Um. It is very much a browse kind of activity. So, if Im kind of in the



browse, I wonder whats going on, I might click on anything, because Im kind of in that mindset of not particularly having a purpose other than, going through this. I: Definitely. When you link out of the site, when it links to something like the Washington Post, or another application like that, would you like to know that youre out of the site, or would you like to know any kind of other information, like where its been, where its taking you, what information its getting, anything like that. Is there any information you feel like is missing when you are browsing something that is not necessarily in Facebook itself? S: Um. Thats weird, so I consider this to be in Facebook. This is in Facebook as far as Im concerned. And. It would be nice if it told me, like you did, hey were going to post that. You just clicked on, whatever, you know. Playboy Bunnies Have Crazy Sex Orgy and suddenly thats on your page and nobody ever... whatever, thats probably not good. If you had told me, hey, thats where it goes, as somebody whos using it for the very first time. After that, whatever. I figure, you know, youve kind of bought into it. But um, say if Im browsing around the internet in general and its logging me? I: Well, my general question was when it links out of it, when youre in browsing mode and you see that your friend read that article, would you... is there any information youd like to know when you click onto an article and youre going into



a page that isnt necessarily Facebook itself? Like um, it could work with Mafia Wars too, you click on Mafia Wars, and it takes you into... S: Well, he read this on Social Reader and if you click this, where does it bring me? It brings me here, I presume, this just got posted also then, thats interesting. Um. Yeah, so youre kind of asking about the blurry line between whats in and whats out of the network? I: Yeah. S: Um. No, I dont think I particularly care, it can send me where it wants and I just presume that the stuff... its interesting though right? Because if I travel from Facebook to some site somewhere and Facebook knows thats where I left to go to, it could presumably post that also. Hmmm. <name> left this to go to... you know. I: Sure. Is there a point where that starts to bother you, or are you fine with just having that information stored? S: I kinda have to think about it. I mean. It would only really bother me if I couldnt erase it. Or if I couldnt find out immediately how to get it off. So, for example, um, what was happening. So, Im from California. My state Senator is Barbara Boxer, and so, during the most recent campaign, what was it? Like, I followed her on Facebook I believe because by following her on Facebook you could win a chance to get



something special that I knew my mom really wanted to go to, because I know my mom is really active within the community. Um, so I figured, hey, if I get some tickets to that, I can give them to her. One in a million chance. But whatever. So I click on the thing, and you CANNOT unsubscribe from Barbara Boxers mailing list. I sent them like 50 emails, they were spamming me every day, sending me tons of things like Barbara is speaking here talking about this, doing all this stuff, and I was just like, you know, Im a supporter of your cause, but youre pissing me off. This is not cool anymore. So that would really bug me. I think, you know, ocassionally... I think in the early days of Facebook I heard a lot of people commenting on the fact that the search field and the find a friend field were right next to each other... or... the search field and what you post, so, I had a student tell me, she was like, oh, there was this cute boy and I was searching for him, and I posted his name to my thing right, or whatever, and thats sort of like a design fail in terms of communicating what exactly you were doing. Yeah, I figure, youre always taking risks. If youre using stuff like this, you dont know what it always does, you hit it and suddenly you get embarrassing friends sending you things. I: Sure. Alright. S: But, whatever, you kind of deal with it social media fauxpas or whatever.



I: Sure. I guess the next site if you could go to would be... Once again, take a look around the landing page, Ill ask you some questions before you play the game. S: Okay. Looks like a fun game thats something like Scrabble. I: Yeah, well, once again, is there anything contextually you would get out of this besides the scrabble game? S: Brought to you by Zynga, our friends who make useful things like the fishtank game and Farmville. I think. I think they make Farmville. Um. And who notoriously give people really crappy menial jobs to design like icons all day. I heard a story of someone who went there and had to just keep designing coins. Like, hundreds of thousands of coin icons. Because thats what Zynga does, is give people little badges or widgets or whatever. Um. And so evidently, yeah, they sort of bottom feed on the Bay Area job market. I: Oh wow. So, you dont have a very positive... S: Eh, theyre in this kind of educational... well, its not even educational. Yeah, theyre in, theyre in... social media entertainment at the most kind of, not particularly beneficial for society level. But no, it doesnt bother me particularly. Ive always wondered kind of why Zynga has this funny little dog icon.



I: Alright. S: Its good, Im glad that they exist, I guess. I: Cool. Well, if you could click on play the game? S: Definitely want to play that game. Alright. I: Alright, now another API dialog. Um. S: So it is. I: Now, if you could read around the thing and before you hit allow, Im going to ask you some questions. S: Alright. So, this one is... interesting doing two in a row actually, because theyre doing different things. It has lots of high stars, thats good. People must like it. I dont mind that it gets my basic info. I mind that it sends me an email. But its sending it to this old email that I never ever check. Um. Cause thats where all of my spam junk goes, so it doesnt particularly bother me. I would hope that if I didnt want it to, I could drill into the preferences of Words with Friends and switch that off. I hope. Post to Facebook as me? May post status messages, photos and videos on my behalf.



Thats kind of sketchy. I have no idea what that means. It doesnt particularly say why it would do that. So, its like, you know <name> hasnt used our cool game for weeks, he must be a loser. Send him a message that says, please play Zynga games. It could well do that. Okay. Access my data any time. Thats fine. Publish games and app activity. Scores achievements, fair enough, yeah. Thats cool. I: So, is there anything... I could tell that the send me email made you a little bit worried, and the post to Facebook as me maybe a little bit more so? S: This one just makes me wonder what are they up to? Im kind of perpetually fascinated by this stuff, so Im like maybe it is me, maybe I just dont know its me which is kind of interesting. I: Alright, so theres still a question in your mind about what its actually going to be saying? S: Um, yes. And, I dont know, I would think... Youve sort of set this up in a way that I wouldnt actually come across this. I would probably come across it in kind of a viral way, seeing somebody else is playing it, say, and seeing whatever had been posted on their feed, or whatever, or having been invited by them to do it, and then, if they were one of those random people who I was like I have no idea who this person is and they just need to spam 15 people or they dont get to the next level, then I just might totally ignore it. Um. So again, I dont really have a sense of what it is. In real



life, I would probably be sort of curious, if I seemed sort of curious, click it, come to a page like this and think ummm, nah. Or think, yeah there was enough interest in the first place and yeah, I will do it. I: Sure. And I know its sort of artificial bringing it, its one of those things where I figured it would probably be the quickest way to sort of... S: Thats cool. I probably wouldnt be... Id probably be more interested in the Washington Post Reader than this, just because I dont have a lot of time to play games online. I: Sure. And the Zynga context, does that affect your decision to use it or not? S: Um. Not... well... Ive sort of given up on the idea that this would actually truly connect me to feel any closer to actual friends while gaming. I dont know. So I think, Farmville. I probably tried Farmville for like 30 seconds once just to see what that was about. And the only people using it were like... I dont even know who they were. There were a few friends of mine, who I have no idea how they became my friend, right? And I think at the beginning of Facebook, I was much more liberal about it, yeah, Ill friend this person, whatever. Now its like... I kind of owe it to my friends to only friend friends that are real. Thats how Im feeling about that.



I: Sure. Thats interesting, about the obligation to sort of be a filter for friends when youre saying you owe it to your friends to do that. Could you tell me a little more about why? S: Um. Because I think they will get a better experience out of... I dont know. And I would as well, quite frankly. It would be more beneficial for both of us if we really did know each other and we really might reconnect with each other by playing this game, than I could ever expect becoming friends with a complete stranger from playing this board game with them. But if theres someone I went to school with 20 years ago and we havent talked since then and we both find ourselves playing scrabble online and then we actually met when I went to New York or something, then we might say oh, you were on that scrabble game. And that would lead somehow to a real relationship. Maybe. I: Sure, so that could happen? S: It could, but in reality, it doesnt. I: Sure. Alright. S: Basically. And it doesnt usually because the kinds of people that Im really in real world friends with arent usually the kinds of people spending lots of time playing Zynga games.



I: Alright, that makes perfect sense. S: Although there are a lot of people who play Zynga games just because they have day jobs. I dont know, like, I have a friend in California, she works for a non-profit, save the redwoods or something, where she just sits around all day twiddling her fingers on facebook. Um. And theres nothing wrong with that and yeah, thats just not like... I right now am so crazy busy that I dont have time to be killing on someone elses payroll, so yeah, and if I was, Id love to have these games to burn some time. I: Alright, well, if you could click allow real quick and well just go through this, we dont have to play an actual game. S: [reading] as part of our efforts to improve our service, we have update our terms of service and privacy policy Ah. Right. It says okay. Okay is like, dismiss this, make it go away forever so we dont have to see it, these are the things you actually have to [clicks one of the links], alright, prepare yourself for a wall of text. I: In a normal circumstance, would you actually read that? Would you click on that link?



S: Yeah, I do. Often. I dont read it, but Im always kind of curious about lawyers, I think theyre sort of preposterously archaic. Um. Privacy policy. Hah, thats not what I expected that to do [PrivacyVille game option]. This is their privacy policy? Ah, down here [text privacy policy option clicked]. Hmm. Yeah, this is crazy, people think a lot about this stuff, but again, it feels like this is sort of the fallout from these things existing in a corporate setting, which is unfortunate. I guess they could get sued, so... okay. Already playing on mobile? No, I am not. Are you sure? Oh Im sure. Okay. Here we are. Here are some friends. I presume these are people already playing, already members of this thing. Youve already interviewed. Play against more friends, alright. So, I really need to invite an individual. Thats a poorly designed JavaScript popup. Um. So, typically, yeah, like, Mafia Land, it really paid off to have my friends who I dont care about, because those are the ones who I want to be playing with. Like this guy. Totally play with this guy. But now were going to have to wait, I dont know who this is, and were going to have to wait, and I dont want to bug him. I: Sure. I was going to say, in the top there, in that menu, there was one that said start a game versus invite and Im curious if that distinction means anything to you and what do you think it means? S: In here, or over there? I: In the center menu. See, play, and theres...



S: Start a game with, Yeah, I know, before it said different things, right? Um. And it keeps kind of changing. Start a game with, send a challenge to. I presume start a game with might be someone whos actually online? Just a guess. Send a challenge to might be more like then they would have to reply. Maybe. I could probably figure that out if I... Hmmm... well, he is online at the moment. So that would sort of make sense. So, it looks like to start a game you would need to have a friend to play with and maybe actually even in real time. Its either in real time or its a back and forth kind of thing. If it was back and forth, I would never come back, probably. If it was a real time thing, I might actually get into it. I: Alright, definitely makes sense. Well, um, lets see. I guess the other few questions I have is do the features of the app, that its using, do they justify the privacy intrusion that it might cause and do you think there even is a privacy intrusion on this app? S: Um, again, like, I really dont know what its doing. Im guessing if I go here, itll say <name> just became... Click on me to see what happens here... Yeah, so it doesnt say that I just accepted this app, as near as I can tell. Maybe it did to somebody. But it doesnt look that way. Yeah, it doesnt seem... to a certain degree, its kind of like all that legal junk, all the hoops you have to jump through to get to the stuff. At that point, youve jumped through all the hoops and youve forgot about it probably. And... I think all theyre really interested in doing is getting more people



to play Zynga games and increase their market share of advertising revenue or something, right. So I cant imagine it particuarly matters. I: I think thats about all the questions that I have. I just want to say thanks so much for letting me do this. This has been really, really helpful. Im starting to think a lot more about potential solutions to the problem of not kind of knowing whats going on with the line between Facebook and not-Facebook. I really do appreciate that. So thanks so much!



