I think your post hints at a general schizophrenia in the latest, culture-war-fueled push against Facebook. On the one hand, the public debate is still significantly dominated by the old guard of anti-Facebook activists, whose objectives can be summarised as "Facebook's power over its users must be reduced". On the other, the renewed interest in doing /something/ about Facebook in the wake of Cambridge Analytica and fake news (and, before that, cyberbullying, stalking, harassment...) essentially amounts to "Facebook's power over its users must be exercised to quell evil". More often than not, the two are actually diametrically opposed (as when quelling evil turns out to require an increase in power). A hypothetical actually usable decentralised social network would advance the former cause, and, as you pointed out, set back the latter.

> The whole Cambridge Analytica issue was caused by APIs that are too open. For distributed systems there are more ways to exploit the APIs and gather data on users.

Huh? Scuttlebutt is fully encrypted.. doesn't that make the API vastly more locked down than Facebook/etc?

> There is a clear issue with Facebook's accountability in these areas. Distributed systems are typically open source, they run on multiple servers by different owners, this leads to zero accountability.

This is no worse than Facebook though. With Facebook, your friend could steal all of the data you let them see. With Scuttlebutt, your friend could steal all of the data you let them see.

At least with this I control who sees my data, no? Sure, I can't have accountability with a friend, but at least no company/etc has access to my data.

> GDPR compliance about deleting data is almost impossible in a distributed system.

Doesn't GDPR apply to companies? If my mom sends me a physical card, do I have to adhere to GDPR laws with her address/name? How is that any different than Scuttlebutt?

The whole issue with facebook is that they:

1. Follow you from site to site, scooping up all the data they can on you.

2. Allowed all of that data to be accessible not just by you opening up to a bad actor app, but by any of your friends opening up to a bad actor app.

Calling it "overly open APIs" is misleading at best. The point of an API is that it is a public interface. If Scuttlebut has proper permissions controls then they wont have these problems... and because they're open source those problems can be scrutinized rather than remaining opaque.

You're missing one very large differentiator: user control.

With Scuttlebutt, largely, the client controls every one of your points. Different clients (with different settings/controls) can interact with a network upon which other users are using completely separate clients, each with separate settings controlling how user data is contributed to the network. Consent is not an issue.

With Facebook, as a user, you need to agree to Facebook's strict terms to be a part of their closed network, and—largely—cannot do so with your own client with its own data-contributing settings. The only close equivalent is using something like uBlock with your own browser, but the control you have their is very limited.

I say consent is not an issue but I'll devil's advocate myself and describe a Scuttlebutt setup where it would be. Say a company sets up a normal centralised service, which you visit in your browser, sign up for a central account, and it's backed by Scuttlebutt behind the scenes. Users of that centralised service can connect to a larger Scuttlebutt network upon which other users may be using their own dedicated clients to access. Consent is an issue for that central service (which acts as a defacto client on your behalf), but not for the network at large.

In my case, I don't care about the "privacy protection" of a given social network: I assume that everything I post is public (except private messages), so I filter what I upload based on that assumption.

Things I do care about:

-No censorship

-Chronological feed

-Open source & non-abusive client. (i.e. no tracking what users see or read)

-Good usability

I don't care about abusive content or fake news. If I see fake news, I just stop following whoever posted it.

So, under my criteria: decentralized > facebook

We fail to consider policy when thinking about centralized/federated services. Centralized services provide strong, regular policy adherence across the network, whereas federated services provide weak, irregular policy adherence across the network. Centralized services can effectively silence a bad actor. They may also silence a good actor, but generally only under external pressure from government. Federated services have little or not ability to silence bad actors across the network, though individual instances may effectively silence "bad" actors. However in this capacity "bad" is not well understood and can simply mean the instance administrator does not like the person the silence. Individual instances may also give voice to bad actors.

The GDPR argument is a bit moot because Scuttlebutt is no different than sharing pictures in gossip style (a.k.a. memes). If one of your childhood pictures happens to become the new meme, there's little hope that GDPR enforcement would suffice to de facto delete it from the internet: from Reddit, from Imgur, from independent websites, from Torrent, etc. The same is with Scuttlebutt, but data is primarily shared between friends without contracts, not from people to a particular company. GDPR applies to institutions.

The other points are just stating "much harder", which seems to just bring skepticism and little actionable suggestions.

I have similar concerns. If I had a magic wand, I'd solve this by splitting Facebook into an infrastructure-and-core-data non-profit and one or more for-profit companies that are building tools or interfaces on that platform.

I think there is a natural monopoly for some aspects of this, which is why Facebook is so hard to quit. But I don't think the whole thing need be in private, for-profit hands. Mozilla shows that a nonprofit can be a good steward of important web assets, with much stronger user advocacy than for-profit companies normally do.

Doing something like that for identity and interconnect between messaging and micropublishing providers seems much more robust than pure decentralization to me, which I expect would have the same failure mode as OpenSocial [1], where forces pushing toward natural monopoly are basically unchecked.

[1] https://en.wikipedia.org/wiki/OpenSocial

For a properly designed distributed social network, there's no reason your data should be visible to anyone other than those you have approved.

It's a philosophical issue, negative liberty vs. positive liberty.

Positive liberty is the distribution of responsibility to the collective (and managing/controlling the collective through central bureaucracy), negative liberty is distributing the responsibility to the individual, self organization, or stateful components in dev lingo.

Your error is that you're set on only one perspective, positive liberty, like many people in europe. GDPR is like that, instead of giving people the tools to protect themselves, and not leak data in first place, and educate them about voting with their wallets, they just take it from the individual and apply it to the collective.

That's the mindset of centralization. It's clear that decentralization efforts fail if you insist on distributing the responsibility collectively.

Personally, I hope (and I think I'm not alone here) that on a network like scuttlebutt, there will be much less "noise" than on facebook. My timeline on facebook (whenever I check it, like weekly) is a mishmash of...

* ads (if using a browser that doesn't get rid of them)

* "you missed someone's birthday who you didn't even remember you were "friends" with

* look at this really popular post in your social vicinity, ENGAGE!!!

* cat/dog/food pictures

* politics of the same kind I had to ignore as a teenager, back then by mail. Sign $petition here!

* the occasional thing I give a flying fk about

This is not accidental. It is what facebook is built to do: keep you on their page, engaged. Scuttlebutt and such don't have that incentive. Liking "Pizza" or "Justing Bieber" doesn't exist. You can like a specific post, but that's not the same as putting your entire preferences on there. The possibility to digitally model your entire family and social graph and all your preferences in the open doesn't exist, simply because... why would someone implement that? And why would they then gear the UI to reward you for doing that? And it's not as inherently in danger of becoming an across-sites profile kept by a single entity.

> 1. ... For distributed systems there are more ways to exploit the APIs and gather data on users.

However there is no global state, users only push-pull feeds of friends and friends of friends. (In part for privacy and in part for performance, you don't need to carry all the data for a social network to be useful)

> 3. GDPR compliance about deleting data is almost impossible in a distributed system.

However that doesn't apply to individuals that aren't providing a public service.

> 4. ... Open source software and distributed software tends to be much harder to use.

Yes, however there has been some exiting discussion around what UX could become possible in a decentralized context. See https://coolguy.website/writing/the-future-will-be-technical...

> 5. Any future concern/issue will be much harder to resolve if there are thousands of different instance running decentralized social networks.

There are no instances, only peers. (Pubs are sort of easy to connect to peers and there is work being done on peer discovery to outdate most pubs; they could still be used to connect communits around topics, hobbies, etc as a way to reduce the distance between peers)

> 6. Using AI to detect abusive content or spot fake news is much harder if you only have a subset of the data.

There is no retweeting/sharing, though there is work being done on Out of Order Messaging to propagate a single message along the follow graph and there is work being done on flagging/tagging feeds/ids and posts. (Along with some semantics around how to interpret the flags/tags to improve UX and user control)

Well, it's not a Facebook replacement for the masses. It's more of the alternative in the way that Linux used to be an alternative to Windows long time ago. Linux was a nightmare for the majority, but for tech-inclined people (with a lot of spare time one might add) it offered a lot more safety and power, at the price that you had to learn how to set it up and use properly first. Same applies here. If you share data that shouldn't be shared it will not protect you, but if you know what you're doing it gives you a lot more control and safety.

Your concern about APIs in distributed systems seems to neglect the fact that cryptography can be used to ensure that only the right people have access to the data.

Although I do agree on the fake news point you make.

Edit: It seems that scuttlebutt does support optional end-to-end encryption: https://github.com/ssbc/secure-scuttlebutt#security-properti...

It’s hilarious that people think Facebook could be held accountable. Senators didn’t say we need rules for privacy protection or that any specific response should be made by them to CA leaks, just a vague “do suff better or we might regulate you”

These guys really have free reign and just get a slap on the wrist WHEN ELECTIONS ARE MEDDLED WITH.

We should leave their platforms in droves to deprive them of power cause it seems like even the US Congress won’t stand up to them.

"1. The whole Cambridge Analytica issue was caused by APIs that are too open. For distributed systems there are more ways to exploit the APIs and gather data on users."

No, the issue was that other people had access to data they shouldn't have. there's no problem with the API being open if only the right person has access to the right data, ie, if access management is done right

You are mixing up openness of the code and protocol with access to data. Access to data should be managed by security features, and security through obscurity isn't the proper method anyway.

this entire complaint centers on the over-paternalistic notion that it is the service operators responsibility, rather than the users, to solve these problems, and that this is the desired state of affairs.

1) ... on the users that have chosen to enable this

2) ... for the users that use other peoples servers or servers from disreputable people, or share to those who do the same.

3) ... and? this presumes GDPR is a good thing

4) ... it's impossible to view a list of viewed messages, perform bulk operations, flag, sort, group etc. facebook to the same level that can be done in other 'archaic' technologies such as email. presuming commercial ui's are designed for user friendlyness rather than increasing user engagement, etc. is a red herring. also, strawman.

5) much like HTML, TCP/IP, SMTP, HTTP and everything else the internet runs on?

6) which is why spam filters don't work? and users don't have brains to do this themselves?

The principle is that the network can become federated, which makes it possible to switch providers while remaining on the same network. This allows there to be competition between providers. Presumably, providers would compete based on their ability to protect your data. Facebook, on the other hand, competes almost solely based on the size of their network, which eclipses every other factor like accountability.

You are assuming the network holds personalized data. While this is true for facebook (because this is their business model) it is not necessarily true for a non commercial social network.

Not saying that scuttlebutt is useless, but within the parent's perspective, almost everything applies as well on HTTP and HTTPS. But no one seems to care? I mean, google caches your website on their machines and so on, be it personal or not. I guess once things become ubiquitous enough, they start to become invisible. Whois service, I heard recently, was being scrutinized over personal data in the context of GDPR, so it's not ALL invisible.

> 6. Using AI to detect abusive content or spot fake news is much harder if you only have a subset of the data. So it becomes harder to address those concerns in a distributed setting.

Maybe people will have to start paying the market what this data is worth, as opposed to burying it in EULAs and using venture and angel funding to create a next generation data oligarchy more difficult to overcome than any financial oppression?

You're absolutely right. Distributed social networks are terrible, so we should stay on Facebook forever.

And if that is not what you are implying, perhaps you could explain what it is you do think we should be doing instead.

I think the idea is no ads -> nothing to target -> no need/value for personal data. Sure, maybe Cambridge Analytica can scrape Scuttlebutt or Mastodon but then what can they do with that data?

It's an open source alternative to FB, which makes this a more efficient FB. You are very correct on all points.

Google and others operating a crawler would have the same data as FB has today.

I'm super impressed with all you've done. I've been white-boarding similar ideas for a couple of years from the other side concerning protocol security, secure messaging, user identity management and related which utilizes Curve25519 and related crypto.

I think these ideas will change the world for the better.

Can you point me towards the Go implementation? I'd love to contribute.

It certainly seems interesting. I tried to test it out quickly today, but couldn't connect to any of the public hubs.

Nice work...impressive work. Are there any plans to add this to the freedombox? I think it would make a great fit!

>it should at least do 50% of what facebook does

It's a common mistake to attribute the success of Facebook to its features (it boils down to microblogging + threaded discussions). The usefulness (i.e. product from a marketing perspective) of Facebook isn't its features, it's the people who joined it. Look at Google+, it's not that bad in terms of features. But it lacks people, therefore it's not a competing product. A competitor would be not someone who does 50% of what FB does. It would be someone who has 50% of what Facebook has.

Completely agree.

I am very interested in the UI/UX opportunities for training the decentralized generation how to interface with decentralized systems and manage their identities, especially across devices and contexts. This has been my biggest criticism of pretty much all of the attempts at a decentralized version of an existing mainstream web service that I have seen.

I love the decentralization community but it often feels very much like an engineer's realm, probably because it's mostly interesting from an engineering perspective. Maybe it's just who I follow, but I don't see a lot of activity in this area from user experience designers. Some collaboration could really help build a decentralized service that stands a chance of truly competing in the global space. Thus far I think it's highly unlikely the average mainstream user will convert.

You can build 'a facebook' in Drupal which is more or less functionally equivalent and people have been doing that for years. But you still have the real work - building the network of users, which is where the value lies and not the software features (which are mundane in the case of fb).

What's far more compelling but challenging is open source federated social networking, which is a facebook on rocket fuel and overcomes the network effect as each provider implementing adds to a shared network. Even if it takes decades, this is going to be the inevitable model and fb will end up either joining in as a provider or do a myspace.

"You need ... a business plan."

I don't agree. What is the business plan of email (by which I mean SMTP, not some webmail provider)?

One can always hope. But, we all know where "this is the year of..." gets us in the software industry.

Your explanation of the offline utility definitely makes this more interesting.

What is this "offline" you speak of?

> There is nothing inherently wrong with centrally stored data.

I'd argue that a 3rd party having the personal details and communication logs of 2 billion people is a massive problem. Privacy, governmental data requests, accidental information leakages, profiling, job applicant scrutiny, fake news, spam, data misuse by employees etc. Or even worse, in times of war.

Actually with a few tweaks, this technology would be much simpler to use than Facebook, for a person like your grandma, simply because it removes that annoying registration process. You just open the installed app, and that's it.

It's odd that we got used to the idea that "(1) registration, (2) strong password creation, (3) username selection (in case of conflicts), (4) email verification link, (5) login" is somehow a good user experience.

>It isn't an alternative to Facebook unless my grandma can use it, and she couldn't set this up for herself.

Facebook isn't an alternative to email if my grandma can't use it.

Computers aren't an alternative to telephones if my grandma can't use it.

Telephones aren't an alternative to mail if my grandma can't use it.

etc.

---

It'll get easier and simpler, I promise.

Okay, but FB wasn't something your grandma used when it began.

Arguably it isn't FB if regular college kids can't use it. If they can subsequently onboard less tech savvy people, so be it, but that could be a future goal.

Why do we even want to be in a creepy digital relationship with our grandma? I used to think like you, then one day I realized that the real life is outside, I began calling my aunties, visiting them, and also created a Whatsapp group so the big family can have fun & share updates.

> It isn't an alternative to Facebook unless my grandma can use it, and she couldn't set this up for herself.

I wonder if Facebook is perhaps just not worth it.

I joined a pub but 90% of the messages in my feed were other people joining the pub and subscribing to topics. 9% were people introducing themselves as new to Scuttlebutt. 0.9% were either talking about Scuttlebutt or unreachable, and 0.1% were actual content.

Yeah, I had the exact same experience. It's cool conceptually but basically unusable at this point.

Same. Just tried to give it another shot and there's only 3 public servers and none are currently working