In this post we would like to explain our thinking on the various forms of privacy and how we have implemented them to support you and keep you safe from the bullies, spammers and scammers who have plagued the internet for decades. This is not written in legalese, but it can get a little technical in places. But stick at it or come back to it later when you have time. We want you to be fully aware of how we treat your privacy in principle and practice. We will not be founders or marketing hacks who say one thing about your privacy, and lawyers who say something else.
The key concepts for understanding how Tuvens treats privacy are:
- Technical Privacy – the way your data is stored and encrypted so that what you think is private is genuinely private
- Managed Privacy – the account & content settings that you have or will have on Tuvens to keep your data safe and secure
- Visibility – the contextual controls that you have or will have to control the visibility of your profile and content within the various spaces that you engage in and those you do not wish to engage in
- Reach – the capacity you have to communicate and influence other users on the platform based upon your reputation and your direct relationships with other people using the platform
The first thing to note here is that Tuvens is private by design and a privacy first platform. We aim to preserve and promote your right to privacy as a universal human right and the basis of a free democracy. Your data, including anything you submit to Tuvens voluntarily, is your own, for you to export or delete as you choose.
Having said that, implementing all of the privacy functions we have in the pipeline is a matter of transparency, as we aim to make you aware of the privacy implications of what you submit to us, and what we are doing to balance the utility of the application with the levels and types of security in place.
For example, we will design our systems with end-to-end encryption as a principle, so that we design a cradle-to-grave secure lifecycle for the management of your data, including securely destroying said data when we no longer need it for the normal function for which we stored it in the first place. We will not engage in building shadow profiles or amassing pools of data to share with advertisers and marketers without your knowledge. But that does not mean that your direct messages to other users will be “private”. For technical reasons as well as concerns we have about customer support they will not be end-to-end encrypted, at least not in the beginning, and although other users will not be able to read them you should treat them as public. We will be able to read your direct messages (like Twitter and Facebook can) but we will keep tight and audited controls over who has access to them.
We are a small unfunded team and we regrettably ask you to have some faith in our intentions in this regard. We will not have all of the resources of the big fish to deliver on our intentions on day one, and since we feel that venture capitalists are part of the problem in this domain we won’t be taking any cash with strings attached that would pressure us into compromising on those principles.
With that out of the way, the concept of privacy can be further subdivided into technical and managed privacy. In other words, ‘privacy’ typically has a technical meaning and a subjective meaning. What can feel private, like browsing the web at home, is often not private in a technical sense. The difference between technical and subjective privacy lies in the threats that the person is attending to. Large, complex, long-term threats are not easy to comprehend, but the fear that a former friend will screenshot a message you have sent is easier to comprehend. Is a private message on an encrypted messaging app private? Well, technically yes, but not if they screenshot it and post it publicly on the web, or into another group message. On the other hand, when posting into a social network in which only people you have actively approved as ‘friends’ can see your content, it is easy to perceive this as a closed circle, even though the social media company may in fact take the legal position that you have no right to privacy over any content you publish on their platforms.
Tuvens takes technical privacy very seriously, not just by complying with regulations such as the UK’s Data Protection Act 1998, The Privacy and Electronic Communications (EC Directive) Regulations 2003, GDPR in the EU and COPPA in the US, but by prioritising privacy in the architecture and design, and adopting privacy by design as a principle, with end-to-end encryption and a transparent or even open sourced codebase. We are also, crucially, building a revenue model that does not incentivise us to be invasive.
Technical privacy means being proactive about security rather than reactive, anticipating security events and preventing them from happening rather than trying to weather the media blowback from our failures. We will make mistakes, but not by design. Where other platforms move fast and cut corners on privacy, we move slowly and carefully, so we don’t break shit.
A key distinction between managed privacy and technical privacy is that with technical privacy there is no action required by the user to protect their privacy; it is secure by default, whereas managed privacy is about your choices and preferences.
Technical privacy is not bolted on and it’s not a specific feature; it is part of the process of developing and securing every feature from exploits and human errors.
If everything is going right, you will never notice technical privacy. You only experience technical privacy when something has gone wrong, which we will endeavour to ensure never happens, as a matter of respect for you as a human being and not a resource to be exploited.
But privacy also includes the granular privacy controls available to all users. Managed privacy consists of the baseline settings that allow the user to know definitively who can and cannot see something that they have voluntarily submitted about themselves, including their content or personal information. These are standard functions we see on most social networks and media applications. For example, on Instagram I can enable people who I follow and who follow me to see my profile, which is akin to a Friend connection, or I can make my profile totally public. I can block another user, or hide my profile from search results. We may set a default that is more open for your convenience, and flag it as clearly as we can.
Today social media apps are designed around individual connections, and managed privacy is a binary concept. Either a user can see your profile, your content, or message you, or they cannot. An ephemeral message is sent to a user, or it is not. If you post into a group everyone in that group can see your content. If you post to your news feed you set the privacy, and falling into or out of that privacy setting is a binary function. We are either close friends or not, this post is public or private, you are in this group or not. There is no grey area. A post may not reach a specific user, but that is not the same as saying it is not visible to them.
But in the real world, while there exist boundaries, such as walls and doors, in public spaces visibility has a gradient, of more to less, and some people are less private than others depending not only on the subject matter, but on their general levels of openness and extraversion. Even in the reality of social media usage, a private message may be screenshotted and shared outside your privacy controls.
Visibility is the grey area between public and private that cannot be accounted for by managed privacy.
To return to the concept of subjective privacy, both managed privacy and visibility relate to the practical perception users have of who can see them and their content on the platform. But while managed privacy is completely under their control, visibility is only partially under their control.
Take, for example, a private conversation one has in a public space, like a bar or restaurant. How private is this if the person at the next table can hear it? Or what about a conversation in public with a pseudonymous account? If a person’s identity can be deduced from the public content and later doxxed, was it ever private in the first place?
Put another way, managed privacy tells you who you are sharing your content with, but visibility pertains to who actually sees it.
Visibility really relates to how much a user trusts the people they share content with, even in a public space. How comfortable people are posting into a group with their real identity, or at least pseudonymously with a known “screen name”, is a product of the integrity of trust networks. On Tuvens, as the reputation of users within spaces increases they can see more content from other users in that space. If a user’s reputation decreases they may lose access to conversations or events that they could see before, even if they have commented on them before.
Put simply, if one person says to another “you should dance with them, they’re really good to dance with!” there is no implication that you should let them drive you home or babysit your children, but there is an implication that they are not going to overstep implicit boundaries within the social dance context. That’s what a trust network is: a contextual relationship between people based upon their reputation within a peer group.
No app can give you total control of the visibility of your content, but we can help you control visibility with tools layered on top of managed privacy. An example of a common feature for controlling visibility is ephemeral content, like self-destructing comments or images, or content that is only visible while the receiver has their finger on the screen.
In contrast to privacy and visibility, reach is not a measure of who can see a person’s content, but how widely their content is published and seen, or how widely their content is propagated. On Tuvens this is a product of their rank within Spaces and how many people Follow them. People with a higher reputation within a Space will have higher reach when posting into that Space, but they can also choose to increase or decrease the visibility. Some people will post into the Space, but until they reach a minimum threshold of reputation/rank their Post or Event will not display in search results. The UI will clearly prompt the user to increase their reputation, through Follows, Endorsements and References, to increase their Reach within the relevant Spaces.
In short, Tuvens takes the principled position of facilitating Freedom of Speech, but not Freedom of Reach. This position reduces the technical and financial burden on Tuvens for identifying and removing accounts engaged in bad or disruptive behaviour, and keeps users safe from spam, scams and trolls.
Privacy, visibility and reach are all aspects of ‘personae’. A persona is the way you portray yourself within a specific community and your reputation therein.
People can set their visibility for each of their personae differently, depending upon how comfortable they are with that community. This means, just like in real life, they may be very public in salsa and less public in philosophy, where the subject matters (the Interest) are differently sensitive.
Equally, a person’s tango persona can have much more reach than their salsa persona. When posting to spaces a person does not choose which persona to use; their persona is determined by the interest the space is related to. So a person cannot set their reach; only their visibility or privacy can be set by them unilaterally.
The final thing that users cannot hide is the contents of their personae, assuming their profile is visible. If someone can see one of your personae, as in if they land on your profile page, they can see all of your personae, but not necessarily all of the content you have added with it.