Access control "Friend of a friend"


#1

A common access control of social media is “friends of a friend”. That means that the content I am posting can be access by all my friends and all of their friends, but not anyone else.

Now, let’s assume we have a social media platform that is wholly Solid - then the page with the content I am loading in my browser grabs the post from the Solid of of the author. Let’s call that Pod A from User Z. Z has 60 friends, and I am a friend of number 54.

So, when I try to access the content, my application goes to Pod A and tells the pod that I am X and hands over my webID. Pod A immediately sees that I am not a friend of Z, so normally I wouldn’t see the content.

But Friend of friend is set, so…
…the pod goes to each pod of the 60 friends of Z and asks if they know me?

Or does the Pod periodically updates the friends of a friend list and keeps that data cached?

Neither way sounds very privacy-friendly nor efficient to me. Is friend-of-a-friend as access control option not really viable on Solid, or am I just missing something?


#2

Hi!

No, you’re not missing something! Indeed, we can’t do it now, but there has been talk (and some implementation) around query-based enumeration of agents. My life evolves around ad hoc and changing groups like “the girls aged 8-12 and their parents of the ski club.” :slight_smile:

My own thinking around that is that we could extend the acl:agentClass to hook into a query or reasoning system that would figure out class membership. Your FOAFs would certainly be amongst the most interesting classes to have.


#3

What if your FOAF (friend of a friend) query had a built in back trail? In your example, when your app goes to pod A the request could carry not only your Id, but the information that you are a friend of #54, who is a friend of Z. Z’s pod just needs to confirm this with #54’s pod, and you’re in. Kind of like source routing.

Sorry if this is naive suggestion; I’m still trying to get my head around how pods communicate.


#4

that assumes that my client knows that the common friend between me and Z is #54. It probably doesn’t though, so it’d probably have to send my whole friends list over to pod A - which again, doesn’t sound too good for privacy either :slight_smile: (Imagine a malicious pod that uses this to map out friend networks.)


#5

The question seems to me, where did the link for this content come from?

if it comes from my friend who is the friend of this person, then the POD already knows which #54 to ask to check if my webID is in the friends list.

If not, how did I get the link to this content?


#6

that is certainly a way to catch a good chunk of the traffic on that link, but there’ll also be a number of people who will try to access it without that source information.


#7

BTW, it would be great if you submitted a user story around this topic!


#8

For the github-impaired, could you give us a 1-2 line dummies guide to adding the user story to the repo? I’m used to using GIT for massive code bases.

Here’s the story: “As a social network user viewing an interesting comment on a friends page, I would like to visit the page of the “Friend of a Friend” who made the comment.”


#9

@Stitch626 To add a user story, go to the top of the page for the user stories in the link @kjetilk provided, click the word “issues”, then submit a new issue with your story. Hmm, there are two links at the top of github pages labeled “issues”, I mean the second one, under the title “solid/user stories”.


#10

Thanks! Done.