Decius wrote:
] Currently the privacy policy says that your reputation tables
] are private. This reflects the fact that I think what you read
] ought to be your own business.
]
] However, what you recommend is not exactly the same as what
] you read, and this is reflected in the reputation data.
]
] The only way to truly protect the fact that you are reading
] someone's recommendations is to never recommend their
] recommendations. They will still show up in the agent, but
] this information, I think, is private and ought to stay that
] way.

There's nothing to stop readers from posting URLs similar in form and behavior to that of the Memestreams visit URLs. That is, your browser initially visits a URL that logs your request in a database and auto-forwards you to another URL (which is the URL where the content of interest is located). Typical browser users (particularly those that have MSIE's "friendly URLs" enabled) may not distinguish these as special. This is not really a Memestreams vulnerability, per se, but rather more of a general Web-awareness issue for Internet users. Still, it is of at least some relevance to the discussion at hand. My point is that clickthroughs (on any Web site) are not anonymous to the operator of the web site you're visiting, and Memestreams does not do anything to improve your odds on that. However, it *is* accurate to say that the Memestreams web site and its operators do not intentionally and directly reveal clickthrough data to third parties.

Although anyone could blog such "log-your-request" URLs, having them persist is tricky, because if someone clicks through and then uses the bookmarklet to recommend, they'll be recommending the destination URL, not the log-your-request URL. However, if they use the context-specific "recommend" link on the Memestreams web site, the log-your-request URL is what will be recommended.

Here's another thought to ponder. Consider the case of frequently logged web sites such as The New York Times, CNN, and the Washington Post. When the system administrators run their logfile analyzers, the referring URL (misspelled "Referer" for eternity due to Netscape) will be available for analysis. They'll see that N people read "article X" by following the link from my Memestreams web page. They'll also have an IP address to associate you with your visit. Assuming that you load the URL, read the article, and promptly decide whether or not to blog it, there will be a minimal and reasonably predictible time differential between your visit and the appearance (or not) of the URL on your Memestreams web page. (The site operator can easily keep track of comments about the URL by using the "Discuss" bookmarklet.) At this point, the site operator has successfully associated your IP address with your Memestreams identity. By browsing your Memestreams web page, the operator of one site can discover some of the other sites you've been visiting. In fact, the operator can essentially browse a user-defined (by means of making public recommendations) subset of your web history / activity log. Until your IP address changes, the site operator can also track which Memestreams weblog entries you clicked through (to his/her site) but chose not to recommend to others. This could be rather quite useful feedback to the site operator, but it could also be revealing of you, the visitor. For example, maybe you commonly read and recommend articles from the International/World News section. Those will show up in your weblog. Maybe you also read, but NEVER recommend, articles from the "news of the weird" section. A site operator could learn to understand this fact about you by correlating your visit history with your Memestreams page.

Here's another bit of trickery that a site operator could employ ... but it's mostly a theoretical "attack" at this point.

Consider a site like c|net news.com (news.com.com) that utilizes those mystifying non-human-readable URLs, like this:

http://news.com.com/2100-1023-983012.html

Once the site learns to identify you by your IP address, it can feed you the home page using a custom mapping of URLs to articles. For you, the above URL maps to a story about AOL, but for everyone else in the world, it will be mapped to a story about the RIAA. If executed so obviously, other Memestreams users may just think you made a mistake, unless you only wrote a context-free comment like "you've GOT to check this out!" for your log entry.

More subtle implementations could be strikingly effective, though. By knowing that you tend to recommend primarily anti-RIAA articles, the site could spin the story your way so as to encourage you to blog it (and thereby drive more traffic to the site). But when others view the page, the spin will be more pro-RIAA. Depending on the excerpts and comments you provided in your weblog entry, people who click through your log entry and read the article may mistake you for a pro-RIAA person.

RE: An important privacy question