LJ allows identity accounts to post in communities

[charmian]

In the latest release, LJ has now allowed for identity accounts (openID, Facebook, Twitter, and others) to post in LJ communities. While this new feature has been overshadowed by the LJ nav strip revision, it seems to have already caused some controversy.

Personally, I'm for this feature (although I don't think that it'll affect me personally much); I really don't think there's much of a security issue with Twitter/FB accounts posting, and actually I'm puzzled by the assertion that LJ-Abuse has less data on the identity accounts than other accounts. I mean, isn't LJ Abuse able to trace even anonymous posters through IP addresses and other things? Anyone with more technical knowledge want to chime in on those aspects?

I now wonder, though, if Dreamwidth is going to implement a similar feature, and if so, would there also be this kind of opposition?

Poll #6955 identity accounts posting in comms on DW

Open to: Registered Users, detailed results viewable to: All, participants: 33

View Respondents

Should DW allow identity accounts (openID) to make posts in communities?

View Answers

Yes
22 (66.7%)

No
8 (24.2%)

Other (explain in comments)
3 (9.1%)

Comments

[synecdochic]

I mean, isn't LJ Abuse able to trace even anonymous posters through IP addresses and other things

*wheeze*

No. *G*

Unless things have changed since I left and those code changes have been made in ljcomint and therefore not been piped through changelog or made available in the code repository, which is -- as always -- entirely possible but extremely unlikely, given how we always used to have to have fistfights to get any developer attention at all, abuse team members who are investigating something can obtain IP addresses for anonymous commenters if-and-only-if:

* IP logging is enabled by the owner of the account, was enabled at the time the comment was made, and an employee logs in as the owner of the account (or uses viewall on the entry, I think, but I'm not sure; it's been a while and I'm too lazy to go viewall my non-staff account on DW and see if it shows me comment IPs), or:

* The comment is deleted and marked as spam.

IP address information is stored in the db even if IP logging isn't on -- it has to be, in order to display the IP if the comment is deleted & marked as spam -- but there is literally no way to obtain it short of direct db access, which at the time I left nobody ever had the time, energy, or willingness to do for me. (I do not know what current policy regarding that is.)

actually I'm puzzled by the assertion that LJ-Abuse has less data on the identity accounts than other accounts

Again, assuming that things have not changed, blah blah potatocakes:

It has always been next to impossible to prove that two accounts are controlled by the same person if the person is at all trying to conceal this fact. At most, you can say that there's a reasonable degree of certainty that they are -- and that's only if it's reported as "account X also belongs to account Y", ie, you have the two accounts to compare. (A lot more information is obtainable but not searchable: ie, you can look up identifier X for account X, but you can't search "what other accounts have identifier X". I'm being vague here, because those identifiers are very powerful anti-abuse tools and an exact list of what they are just points out to people how to circumvent them.) If it's reported as "account X said they have another account", and the person who controls account X takes the basic precaution of not using the same email address for the two accounts, it is almost impossible to identify the other account.

(Almost impossible. People screw up the separation of their two accounts a lot.)

This is not unique to identity accounts. But people think that the LJ abuse team has access to way more information than they really do.

[charmian]

Thanks for the information!

So what I take away from this is.... that identity accounts are not significantly less identifiable or a significantly greater source of abuse problems than regular LJ accounts?

[synecdochic]

I can't see where they would be, yeah. I could see it being more of a problem if LJ didn't require validated email addresses to post to comms/post comments, but AFAIK, they changed the protocol to require a validated email address to do all of that, so.

(The other thing to take away is that the LJ abuse team is doing the impossible with shitty tools and zero support. But that's been the case since they started, heh.)

[charmian]

Yeah, I recall reading about that awhile ago.

(Yikes... hope they get better tools someday)

[pensnest]

I had a look at the comments on the LJ news thread you pointed to...

I think there's a difference between commenting on friends' personal journals and participating in comms. Fair enough, if you don't have a DW journal but some of your friends do, I don't think I'd have a problem with people being able to comment on personal journals that way. (I can definitely see a case for wanting to be able to define commenters as 'only those with DW account', though.)

But for communities... really, I think it'd be fair to say, if someone has enough interest in a community to want to join in the discussion, it's not unreasonable to expect that someone to have their own journal. If it were necessary to jump through innumerable hoops and/or pay lots of money to get one, that'd be another matter, but on LJ anyone can get a free journal, and on DW you can get a nice, shiny ad-free one with just a code. Someone who's into whateveritis enough to want to participate in a community *surely* will be able to acquire a code from somewhere.

I suspect my preference for posting to communities being open only to journal holders is probably an emotional one rather than a logical one. It feels more... right. Perhaps someone else will supply some logic!

[fiddlingfrog.livejournal.com]

but on LJ anyone can get a free journal, and on DW you can get a nice, shiny ad-free one with just a code. Someone who's into whateveritis enough to want to participate in a community *surely* will be able to acquire a code from somewhere.
To me, allowing someone to log in with an already established identity and quickly join in on the conversation is far more preferable to making them jump through a few hoops, even if the hoops are fairly large and low to the ground.

I can't possibly be the only person on the internet who finds some little forum somewhere, or reads a blog post, and thinks "Oooh, let me add this" or "I'd like to ask a question" only to be disappointed that none of the (let me check....) 37 profiles I currently have around the internet, including such "universal" ones like Disqus, Gravatar, or even OpenID, are accepted at the site. So instead of registering yet again, giving out my e-mail address, username, password (different each time in case of security breaches, but not so different that I can't remember the damn thing), date of birth, proving I'm human, choosing a locating and timezone, etc... I move on, and don't get involved.

[charmian]

Yeah, it's the whole bother of registering (and LJ IIRC asks for more than they did in the past) and also having to recall YET ANOTHER login.

[pne]

This.

Also, I remember reading an article about how there are lots of OpenID providers but very few consumers... which makes OpenID accounts that much less useful.

Making them more useful (by being able to use an OpenID account in more places) is, in general, a good thing.

[charmian]

I guess the question is "not unreasonable" for who? Maybe it's not unreasonable for DW to feel that, but that seems to be a business decision for the owners to make, or in the case of LJ to make, and LJ seems to have essentially said they're ok with that. Otherwise, I just really don't see the practical effect on community owners, and it really does create a hoop to jump through.

[pensnest]

I think I want people who join comms that I run to have a reasonable commitment to the comms. I dunno. At first I simply thought, sure, why not? But there's something about it that doesn't feel right - and, as I said in my first comment, I think it's an emotional reaction rather than a logical one. Probably.

But, you know, if someone is regularly reading DW comms, isn't it a heck of a lot easier to do that with a Subscribe list than a bunch of bookmarks? And if they're just drive-by commenters, how much do they matter?

[charmian]

Eh... then why not make them go through an app process? But I don't think most comm owners do care about a "reasonable commitment to the comms," (and also, I'm not sure if someone who uses an openID account can be said to be uncommitted. In some ways, you could say that someone who uses an account linked to major RL info, like Facebook, is making a greater commitment) so I don't think this is a reason for not allowing it period.

[torachan]

There are actually people who prefer to read from bookmarks. Also feeds can be read through any feed reader, which means they can subscribe without making an account. If someone only reads two or three journals on DW and twenty random other blogs, it makes more sense to read them all on a feed reader, rather than separating out the DW ones and reading those a different way.

[frogspace.livejournal.com]

But, you know, if someone is regularly reading DW comms, isn't it a heck of a lot easier to do that with a Subscribe list than a bunch of bookmarks?

What does this have to do with OpenID? o_O

OpenIDs can subscribe to DW journals and comms (my DW reading list is here (http://ext-3626.dreamwidth.org/read)) so why would using an OpenID mean using a bunch of bookmarks?

[foxfirefey]

This topic has come up before and the answer is always no because of spam concerns. LJ has a lot more resources to deal with those problems, and a lot less to lose since there's already lots of spam that has to be dealt with anyway.

The closest I can come to workable solutions are:

* External account posts are always put in a moderation queue. Possibly allow communities to opt out of putting them in a moderation queue, with the caveat that if untended spam in the community keeps getting reported that site admins can remove that ability.
* External accounts can post to communities, but only after applying a valid invite code to their account. This pretty much puts them on the same footing as regular accounts.

Unfortunately, both of these solutions are still barriers, and kind of inscrutable ones at that. They all put barriers on the external account to jump through hoops or endure extra scrutiny. So I'm not sure how attractive these "solutions" are to addressing the wants of those who want this.

The best candidate I can think of for this ability is scans_daily.

[charmian]

Ah, I see, but isn't there already that spam concern with open-ID accounts when it comes to comments?

Maybe another way the situation could be improved is if we account holders with invite codes could "validate" external accounts too? So that would at least get rid of one of the steps for the external account holder.

[foxfirefey]

There is a concern with OpenID spam comments! But comments aren't as attractive a target as top-level posts, which more people have more of a chance to see. And comments overall have higher barriers than posts: users have the ability to implement screening, CAPTCHAs, or only allow registered users. Community posting barriers are mostly up to the person running a community and is members only or open, moderated or unmoderated. No CAPTCHAs, only registered users.

I think the first option I suggested is probably the most tenable--I think if communities can turn off OpenID posting, and it goes to moderation by default, and if a community can opt into having OpenID posts not be moderated by default, it could strike a balance between spam concerns and both spectrums of user needs.

I'm not sure how getting validated would eliminate a step for the external account--they'd have to find somebody to do it for them, or be invited by somebody who already knew about it. I guess it could work, though, if OpenID users could be validated with an invite code by somebody else OR if they could use the invite code on their own. The latter might be easier for some folks.

[charmian]

I think it saves a step it a user with an invite code can directly validate an openID user, rather than the increased steps of sending it to the openID user and then having the openID user validate themselves.

Yeah, I think that is the best idea: have it non-default and just an option that can be turned on if the community maintainer desires it.

[azurelunatic]

The vast majority of reported spam on DW is still anonymous comments, followed at a distant second and third by OpenID comments made onsite and imported from LJ, and I honestly don't know offhand which is second and which is third.

[matgb]

I prefer the first option, and would prefer to be able to opt out of it (longer comment below about what I've got in mind).

For a 'standard' comm, you'd need controls and safety precautions, but for someone like me looking for an outward facing comm, the whole point of interoperability as a project is to allow people to just get on with it.

I really want Twitter commenting here, I really want an easy taskflow for identity login, and I really want comms to be able to let people post with whatever they're logged in as.

Spam is always a concern, but if it's in some way moderated, that should solve it--maybe ID accounts can only post unmoderated to paid comms?

Other

[fiddlingfrog.livejournal.com]

As much as I advocated (past tense now, I got my wishlist over at LJ) for increased identity-account access I'm going to have to say No, not while DW is on the invite system. Letting identity accounts post here, while great for interaction, kind of undoes the trust in the userbase that DW has built over the years.

Re: Other

[charmian]

Hmm, what do you mean "trust in the userbase"?

The spam situation seems, from what Foxfirefey says, to have been the deciding factor.

Re: Other

[fiddlingfrog.livejournal.com]

What I mean is that the trust DW users have now, for other DW users, is what so many of the objectors on LJ think they have. By having invite codes you do create a more selective group on DW, and other users may feel more comfortable with that group, even if the selectivity is only very slight.

Re: Other

[charmian]

? If they think they have that trust, don't they have it? Trust is something that is within the people who hold it. Whether you or I agree that having that trust is rational or not is another story, but they seem to sincerely believe in it.

Anyway, I am not sure a majority of DW users would be against this, although the point is moot because DW will reportedly not implement this because of spam concerns.

Re: Other

[matgb]

My take is that assumes that everyone wants to contribute to DW or use DW in the 'standard' way.

There're a few people I'd like to get together to make a 'group blog' with--I don't want it to be massively difficult, I want it in a friendly place,a nd I want it to be fairly easy for them to use.

A DW comm would actually be absolutely perfect for this, better than anything else. It would be completely outward facing, if there're DW users that read it other than me, that'd be an added bonus.

I would likely be getting the comm itself to be paid, but the people I'd want posting it, generally, aren't technical people, aren't web people. I'll be teaching them all how to use Twitter over the next few months, and the ideal would be that they just login with Twitter here to post as well.

Some of those people may enjoy DW so much they become normal DW users, and want actual accounts. Most won't.

In addition, the target audience for this blog will be a lot of 'normal' people, it'll be outward facing. Some of them may also come in, join DW, like the place for what it is, etc.

I actually have two, different, distinct blogs in mind, both locally themed, several of the people for one of them are local elected officials, one of whom is learning to use email in order to do the job of Cllr well (he got elected this month).

Allowing it as an option for comms doesn't really affect your usage elsewhere.

I'm ambivalent about keeping codes, and given there're going to be regular holidays now anyway, and anyone can pay for an account, I don't think it matters. Most of my comments (and miss_s_b's comments) come from off site users. I'd like to get some of them more involved.

As some of them will slowly get more used to using the site, I'd like to get them involved. Many, most, of these people are my friends. Some are colleagues, contacts, clients. Many will pay.

I think it's a grand idea. But I can't even really think about using DW as a platform without better identity account interaction.

Re: Other

[fiddlingfrog.livejournal.com]

I suppose I'm not quite expressing myself correctly on this. From my perspective, as a very casual commenter on DW, I would love better identity account integration but it feels like a majority of users would view this as a violation of trust. Now granted, my perspective mostly comes from posts and threads that charmian and azurelunatic point to and from the endless waves of "Come to DW, we don't have Facebook or Twitter" over on LJ news rants, so it might be a bit skewed. And yes, it does assume that there's a standard model of use for DW, but again, my limited experience is that it's the majority model. I'd be glad to be proven wrong, however.

What you want to do with your group blog is exactly why I made the suggestion (http://suggestions.livejournal.com/928644.html) a couple of years ago for OpenID accounts to be able to join and post to communities - I want an open, simple, outward-facing blog that can be used to disseminate information and open discussion among a small group of people. I'm finally having the meeting week after next to get it set up, get the program chairman online at LJ, and hopefully invite the current crop of students to join the community.

Re: Other

[matgb]

Fair enough then--I think most of the fuss over FB/Twitter was the godawful way LJ implemented with no warning and with massive security breach potential.

I haven't seen, after that, much actual fuss, and regularly see Twitter and Facebook accounts commenting in various places, I view that as a dfinite Good Thing.

And frankly the people trying to recruit to DW based on why they got fed up with LJ aren't doing the site any favours at all. I like DW for what it is and what it's trying to be, interoperability is king.

Given that the next version of OpenID is likely to work for Twitter and Facebook anyway by design (although I've stopped following it closely), that specific point may be moot anyway.

Re: Other

[charmian]

I am not sure it's a majority. It's not zero, but I'd be hard pressed to say what's really going on there? And also some of the anti- sentiment seems to be founded on erroneous ideas about how LJ/DW Abuse is run.

Like matgb, also, I think most of the controversy over FB/Twitter wasn't actually about allowing FB/Twitter accounts to comment, but about sharing posts on FB/Twitter, which is different.

Re: Other

[charmian]

Hmm... I wonder if Tumblr wouldn't work for you then? (With Disqus for comments) It depends how many features you need, however. WP I find fairly easy to use, but then I've blogged a lot, so for inexperienced people WP might be too much.

Yeah, I don't know how this is going to affect the appeal of creating comms on DW now that LJ has this function. I've already seen at least one instance of someone using their FB account on a comm I read that appeals to a widespread, public audience.