You Changed My Address To What?

Or, why not to let everybody edit a community address book

June 19, 2005

Joshua:

I'd like to offer a few thoughts on the issue of who gets to edit the online NBTSC directory. I confess I was very surprised that this has turned into such a hot-button issue. Score me another anti-point for assuming that everyone thinks like I do.

First off, thank you for all your work on the directory. It's been vaporware for years, and to my knowledge never got beyond vague batting-around of ideas until you took it on. I rate it as a highly commendable project.

...&strunk; &white; ... Strike that last sentence. Insert “I commend the project highly.” Or better yet, “Thanks.”

Second off, I don't want to come in on some high horse. You're already aware that I have opinions on the subject, and that like most people wrapped up in arguments I'm pretty sure that I'm right. That doesn't make me automatically better than anyone, nor do I have Expert status to back me up—in all honesty I suck at this stuff. I want to explain the reasoning which led me to my conclusions, not to ram my conclusions into anyone's unwilling orifices.

End of preamble. On to the unvarnished opinion.

I recognize that the directory as you envision it is a community effort, open for anyone to edit or add anyone's information. I deeply admire the collaborative model of database maintenance; in many cases distribution of effort is simply the best way to get a big job done. However, I'm still not convinced that the directory is such a case. My reasons boil down to three: privacy, accuracy, and trust. These three together make up a fair chunk of the concerns known in the aggregate as “security.”

Privacy:

I'm firmly of the belief that every person has an unalienable (if limited) right to disappearance. This doesn't mean that it's a crime for anyone to know my email address and I'm being raped by Big Brother when they force me to use my real name on tax forms. It does mean that I should, if I so choose, be able to exert a reasonable effort towards concealing, altering or revoking my email address such that a stranger would have to make distinctly more than a casual effort to obtain it.

I think of it in much the same way I think of copyright on creative works: I own my name and rent my address, and am entitled to choose how they are used in much the same way that a musician (or the agent who rents them) is entitled to choose how their music is used. Be it music or contact information I would prefer that the rightsholder tell me I may give a copy to a friend, but if they tell me they'd really rather I didn't, that's their prerogative.

The directory’s login requirement alleviates much of this problem, but most certainly not all of it. On the whole I trust people who've been to NBTSC more than I trust the general population of the Internet, but that's not to say I'd give every camper access to my bank account. If someone is unhappy putting their contact info where some particular person or group associated with NBTSC can see it, they will want themselves excluded. Thus a way to opt out is critical (and shouldn't be confused with merely not being added; come to think of it an explicit opt-in would be much better), whether or not anyone seems likely to use it. As a trafficker in personal information, it behooves you to help the people whose information you traffic.

Accuracy:

This is really the least of my worries, mostly solved by one sentence at the top of the page that says “don't add any information unless you’re sure it's right, dummy!” Anyone who maliciously ignores such a warning can be convicted on other counts anyway.

The problem is that even this simple and necessary precaution will greatly reduce the pool of potential info editors for any given person. My certainty about the correctness of my contact information for someone drops off quite rapidly as they get further from my usual orbit. As you might expect for radiatively disseminated data, this “certainty quotient” for a given person seems to vary inversely with the square of their degrees of separation from me. In other words, I'm the person most likely to know where I am.

The guidelines you give on the current version of the edit page look to me as if they boil down to “always ask the person you're editing before you change anything.” If the directory is meant to be so easy to use, then why shouldn't you just prod the person to do the updating for themselves? I think the number of campers without access to a web browser is small enough that one or two admins could easily keep up with their changes.

Trust:

I will let Charlie speak for me here. After reading and liking his principles of system administration, I asked him for advice on smart coding. His answer seems applicable to the directory, especially his exhortation to assume that the user is “simultaneously a moronic bedlamite and an evil genius,” and the rating of whitelists over blacklists. Be they moronic or evil, I really do not trust other users to change my information.

The directory is a reference project and a handler of privileged information. It needs trust from users if it's going to be authoritative at either. For both reference and sensitive information, I trust sources that get it right in the first place, which is not to be confused with correcting yourself after the fact. A change-tracking system is an excellent backup, and is probably adequate for innocent mistakes, but the “undo and send a nastygram to the perpetrator” approach to dealing with malicious changes is plainly insufficient—that's prosecuting the murderer rather than fixing the lock on the bedroom.

Let me emphasize that some more: Never, ever, ever confuse the containment measure of cleaning up after something goes wrong with the preventive measure of making sure things go right in the first place. If you want trust, you have to ask for permission so that you’ll never, ever need to beg for forgiveness.


In a nutshell, I don't think the directory is adequately secured unless it gives every user the means to control who can edit their information. If you want to allow the greatest possible flexibility, you could implement an all-out friends list much like LiveJournal, and allow each user to specify exactly who gets to see and who gets to edit which pieces of their information. I really doubt you want to do that, so the simplest thing would be to restrict users to editing or adding themselves only, and tell them not to post anything they don't want the whole community to see.
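To make that proposal concrete, here is an added sketch in Python; it is not code from the directory, and the class, method and field names are my own assumptions. It shows opt-in entries, owner-only editing by default, an optional per-field whitelist in the LiveJournal style, and the change log kept as a backup rather than as the lock.

```python
# Constructed model (added example, not the NBTSC directory's own code) of the policy
# proposed above: opt-in entries, owner-only editing by default, and a per-field
# whitelist in the LiveJournal friends-list style.  All names here are assumptions.
COMMUNITY = "community"  # sentinel: any logged-in member may view this field


class Directory:
    def __init__(self):
        self.entries = {}  # owner -> {"fields", "viewers", "editors"}; absent = never opted in
        self.log = []      # change tracking: a backup for honest mistakes, not the lock

    def opt_in(self, user, info):
        # Explicit opt-in: an entry exists only because its owner added it.
        # viewers/editors map field name -> set of member names (or COMMUNITY for viewers).
        self.entries[user] = {"fields": dict(info),
                              "viewers": {k: COMMUNITY for k in info}, "editors": {}}

    def can_view(self, actor, owner, name):
        entry = self.entries.get(owner)
        if entry is None or name not in entry["fields"]:
            return False
        allowed = entry["viewers"].get(name, set())  # unlisted field: owner only
        return actor == owner or allowed == COMMUNITY or actor in allowed

    def can_edit(self, actor, owner, name):
        entry = self.entries.get(owner)
        if entry is None:
            return False
        # Whitelist over blacklist: nobody but the owner edits unless explicitly granted.
        return actor == owner or actor in entry["editors"].get(name, set())

    def update(self, actor, owner, name, value):
        # Prevention first: the check runs before anything is written, so nothing needs undoing.
        if not self.can_edit(actor, owner, name):
            self.log.append(("denied", actor, owner, name))  # worth noticing, not reverting
            return False
        old = self.entries[owner]["fields"].get(name)
        self.entries[owner]["fields"][name] = value
        self.log.append(("changed", actor, owner, name, old, value))
        return True

    def share(self, actor, owner, name, viewers=None, editors=None):
        # Only the owner decides who else may see or edit one of their fields.
        if actor != owner or owner not in self.entries:
            return False
        if viewers is not None:
            self.entries[owner]["viewers"][name] = viewers
        if editors is not None:
            self.entries[owner]["editors"][name] = set(editors)
        return True
```

The simplest regime you describe is just this code with `share` never called: everyone can see, only the owner can change.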

I congratulate you on making a simple, easy-to-use directory. If everyone who would have edited another user's info were to simply prod the user to do it themselves, I think it will remain as current under a self-editing regime as it would have under the community-editing model, with fewer grievances all around.

Yours in geekery,
Chris