Shared publicly  - 
 
Google+ ProKvetching: Edit: This problem has been mostly addressed. See https://plus.google.com/113892479804684135897/posts/dtK1AH2n5u2.

Some important things to remember about post access, which I suggest you read if you care about the privacy of your postings here, as it's not all immediately evident:

When someone is +mentioned (for example, +Sierra Kempster ), in a posting that person then have access to the post and its comments, even if they were not initially specified as having access to the post.

When someone is +mentioned by you in a comment to a post the person mentioned then has access to the post and its comments, even if they were not initially specified as having access to the post by the original poster and even if you later delete the comment that mentions that person.

When someone is +mentioned by someone else (other than the original poster) in a comment to a post the person mentioned then has access to the post and its comments, even if they were not initially specified as having access to the post by the original poster and even if the original poster later deletes the comment that mentions that person.

Edit due to bugfix: If "disable reshare" has been selected on a limited post, +mentioning in comments, by either the original poster or anyone else, does NOT grant access.

I'm not sure that the behavior specified in the third case above is desirable.

For example, let's say I wanted to throw someone (for example, David Schlesinger) a surprise party, and make a post to plan it with a limited circle of our mutual friends and acquaintances. If any one of those friends or acquaintances then +mentions +David Schlesinger in a comment, he now has access to the post and all its comments, with no way to remove it. He will then know all about what we planned to have popping out of that giant cake; how sad!

I can think of a few considerably more malicious scenarios.

I'm not sure how the best way to go about implementing this in the UI, but it seems like it would be useful, and perhaps vital, for an original poster to be able to remove access to a given post that was later added by someone other than the original post through a +mention in comments.

What do you think?

(Many thanks to +Wade Aaron Inganamort, +Sierra Kempster, and +Autumn Tyr-Salvia for helping me test some of these scenarios out last night. This has been sent as feedback, but I'm not sure the G+ team sees this issue as a bug.)
96
312
David Schlesinger's profile photoTomas Kriha's profile photoMatthias Bolliger's profile photoPranesh Prakash's profile photo
107 comments
 
It's worth mentioning that the behavior I describe in this post was true as of about 9 pm PDT last night.
 
Also good to know that I'm not getting notifications every time someone shares this post, fortunately.
 
+David Schlesinger: Aye. I used a couple of team members as examples on the highly protected test-post that I originally sent feedback on last night, but I know they get tons and tons of +mentions.

I'd also be interested in what +Danny O'Brien thinks of this, as I think it pertains to his ideas of the private vs. the secret that have been being bandied about here a fair bit.
 
+Sai .: You and I just tested this, and "disable reshare" did not make any difference in behavior.
 
Also let me call EFF's +Kurt Opsahl to this post, and G+'s +Jonathan McPhie ... it seems like commenters being able to broaden the sharing of a non-resharable entry isn't something that people are intuitively expecting, and the scope for malicious use is very high.
 
Alright, I've confirmed this happens on reshare-disabled posts, both with the original poster and commenters bringing new people into the thread. Not good!
 
Anyone else in the circles a post is limited to can expose the post and the entire thread of comments to anyone they care to call in. That's scary.
 
I do appreciate the ability to broaden a discussion through mentions, but there should be some way to disable it on sensitive posts.
 
It is not a bug. If someone put a + or @ and writes name of someone that shouldn't be included, they can also simply copy the post and send to this person. If you share an information, it is not yours anymore
 
I think that if you are commenting on a Limited post, the +autocomplete should only auto-complete the people that the post is limited to.

Alternately, it could auto-complete your friends as well, but the +link should show up in RED or some other way that stands out where it doesn't actually give that person access to the post, doesn't send them alert, etc... it's simply a convenient link for everyone else who is a part of the post to know who you are talking about, especially if you're talking about John Smith... or you know two people with the same name.
 
No one other than the original poster should be able to broaden the discussion unless resharing is enabled. On the flip side, this seems like it should be easy to fix on the Google side.
 
Great find. Big issue!

I'd say there is a big difference between mentioning a person who is not part of the original limited circle and granting that person access to the private conversation. Circle members should not be able to bypass the limited access settings set by the original poster!
 
+Berk Gökden : "If you share an information, it is not yours anymore."

It is a bug. While there's no mechanism that can force people to be trustworthy—someone could take a photograph of the screen with a camera—the system should most certainly not facilitate the additional (inappropriate) sharing of posts marked "Do not reshare".
 
I'd argue that it's even less about "facilitating inappropriate sharing" and more about being predictable. It's not clear that mentions are invitations. There's nothing inherent in the mention that makes such a thing clear. At least with the "Share" button, it's clear that I'm resharing the post.

Behavior should be obvious.
 
But another rule is if you tell something about someone on a place, this person has right to reply in the same place. I am not sure if it is universal but it is used in Conventional Media.
 
+Remy Porter : A good point as well. We may have different priorities, but I can see this "misfeature" having the potential for gross abuse.
 
+Berk Gökden: As I mentioned above, I think the biggest problems will stem from people other than the original poster mentioning others in comments, thus expanding access to the post beyond what the OP intended (with no way for the OP to then remove that access), as +Tim Bonnemann pointed out.
 
Actually it is a good idea to disable tagging of outsider people if resharing is disabled.
 
It does have the potential for gross abuse. But were it an obvious expectation of the act of mentioning, it means that people could plan their uses around that potential abuse. Although having it trump resharing is completely a bug.
 
What happens if you delete the original update as well as the comment? It's less than ideal but could be used as an emergency response if you see someone break your circle by +mentioning someone you didn't want included.
 
+Peter Sitterly This is probably the best solution. Although, maybe there could be some differentiation between an @ and a +, where one simply mentions the person, creating a link to the profile, and the other actually brings them into the conversation.

Limited posts could restrict the "+" to those to which the post is restricted and @s could simply allow for mentions.

Of course the +autocomplete could use a little work as well as it seems to have trouble pulling up certain users if you type the names in too quickly.
 
It'll also be too late once third party apps are pulling data via API.
 
This sounds like a trust issue with the people you are sharing with and not a problem with G+. Away from online, any D-Bag can spill the beans on a surprise party and wreck the fun for everyone. Lets not build a platform that makes all these sorts of choices for us. I would prefere that there were warning when sharing outside of a circle from the orignal post, but would be mortified to see it blocked.
 
"This sounds like a trust issue with the people you are sharing with and not a problem with G+."

Sharing a "do not reshare" post with people who weren't originally included on it? What's "Do not reshare" mean...?
 
+Kyle Mecklem: It doesn't mention that there's no way to remove people once they've been added, nor for the original poster to prevent this from happening on a post-by-post basis, which is what I find problematic. The Dev team has already mentioned they're going to look into this security issues.
 
The behavior seems to have changed a bit, using the plus to get +Fox Magrathea Circe now shows up for me with a grey background/blue text, even while editing. And on a post, it adds the name to shared-with list, so that's a lot clearer.
 
Hey +Fox Magrathea Circe, thanks for sharing this out so it can be hightlighted and looked into. I have added Jonathan to this thread and escalated via email so he can communicate this issue back to the team. Feel free to +mention me to posts in the future so I can address these things quickly - was discovered from a reshare from +Alida Brandenburg.
 
I'm adding +Public to the thread. Whoops.
 
+Natalie Villalobos Thanks for the response! We originally made a test post yesterday +mentioning my friend Yonatan Zunger, and Trey Harris, since we know they work on this. Next time, we'll +mention you. :}

+Fox Magrathea Circe asked me to respond because (ironically) he can't +mention you at the moment due to a bug of some sort ( https://plus.google.com/u/0/113892479804684135897/posts/DuYRsp5JCXz for info). At any rate, once Fox is able to +mention again, he'll be sure to mention you if he finds something like this again.

Thanks! And, thanks for all your hard work on G+, it's awesome!
 
Compressing my thoughts on the original version of Fox's post (what an excellent post and thread!):
- I'm inclined to think that the design intended to inform users without lulling them into an unrealistic sense of security (anything on the net should be thought of as written on the back of a postcard, something even experienced users tend to forget.) However, I doubt the full extent of the current behavior was intended.
- Regardless, I think the fundamental metaphor is flawed. Playing with words, I came up with "include" as the verb to present when posting a share (to remind the poster that privacy is based on trust, not enforced by technological force of arms) and private (rather than limited, targeted, etc., etc.) as the converse of public. After all, the goal is to help keep all involved grounded, which can be a challenge, so why not be blunt about reminding the recipient of a share that they are about to copy and paste something that the sharer intended to be private? Why mince around with other words?
 
Two changes that would perfect functionality in my opinion:
- Use the word "Directed" instad of "Limited"? As in "This post is Directed to this audience, not necessarily Limited to it."
- "Disable sharing" should also disable +mentioning.
 
I'm getting lost as to the why. Can someone throw in some use cases that would warrant this. What I'm looking for are examples where it's not about a lack of trust with the people you're sharing a party planning thread to.
 
Mike: People you trust can still err or misunderstand functionality, with potentially disastrous results in this case. It's easy to believe that +mentioning just provides a link to a person being mentioned ("look at what +person posted now, we'll need to take that into account in our party planning"), or just sends a notification to that person (a quick inline IM).

Also, someone reading "Disable sharing" may not realize that there is a way of sharing it after all. One would have to be an expert on G+ details right now. Better make the default foolproof, and add power features for power users.
 
(Side-note: just found that it's difficult or impossible to +mention persons with common names. I tried to +mention Mike Jones, but it shows a random selection of all the world's Mike Jones's with Google profiles. It'd be good if people in the current thread were given priority.)
 
+Matthias Bolliger I think we all underestimate people. People figured out email. If this train of thought was true, we wouldn't have reply all. Yes, it can be misused, but how often does it happen anymore?

But just as we didn't cripple email, or DM's in Twitter surely the same should be so here. My concern is how complicated this is being made. Do we really need the system to dicate online sharing etiquette? Can't we set our own social. norms without creating a nanny state within out own social platforms?

If someone shares something outside of the intended group, thats not a bad sharing platform, thats a bad friend.
 
Mike: I fully agree with you about people learning and trust as a human skill etc. I think, though, that the current choice of words in G+ gives the wrong impression what it is. "Disable" sounds like "make not possible", and "Limited" sounds like "out of reach for most people".
 
Mike: I don't think giving people the option of control over how their own posting is disseminated amounts to creating a "nanny state". G+ is being touted as having superior granular privacy controls than Facebook, and for the most part it does; this problem seems to be the result of an oversight, which is why I pointed it out and why this is a public Beta.

A number of people I've interacted with about this have expressed surprise that "disable reshare" does not already solve this problem (and I'm certain as of today it does not, we've tested it out).

In most cases the ability to catch additional Plussers' attentions with a +mention is a great boon, but there are times when it can be a disadvantage as well; Google+ should allow the option for both eventualities to truly be the killer app we all hope it will be.
 
Thanks for the feedback. OK, loving the debate. Can we come back to the uses cases for this so I can understand the need?
 
+Natalie Villalobos actually, I pinged +Jonathan McPhie near the very start of the thread.

So, I think the biggest thing here is that we (the users) didn't work out that this is how it was working until several days into this test. That means that, whatever the norms or intent, this really wasn't apparent functionality. I talked a little bit in this thread ( https://plus.google.com/111128778940913280838/posts/CAehhpsLdRT ) with +Chris Messina about what my expectations were (that essentially the + was more of a way to hyperlink rather than to summon).

Thinking about it more, I think if comments are going to have this power, surely their interface should reflect how we observe and implement sharing in the posting box? If I type a name, shouldn't it appear in a comment sharing box at the bottom of the text area? How do I even know that this irreparable act of sharing is about to happen otherwise?

Finally, I think we're all agreed that this is tied to the debate about "Disable sharing" feature, and that if that is set by the poster, it seems very odd to invisibly undermine it in this way...
 
It's late and off the top of my head, and is assuming a hypothetical, generic "you" for sake of narrative flow:

Your cousin (who you included in your 'friends' circle (of about 54 people) because you're about the same age, you grew up together, and who seems pretty cool) is included on a post where you talk about issues dealing with recently realizing you are gay.

She makes a quick comment +mentioning your mother and your father (who you haven't told yet and are pretty homophobic), then quickly deletes it, giving them access which you might not immediately notice (since you'd have to go in and look at 'limited' and notice that your number has changed; I don't believe you currently receive notification that someone has been added for access, though I should test this to see for sure). You do get notification that she commented on your post, but not what she said.

Your mom and dad read this and all hell breaks loose.

Granted, this is a highly melodramatic situation and does not reflect how I would choose to use this service, and yes, this kind of ruckus could be created by someone with malicious intent taking a screenshot. But what if your cousin meant no harm and just asked, "Does +yourmom know?" when you weren't around to deal with the problem (and, given the way the system presently works, the only recourse would be to entirely delete the posting)?

It strikes me that this is a superfluous example as compared to, say, G+ were being used as a tool to resist oppression in Syria or Libya, but, like I said, it's late.
 
Another way forward would actually be to remove the "Disable sharing" feature altogether, and rely only on human common-sense trust.

Realistic use cases for enforced strict visibility limitations, as Mike asks for... I find them difficult to find. The one I can think of is "company employees discussing company secrets". But it's a long way before G+ or any externally hosted social network will get that level of trust. So it's no (priority) use case today. But maybe someone will give more use cases?

I guess the current problem is the gap between perceived functionality and actual functionality of "Disable sharing", and the gap is on the "potentially bad media coverage for Google" side. (Remember the Buzz privacy debacle.)
 
I also like the way +Peter Sitterly suggested.
If the linked person is not in the list of people that can see this post, highlight the link red and do not notify them.
You could notify the original poster and he can then, hovering over that link, grant the person access to the post.
 
Alexander: That seems like an elegant solution.
 
+Matthias Bolliger, you said "But it's a long way before G+ or any externally hosted social network will get that level of trust."

I deal with people trusting social networks (including one particularly big social network), all the time, using the systems that were originally intended for casual SMS chatting or college communications instead for life or death communication in dangerous or repressive regimes. Should they? Perhaps not. I strongly encourage more secure channels when I can -- but the fact is that for a large number of people, communicating through social networks is how such conversations take place.

People do really organize via Facebook in the hundreds of thousands; people do use Twitter and Facebook, even LinkedIn as ways to communicate on an individual basis. I already have seen people in the Middle East and Africa eying up G+ as an alternative, and have some people who have already joined in countries with authoritarian or repressive regimes. One of the first people I saw join Google+ was the chinese journalist +Michael Anti ; I already have a list of Chinese followers, even though G+ is allegedly blocked there. It's one of the reasons I wrote this early analysis of G+ for journalists working in dangerous conditions: http://cpj.org/internet/2011/07/google-for-journalists-at-risk.php (yes, I'll be writing a followup).

The two scenarios I would cite based on existing behaviour is, firstly, ad hoc groups using the existing social networking framework organize to protest or plan opposition statements. Obviously an accidental revelation -- or deliberate one -- would be extremely damaging, and the fact that in Google Circle terms, the list of names that you can pick from presumably comes from your circles, yet your circles aren't your friends but people you're interested in, merely adds to that risk. I'm someone who disapproves of what politician X. That also means that I'm interested enough in politician X to follow them, right? I'd also add that you also have the problem of brands coming to G+. If you're discussing, say, a protest against Chevron, whose G+ account you're following, and someone accidentally pluses that.

Secondly, you'd be amazed how much initial private conversations between journalists and their sources takes place through social networking. One of the reasons why organizations like ours pushed so hard for services like Facebook and Twitter to turn on https, is the face that DMs and Facebook messaging were being used for confidential conversations. There are many people out there who don't use email as their primary communication vector, but instead have Facebook messaging conversations. It's clear that everything in G+ is mediated through circles, and that the privacy spectrum goes from public to very private. I've already seen a common pattern of use on G+ where individuals communicate in a "circle of 2" for private conversations. (And if there's one sentence you should take from this comment, it's that one). The street finds its own use for things, and ironically I think the "real name" policy of Facebook and now, in a different form, G+, adds to this use. People feel like the other person is vouched for: one reach out to a noted investigative journalist on Facebook instead of a random email, because one has a reasonable belief that's really them. The same, I imagine, will occur on G+.

Another point is that most communications systems, even Internet ones, have plausible deniability. Most forms of copied communication -- forwarded emails, cut and paste, screenshots -- do not necessarily have immediately damning traceability, especially when it is a throwaway but incendiary comment. To give an example: I say "Lord Nelson is a coward" in an IM conversation with you. Sure you can cut and paste that to someone, and say "Good grief! Look what Danny said!": but it's rather like the spoken word. You have to go a fairly dramatic extent to prove that I said it, even though I said it on a loggable service. Even with email, it would take me a loong time to explain to someone that this IP address proves that this mail came from, say, Steve Jobs. Useful if I was using it in a court case or proving it to an editor at a newspaper; but not instantly incendiary.

Compare this to what happens with a +explosion. Somebody says something incendiary, and is accidentally plussed. What we have here is now effective proof that they said even (especially) a throwaway comment. Certainly, if they act quickly, they could delete it. But, of course, the person who is plussed can, I imagine, themselves plus more people -- and will certainly do so, and rapidly. Now we have an incredibly quickly propagating private conversation with no plausible deniability at all. It's sort of like one of those stories where a forwarded mail spirals out of control, but now with even small throwaway comments.

The classic known example here is Wiener and a misdirected tweet, and I think it's very understandably common to think of these things in terms of A Famous Politician getting outed saying something that we believe that they should be punished for. But, again, the instances that I deal with are actually the opposite -- critical voices in society being 'outed', such as atheists speaking pseudonymously on Facebook in certain middle east countries, or critiques of the Chinese government being targetted by the 50 cent army.

If you're looking for use cases for this being a problem, I think the model of thinking about critical voices in other countries is a useful one, partly because we often imagine there are relatively fewer consequences to accidental revelations for many groups in Western society. And partly because when critical voices are "outed" in our own context, we have an instinct to think that perhaps they deserve it. It's one thing to rub our hands at glee at imagining the next private Sarah Palin conversation being outed, or Anthony Wiener, but maybe an anti-corruption reporter in Russia or pro-democracy activist in Zimbabwe is less easily to be unsympathetic to.

Calling +Jillian C. York and +Rebecca MacKinnon and +Ethan Zuckerman to the witness table!
 
Very good comment, +Danny O'Brien. Your point gets even stronger when you realize that "the list of names that you can pick from presumably comes from your circles" seems to be not true, but the list actually seems to be the list of all persons in the world. At least I get huge amounts of random and completely unknown names to choose from, definitely not in my circles. I have a hard time even finding the correct "Danny" for +'ing you.
 
I made a comment on +Danny O'Brien's post on this: https://plus.google.com/111128778940913280838/posts/Ycx1uzKdiNe

+1 for +Alexander Sitte's extension of +Peter Sitterly's proposal: the decision to extend permissions should be in the hands of the original poster. And this same principle should apply for photos as well. It is very unfortunate that Google+'s photos are shared in the same manner as Facebook (tagging is sharing & one shared photo opens up the entire album) instead of following in the footsteps of Picasa.
 
+Sai . :
1. having a "!" grant access to the mentioned person is still very exploitable.
It would mean, that another person than you can expand the visibility of the post.
As you mentioned in 2. this should not be possible for resharing disabled posts.
But imho having two symbols (+ and !) can be distracting.

For me there are two reasons why you share your posts with a certain circle or circles:
1. The post is only interesting for them. (for example post an article about a new Android version to friends with Android phones)
2. The post contains private stuff that no one else should see. (for example: _I just heard Mom and Dad gettin' it on_)
While the first one everybody should be able to join in if interested and can be reshared, the second type of post is concerning private stuff that should not be accessable by everyone.

So, in my opinion, a combination of your suggestions (regarding shared and unshare posts) and mine a few posts up would make a good concept:
Reshareable posts to a circle: People referenced with +name that are not in the adressed Circles get a notification and can see and join the discussion.
Not resharable posts: People referenced with +name that are not in the addressed Circles are not notified and highlighted in a different color (red). The original poster is notified and can grant access to the person referenced. Upon granted access, the referenced person is notified and can join.

Edit
Regarding your points 3 and 4: I agree and have given feedback for this.
 
+Sai . That's my main complaint. While the privacy issue is the most obvious negative consequence of the design decision, that privacy issue exists because the behavior of the application is confusing.
 
+Sai . That only the poster should have !-rights was not clear to me. However, why should there be the ability for only the poster to add someone by mentioning him in a post when he can just add him to the list of permitted people (without posting).

I agree that mentioning and sharing are not the same. But if someone is mentioned in a resharable post, he should be notified of it IMHO you do not +mention a person in a comment to share the post with him, but to link him with the post. That the post also gets automatically shared with him is just a side effect.
 
+Pranesh Prakash I agree regarding the photo sharing. Every photo should have it's own privacy options. I could very well imagine picture circles, where you can drop pictures from your picasa albums and apply permissions to them. Or better drop the pictures on your existing circles! So you can share all pictures from an event with your friends and only pictures from that event without the drunken people with your coworkers.

So here is my idea with examples
You have three albums:
- Vacation photos from your last vacation to Spain
- Nature Pictures you took of the nature around your house
- Party Party pics. Lots of drunks, girls, booze ...
You have two circles:
- Friends
- Coworkers

Now you go to your Pictures page and see 3 circles: your two circles plus a Public circle.
Drop all the pictures in Nature on the Public circle
Drop all the pictures in Vacation and Party on the Friends circle
Drop some of the pictures in Vacation on the Coworkers_ circle

Now your Friends will see al three of you albums (containing all the pictures) and your Coworkers see Nature (with all pictures) and Vacation (with only some of the pictures).

This way, it feels very natural to other people and noone sees anything he is not supposed to.

Also Pictures should by default not be resharable.
 
+Sai . ok, you conviced me with the no-reshare argument.
But may I suggest then to use @ to mention people and + to add them to the conversion (thus sharing the post). (So your + is my @ and your ! is my + ;)
 
On one hand, I think a "!" verb is a good idea- it implies "notification". Quick, easy. On the other, I think you don't want to crowd the space with verbs. I think it would be best to just use the reshare mechanic to share content with people, but perhaps the reshare needs to either link back to the original post and its comments or it needs to allow individual comments to be reshared.
 
I'd keep it super-simple. Let the +mention both link, notify and extend share, just like now. Only change it so that the +mention cannot be used, ever, by anybody, in a "Disable sharing"-created post.
 
+mention should still be usable, but it shouldn't notify or extend in such a case. The linking is valuable to everyone.
 
+Remy Porter as mentioned in my first post I would give the OP in not resharable posts the ability to include the mentioned person if he wants and highlight the +mention. It would be more intuitive than searching an manually adding these people.
 
+Alexander Sitte The "+" itself could be the link (different style). The OP can click the "+" and get a confirmation "Do you want to share this post with +Soandso"? That strikes me as an easy way to do that.
 
+Remy Porter Sounds nice. Right now it is handy because the link covers the whole name. It might be a bit of fiddling to hit the correct link with your mouse. ATM you can hover over the whole link and get some info about that person. I say keep it that way and just add a button to the popup for the OP to share the post with this person.

Edit: Just to clarify why i am not that fond of making the "+" have a different functionality that the rest of the link: Steve Krug has written a book called "Don't make me Think". There he states that users like it simple and want things to work intuitively without thinking about them. If you have two functionalities so close together it is better to combine them in one link that to make the user think "What do i want to do withthis person? Ah yes, so i have to click the +, not the name".
 
Yeah, I think you're right. I keep forgetting that there's a hover-menu, despite it being ubiquitous in the application. I'm consistently surprised by it. A "add this person to the sharing" is something that should be in that menu.

I have a thing against disclosing menus and feel that every option should be immediately visible or exist someplace else entirely.
 
I feel that at the bare minimum, deleting a comment with a +mention (either the original poster deleting the comment, or the commenter deleting the comment) should remove any additional access that it granted to the post. There is no good reason that a +mention should grant permanent access to a post.

On LiveJournal, it was possible to link to a post that someone else could not access. For example, +Sai . could write an excellent post that was friends-only, and +Fox Magrathea Circe could copy the link and send it to me - either in another service like email or IM, or he could post a link to it on his own LJ. If I am not one of Sai's friends on the service, clicking the link would take me to a page that says "I'm sorry, you do not have access to view this post." Sai could reference me in his original post and people could talk about me in the comments all they want, and I would never be granted access to the post unless Sai explicitly added me to it.

I like this model a lot. I simply do not see a good reason why +mentioning someone should grant them access, ever. All it should do is link the profile. I think it should only send a notification if the person in question has access to the post.

If +Fox Magrathea Circe and I are having a private conversation on Fox's page and I think we should invite +Sai . to join the thread, what should happen is this: I make a comment that says, "Hey, I bet +Sai . would really enjoy this conversation. You should grant him access." This simply links to Sai's profile. Then +Fox Magrathea Circe decides he agrees, edits the post, and adds +Sai . to the people it is shared with. Sai now gets a notification saying that Fox has shared a post with him, and from there on out, all +mentions of +Sai . will send him a notification.

Let's say we talk for a little while, and Sai even comments on the thread. Then Fox decides that Sai is no longer welcome on the thread (consider a use case from +Danny O'Brien - perhaps we have just found out that Sai is a spy for China, or that he's a good friend with a stalker ex or something). Fox edits the post permissions and removes +Sai . from the access list. Now +Sai . will receive no further notifications if either Fox or I mentions him in the comments of this post. More importantly, if Sai goes through his old notifications and clicks the link to comment on the post, he will be taken to a page that says he no longer has access.

I think this is the most intuitive and clean way to handle this. I like the +mention system a lot, in particular it is useful to get someone's attention or to reference a specific person in a whole world where many people have the same name. I also like the access granting system where you can give access to a whole circle or just a specific person at a time. I don't think they should be mixed.
 
I'm assuming that feedback has been sent on this then?
 
In my opinion, this is how it should work:

When someone +mentions someone that didn't originally have access to the post and comments, the original poster gets a notification that someone outside the intended audience has been mentioned with the option to "allow mentioned user to view post and comments? - Allow Access | Deny Access"

The person who originally posted/shared something should have ultimate control over who can see their content. Allowing people to subvert that control is a huge flaw in the current privacy controls. Hopefully this gets resolved before G+ goes public.
 
My name was getting stuck in as my email address for at least some people. I didn't get that, either.
 
"It looks like one of ours, but it's a very bad design..."—Carl Lumbley as "John Parker" in The Adventures of Buckaroo Banzai: Across the Eighth Dimension
 
+Jon Pincus, thanks! I hope, though, that +Kevin McCurley understands that while the analogy with email forwarding is really fine, email doesn't have a "Disable sharing" ("Disable forwarding") feature. For me, the only problem in G+ right now is the possibility to share via +mention in a "Disable sharing"-created post. It would be fine for me to just remove the "Disable sharing" feature altogether.
 
I'm curious - in what way does marking such shares as 'private' fail as an obvious 'please do not share this' notice?
 
+Sai . If someone receives email notifications for a while, they have those messages. There is an element to this where one must be careful about watching things. If access and links are separate actions and access is more explicitly controlled, it's less likely that there will be errors to begin with. Additionally, if there's an authorization check each time someone clicks a notification to access a post, access isn't granted after it has been revoked.

I don't know that there is a way to handle the issue of notifications sent with "incriminating" content during an access period that has since been revoked. If notifications are to be useful, they must contain content. One of the issues with email in general is that once you send it, you generally cannot recall it. There is a certain element of this that is use at your own risk, and I am ok with a certain degree of this.

My real concern is the lack of explicit consent for access in the first place that leads to a lot of mistakes. At a certain point, if I give someone the key to my house, it is my responsibility to know that they are trustworthy beforehand. My concern is that this essentially lets anyone who has a key to your house give a copy to anyone without your consent or notice, and in such a way that the key can't be taken away.
 
Hi all - sorry for coming late to the party here :) I've spoken about this with the engineering teams and we're looking into how we might be able to improve the experience here. There are some really good insights here on a very complex subject - thank you!
 
+Sai . I think this is where my earlier suggestion comes in: The original poster gets a notification with a choice to allow mentioned user outside intended audience access to the post and comment thread or deny access.

And for the reason that you've just described, Google either has to go with OP has full control or none at all as is currently the case, treating it as an email forward.

I don't think the "please do not share this." notice is going to do much because most people do not realize that the +mention is sharing it with the person they're mentioning. That is not immediately obvious, nor intuitive.

Other suggestions include:
- A notice that when someone is +mentioning someone outside intended audience for post, a notice comes up warning the user doing the +mention that they are about to share the post outside the circle(s) the original poster dictated.
- Giving the OP an option when they post/share something regarding +mention privacy behavior, e.g.:
1. Allow +mentions outside intended audience access to post and comment thread.
2. Give me the option to allow access on a +mention basis.
3. Disallow all +mentions outside intended audience access to post and comment thread.

As you can there's a lot of options Google has, but it has to be very carefully thought-through. They are either going to treat a post as an email that allows all people with access to it to do what they will with it (which I think is a mistake) or they're going to actually give the poster/content creator complete control over their content's privacy, which given that this is well within the bounds of the technology and that it's what most people expect imo, that should be what is done. Facebook made it very difficult to manage your content's privacy for their own benefit - don't betray your users' trust, Google.
 
+Mike Jones (I only got 5 Mike Jones's, the one at Google seemed the obvious choice :). You are seeing the use case right here: the current terminology brings up a fundamentally inaccurate metaphor in people's heads and sets up inconsistent expectations, not to mention led the team to an inconsistent design in which "disable resharing" disables explicit resharing but allows implicit resharing!

How about following a 'trust but verify' model? Let people mark certain shares as private, but don't explicitly disable sharing or mentions. If someone shares or mentions, let it go through, but notify the OP, and tell the person who shared / mentioned that, as the share was marked private, G+ trusts that they had special permission but the OP has been notified to protect their privacy.

While +Danny O'Brien is technically correct about the distinction between mentioning and copy and pasting, for ordinary folks the distinction is meaningless as the cost of hiring a lawyer is prohibitive and their reputation has long since been destroyed.

I respect Google's stance on privacy. To me, this situation is in keeping with that stance. Rather than continue with the current practice of lulling people into a false sense of security, go the hard route of effecting change. Not easy.
 
+Sai . Oh I see. I do like your proposal, but then again you're giving the audience the choice, not the creator.. if I understand you correctly.

I agree that my second suggestion is unnecessary since share extension by mention can already be integrated into the current privacy options.
 
+Autumn Tyr-Salvia How is that not true about keys to your house? Anyone you give a key to your house CAN have copies made without your consent and give them to other people.
 
Off topic, but how come whenever someone tries to +mention me here it shows up with asterisks? Is there a setting somewhere that is causing that?
 
+Hilary Holz You're right, it is true about keys to my house. I like my data to be more secure than that. One of the nice things about non-physical information is that it is possible to grant better access control.
 
I really like the idea of that, when a +mention of someone without prior access is made in a comment, that a notification goes to the OP that reads something like this:

"+commenter wants to add +3rdparty to your protected post(linked). Do you approve?" with an approval button. This seems like it would be difficult to add to the current UI, and there's a question of what would happen to the response in the meantime, so it's probably pie in the sky, but it would seem to be the ideal solution to me.

Another way to approach this that hasn't previously been brought up to my knowledge would be to allow an option for a post to have comment moderation. Is this feature already available in Blogger?

Thanks you all again for all the discussion here, a lot of excellent ideas for the development team to chew on!
 
+Sai . They already have that option though. You just don't use +mention if you want to talk about someone without them being notified. Yes, you lose the link to their profile, but oh well. I'm more concerned about the fact that most people aren't aware that a +mention acts as a reshare to that person. There needs to be some kind of safeguard in place to protect against ignorance.
 
+Ben Moseley: Not being able to distinguish which user with the same name through a profile link is potentially a bigger problem than it would have initially seemed. I've already started running into duplicately-named people in my exended circles. I'm becoming more and more convinced that there ideally should be a dual system, with one way to reference a user and another to add access and notify a user, though how to work this into the UI and UX is an open question.
 
I'd suggest that in the meantime, while being further thought-through, Google should either just remove the "Disable sharing" option, or make it so that +mention in such posts does not reshare. This would put things on the safe side.

+Fox Magrathea Circe: is the dropdown list after + populated with one's extended circles? I've wondered. There are just so many people and so many duplicates, that I got the impression it's the whole world.
 
+Matthias Bolliger: Nope. With Extended CIrcles you get this in green text: "Visible to everyone in your circles, plus all the people in their circles."
 
+Fox Magrathea Circe +Sai . Oh okay, I see now. Good points from both of you. I agree that it is important to be able to link without notifying a user.

While I haven't read the whole thread due to time constraints, from the posts I have read, I believe that +Sai . has solved this through the current set of privacy options that is available and his suggestion of using + and ! as ways to grant access through mentions.

I definitely agree with the both of you that a dual system is necessary. It'll be interesting to see what Google comes up with here. Awesome conversation with all of you. UI/UX is always a favorite topic of mine.
 
+Fox Magrathea Circe: Thanks, though I wasn't thinking of the choice "Extended Circles", but rather about which names I see (and get to choose from) in the list that appears when I type +. You know, the people I can choose to +mention (and, thereby, currently, reshare with).

I just made a test, mentioning all the "Mike Jones"s that appear after my + - and my apologies to you five Mike Jones's for disturbing you... - and then checked their profiles for common contacts. Only 2 out of the 5 were in my extended circles. The other 3 were complete strangers. So either the list is global, or it is something less than global but greater than extended circles. In any case, a large number of people to reshare a private post with by mistake!
 
+Sai . Haha indeed. You're certainly a natural at it :P
 
+Sai . Oh, neither do I! This is a field that requires extensive studying and thinking. I didn't mean to underestimate the amount of time and effort you've put into it, especially with such an interesting background as yours ;)

Admittedly, I'm quite the amateur at all this being self-taught as I'm sure is obvious. Visual Display is a fantastic book and was definitely an eye-opener. Alas, it's been a while since I last read it. I think it may be time to blow this dust off the cover and take another crack at it :P

Oh and good luck at your interview!
 
+bunnyhero (wayne a. lee): I just did a test with +Trey Harris and it does appear that this has been at least partially addressed. I'll run a test post with you quickly; I'm writing a post summarizing the changes.
 
This was a bug? It took me 8 minutes to figure this out once I had access to the software. I thought it was ok that people were added to the convo publically after a repost. I think it should not effect the access at all, I think the correct fix would for google+ to scrape the original poster and comments from the limited access post from the post. So the idea would be once the permissions of the post change from private share to a public share, then any comments or users on the post previous to the permissions change should be scraped from the post completely. It would just make sense instead of making the post that you WANT to share publically a pain to share unless I literally repost the information myself to keep the privacy the previous user.
 
+Patrick Neville: This isn't addressing a problem just with reposts, but with security specifications period.

The problem was that there was no way for someone to make any post that allowed comments and also maintain sole control of who had access to view the post, since anyone who commented could add anyone they liked through a +mention, even if reshare had been disabled. This seemed problematic, and the Google+ team agreed.

Now disabling reshare includes disabling the ability for commenters to add access by +mentioning, leaving the original poster with sole access control if they desire it, as well as disabling the ability for anyone else to repost.

Does that make sense? Check out https://plus.google.com/113892479804684135897/posts/dtK1AH2n5u2 if you still have any questions; depending on when you got in to Plus, you may never have witnessed the bug this post describes.
 
I believe that makes sense. I just feel it would be easier to strip the permissions of the original poster and users who commented completely from the post once it was shared or reposted by a new user. This would make the original poster and the original comments now removed and they would have to comment to the newly shared post as a repost on the new owner's post. Any post on their original post would then keep to that person only. I just think there is an easier way to remove the permissions of the post rather than the ability to share the post. A person shouldn't have access to add to an original post that they are not the owner of, that makes sense. I just think if someone wanted to add a person, you prompted to to reshare the post on their stream and that new post is now under a whole new ownership. That to me would be a correct fix instead of hindering the ability completely.
 
+Patrick Neville: If I'm understanding you correctly, that is not what is being addressed here; this is for cases when the original poster wants limited access to, and no reshares of, their post.
 
Ahh, My mistake then. I did not realize this included the no reshare option as well as limited access. That is why I kept suggesting the client would be forced to reshare the post on their stream with all of the original posters stripped instead of add to the same post. My apologies.
 
+Patrick Neville: No problem.

Basically what this is saying is that, on a limited access post, +mentioning anyone in the comments (by either the OP or anyone else) adds them to the list of people that have access to the post unless you choose "disable reshare*.

Otherwise nothing has changed.
 
Gotcha. I think it would be a better option though to reverse it. If it is a limited access post I shouldn't be able to +mention anyone in the comments that were not in the circle of friends. As for the re-sharing, I still feel that re-sharing a post should strip the post of its original comments and owner otherwise the "social tentacle" that it creates is completely wide open.
Add a comment...