Private Data Use Cases And Their Trust Models

Hi all. I think it’d be very useful to synthesize some generic use case types and then understand each of their trust models and how they are different/similar. I’ll try to post some thoughts on this later today, but feel free to start the process if you have thoughts on types of use cases.

4 Likes

Perhaps this could pull from or comment on/extend @davenash.com’s post on Github

Yep, also here:

Would be good to extract some use cases and pull them out. I’m going to write some notes around multiplayer that came up in the call.

Here are four use cases for facebook private groups I’ve heard from experienced progressive activists in the US who are not doing direct action. (I don’t think any of these are particularly limited to progressives, just clarifying that this is who I’ve been getting input from.) Signal groups are an alternative for all of these, but everybody I talked to says they’re in too many Signal groups to keep up with and are overwhelmed by notifications. So, they’d like other options for situations where they’re willing to sacrifice some security.

  • communicating between leadership and members – announcements (also going out via email), questions and answers, discussions. For large groups, this is the kind of “not-really-all-that-private” scenario that Blaine was talking about; there are almost certainly some untrustworthy members there.

  • communicating across organizations, for example as part of a network of local organizations that are part of a bigger org (e.g. local Indivisible groups are part of a statewide coalition), different organizations in a geographical area, or an issue-focused working group that spans organizations. The content here is similar: announcements (e.g. events), discussions, questions and answers. Depending on how strictly membership is screened, these might or might not be examples of the “not-really-all-that-private” scenario.

  • communicating within an organization’s leadership team. Typically membership is tightly enough controlled here that there’s mutual trust.

  • a “lobby” for people who aren’t yet vetted to show up and either ask questions or start the process of becoming more trusted, with trusted members of the group interacting with them (often in 1-1 messages rather than directly in the lobby).

In terms of the trust model, people want to feel like the platform hosting the group won’t censor them politically, won’t show posts or group membership to people who aren’t in the group (because of the threats of trolling or getting reported to employers), won’t share information with law enforcement without a properly-scoped warrant (including fighting overly-broad data), and won’t share information with vigilantes. Of course if trolls or spies or vigilantes or journalists have snuck into the group then these protections are limited. That’s a problem no matter what the underlying tech is. With current events in the US it’s not clear how much sense the large-group untrusted model makes going forward.

It’s probably too detailed for this thread, but I’ve got some specific functionality requirements here.

1 Like

Notion <-> Google Docs-alikes data interoperability

E.g. orgs having a private space to share files, in particular docs & sheets, and having different clients offering different UXs for the same content.

Also, the same can be true for internal messaging/ borderline-social experiences like MatterMost, Slack, Teams.

E.g. comments placed in a document on a Notion-like product being available in the Slack equivalent, all only available to the org/group.

“Going private” is probably the most-requested private-data use case: the ability to keep anybody but your followers (or people you’re following, or mutuals) from seeing your past and current posts.

This one’s very tricky from a trust perspective because it means trusting all the AppViews that may have copies of your posts cached to update themselves.

I think it should be generally expected that any content that you created before you “go private” becomes unlisted (not quite private, but the PDS no longer provides access to it). And I think this is something people feel is a reasonable tradeoff for getting to go private temporarily.

Something that I agree with Paul on (from his most recent blog post that he posted on bsky) is that the systems that Private Data go through should be isomorphic to that of Public Data, so that it’s not hard to take Public Data and change it to be Private Data, and vice versa. The mechanisms that Private Data go through (xrpc calls, data model, etc.) should mirror Public Data as much as possible.

1 Like

I looove this! I am also active in local community orgs that could desperately use a communication platform where their data isn’t beholden to some big company, but the ecosystem of apps can be collectively developed professionally so that it’s not some janky app but can get really polished. Application aesthetic and an easy user experience is crucial to onboarding new users and getting buy-in from key people in the org, and it’s hard to have that from some small app/side project, so many orgs just end up using something from Meta or Discord or Slack or something like that. Or they compromise on some features while prioritizing others with things like Nextcloud.

1 Like