
Don't Forget Your Logged Out Users - bjonathan
http://www.avc.com/a_vc/2011/06/dont-forget-your-logged-out-users.html
======
edanm
The "Phantom Profile" Fred Wilson talks about is a _great_ concept.

I particularly like Stack Overflow as an example here. You can visit Stack
Overflow and ask a question, all without having to create a profile. You are
given a name, given a profile, and given most of what a regular user gets.

As soon as you do decide to sign up "for real", your temporary profile is
turned into a real profile. The biggest difference being that you're not
cookie-based (you can log in to the profile from other machines).

Despite Jeff Atwood complaining loudly about how so many users have stayed
cookie-based for so long, Stack Overflow has gone to great lengths to make
sure their site is completely usable with a minimum of hassle, which makes it
a much better site in my eyes.

~~~
kmontrose
I definitely get the impression that Jeff is more surprised than upset by
users who have used cookie-based accounts for long periods. If I recall
correctly, the record for longest "active unregistered account" is around 2
and 1/2 year (Stack Overflow is just shy of 3 years old, for comparison).
That's a loooong time to go without clicking a Google/Facebook/Whatever
button.

Of course, not having to register is completely by design and almost certainly
never going to change, it's such an obvious win from a user experience point
of view.

Disclaimer: Stack Exchange employee.

~~~
edanm
"it's such an obvious win from a user experience point of view."

And yet so few implement this.

By the way, I think it only really became obvious, to me at least, when
StackOverflow implemented that design.

------
trotsky
I run logged out on many of these services because I'm not interested in
having all of my preferences and interested logged and having my experience
customized for me. In fact I intentionally log out of many of them when I'm
done with my logged in activity (google is the best example of this). I also
have cookies clearing on most of these services on a timed basis. Work against
my interests here (and put it in my face) and you're more likely to end up on
the cookie clearing list or simply not get used any more (facebook features on
third party websites is a great example of behavior that pushes me away from
facebook). I wonder if I'm all alone here, or perhaps your unlogged in users
would prefer to be a bit more forgotten than you're suggesting.

~~~
edanm
I'm guessing that most people don't really care, or at least don't think about
it enough to care.

And by most, I mean a huge majority, like 90%+.

I'm not aware of any studies though, does anyone have any study to link to?

~~~
Silhouette
Do most people not care, or are they simply unaware of what they are giving up
and the real impliciations of the social web?

For example, we all know Facebook is huge, and many people give up all sorts
of personal data to the company running it. And yet, on several recent
occasions when Facebook have made changes that they were demonstrably
technically capable of making and arguably within their legal rights to make,
but which diminished the privacy of their users, the outcry from the user base
was substantial and in some cases they gave up and essentially reverted the
changes.

That was basically a PR/marketing move by Facebook: when you rely on critical
mass of users in the way they do, you can't afford to upset people _en masse_
so that they start to drift away to a rival service. It wasn't forced on them
for technical reasons, and relatively few countries raised significant legal
concerns about the privacy implications.

I wonder whether users would be similarly upset if they realised how much of
their "private" data has been shared with other parties over the years, and
where it has wound up, and how many people have wound up
defrauded/stalked/otherwise genuinely damaged as a result. I think there's an
element of "It can't happen to me" at work here, and my biggest worry is that
as we've seen recently with organisations like Sony, corporate complacency and
denial are no substitute for real security and privacy protection when Bad
People decide to come after you.

[Edit: I would also be interested in proper studies if anyone has links, but
only if their methodology is sound. I am reminded of the "study" last year
about attitudes to the virtual strip search machines at airports, where
apparently 90% of people in my country said they supported them. When asked
with different wording in another study, not conducted by an organisation with
ties to making the machines in question, it turned out that many of those
people really meant that they preferred the hands-off abuse of the machines to
being physically abused during an aggressive pat-down, which isn't the same
thing at all. Privacy studies are all about how you phrase the question, and
those with vested interests are very good at that sort of thing.]

------
Joakal
A good example can be seen with Youtube. On a fresh computer with IP address,
I was given an old game video from a friend. Finished watching it and talked
other stuff.

An hour later, when I went to youtube.com (main page) to look for a different
old game video, I noticed the frontpage suggestions were the same as alongside
when I watched the video. Quite a basic guess of what the user wants but seems
effective to me.

Although I have an account with youtube, I rarely log in. What's the point?

~~~
fredwilson
that's a great example of what i am talking about

------
Silhouette
From a business point of view, this makes some sense, but I find it creepy.

Apparently, so do some other people, because it is almost certainly becoming
illegal throughout Europe as the recent rules on privacy/cookies take effect.

~~~
kevingadd
I find it highly unlikely that Stack Overflow's phantom profiles and similar
features are an intended casualty of those laws. Unless politicians just hate
the internet.

~~~
Silhouette
Preventing any sort of tracking without consent is the overt goal of these
laws, and tracking users who have chosen not to log in sounds a lot like
tracking without consent to me. YMMV.

[Edit: Just to be clear, if users have explicitly chosen to use cookies for
persistence of a "phantom" identity, then this is not without consent, and
neither I nor the laws in question have a problem with it.]

------
cpeterso
Is there a recommended design pattern to deal with the problem of coalescing
or "stringing together" multiple "phantom profiles" inadvertently created for
a user every time they browse when logged out (or from different machines
before logging in)? I imagine the site's database schema would require one or
two extra levels of indirection to map user IDs to user histories.

------
spatten
I just posted this on avc.com, but might as well add to the discussion here:

Songkick (<http://songkick.com>) nails this for first time users.

You can go to the site and start tracking favorite bands without providing any
sign up info. Only after you have tracked a reasonably large number of bands
and you're invested in your list does it ask you to sign up.

(I'm not affiliated with them, I was just impressed by the workflow)

~~~
Empedocles99
Songkick requires logging in to a facebook account. This site is doing exactly
what we're discussing NOT doing.

~~~
spatten
Heh. I just checked, and you're absolutely right. I guess they've changed it
since I first signed up.

Too bad, it was really good the other way.

------
chopsueyar
The BIG assumption is that there is only one user per computer per site.

------
philthy
"I think that social services that are public by default and have huge logged
out user bases, should "phantom register" their logged out users by storing
activity against their cookies and building user profiles on their logged out
users."

What about if the user isn't allowing data to be stored, is using a vpn or
proxy, a dynamic IP, or something else that prevents you from "storing
activity"/comparing/etc.. I've seen this done before to target advertising to
phantom users on adult sites, it doesn't work. Most of those people who aren't
logging don't won't to log in/participate and "comparing activity" isn't
exactly a piece of cake and is depending on those users having cooperating
connections. You might argue that these people are fringe users but even then
I doubt the ability/feasibility to accurately retain and compare data usefully
and not just using IP or something to compare visits.

~~~
edanm
"You might argue that these people are fringe users but even then I doubt the
ability/feasibility to accurately retain and compare data usefully and not
just using IP or something to compare visits."

I'm not sure I follow you.

If a user isn't one of the "fringe" group which doesn't allow cookies, then
you can store a cookie identifying the user to you, create a profile for them
as if they are a regular user, and track anything you want. You can treat them
like regular users, or treat them in a special way, but either way you can
store any information you want.

~~~
philthy
Yeah you can store each sessions activity but how can you accurately compare
the data between sessions?

~~~
edanm
You can put a cookie on the user's computer that isn't removed between
"browser sessions". That's how most sites "keep you logged in", even after a
browser restart.

What my framework (Django) does, and I assume this is simialr to other
frameworks, is this: it creates a user object (see note) in the database, then
keeps the user object id in a cookie on the user's computer. This is, by
Django's default, kept on the user's computer for 2 weeks before being removed
(and it can be made to _never_ be removed).

Using this, you can store any information you want about a user in their user
object in the database, and always have that information available to you via
the cookie.

Note: by default, Django creates an "AnonymousUser" object for each visitor,
not a real user object, and it is up to the site to create an actual user
object. To implement that "PhantomProfile" that Fred Wilson is talking about,
I usually make Django create a new user object with a temporary username, and
use this instead of AnonymousUser objects. In this way, when they do decide to
"register", I just keep the same user object and give it a new username.

------
synx508
Ebay used to have some rich pre-registration features like "watching", but
they seem to have been removed in the last year or so. They still track
logged-out profiles and tease a login with items that "you might like" and
recent search lists. These hang around for years, I expect somewhere in Ebay
Towers there's a top ten list of the Ebay identity that has been spread most
widely across devices/browser profiles.

------
dav-id
"There is a 100/10/1 "rule of thumb" with social services." Where did this
come from? Is it a rule he just made up?

~~~
fredwilson
i didn't make it up. i heard it back in the early days of the social web, in
2002 or 2003. i've seen it to be true (within a range of numbers) again and
again

~~~
falava
It's an old rule, "lurkers make up over 90% of online groups"
<http://en.wikipedia.org/wiki/Lurker>

And the 1% rule: <http://en.wikipedia.org/wiki/1%25_rule_(Internet_culture)>

------
click170
No, please DO forget your logged out users. They logged out for a reason,
respect their decision.

------
eegilbert
"90% just want to consume." Do they only want to consume, no matter the
service/site? Or, does somebody just need to build a better experience?

------
harrybr
This "phantom profile" concept already has a name. It's called "lazy
registration".

~~~
fredwilson
yes. that's right.

