Don't Forget Your Logged Out Users (avc.com)
113 points by bjonathan on June 11, 2011 | 39 comments

The "Phantom Profile" Fred Wilson talks about is a great concept.

I particularly like Stack Overflow as an example here. You can visit Stack Overflow and ask a question, all without having to create a profile. You are given a name, given a profile, and given most of what a regular user gets.

As soon as you do decide to sign up "for real", your temporary profile is turned into a real profile. The biggest difference being that you're not cookie-based (you can log in to the profile from other machines).

Despite Jeff Atwood complaining loudly about how so many users have stayed cookie-based for so long, Stack Overflow has gone to great lengths to make sure their site is completely usable with a minimum of hassle, which makes it a much better site in my eyes.

I definitely get the impression that Jeff is more surprised than upset by users who have used cookie-based accounts for long periods. If I recall correctly, the record for longest "active unregistered account" is around 2 and 1/2 years (Stack Overflow is just shy of 3 years old, for comparison). That's a loooong time to go without clicking a Google/Facebook/Whatever button.

Of course, not having to register is completely by design and almost certainly never going to change, it's such an obvious win from a user experience point of view.

Disclaimer: Stack Exchange employee.

"it's such an obvious win from a user experience point of view."

And yet so few implement this.

By the way, I think it only really became obvious, to me at least, when StackOverflow implemented that design.

stack does a bunch of things i think are smart. we've learned a lot working with them

They have a strong ethic and they stick to it, and it very much comes through in setting the tone of their sites. It's so sad to see so many other companies compromise when you get such a great RoI on little investments. Most sites have shopping carts that expire after a couple of minutes. Amazon's shopping cart lasts effectively forever though. The result is a better user experience at a modest cost of engineering and database resources. It's the polite and correct thing to do, and for amazon it probably results in a just slightly higher rate of sales, not to mention better customer retention, etc.

Ultimately the best companies are those who are passionate about their users and willing to go to considerable efforts to do things which have no other goal but making users happy.

Amazon's user accounts have some strange behavior. I have managed to get myself 2 accounts with the same email and different passwords. There is no way to merge these together!

This is the only site I've used where the username doesn't have to be unique!

There's a reason for this. Amazon started before the widespread availability of free email services and it was quite common for a family to share a single email address from their ISP. They built this feature in to allow for this case.

I knew an engineer who interned at Amazon whose responsibility was to maintain this legacy system as there were still quite a number of active accounts that shared the same email address.

Yes, the last time I bought in Amazon was more than 10 years ago but I use Amazon as a wish list repository for Books and Music.

Out of curiosity, where do you buy books from?

I live outside US and since a decade ago books from Amazon arrives on one of the mail building (except using FedEx). So, I was not buying tech books lastly, only literature in closer bookstores.

I run logged out on many of these services because I'm not interested in having all of my preferences and interests logged and having my experience customized for me. In fact I intentionally log out of many of them when I'm done with my logged in activity (google is the best example of this). I also have cookies clearing on most of these services on a timed basis. Work against my interests here (and put it in my face) and you're more likely to end up on the cookie clearing list or simply not get used any more (facebook features on third party websites is a great example of behavior that pushes me away from facebook). I wonder if I'm all alone here, or perhaps your unlogged in users would prefer to be a bit more forgotten than you're suggesting.

I'm guessing that most people don't really care, or at least don't think about it enough to care.

And by most, I mean a huge majority, like 90%+.

I'm not aware of any studies though, does anyone have any study to link to?

Do most people not care, or are they simply unaware of what they are giving up and the real implications of the social web?

For example, we all know Facebook is huge, and many people give up all sorts of personal data to the company running it. And yet, on several recent occasions when Facebook have made changes that they were demonstrably technically capable of making and arguably within their legal rights to make, but which diminished the privacy of their users, the outcry from the user base was substantial and in some cases they gave up and essentially reverted the changes.

That was basically a PR/marketing move by Facebook: when you rely on critical mass of users in the way they do, you can't afford to upset people en masse so that they start to drift away to a rival service. It wasn't forced on them for technical reasons, and relatively few countries raised significant legal concerns about the privacy implications.

I wonder whether users would be similarly upset if they realised how much of their "private" data has been shared with other parties over the years, and where it has wound up, and how many people have wound up defrauded/stalked/otherwise genuinely damaged as a result. I think there's an element of "It can't happen to me" at work here, and my biggest worry is that as we've seen recently with organisations like Sony, corporate complacency and denial are no substitute for real security and privacy protection when Bad People decide to come after you.

[Edit: I would also be interested in proper studies if anyone has links, but only if their methodology is sound. I am reminded of the "study" last year about attitudes to the virtual strip search machines at airports, where apparently 90% of people in my country said they supported them. When asked with different wording in another study, not conducted by an organisation with ties to making the machines in question, it turned out that many of those people really meant that they preferred the hands-off abuse of the machines to being physically abused during an aggressive pat-down, which isn't the same thing at all. Privacy studies are all about how you phrase the question, and those with vested interests are very good at that sort of thing.]

I'm fairly sure you're not alone, but that you're definitely in the minority. So the options are: make the experience significantly better for the majority of users and annoy the minority of users like yourself; or make the experience slightly less annoying for the minority of users (who could have just added the site to a cookie clearing list) and weaken the experience for the majority of users.

A good example can be seen with Youtube. On a fresh computer with IP address, I was given an old game video from a friend. Finished watching it and talked other stuff.

An hour later, when I went to youtube.com (main page) to look for a different old game video, I noticed the frontpage suggestions were the same as alongside when I watched the video. Quite a basic guess of what the user wants but seems effective to me.

Although I have an account with youtube, I rarely log in. What's the point?

that's a great example of what i am talking about

From a business point of view, this makes some sense, but I find it creepy.

Apparently, so do some other people, because it is almost certainly becoming illegal throughout Europe as the recent rules on privacy/cookies take effect.

I find it highly unlikely that Stack Overflow's phantom profiles and similar features are an intended casualty of those laws. Unless politicians just hate the internet.

Preventing any sort of tracking without consent is the overt goal of these laws, and tracking users who have chosen not to log in sounds a lot like tracking without consent to me. YMMV.

[Edit: Just to be clear, if users have explicitly chosen to use cookies for persistence of a "phantom" identity, then this is not without consent, and neither I nor the laws in question have a problem with it.]

Is there a recommended design pattern to deal with the problem of coalescing or "stringing together" multiple "phantom profiles" inadvertently created for a user every time they browse when logged out (or from different machines before logging in)? I imagine the site's database schema would require one or two extra levels of indirection to map user IDs to user histories.

I just posted this on avc.com, but might as well add to the discussion here:

Songkick (http://songkick.com) nails this for first time users.

You can go to the site and start tracking favorite bands without providing any sign up info. Only after you have tracked a reasonably large number of bands and you're invested in your list does it ask you to sign up.

(I'm not affiliated with them, I was just impressed by the workflow)

Songkick requires logging in to a facebook account. This site is doing exactly what we're discussing NOT doing.

Heh. I just checked, and you're absolutely right. I guess they've changed it since I first signed up.

Too bad, it was really good the other way.

we are testing a fully logged out version of the songkick experience with our new iPhone app. would be curious to hear how that works for you.

Grooveshark (http://grooveshark.com) does this very well... I started using their service and added a handful of favorites (which worked well enough for me at the time) before ultimately deciding to register.

The BIG assumption is that there is only one user per computer per site.

"I think that social services that are public by default and have huge logged out user bases, should "phantom register" their logged out users by storing activity against their cookies and building user profiles on their logged out users."

What about if the user isn't allowing data to be stored, is using a vpn or proxy, a dynamic IP, or something else that prevents you from "storing activity"/comparing/etc.? I've seen this done before to target advertising to phantom users on adult sites, it doesn't work. Most of those people who aren't logging in don't want to log in/participate and "comparing activity" isn't exactly a piece of cake and is depending on those users having cooperating connections. You might argue that these people are fringe users but even then I doubt the ability/feasibility to accurately retain and compare data usefully and not just using IP or something to compare visits.

"You might argue that these people are fringe users but even then I doubt the ability/feasibility to accurately retain and compare data usefully and not just using IP or something to compare visits."

I'm not sure I follow you.

If a user isn't one of the "fringe" group which doesn't allow cookies, then you can store a cookie identifying the user to you, create a profile for them as if they are a regular user, and track anything you want. You can treat them like regular users, or treat them in a special way, but either way you can store any information you want.

Yeah you can store each session's activity but how can you accurately compare the data between sessions?

You can put a cookie on the user's computer that isn't removed between "browser sessions". That's how most sites "keep you logged in", even after a browser restart.

What my framework (Django) does, and I assume this is similar to other frameworks, is this: it creates a user object (see note) in the database, then keeps the user object id in a cookie on the user's computer. This is, by Django's default, kept on the user's computer for 2 weeks before being removed (and it can be made to never be removed).

Using this, you can store any information you want about a user in their user object in the database, and always have that information available to you via the cookie.

Note: by default, Django creates an "AnonymousUser" object for each visitor, not a real user object, and it is up to the site to create an actual user object. To implement that "PhantomProfile" that Fred Wilson is talking about, I usually make Django create a new user object with a temporary username, and use this instead of AnonymousUser objects. In this way, when they do decide to "register", I just keep the same user object and give it a new username.
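
The lazy-registration flow described in the comments above (a phantom profile reached through a persistent cookie and kept when the user registers, plus the earlier question about coalescing phantom profiles created on several machines), as an added example that is not part of the original thread and is not Django's or Stack Overflow's code. `PhantomStore` and its methods are hypothetical names over an in-memory stand-in for a database, and the sketch assumes the cookie holds a random token that maps to the user record rather than the user ID itself.

```python
import secrets

class PhantomStore:
    """In-memory stand-in for the user and cookie-token tables (hypothetical schema)."""
    def __init__(self):
        self.users = {}    # user_id -> {"username", "registered", "history"}
        self.tokens = {}   # opaque cookie token -> user_id (the extra indirection)
        self._next_id = 1

    def _issue_token(self, user_id):
        token = secrets.token_urlsafe(32)  # unguessable; the raw user id stays server-side
        self.tokens[token] = user_id
        return token

    def visit(self, cookie_token=None):
        """Resolve the cookie to a profile, creating a phantom one if it is unknown."""
        if cookie_token in self.tokens:
            return self.tokens[cookie_token], cookie_token
        user_id, self._next_id = self._next_id, self._next_id + 1
        self.users[user_id] = {"username": f"guest-{user_id}", "registered": False, "history": []}
        return user_id, self._issue_token(user_id)

    def record(self, token, event):
        self.users[self.tokens[token]]["history"].append(event)

    def register(self, token, username):
        """Promote the phantom in place: same record, new username, rotated token."""
        user_id = self.tokens.pop(token)  # the pre-registration cookie value stops working
        self.users[user_id].update(username=username, registered=True)
        return self._issue_token(user_id)

    def login_merge(self, phantom_token, account_id):
        """Fold a phantom into account_id; assumes the caller already authenticated that login."""
        phantom_id = self.tokens[phantom_token]
        if self.users[phantom_id]["registered"]:
            raise ValueError("refusing to merge a registered account")
        del self.tokens[phantom_token]
        self.users[account_id]["history"].extend(self.users.pop(phantom_id)["history"])
        return self._issue_token(account_id)

def demo():
    # Constructed scenario: one person, two machines, registering on the first.
    store = PhantomStore()
    uid, t1 = store.visit()
    store.record(t1, "asked question")
    t2 = store.register(t1, "alice")
    _, t3 = store.visit()  # second machine, logged out: a second phantom profile
    store.record(t3, "voted")
    t4 = store.login_merge(t3, uid)
    return store, uid, (t1, t2, t3, t4)
```

Rotating the token in `register` and `login_merge` means a cookie value that existed before authentication never carries the authenticated identity afterwards.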

Ebay used to have some rich pre-registration features like "watching", but they seem to have been removed in the last year or so. They still track logged-out profiles and tease a login with items that "you might like" and recent search lists. These hang around for years, I expect somewhere in Ebay Towers there's a top ten list of the Ebay identity that has been spread most widely across devices/browser profiles.

"There is a 100/10/1 "rule of thumb" with social services." Where did this come from? Is it a rule he just made up?

i didn't make it up. i heard it back in the early days of the social web, in 2002 or 2003. i've seen it to be true (within a range of numbers) again and again

It's an old rule, "lurkers make up over 90% of online groups" http://en.wikipedia.org/wiki/Lurker

And the 1% rule: http://en.wikipedia.org/wiki/1%25_rule_(Internet_culture)

We definitely saw that pattern at reddit.

No, please DO forget your logged out users. They logged out for a reason, respect their decision.

"90% just want to consume." Do they only want to consume, no matter the service/site? Or, does somebody just need to build a better experience?

This "phantom profile" concept already has a name. It's called "lazy registration".

yes. that's right.
