Wednesday, July 3, 2013

Deleting things

InterTwinkles just added support for deleting documents. What took us so long? Well, deletion in the context of group documents is not as obvious as it might seem.  When you collaboratively create something as a group, in a very real sense, the result belongs to the group, not to a single individual within it.  So when one person decides they want to erase something permanently, we want to ask the group if that's what they want.

Most services solve this problem in one of two ways:

  1. Some services never truly delete data. Out of the box, EtherPad works this way: a history of every edit is always maintained, with no way to delete it. That way, if someone else objects to a deletion, they can always restore the item from the trash or revision history. Given the importance of online privacy and security, we felt it was critical that you be able to actually permanently remove things from the Internet.
  2. Some services assume that there is only one "real" owner of the data, and that person is allowed to delete it, but other group members are not. This goes against the model we're striving toward, which enables groups to be owners of data.

We don't want to enforce any particular decision-making policy on groups. We think it's great that some use consensus-based processes and some use modified consensus or various majorities, and we don't want to impose those policies structurally by building them into the deletion mechanism. At the same time, we don't want people to accidentally delete hard work that the group created together. Too much bureaucracy is harmful, but we still want to let groups check themselves when taking irreversible actions.

Here's how deletion now works on InterTwinkles:

  • There is a "trash" where things can be put, without actually deleting them. This is a safe place to put non-sensitive stuff that you just want to get out of your face. Anyone can put anything in the trash at any time, and can restore things from the trash with one click.
  • You can also delete things outright (as in, gone forever). If only one person in the group has worked on the document, they can delete it immediately - this handles the case of accidentally created items which shouldn't waste anyone's time.
  • If more than one person has worked on a document, "delete" starts a 3-day timer, and notifies the rest of the group that you want to delete something. Within those three days, any other group member can "second" the deletion and it will proceed immediately, or they can "cancel" the deletion to rescue the data. If three days go by with no action, the document is deleted permanently.

It only takes one other group member to delete something immediately or to contest deletion. We think this is a good compromise which lets you get sensitive data off the Internet pretty quickly, but still protects you from accidents or over-zealous deletionists. Like many of the other tools in InterTwinkles, it depends on you having a reasonable amount of trust in your group members. But it also doesn't bog you down with the access control mechanisms that you don't need for small groups.
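The rules above, written out as a small state machine. This is an added sketch, not InterTwinkles' own code: every function and field name is hypothetical, the trash is not modelled, and it assumes that only a sole contributor deleting their own document skips the timer and that the requester cannot second or cancel their own request.

```javascript
// Added example: hypothetical names, not InterTwinkles code.
const DELETE_WINDOW_MS = 3 * 24 * 60 * 60 * 1000; // the 3-day timer

function newDoc(groupMembers, contributors) {
  return { groupMembers, contributors, state: "active", request: null };
}

function isMember(doc, user) {
  return doc.groupMembers.includes(user);
}

// "delete": immediate for a sole contributor, otherwise start the timer.
function requestDeletion(doc, user, now) {
  if (!isMember(doc, user)) throw new Error("not a group member");
  if (doc.state !== "active") throw new Error("cannot request from state " + doc.state);
  const soleAuthor = doc.contributors.length === 1 && doc.contributors[0] === user;
  if (soleAuthor) return purge(doc);
  doc.state = "pending";
  doc.request = { by: user, expires: now + DELETE_WINDOW_MS };
  return doc.state; // the caller notifies the rest of the group here
}

// "second" or "cancel": must come from a member other than the requester.
function respond(doc, user, action, now) {
  expire(doc, now); // a lapsed timer wins over a late response
  if (doc.state !== "pending") throw new Error("no pending deletion");
  if (!isMember(doc, user) || user === doc.request.by)
    throw new Error("needs another group member");
  if (action === "second") return purge(doc);
  if (action !== "cancel") throw new Error("unknown action");
  doc.state = "active";
  doc.request = null;
  return doc.state;
}

// Run periodically: three days with no action deletes permanently.
function expire(doc, now) {
  if (doc.state === "pending" && now >= doc.request.expires) purge(doc);
  return doc.state;
}

function purge(doc) {
  doc.state = "deleted";
  doc.request = null;
  doc.contributors = []; // stand-in for erasing content and edit history
  return doc.state;
}
```

Checking membership and the requester's identity on the server for every transition is what keeps a single account from both requesting and seconding a deletion.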

Like this strategy, or have a better idea? Let us know what you think!
