Following the Facing up to Facebook session at the University of Ottawa on Wednesday, Bob LeDrew and I chatted for quite a while about the privacy implications of social media. Specifically, we talked about services like Facebook and how they exploit trust and personal information for corporate gains — their own and their clients’. These companies do warn you on some level that, by accepting their terms of service, you forfeit your claims to privacy of your information and that you also assign full licensing rights (including for their own financial gain) for your content (text, photos, videos, etc…) to the them. However, they do this through obscure (certainly not plain English) terms and conditions. They also serve up what I call a ‘crippling and confusing suite’ of information sharing controls disguised as privacy controls.

Bob and I came to the realization that the key element in the discussion about privacy and an individual’s right to privacy in social media tools is the amount of complexity and confusion in the way the agreements are structured and what our real rights are. This is further complicated by the fact that privacy laws differ from country to country and while most countries have adopted strict privacy regulations in order to do business with the EU, the United States has managed to get by with a more relaxed set of rules called Safe Harbor.

From the Safe Harbor main webpage:

While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Union.

This raises a lot of concerns when Canadian companies like Flickr move their data servers to the United States.

As we talked, I mentioned to Bob that what the world needs is a Privacy Commons — a simple and easy to understand deed to privacy which clearly communicates the privacy (or absence of privacy) controls built in to a service (I blogged about this in November). We fantasized about a simple Privacy Commons modeled after the Creative Commons that would elegantly and concisely allow service providers to designate privacy features in a deed-like interface, indicating elements like:

• do they collect personal identifying data
• is the data stored and transferred in a way that protects confidentiality
• is the data shared or sold
• does the company expect blanket consent to share/sell private information or do they require case-specific consent
• how long data is kept
• how data is destroyed

Some would argue that it would be hard to get companies to adopt this model. I suggest that companies that are committed to privacy would have no issues adopting a model which would make that immediately obvious to people.  At the very least, it will help people understand the privacy features of the site. In the same way that the Creative Commons took a while to stick and connect those with a common vision of making creative works available under specific implicit terms as well as send a message to licensing bodies, the Privacy Commons would take some time to prove that taking privacy seriously is good business.

Many cultural, political, business and media revolutions have taken place online over the last few years. A revolution for simplified privacy in an increasingly public world seems like a logical next step.

Two questions come to mind:

• Who would build a Privacy Commons?
• Does anyone else see a Privacy Commons as being beneficial?