Following the Facing up to Facebook session at the University of Ottawa on Wednesday, Bob LeDrew and I chatted for quite a while about the privacy implications of social media. Specifically, we talked about services like Facebook and how they exploit trust and personal information for corporate gains — their own and their clients’. These companies do warn you on some level that, by accepting their terms of service, you forfeit your claims to privacy of your information and that you also assign full licensing rights (including for their own financial gain) for your content (text, photos, videos, etc…) to the them. However, they do this through obscure (certainly not plain English) terms and conditions. They also serve up what I call a ‘crippling and confusing suite’ of information sharing controls disguised as privacy controls.
Bob and I came to the realization that the key element in the discussion about privacy and an individual’s right to privacy in social media tools is the amount of complexity and confusion in the way the agreements are structured and what our real rights are. This is further complicated by the fact that privacy laws differ from country to country and while most countries have adopted strict privacy regulations in order to do business with the EU, the United States has managed to get by with a more relaxed set of rules called Safe Harbor.
From the Safe Harbor main webpage:
While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Union.
This raises a lot of concerns when Canadian companies like Flickr move their data servers to the United States.
As we talked, I mentioned to Bob that what the world needs is a Privacy Commons — a simple and easy to understand deed to privacy which clearly communicates the privacy (or absence of privacy) controls built in to a service (I blogged about this in November). We fantasized about a simple Privacy Commons modeled after the Creative Commons that would elegantly and concisely allow service providers to designate privacy features in a deed-like interface, indicating elements like:
- do they collect personal identifying data
- is the data stored and transferred in a way that protects confidentiality
- is the data shared or sold
- does the company expect blanket consent to share/sell private information or do they require case-specific consent
- how long data is kept
- how data is destroyed
Some would argue that it would be hard to get companies to adopt this model. I suggest that companies that are committed to privacy would have no issues adopting a model which would make that immediately obvious to people. At the very least, it will help people understand the privacy features of the site. In the same way that the Creative Commons took a while to stick and connect those with a common vision of making creative works available under specific implicit terms as well as send a message to licensing bodies, the Privacy Commons would take some time to prove that taking privacy seriously is good business.
Many cultural, political, business and media revolutions have taken place online over the last few years. A revolution for simplified privacy in an increasingly public world seems like a logical next step.
Two questions come to mind:
- Who would build a Privacy Commons?
- Does anyone else see a Privacy Commons as being beneficial?
I’d love to see this kind of thing in place. It would take quite a huge consumer movement (i.e. an effective boycott of online stores, social media sites, etc. that didn’t follow the Privacy commons).
It’s an import fight though, as we see, to be slipping more and more into the survelliance society, both from a government and corporate point of view.
Comment by John Meadows — March 16, 2008 @ 7:25 am
There is a researcher at the Berkman Center at Harvard, Mary Rundle, who is doing work on this type of project:
http://cyber.law.harvard.edu/people/mrundle
You can read what she has written about personal identity management tools that would use icons to represent privacy preferences here:
http://www.w3.org/2006/07/privacy-ws/papers/21-rundle-data-protection-and-idm-tools/
http://identityproject.lse.ac.uk/mary.pdf
Interestingly, I think, Professor Rundle’s proposal would allow users to control access to their personal information through standardized “licences” on the model of Creative Commons, rather than using icons in privacy deeds to simplify the privacy policies of service providers. I think many privacy researchers would argue that the problem isn’t so much that people don’t understand the privacy policies of sites like Facebook, but that there’s no regulation of their privacy policies in a way that allows users to be selective about how their personal information is used.
So there are some efforts underway to create a “privacy commons” of sorts. How successful it will be remains to be seen!
Comment by Andy Kaplan-Myrth — March 19, 2008 @ 10:23 am