More on the Privacy-Portability conundrum

(from the CC flickrstream of dalziel 86, thank you)

My post yesterday on Data Protection Law, Facebook and Scraping garnered more interest than my normal Enterprisey software ramblings. Dennis kindly picked up on my post twice, and I experienced a considerable spike in traffic and commentary courtesy of Robert.

I’d not paid much attention to the announcement, so after reading about it over at Dennis’s and Mike’s and at TechCrunch HQ I had a little browse through the website and Ben’s blog.

I’m pleased to see the social networking companies getting together and discussing interoperability issues. These issues are important: users of these services are right to be concerned about lock-in and the inconvenience of moving from one platform to another.

Sharing is only one side of the equation though, and I would prefer the companies concerned to look at a broader collaboration. They really need to be examining the broader topics of identity, trust and context. I hope that they are.

I’d urge the folks involved in this effort to get in touch with the Prime Project and other research projects in this space. Talk to these folks, for instance. Researchers have been grappling with the challenges of technology, privacy, identity and data reuse for decades. There is a tremendous amount of prior art that should and must be leveraged. This isn’t just a European thing either. Perhaps check out Lessig, Rotenberg, Swire, Litan, Hahn, Cate, Shostack, Westin, Cohen, Burk, Lemley, Acquisti, Kesan, Froomkin, Samuelson, Solove… and more.

I was a tad harsh yesterday about Alec Saunders’ manifesto post, as I later found out it has the backing of one of Canada’s (if not the world’s) leading privacy experts, Michael Geist. Thanks and apologies, Alec. Oh, and Mike at TechCrunch UK, I got the joke, eventually. Don’t give up your day job though.

My post yesterday merely glossed over some of the issues with scraping and Facebook, but I’m glad it helped get people talking. The issue at stake though has little to do with sharing business cards. It goes a whole lot deeper. If you have a moment, head over and read what JP had to say a couple of weeks ago.

I am responsible for the contact information I hold. I am accountable for that information. Accountable to friends who have trusted me with that information. And if I pass that information on without their implicit or, in some cases, explicit, permission, I am breaking their trust in me.

This, to me, is issue number one to do with any debate on information “ownership”.


And it’s a biggie.

Then via JP I came across this blog – Freedom to Tinker. Goodness. Subscribed.

Where did we get this idea that facts about the world must be owned by somebody? Stop and consider that question for a minute, and you’ll see that ownership is a lousy way to think about this issue

(Btw, you may also find Bill Zeller’s comment illuminating.)

There is significant debate in legal circles about the pros and cons of privacy as a right and/or as property. Schwartz’s paper here is well worth a read. As Schwartz notes,

At its core, information privacy has both an individual and a social value. Hence, I end on a note of caution: ongoing scrutiny of regulation of personal data is needed because failure in the privacy market can harm both individual self-determination and democratic

I do think the concept of privacy as property is a good one, especially in places where defining it as a fundamental right is nigh on impossible. There is also some good stuff over at the Burton Group blog.

I’ve suggested before that folks, especially in the US, should read Solove’s latest book. You can download the first chapter here.  I’ll also be getting this for bedside reading.

The more people start thinking about the implications of what they share, the better. Many of the US commentators on the blog felt that EU privacy law was dumb, or worse. It does have its problems, but before you consign it to the bin, check out a bit of privacy law history. The UK Information Commissioner’s website has come on leaps and bounds too. The US site EPIC is an excellent read.

I’ll leave you with a fabulous quote from Michelle Dennedy, Sun’s Chief Privacy Officer, courtesy of one of the mighty governor’s excellent posts.

Her own little girl came up with a brilliant take on privacy and what it is:

Privacy is like grass, she told her mom. Why asked Michelle? Because it keeps the dirt from being naked… 

Facebook, Scoble, Manifestos and European Privacy Law.

Thanks to the truly brilliant stream of Auntie P.

I’m very late to this, and originally I wasn’t planning to comment on the Scoble-Facebook thingy (see techmeme), but after seeing James Governor’s link comment about Nick Carr’s post, I figured I’d jump in.

James said…

my take: Che? No. Scoble the Mike Huckabee of the A-list. He thinks privacy is “just a theory” but runs awesome home and webspun campaigns… aw shucks

Spot on James. (thanks also to James for getting me into this CC flickr photo thingy)

Part of Robert’s defence is that he was “only” collecting

Names and email address and birthday.

But name, email address and birthday are personal data.

Here in ye old Europe we have a pretty clear legal definition of personal information.

Personal data are defined as “any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;” (art. 2 a of the EU Data Protection Directive)

I don’t want to go into a long history of European privacy law here, but the ancient runes (1980) of the OECD guidelines are a good starting place. The seven principles governing the OECD’s recommendations for protection of personal data were:

   1. Notice—data subjects should be given notice when their data is being collected;
   2. Purpose—data should only be used for the purpose stated and not for any other purposes;
   3. Consent—data should not be disclosed without the data subject’s consent;
   4. Security—collected data should be kept secure from any potential abuses;
   5. Disclosure—data subjects should be informed as to who is collecting their data;
   6. Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
   7. Accountability—data subjects should have a method available to them to hold data collectors accountable for following the above principles.

These principles eventually wound up as the foundation of the Data Protection Directive, which in turn ended up in the national law of all EU countries. They would make a good start for anyone building a terms of service for an offering that consumes personal data too.

The principles in the UK Act are defined as follows:

Personal data:

  1. Shall be processed fairly and lawfully.
  2. Shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose(s).
  3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Shall be accurate and, where necessary, kept up to date.
  5. Processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.

Robert Scoble’s actions may be perceived as noble in some quarters, but they don’t impress me. He single-handedly bashed through most of the basic principles of privacy with his scraping exercise, never mind Facebook’s terms of service. Facebook was right to take Robert on here. Facebook is subject to the provisions of European Data Protection Law. Facebook is part of the safe harbor. 

Carr nails it.

Facebook has an obligation to protect the data entrusted to it by its members. At the very least, members should have the right to decide whether or not their personal information can be scraped out of the Facebook database. Scoble did not give them that choice. That doesn’t mean that Facebook is the hero. It, like other social networks, happily scrapes information from members’ email accounts to identify possible new members. Facebook will scrape when it suits its commercial interest but will block scraping when it doesn’t. Still, in this particular case, Facebook did what it needed to do: protect the information and the interests of its members. Until controls are in place, unauthorized scraping of other members’ personal information shouldn’t be allowed.

What the Scoble affair reveals is that the issue of “data portability” is not a simple issue but a fraught one. Data scraping can make our lives easier, but it can also put us at risk.

So does Anne

Even if Scoble’s Facebook friends agreed to let him view their data on Facebook, they didn’t agree to let him take that information wherever he wants to do with what he wants. He could use a screen scraping program to grab data that they consider just-among-friends and stick it out in public without any regard for their privacy settings. You might say, “Scoble wouldn’t do that” but it’s Facebook’s responsibility to see that it doesn’t happen.

Data portability could be designed into Facebook in such a way that it doesn’t compromise users’ privacy. At the very least, an opt-in to profile sharing outside Facebook would need to be provided. Allowing uncontrolled screen scraping is not the answer.

And Loren Feldman’s acerbic take is well worth a watch. See the comments too. This one is from Patrica (who has a super golf blog):

Though evidently there are a number of geek wannabes out there just itching to join a data martyr movement.

Hat tip gapingvoid’s twitter

You may find this article on the position of Facebook in UK law interesting. Facebook could move at speed to suspend Robert, but seem awfully unwilling to let other people voluntarily remove themselves.  I’ve rambled before about Facebook and data protection law.

Robert, no doubt, had good intentions, but he was breaking the law, both in terms of the Facebook terms and conditions, and for those Europeans lurking in his 5000 “Friends”, a good bit of data protection law too.  Processing 5000 records moves one beyond the realms of Dunbar’s law into data controller mode.

I’m glad to see blawgs joining the discussion, for instance the Canadian Privacy Law Blog.  Also I’m very pleased to see privacy manifestos emerging, such as this one over on gigaOM, but rather than inventing stuff from new, I’d propose that the web 2.0 gurus get talking with some folks who know privacy and its complexities.  It is a lot harder than it looks. 

The right to privacy is one of the most complex legal and technical issues, and not just since web 2.0. The Germans passed privacy laws in the 1970s and are still grappling with the balance between privacy, security and freedom of speech. One of the most famous cases in US law is mainly about privacy rights.

The more folks start thinking and talking about privacy, and the sooner privacy impacts buying decisions, the better.

Daniel Solove’s recent book is a damn good place to start, especially from a US perspective.

For the technical challenges, Jeff Jonas is a must read. I’d like all developers who touch personal data to read and understand Kim Cameron’s laws of Identity.

I’d love to see more from Pangloss or on this too, oh and a Geeklawyer rant would be nice too.  I hope to be at this conference next year, the 8th Privacy Enhancing Technologies Symposium (PETS 2008).  It would be even better if Facebook sent some folks along too.