
Summary:

Many corporations have a blatant disregard for the privacy of their customers. So what rights should you have? Guest blogger Alec Saunders lays out four principles that form a Privacy Manifesto for the Web 2.0 Era.

Written by Alec Saunders, co-founder and CEO of iotum, creators of the first conference calling service for Facebook. Alec’s personal blog is about VoIP and web products, technologies and businesses.

  • In October, Verizon revealed that it would share customers’ calling records, including numbers of incoming and outgoing calls and time spent on each call, with third parties. Customers were informed that they could opt out of the new practice by telephoning a 1-800 number within 30 days of having received notification from Verizon; failure to object was deemed by the company to be consent.
  • An ongoing practice of credit agencies is to charge consumers to see their own credit scores. TransUnion, for example, charges a whopping $14.95 for a basic credit report.
  • In early January, Robert Scoble attempted to liberate his social graph from Facebook via the use of a prohibited automated script provided by Plaxo, prompting the social networking site to ban him. He was reinstated after the ban provoked a blogstorm. Scoble’s explanation boiled down to “What? I was just trying to migrate my social graph to another network…shouldn’t that be allowed?”

These three points highlight the disregard many corporations have for customers’ privacy. Corporations collect vast amounts of data, assert ownership over the data they collect, restrict access by customers to their own data, and cavalierly exchange that data with third parties. The misunderstanding of the basic guarantees corporations should offer is profound, and as consumers we all suffer.

Let’s start by defining what we mean by personal information. Personal information includes any factual or subjective information, recorded or not, in any form, about an individual. For example: name, address, telephone number, gender, identification numbers, income, blood type, credit records, loan records, existence of a dispute between a consumer and a merchant — even intentions to acquire particular goods or services. And let’s not forget health, medical history, political opinions, religious beliefs, trade union membership, financial information and sexual preferences!

Now, what rights should you have? Here are four principles that form a Privacy Manifesto for the Web 2.0 Era.

1. Every customer has the right to know what private information is being collected. That rules out any secret data collection schemes, as well as monitoring regimes that the customer hasn’t agreed to in advance. It also rules out any advertising scheme that relies on leaving cookies on a customer’s hard disk without the customer’s consent.

2. Every customer has the right to know the purpose for which the data is being collected, in advance. Corporations must spell out their intent, in advance, and not deviate from that intent. Reasonable limits must be imposed on the collection of personal information that are consistent with the purpose for which it is being collected. Furthermore, the common practice of inserting language into privacy policies stating that the terms may be modified without notice should be banned. If the corporation collecting data wishes to change its policy then it’s incumbent upon the corporation to obtain the consent of customers in advance.

3. Each customer owns his or her personal information. Corporations may not sell that information to others without the customer’s consent. Customers may ask, at any time, to review the personal information collected; to have the information corrected, if that information is in error; and to have the information removed from the corporation’s database.

4. Customers have a right to expect that those collecting their personal information will store it securely. Employees and other individuals who have access to that data must treat it with the same level of care as the organization collecting it is expected to.

Viewed through the lens of these four principles:

  • Verizon should have asked customers’ permission before sharing their information, and should have assumed that permission was denied until informed otherwise.
  • Credit agencies should, upon request, share an individual’s information with them; should require consent from the individual before sharing their information with a third party; and should allow an individual to opt out of the credit reporting processes altogether.
  • Facebook comes up smelling like a rose. The guarantee that they made to their users was that they wouldn’t share personal information with third parties. Facebook banned the use of automated scripts to prevent that information from being taken from the site. And Facebook explicitly recognizes in their terms of service that a user’s personal information is owned by the user, not Facebook, and the company is merely a licensee.
    Facebook’s privacy policy, however, contains a paragraph allowing them to unilaterally change the promises they make to their customers. Facebook should remove these weasel words.

Plaxo’s role in the Scoble incident is both surprising and disappointing. The company has one of the best privacy policies on the web today. However, it’s also seeking to advance an agenda that would create an open social graph with CTO Joseph Smarr’s Bill of Rights for Users of the Social Web, which is the source of the conflict. Surely the Plaxo team can see how Facebook couldn’t permit such a flagrant abuse of its terms and conditions. While one can make a good case that the social graph should be open, given Facebook’s current terms, opening that social graph should only be done with the consent of the owners of that data – Facebook’s users.

In many parts of the world, governments are now creating legislation embodying the four principles of this Privacy Manifesto. Citizens of those countries have responded favorably, rewarding businesses that assure their privacy, and penalizing those that don’t. In Canada, for example, personal information is protected by something known as the Personal Information Protection and Electronic Documents Act (PIPEDA) and as a result, it’s not unheard of for customers to patronize businesses that store their data locally. Many Europeans are equally sensitive.

Not only are the four principles of the Privacy Manifesto good for individuals, they’re good for business.

  1. Hi Alex – fantastic post.

    Can I suggest you contribute to this conversation (http://groups.google.com/group/dataportability/browse_thread/thread/b099ea6c8be2da87) so we can codify these principles into the DataPortability Policy Reference Design moving forward.

    Cheers,

    Chris

  2. While reading the article I realized that privacy and copyright are basically the same question: Someone owns something that became extremely easy to steal.

    In the case of copyright, the music industry owns the informational good (that is digitized music), and the users would like to “steal” it (resample and/or download).

    In the case of privacy the individuals own their informational good (that is their privacy), and the industry would like to “misuse” it (share it with third parties, and abuse the users based on the information it has).

    Interestingly though, it seems that today we would like to give different answers to these two questions:
    * copyright: the music industry should change itself as the video gaming industry did 30 years ago, and it should focus on the experience of its customers to survive, but should allow music lovers to produce (and resample or download?) their own music. (http://gigaom.com/2008/01/07/what-the-video-arcade-tells-us-about-the-recording-industry/)
    * privacy: the web2.0 industry should change itself, and it should restrict itself from using our data as its own property

    One reason behind the different answers might be the relation of costs and benefits. Seemingly we think that the music industry will survive (and even flourish) and that intellectual property is less stringent than “privacy property”. That is, it is more costly for the society to abuse someone’s private life than someone’s intellectual products.

    But one might ask the question the other way around, and for the moment we don’t know who is right. That is, the music industry is fine today (just like we are with our privacy), and wants to save its property. On the other hand it’s the listener who should adopt, and focus on

    I think this seems to be reasonable, but not obvious, and as such the point should be made clearly.

  3. [...] also suspected I’d see him comment on Alec Saunders’ contribution to GigaOM – the topic of Alec’s post being an attempt to crystallise a Privacy Manifesto for [...]

  4. Good morning all.

    Chris – I’d be happy to drop by and contribute.

    Viktor – you’re right that both copyright and privacy are about control of data. They’re different, however, in that as individuals we’re not trying to build business around the sale of our personal data. The music industry, by comparison, is actively working on having me consume their product.

    Cheers, A

  5. I think mobile web 2.0 is coming soon.

    ——–
    http://www.bywifi.com — Mobile Transcoding of Videos and Web Pages for Mobile Phone and PDA

  6. Rich Kulawiec Tuesday, January 8, 2008

    Plaxo’s also well-known as a spam source, so I hardly
    think they should be commended for their “privacy policy”.

  7. [...] Manifiesto para la era web 2.0 [...]

  8. [...] Om’s convalescence. I was asked if I would contribute a guest post, which I did.  Titled A Privacy Manifesto for the Web 2.0 Era, my post deals with the guarantees which entities that collect our personal information should give [...]

  9. Hi Rich,

    I wouldn’t care to defend Plaxo’s past. There’s no doubt that they were egregious spammers in their early days. However, in the development of our own company’s privacy policy I:
    - engaged academics in the field
    - researched privacy policies of various companies
    - interviewed chief privacy officers at various companies, including companies like Plaxo who were known as violators.

    Plaxo’s policy is probably one of the best I’ve seen. It makes substantive guarantees, and states them in plain language. At this point, I’ll cut them some slack, because they look to me like they’re doing all the right things. Their biggest problem right now is public perception, and unfortunately the stunt with Robert Scoble doesn’t help that.

  10. Rich Kulawiec Tuesday, January 8, 2008

    Hmmm…Plaxo’s past appears from here to be its present: I logged
    rejected spam from them six days ago. And as far as I can tell –
    from monitoring a pretty decent cross-section of anti-spam mailing
    lists, newsgroups and web sites, they haven’t bothered to consult
    with the people who are arguably the leading experts in the field.
    Nor have they taken one of the fundamental steps required to
    rehabilitate their reputation: publicly apologizing.

    So, yes, I’m very, very skeptical. I hope you’re right; it would
    be nice to see the world’s first example of an ex-spammer. But
    experience (long bitter experience) suggests that this is unlikely.

