Privacy: How to Avoid the “Third Rail” of Online Services

Social Security has been called the “third rail” of American politics — the idea being that the issue is so charged anyone going near it risks being severely shocked and possibly electrocuted. The issue of online privacy has arguably become a similar kind of topic; whenever a service like Facebook or Google oversteps what users and privacy advocates see as the boundary between data collection and invasion of privacy — something that seems to be happening more and more frequently — all hell breaks loose. If anything, privacy is likely to become an even more explosive issue as the line between our online and offline lives continues to blur. I looked at some of the implications in a recent report for GigaOM Pro (subscription required).

The most recent flash point for online privacy was a series of reports from the Wall Street Journal about sites like Facebook and MySpace sending “personally identifiable information” to third-party service providers. The crux of the issue uncovered by the reports was that some Facebook apps — including popular games like FarmVille and Texas HoldEm Poker — have been transmitting a person’s unique user ID, and in some cases friends’ user IDs, to the likes of advertising networks and data aggregators. This is an issue Facebook has wrestled with in the past.

Personal data mining

Pieces of any given Internet user’s personal information — credit history, shopping profile, criminal records, tax and voting records, etc. — exist in a myriad of different databases; the potential for that information to be aggregated and mined to generate marketing profiles is not new. What makes the online version done by companies such as Rapleaf (which Om discussed in a recent post) different from the real-world version is that in many cases, this data is updated in real time. In other words, it reflects your behavior right now, rather than taking months to get added to some database, the way similar real-world data does. Facebook’s leaking of user IDs helped companies like Rapleaf do that (although Rapleaf says it did so inadvertently).

The future of online privacy

The kind of profiling Rapleaf and other companies do is just the beginning when it comes to potential digital privacy issues. An iPhone and Android app released this week called Sex Offender Tracker shows what’s possible when databases of public information like criminal records are merged with location-based technology and “augmented reality,” or layering online data onto physical locations. It’s not just augmented reality that has some users of social networks concerned; Facebook got in some hot water recently when it launched Facebook Places, which allows users to tag others at a specific location in the same way they would tag someone in a photo.

How should companies respond?

Dealing with issues of privacy is something every company that has a consumer-facing application or service is likely going to have to do at some point, so it’s worth looking at some of the best practices that have come out of the past behavior of Facebook, Google and other companies that have been in the spotlight. Here are two of them:

  • Make settings visible and easy to use. Facebook has made a series of changes to its privacy settings over the past year, but one of the risks is that the more complex and difficult to find the settings become, the less likely people are to go in and change them.
  • Allow users to opt in. Facebook takes a substantial amount of criticism because it chooses to automatically opt users in to new settings and features. The giant social network can get away with this thanks to its sheer size, but smaller companies and services run the risk of alienating their users.

For more details on recent developments around online privacy and best practices on how to deal with it, please read my full GigaOM Pro report.


Post and thumbnail photos courtesy of Flickr user Moonsheep