Most of the media coverage of Facebook’s latest proposed revisions to its legal agreements with users has focused on one change: the proposed elimination of users’ right to vote. The reality, however, is that this change probably won’t have any practical effect because a vote by users would almost certainly never have been binding on Facebook anyway.
Another change the company has made, despite being more significant, has received relatively little attention. It will add a clause that says it can now share your information with its affiliates. This underscores an important trend: Facebook is now one of several companies that shares your information among its various different services. As the range of services offered by consumer internet heavyweights like Facebook and Google continues to expand, this means that your personal data will end up being used by in ways you could never predict.
The trend towards internal data sharing
- Google’s unified terms of service (introduced on March 1) allows it to combine your data across products like Gmail, Google+ and Google Docs, as well as YouTube, Picasa and scores of other Google properties.
- Microsoft updated its services agreement effective Oct. 19 to allow it to use your content to “provide, protect and improve” all “Microsoft products and services.” The agreement had previously allowed the company to use your data only to provide the particular service in question.
- eBay and PayPal can share your data among all “members of the eBay Inc. corporate family,” which also includes Shopping.com.
Facebook’s ability to use customer data benefits users by allowing for innovation. Its existing Data Use Policy says that you allow the company develop “innovative features and services” by using “the information we receive about you in new ways.” But when its proposed revisions go into effect later this month, its ability to share users’ data will increase further. The following new paragraph will be added:
We may share information we receive with businesses that are legally part of the same group of companies that Facebook is part of, or that become part of that group (often these companies are called affiliates). Likewise, our affiliates may share information with us as well. We and our affiliates may use shared information to help provide, understand, and improve our services and their own services.
The Facebook affiliate that first comes to mind is Instagram. And one of the most immediate applications of this new provision could be that Facebook starts to serve ads on Instagram. But Instagram is just one of many Facebook affiliates. It has numerous subsidiaries, including one it created earlier this year to handle its payments business. And its publicly stated expansion plans mean that it will likely be acquiring other companies, forming new business units, and entering new markets in the near future.
How worried should we be about internal data sharing?
The ability of internet companies that operate in multiple verticals to share your data among their different services has potentially far-reaching consequences. Microsoft could use your Outlook.com email messages or your online Office documents to push targeted ads to you on Bing. eBay could use your shopping history to recommend financial services on PayPal. Facebook could use data you expose by taking Instagram snaps to customize your experience on its web or mobile apps.
Not all of these scenarios may be objectionable to everyone– and in fact, some people may find none of them objectionable. And increased internal sharing can be a good thing not only for the companies themselves but also for users. Being able to tightly integrate our experience across all Google products, for example, offers an efficiency as well as functionality boon. For the service providers, being able to increase the effectiveness of targeted advertising means that they can improve their bottom line (and ultimately invest in developing new services and improving existing ones).
But the point remains that we are increasingly allowing personal data to be used in ways that are not obviously related to the action we initially took in order to generate that data. To an ordinary Instagram user, it is not obvious that using the Instagram app will have any impact at all on their Facebook experience. When we think about data privacy, we normally think about a company giving or selling our information to someone else. But a single company using our information in ways that we did not anticipate raises privacy concerns that are just as significant.
What should we do about it?
Internal data sharing of some kind is for all practical purposes an inevitability. This need not be a bad thing if users are sufficiently well informed about how their data is being used and if they can opt-out of uses that they find objectionable. I propose three principles to guide us going forward:
- Better disclosure It should not be enough for a company to say that data can be shared across its services and among its affiliates. We should be given much more specific guidance. Whether disclosure is necessary should depend on how unexpected the sharing would be to an intended user. Some forms of internal sharing are obvious and need not be disclosed. We should assume that our data will be transferred to a company’s customer service department in order to handle our customer service inquiries. But if sharing is between unrelated products or services, users should be notified. This is especially the case if they are between separately branded services that do not reveal their common corporate affiliation (e.g. to an ordinary user, Instagram is not obviously owned by Facebook).
- More granular controls for users Users should be able to opt-out of internal sharing as a whole and also be given control to turn on and off particular kinds of sharing.
- Sensible defaults Despite the obvious benefit they offer, in practice many people simply won’t take the time to navigate through granular privacy controls. As a result, it is important for default settings to offer users a reasonable amount of protection.
As an increasing amount of the data we expose online is handled by a small number of companies that operate across multiple verticals, sharing between companies (external data sharing) could ultimately be less of a privacy concern than sharing within companies (internal data sharing). We should be concerned not only about who controls our data but also what they can do with it.
Andrew Nicol is an entrepreneur and attorney based in New York City. He runs Clickwrapped, a not-for-profit service that rates leading consumer technology companies according to how well they respect their users’ rights. Follow him on Twitter @aknicol.
Photo courtesy of Muellek Josef/Shutterstock.