[Infowarrior] - A Privacy Manifesto for the Web 2.0 Era

Richard Forno rforno at infowarrior.org
Tue Jan 8 13:12:24 UTC 2008 

 A Privacy Manifesto for the Web 2.0 Era
Guest Column, Tuesday, January 8, 2008 at 12:00 AM PT Comments (3)

http://gigaom.com/2008/01/08/a-privacy-manifesto-for-the-web-20-era/

Written by Alec Saunders, co-founder and CEO of iotum, creators of the first
conference calling service for Facebook. Alec¹s personal blog is about VoIP
and web products, technologies and businesses.

    * In October, Verizon revealed that it would share customers¹ calling
records, including numbers of incoming and outgoing calls and time spent on
each call, with third parties. Customers were informed that they could opt
out of the new practice by telephoning a 1-800 number within 30 days of
having received notification from Verizon; failure to object was deemed by
the company to be consent.
    * An ongoing practice of credit agencies is to charge consumers to see
their own credit scores. Transunion, for example, charges a whopping $14.95
for a basic credit report.
    * In early January, Robert Scoble attempted to liberate his social graph
from Facebook via the use of a prohibited automated script provided by
Plaxo, prompting the social networking site to ban him. He was reinstated
after the ban provoked a blogstorm. Scoble¹s explanation boiled down to
³What? I was just trying to migrate my social graph to another
networkŠshouldn¹t that be allowed?²

These three points highlight the disregard many corporations have for
customers¹ privacy. Corporations collect vast amounts of data, assert
ownership over the data they collect, restrict access by customers to their
own data, and cavalierly exchange that data with third parties. The
misunderstanding of the basic guarantees corporations should offer is
profound, and as consumers we all suffer.

Let¹s start by defining what we mean by personal information. Personal
information includes any factual or subjective information, recorded or not,
in any form, about an individual. For example: name, address, telephone
number, gender, identification numbers, income, blood type, credit records,
loan records, existence of a dispute between a consumer and a merchant ‹
even intentions to acquire particular goods or services. And let¹s not
forget health, medical history, political opinions, religious beliefs, trade
union membership, financial information and sexual preferences!

Now, what rights should you have? Here are four principles that form a
Privacy Manifesto for the Web 2.0 Era.

   1.

      Every customer has the right to know what private information is being
collected. That rules out any secret data collection schemes, as well as
monitoring regimes that the customer hasn¹t agreed to in advance. It also
rules out any advertising scheme that relies on leaving cookies on a
customer¹s hard disk without the customer¹s consent.
   2.

      Every customer has the right to know the purpose for which the data is
being collected, in advance. Corporations must spell out their intent, in
advance, and not deviate from that intent. Reasonable limits must be imposed
on the collection of personal information that are consistent with the
purpose for which it is being collected. Furthermore, the common practice of
inserting language into privacy policies stating that the terms may be
modified without notice should be banned. If the corporation collecting data
wishes to change its policy then it¹s incumbent upon the corporation to
obtain the consent of customers in advance.
   3.

      Each customer owns his or her personal information. Corporations may
not sell that information to others without the customer¹s consent.
Customers may ask, at any time, to review the personal information
collected; to have the information corrected, if that information is in
error; and to have the information removed from the corporation¹s database.
   4.

      Customers have a right to expect that those collecting their personal
information will store it securely. Employees and other individuals who have
access to that data must treat it with the same level of care as the
organization collecting it is expected to.

Viewed through the lens of these four principles:

    * Verizon should have asked customers¹ permission before sharing their
information, and should have assumed that permission was denied until
informed otherwise.
    * Credit agencies should, upon request, share an individual¹s
information with them; should require consent from the individual before
sharing their information with a third party; and should allow an individual
to opt out of the credit reporting processes altogether.
    * Facebook comes up smelling like a rose. The guarantee that they made
to their users was that they wouldn¹t share personal information with third
parties. Facebook banned the use of automated scripts to prevent that
information from being taken from the site. And Facebook explicitly
recognizes in their terms of service that a user¹s personal information is
owned by the user, not Facebook, and the company is merely a licensee.
Facebook¹s privacy policy, however, contains a paragraph allowing them to
unilaterally change the promises they make to their customers. Facebook
should remove these weasel words.

Plaxo¹s role in the Scoble incident is both surprising and disappointing.
The company has one of the best privacy policies on the web today. However,
it¹s also seeking to advance an agenda that would create an open social
graph with CTO Joseph Smarr¹s Bill of Rights for Users of the Social Web,
which is the source of the conflict. Surely the Plaxo team can see how
Facebook couldn¹t permit such a flagrant abuse of its terms and conditions.
While one can make a good case that the social graph should be open, given
Facebook¹s current terms, opening that social graph should only be done with
the consent of the owners of that data ­ Facebook¹s users.

In many parts of the world, governments are now creating legislation
embodying the four principles of this Privacy Manifesto. Citizens of those
countries have responded favorably, rewarding businesses that assure their
privacy, and penalizing those that don¹t. In Canada, for example, personal
information is protected by something known as the Personal Information
Protection and Electronic Documents Act (PIPEDA) and as a result, it¹s not
unheard of for customers to patronize businesses that store their data
locally. Many Europeans are equally sensitive.

Not only are the four principles of the Privacy Manifesto good for
individuals, they¹re good for business.

More information about the Infowarrior mailing list