 |
|
Call for A Social Networking Bill of Rights
Duncan Work
A social software pioneer suggests how "six degrees" websites ought to treat personal information.
[continued from Call for A Social Networking Bill of Rights, page 1]
1. The Right of Individuals to Know Who Is Collecting What and Why
Without knowing who is collecting information and how it is being used, it becomes impossible for anyone to know if his or her privacy is vulnerable or is being violated.
In the case of social networking systems, people who willingly join these systems can read the systems' privacy policies before deciding what information to share, and they can also use the system to see what others can see about them.
However, unlike many other online sites, social networking systems don't just collect and make use of personally identifiable information of users. They also collect information about the contacts of those users. Those contacts (a) may or may not know that information about them and their relationships is being shared in a social networking system, and (b) may or may not want to participate in the system, or have information about them stored there.
Some systems not only collect names and email addresses of people who have sent users messages, but also automatically collect the "cc" information in emails sent to users – that is, the email addresses of people that the users' contacts presumably know, but may not actually know (e.g., if they pressed "reply to all" when responding to a message sent to a list of people). Thus, such systems are collecting names of non-user contacts of users, and also the names of non-user contacts of non-users. Some of these same systems then make all of these names searchable by users (and even by non-users).
On the plus side, this is an excellent way to build a gigantic database of names and potential connections between people. Many companies are interested in accessing such databases for the purpose of generating sales leads, collecting competitive intelligence, etc. On the negative side, not only is much of this data of questionable value to most users – because the connection strengths are usually extremely weak – but this is also an intrusive collection of information about people who are for the most part unaware that their information is being collected.
We believe that all social networking systems have a responsibility to protect the privacy and rights of both users and non-users. The most fundamental right is the right to choose to participate or not. Users have obviously made the decision to participate. People who are invited to participate by users also have a chance to choose, as well as a chance to evaluate the site's privacy policy, etc., in order to understand what personal data is collected and how it will be used and not used. But non-users have no opportunity to choose to participate if they have no awareness of what is happening, i.e., that the data they have sent to some of their contacts can now be used to help strangers find them through some of their contacts, or find some of their contacts through them.
With some systems (including LinkedIn) now collecting data on literally millions of people who may not know that their data is being collected, this is becoming a critical issue. Some colleagues from other social networking providers have stated their belief that non-user data contributed by users (from their address books) is not the property of the non-users, but the property of the users who contributed it, and thus of the social networking system as a whole when that data is shared with the system.[2]
We would like to take a deeper look at this question. Is openness and access for those who use the social networking systems worth the loss of privacy of the people who aren't participating in the system? If we're going to say, "Let's give up some privacy in order to get extra benefits," then the people who give up the privacy should also be getting the benefits, and should also have a direct say in how much privacy they're willing to give up. This is especially significant since, as mentioned earlier, often the percent who are actual users is a tiny fraction of the millions who are non-users.
There are at least a couple of instances where it seems broadly legitimate that individuals do not have this right to know who is collecting data on them. First, when laws give government agencies the right to collect information about individuals suspected of crimes. Second, when individuals and organizations privately keep records and notes on their contacts or others they're interested in – this information is considered to be the property of those individuals and organizations.
Individuals and organizations certainly do have some rights to collect information on others, even without their knowledge. However, a very important line appears to be crossed when data collected by individuals or organizations becomes widely searchable and findable by people other than those who collected the data.
The distinction seems to be this: If I send you information about myself, then I know that you have that information and can store it and use it as you see fit, unless I've otherwise given you clear restrictions. But I don't expect you to publish the information in an automated, semi-public search and retrieval system where it can potentially be found by thousands or hundreds of thousands of people without my knowledge. Preventing broad search of such material and keeping it in control of the user who contributed it prevents the material from being used in ways that the original sender never intended.
Only now is the need for more sophisticated privacy becoming urgent, as social networks grow in size and more "mainstream" professionals begin to use them.
|
In LinkedIn's case, although we let users store their address books on our servers, we keep that data in private areas only accessible to the address book owners, and we aren't making non-user data searchable within the system. We believe that if the data becomes searchable, then non-users should be notified and should have a right to opt out or to ask for extra protections (such as being searchable only anonymously with the person who listed them as a contact acting as a gatekeeper).
There is another issue related to the right to know which has to do with the use of automated collection and analysis of user contributed information. The main point here is that there is a need for these systems to be extremely clear about what is being collected and what assumptions are being used to trigger what actions. Anytime an analytic system is either inside a "black box" or is extremely complex, then many users can easily be unaware of what is happening. When these systems also affect non-users, the situation becomes even more important. (These points can also benefit from industry-wide discussion and will be taken up again in a separate article.)
2. The Right to Opt In or Out
Once someone has been notified about both the potential benefits and about what information is being collected and how it is used, then many will opt-in. But they also have the right to opt-out, which can mean the right to be assured of removal of all information they have contributed or that has been contributed by others. Ideally, the right to opt-out can be more selective; that is, if I discover that certain of my information may be used in certain way, then I have the right to opt-out of that particular use, or to remove that particular information about me and my contacts from the system. Also, if I am a non-user and I discover that certain individuals can act as gatekeepers to my usable data, then I should have the right to indicate which of those users I do and don't want to act as a gatekeeper for me.
Again, U.S. laws may not guarantee this right to individuals. However, rather than making this an issue for courts to decide, we believe that social networking tools have to be based on individual trust and permissions, and that those permissions should extend to non-users and not just to users.
3. The Right to Clear Privacy Policies and Effective Notice of Changes
This right to have understandable privacy policies is of course related to the right to know. Most online privacy policies give a nod to the principle, but privacy policies alone don't guarantee this right. The two biggest problems with many privacy policies are: (1) lack of adequate notification; (2) lack of clarity in general; and (3) a specific lack of clarity regarding what policies can be changed and which can't be changed at the sole discretion of the site owner or operator.
Regarding notification of changes, privacy policies often indicate that whenever there is a change in the policy that the change will be posted on the provider's website. I recently read the privacy policy of a doctor which said that changes would be posted in their office; obviously, clearly posting changes on a website is better than that. However, even for users who are willing to read privacy policies, posting notification on a website is inadequate, since users' data is likely to stay on the system much longer than users actively participate. Users should have an option to receive email notification of changes in the privacy policy (e.g., through an opt-in subscription to email notifications).
Regarding clarity, privacy policies are written both to legally protect the online host as well as to inform users. These duel purposes often lead to legalese that gets in the way of understandable disclosure. Sometimes the legalese also appears to be "weaselese," language that seems to promise to protect privacy, but with loopholes that can weaken or even take away the protection.
One of the biggest and most widely used loopholes is a statement, usually at the end of a privacy policy, stating that the privacy policies are changeable at the discretion of the service operator – and at the discretion of any new organization that may acquire the service provider's assets. Whenever such a statement is included in a privacy policy we recommend that the policy also include the provision for opt-in email notification of changes, plus the following (which we will be including in pending changes to LinkedIn's policy):
a. The policy should make clear what promises made, if any, are irrevocable by the service provider or future owners, and
b. The policy should give users the right to opt-out of any changes, either before or after they are made. At minimum, the opt-out should include the ability to change or delete any portion of the data the user has contributed at any time, including the possibility of terminating the account and removing all contributed data. The best privacy policies will not only provide users with an opt-out, but will also require an opt-in by users to any changes in the policies that affect the privacy of their data contributed prior to the changes.
It is important for social networking systems to recognize users' rights to opt-out of future changes to privacy policies. But it's also important to recognize that many users are making a significant investment by choosing to participate in a social networking system: they are investing their time and social capital by recruiting as many of their colleagues as possible into the system. In exchange for their investment they deserve strong assurance that the social networking system won't lure them in with privacy policies and other features that they like, and then morph into something they no longer feel they can participate in.
4. The Right to Control Access to Information Contributed
Social networks are dynamic and complex; the exchange and management of trust is much more complex than exchanging information or engaging in commercial transactions. In information and ecommerce systems, people mainly need the ability to keep their IDs and sensitive information private and secure. In social networking systems, people need to be able to make complex decisions about who can have access to what information about themselves and their contacts, and for what purposes. This includes decisions about who can access their attention for various purposes by making requests, etc. These decisions may change dramatically based on particular circumstances (nuances), as well as on changes that occur in relationships over time.
Users need the ability to give instructions to the system regarding who can see what parts of their data, and under what circumstances. Then they need to be assured that their instructions will be carried out exactly as they expect them to be, until they personally make changes in those instructions.
As social networking systems grow in size, this right will become more obvious and important. However, the right of each user to control access to information that they contribute is fundamental to all of the preceding rights mentioned above. This is basic: Each individual must have control over his or her own information.
5. The Right to Participate
In addition to the right to "not participate," many (including myself) believe that it is in the interest of both providers and users of social networking systems to also guarantee that users have the right to participate without restrictive barriers, such as prohibitive fees, or other special requirements. Instead, the only restrictive requirement should be agreement to adhere to the letter and sprit of a common user agreement designed to prevent abusive or annoying uses of the system. However, removing barriers to general participation need not limit individual and group access controls. This is because in a social networking system, each individual, and likewise each participating group, has the ability to restrict who can access their data and attention.
One rational for not restricting participation is related to the basic human right of equal opportunity. However, an "enlightened self-interest' type of rationale also exists, since the most effective social network will be the biggest and most inclusive, so ideally anyone should have the ability to participate, if he or she wants to.
To understand the "human rights" rationale better, let's assume that a few years from now there are one or more enormous social networking systems on the planet. There is good reason to believe the advantages of participating in these global social networks will be compelling. It is even quite likely that social networking technology will become an essential part of filtering and access control, woven into many different communication forms and media.
But this is not simply a matter of basic human rights, because it is also true that social networks are most effective when they have broad participation. People are connected in surprising ways (as revealed in Granovetter's landmark article, "Strength of Weak Ties"[3]). social network that mainly includes sales people or consultants would be less effective than one that includes a wide range of occupations – in both for-profit and not-for-profit organizations and including independent, free agents. Similarly, allowing only people with a certain level of seniority or wealth into the system would also diminish the system's effectiveness. For example, senior people are often connected by junior people who they respect in common.
Accordingly, bridging this "digital divide" doesn't mean that the "haves" will have to fend off the "have-nots." Since a good social networking system uses connections based on trust, trusted connections and adequate access controls insure that individuals in the system can only be contacted by people they want to be contacted by.
In keeping with these principles, LinkedIn intends to always provide free services, even when we begin charging for premium services. When the need arises we will also make available a "Social Purpose License" that will offer free use of our services that directly benefit social causes, and for individuals who are unable to pay, for example people who are unemployed and looking for jobs, or social entrepreneurs everywhere.
The right to participate also raises questions related to interoperability between social networking systems. Interoperability would insure maximum benefit to users of all participating systems, by reducing the need to duplicate and update data in multiple systems, and at the same time by making it possible for individuals to reach the maximum number of people from any participating system. For example, if user A wants to reach user C via their mutual contact, user B, and if A, B, and C are all registered with different social networking systems, it would be impossible to facilitate this connection without some type of interoperability. Interoperability is extremely interesting for social networking systems. However, it is also a huge issue that requires significant exploration, and is outside the scope of this article.
A Social Networking Bill of Rights
Taking these basic principles and issues into account, here is LinkedIn's suggested "Social Networking Bill of Rights," which we plan to implement in the near future in user agreements, privacy policies and procedures, and effective design. We welcome feedback and discussion to improve them. (If you have comments now or in the future, please send them to me at privacy@linkedin.com.)
__________________
The following rights shall be guaranteed to all LinkedIn users who have signed and are abiding by the terms of the LinkedIn User Agreement. These rights are irrevocable, regardless of changes in LinkedIn's management or changes in ownership of data placed in LinkedIn's trust, except where otherwise required by governing laws.
1. All data contributed by users shall be used only for the purposes of providing our primary services and will never be provided to another party for marketing or other purposes not permitted by users.
2. All users shall have the right to determine who can view or receive a copy of data they have provided about themselves or about their contacts, within the scope of tools provided by the system.
3. All users shall have the right to change or delete any part of the data they have contributed.
4. In addition to assurance that the rights above shall not be changed, all users have the right to receive email notification of any changes to LinkedIn's privacy policies at least within 30 days prior to those changes taking effect.
The following rights shall be guaranteed to all individuals whose data is stored on LinkedIn's servers and can be found by others. These rights pertain to both users and non-users of the system regarding data about them that has been contributed by others.
5. All persons shall have the right to know upon request what data about them may be found by others via LinkedIn's services
6. All persons shall have the right to challenge and correct inaccurate or misleading information about themselves added by others
7. All persons shall have the right of assured permanent removal of their data from the system upon request.
Footnotes
[2] Here is a relevant excerpt from a white paper on privacy from Spoke (http://www.spoke.com/wp/pandc – registration required): "Rational minds can and do disagree about what it means to keep relationships private. The right wing of the debate maintains that data you hold, even data about other people—even sensitive data about other people—is your property to share or conceal as you see fit. The far left maintains that data you hold about other people, even benign data like their company’s name – even data they gave you themselves – is nevertheless their property, and you may not utter it without their explicit permission.… Spoke has planted its stake on the moderate right, because we believe the benefits of greater network reach are overwhelming."
[3] M. Granovetter, "The Strength of Weak Ties," American Journal of Sociology, 78(6), 1360-1380 (1973). http://web.media.mit.edu/~tanzeem/cohn/granovetter73.pdf
|
