Web Companies Should Practice 'Data Stewardship'
People are talking about privacy here at South by Southwest. The general sense is that Facebook has played it fast and loose with the privacy of our personal data, and this has raised interest in the issue among developers, many of whom develop apps that are intrinsically social. There's also a sense that we can do privacy better. But we might need a new way of thinking and talking about it.
A Friday panel here discussed a "Social Network Users' Bill of Rights" that would contain a series of protections for users of social networking sites. (You can read the Twitter stream for the event here.) One of the major themes of the discussion was the idea that, in a very real sense, we pay to use free services like Facebook and Google by surrendering some of our personal information. If we begin refusing to hand over our data, or deny social networking sites the right to use it, we may find ourselves having to pay to use the sites.
If there's any issue that is more sensitive among Internet users than their personal privacy, it's the prospect of having to pay. We have been trained to expect "free" on the web, and we don't want that to change.
I have been thinking about this privacy thing again lately. I've been looking at it not in terms of privacy, but in terms of the "stewardship" of the personal data on the part of the social networks, ad networks and data brokers who use it to make money.
Firstly, I think the word "privacy" has become a loaded, politically charged term. I think the collection and use of personal data can have two different end results -- one beneficial and the other coercive and potentially harmful. Company A might study my personal and friend data and deliver ads to me that are worth looking at, and not just random garbage. Company B, on the other hand, might collect my personal, sensitive information, go out of business, and then allow my data and the data of millions of others to fall into the hands of people who would use it in unscrupulous or illegal ways.
The data collected by social sites doesn't seem to die easily, and can live on after the company that collected it is gone. I think we need a set of rules that talks about web companies' stewardship responsibilities both today and into the future. We need rules that apply directly to the web companies themselves, and not so much a vague set of privacy rules about consumers. For example, we need explicit rules around what Internet companies must do with someone's personal data after the user quits the site or even dies (this is actually becoming a big issue).
Social networking companies like Facebook and Google would like to set the rules and police themselves on privacy, without a law. But, as USC law professor Jack Lerner points out, we have laws about just about every other kind of data -- financial data and healthcare data, for example -- but not around the data in the social graph.
I think we need a law, and one that has international reach (although I'm not sure how to do that), because the Internet knows no borders. But I think the new law should focus on the data stewardship responsibilities of Internet companies.
Senators John McCain and John Kerry are said to be circulating an online privacy bill that would require companies to get permission from users to collect personal data and allow users to see exactly what data has already been collected. The potential legislation is being taken more seriously than earlier, similar attempts because the two sponsors -- each a high-ranking member in his party -- represent a bipartisan effort that has a chance of gaining broad support. On the other hand, this pair has promoted privacy legislation for at least ten years.
I hope they get it right, because the law will set the tone for the way sites like Facebook and Google (and a host of other "social marketing" and online advertising firms) treat our personal information well into the future.