Special Issue on "Issues and Challenges of the Diffusion of Web 2.0 and User Privacy and Security”
Journal of Information Privacy and Security
http://jips.cob.tamucc.edu/
interview with Rainey Reitman
Director of Communications
Privacy Rights Clearinghouse
How has societal perspective on privacy transformed with the evolution of web 2.0?
Web 2.0, or the social web, means two things for the world of privacy:
- The end of forgetting. The information posted on the Internet has the potential to exist in perpetuity. As individuals live increasingly in cyberspace, scholars like Jeffrey Rosen and Viktor Mayer-Schönberger point out that the unforgetting and often unforgiving eye of the Internet may create a hyper-vigilant society and suppress free expression. The Internet, some have postulated, could become a modern Panopticon.
- Casual documentation. With the rise of easily accessible social media, consumers have become content producers en masse. Consumers are not only providing location data, photographs, videos and biographical details, but they are providing to-the-moment insight into their thoughts and feelings. The community of hyper-sharing encourages others to share by example. The result? Individuals posting their every moment with what some might call narcissistic abandon.
It is the combination of these two emerging issues – that humans are casually documenting detailed personal data and that this information is stored forever – that is transforming how we define the personal and the private. Among other trends, this has helped spur the rise of the anonymous/pseudonymous sharer – one who provides intimate details to the Internet while attempting to separate this public persona from his or her real identity. Others may have varying levels of pseudonymity and intertwining public and private lives, while still others have adopted rampant public sharing regardless of the publicity.
Each of these user types can (and often do) suffer consequences as a result of oversharing, either from self-publishing or having others publish something attached to their names. One’s digital identity can be used by a potential employer when making a hiring decision, subpoenaed in a court of law, tracked by the government or abused by individuals with unethical motives. On a more innocuous level, one’s digital identity may just fail to evolve as a user changes politically, socially and emotionally over his or her lifetime. Unfortunately, many consumers have to suffer a consequence before they begin to carefully monitor and restrict their online personas.
Writing this in September of 2010, the social web and our cultural conception of privacy are in a state of flux. We could make predictions about the long-term impact of social networking on informational privacy, but most of those predictions would be wrong. What we can say for certain is that we are in an age of self-sharing and that we have developed social networking sites that facilitate the efficient collection and sharing of information and then maintain that information in perpetuity. It is certain that oversharing can have consequences for individuals.
What remains to be seen is whether consequences suffered by individuals will result in societal, regulatory and/or legal changes in our protection of personal privacy.
Earlier this year Facebook founder and CEO Mark Zuckerberg commented that public is the new Social Norm. What is your opinion?
What Zuckerberg considers public I would instead call sharing. This is in fact not a new social norm. Human beings have always found ways to connect and interact with one another, to share their stories and their lives. It’s one of the driving forces behind art and literature – to tell one’s story in a way that others will understand, to connect and to share.
Online technology facilitates sharing, and widespread access to social networking via online technology facilitates widespread sharing. But this is not necessarily the same thing as ‘public.’
As users become increasingly comfortable with online technology and as social networks evolve to be more accessible to consumers, sharing becomes easier. Users today aren’t merely posting content online – they are tagging it and categorizing it in ways that make it easy for others to find for years to come, and they are connecting this wealth of data to their own unique and complex online personas.
Many individuals and companies have interpreted the human urge to share as a lack of interest in privacy, but in fact the two are not exclusive. This is the nature of life in the digital age – that users can and do share an enormous amount of information freely. But millions proactively restrict access to different data elements in their online social networking profiles. Users have shown time and again that they do want control over their data – the ability to share it in some circumstances and restrict it in others.
“Public is the new Social Norm” is an oversimplification. It fails to reflect the nuances of sharing and data restriction that social network users engage in.
In recent times there have been several cases where users and social networking sites (SNSs) have differed in their views on privacy. Do you believe that SNSs are doing a good job of informing users about their privacy policies and practices?
This is something social networking sites can and should improve. The typical privacy policy is rife with complex legalese that is primarily intended to deflect responsibility in the event of a lawsuit. This doesn’t help the average consumer. Most consumers want simple answers to basic questions. Many users never read the terms of service or privacy policy because they assume they’ve got basic rights. The truth is that the average privacy policy provides users with scant rights, is nearly incomprehensible and is subject to change at any time.
However, social networks can adopt user-centric privacy policies and methods of educating users that can close the gap between what users expect from a social networking site and what they are receiving.
As to the structure of the rights a user has on a social network, I’d recommend the Social Network Users’ Bill of Rights as adopted at the annual Computers, Freedom and Privacy conference in June 2010. http://cfp.acm.org/wordpress/?p=495 This Bill of Rights is user-focused. It does not impose specific technological or policy changes, but rather offers guiding principles such as freedom of speech and data portability.
I also think it is imperative that social networks proactively educate users about available privacy choices. Some websites use educational videos to explain how information is collected and shared, These videos may be easier to understand than the privacy policy itself, though it’s important that the video conveys the details of the written text.
Social networks should specifically take steps to educate and empower younger users. A recent study found that while younger and older Americans show agreement on the importance of online privacy, younger Americans are far less informed about the reality of their online privacy choices and rights. (How Different Are Young Adults from Older Adults When It Comes to Information Privacy Attitudes &Policies? Hoofnagle, King, Li and Turow, 2010, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1589864).
To summarize, every social network needs to find creative ways to raise awareness about privacy and security within the networks themselves.
Sharing of data is a critical element of the business model that SNSs use for economic gain. In your view how can SNSs balance the need to share user data for economic gain and maintain privacy of their users’ information?
There exists a concern that giving users control of their personal data (the ability to limit who accesses it and to delete it if they so choose) will be the death knell for profitability on social networking sites. In my opinion, this is unfounded. Most people on a social network are there to share information in one form or another. Many of them are willing to share it with the general public and/or with advertisers, especially if the advertisers can provide valuable or interesting content in a way that does not compromise users’ privacy.
We need to respect the right to share data in much the same way that we must protect the right to privacy – and allow users to choose their degree of sharing through easy-to-understand and meaningful choices.
A user-centric, straight-forward approach to privacy has the potential to increase site usage – and with it revenue for social networking sites. As with sites such as Blippy and Twitter, users have shown that they like sharing information widely. That’s not going to stop, even if social networking sites adopt intelligent, honest and understandable controls over the data collected.
What unique challenges would increased use of SNSs around the world create for these organizations and what steps can they take to prepare themselves?
Technology is evolving so quickly and social networking sites are being adopted so rapidly by users across the globe that it’s impossible to make specific predictions about how social networking will look in five years. We can, however, provide suggestions on how to deal with these coming changes.
Dr. Ann Cavoukian, the Information and Privacy Commissioner of the Province of Ontario, has fostered the concept of “privacy by design.” http://www.privacybydesign.ca/ This means adopting respect for users, transparency and default privacy protection into every aspect of product design and implementation. This is a vital concept for social networking sites, both those that exist today and those that we’ll see launched in the coming years. No matter how quickly social networking evolves or how swiftly it is adopted by users, privacy and user control of data should be front and center in the principles guiding social networking sites.
Do you believe that governmental policies and guidelines are adequate or should the government create new legislation to protect user privacy?
This is a difficult question. So much of Internet privacy today is self-regulated by industries that stand to profit by the loss of consumer privacy. Self-regulation has proven inadequate at providing consumers with meaningful control over data.
The solution may seem to be government regulation – but government regulation of the Internet must be approached with great caution. Heavy-handed government regulation of the Internet may hamper free speech or could favor the interests of Internet giants with large lobbying budgets.
So, the question is not whether the government should create new legislation to safeguard user privacy, but how can the government create intelligent legislation that provides meaningful control for users without squelching civil liberties or promoting industry interests at the expense of individual rights?
Legislation must be enforceable, realistic and appropriate for an industry in which technology is evolving at break-neck speed. This is going to be one of the great challenges of the coming years. If self-regulation continues to fall short of user expectations and provides individuals with no legal recourse for privacy abuses, the implementation of user-centric legislation and/or agency regulation will be necessary.
A good starting place for such legislation is the Fair Information Principles set forth in the Organisation of Economic Cooperation and Development (OECD) in 1980, long supported by privacy advocates including the Privacy Rights Clearinghouse. These eight governing principles for data policies are:
- Collection limitation
- Data quality
- Purpose specification
- Use limitation
- Security safeguard
- Openness
- Individual participation
- Accountability
See Privacy Rights Clearinghouse’s A Review of the Fair Information Principles: the Foundation of Privacy Public Policy”