8 Jan 2008

Your information. Your choice.

Increasingly, we are putting our personal information online in order to gain access to the benefits of Web 2.0: We list and rank our favourite books on vendor sites, and in return we get recommendations for books we might never have heard of otherwise. We indicate which high school we attended on our Facebook profiles, and in return we reconnect with long-lost friends.

But after we hand over that information, is it still ours? Can we change it, take it back, move it somewhere else?

Alec Saunders has drafted a Privacy Manifesto for the Web 2.0 Era that spells out four fundamental principles:

“Every customer has the right to know what private information is being collected….
Every customer has the right to know the purpose for which data is being collected, in advance….
Each customer owns his or her own information….
Customers have a right to expect that those collecting their personal information will store it securely.”

Imagine if we all took these principles to heart whenever we’re online – wouldn’t companies need to respond?

While most businesses have usually been criticized for disregarding their customers’ information, some companies are now responding to customers’ desire for more control over their personal information. In fact, these companies are recognizing that handing control of personal information back to the customer could benefit the company as well.

Data portability, the idea that you can take your data from websites you currently use and transfer it seamlessly to another website, is gaining ground. The DataPortability Workgroup announced today that Google and Facebook, two companies which hold a remarkable amount of consumer data, have just signed on.

For the data portability movement, the participation of Google and Facebook means the idea has legs. Not surprisingly, we at the Office of the Privacy Commissioner are interested to see where it goes from here.

5 Responses

Tyler Says:

Hi guys, good article. I’ll be checking out the Dataportability movement to see if it has any legs for the little guys too.

As you probably know, it can be difficult for a smaller startup site to provide the same tools for user privacy and information control as the big guys. What gets on my nerves is when the big guys still don’t do anything to help their users control their own data.

A couple of examples:
Flickr – A great site. I love it, however it recently came to light that they do not regard privacy-related complaints/take-down requests as an “infringement issue,” and require that I take up any issue with another’s photos with the user themself. Sounds like a cop-out to me. With the resources of Yahoo behind them, are they not able to devote support time to privacy issues? Or perhaps the problem is jurisdictional (they’re American… now).

Spock.com: Spock uses a spider to crawl websites specifically for personal information. They then post this collected data together in one place, optimize it for search engines and wait till you google yourself (or get googled) for you to sign up and manage that data.

Their privacy policy specifically states that they will not go out of their way to remove your data or account from their publicly accessible database. If it’s convenient then they will try to comply, otherwise they may not. Furthermore this data is NOT removed from their archived dataset. All personal information is covered by a transfer/selling clause allowing them to sell the data and/or the company at any time. If it’s in the archives then your information can be sold and used by another company anyway. I see little difference between this policy and the very same policy that gave rise to SPAM (now made illegal by the CAN-SPAM Act).

So, is it “your information”, “your choice?” Not really. They buy and sell it for profit and no matter what you choose to do about it you’re powerless.

Where’s the equivalent of a spammer’s blacklist of companies with a poor privacy record or lack of policy?

Daphne Guerrero Says:

Hi Tyler,
Thanks for your comments. While there isn’t a “privacy blacklist” as such, there is the PIPWatch toolbar which helps Canadian Internet users determine whether websites they visit comply with Canadian privacy legislation. (We’ve blogged about it before.)
As well, the other piece to this puzzle is informed engagement and discussion which people like you are already doing.

Frank Says:

Mr Saunders’ Web 2.0 privacy principles are merely a subset of broader and more robust international FIPs developed over a generation ago. They may sound empowering, but they are in fact much weaker than the FIPs which underpin privacy laws and rights in Canada, including PIPEDA.

One major exception is the idea that individuals “own” their own data. This is a facile concept that reflects a U.S. bias to property rights, and which has little currency just about anywhere else in the world, where (data) privacy is expressed as a right or ability of individuals to exercise *a measure of control* over the collection, use, retention and disclosure of their personal information by others.

That is, privacy rights should not be confused with property rights. In practice, custody, control and use of personal information is a shared exercise.

A serious consequence of people truly owning their own personal information is that they can too easily cede their ownership rights to others in exchange for access, personalization, a discount, a discount of some sort, personalization – or indeed: for nothing or no good reason at all.

Just my $0.02

Bob Domain Says:

Nice initiative and privacy paradigm. After 50 years this will be quite normal, but yet not. Governments are adapting slowly, also here in the Netherlands.

Frank Says:

Follow-up: Let’s hope that the data portability movement recognizes that the right or ability of individuals to ‘port’ personal data from one platform to another is not absolute.

I, for one, don’t want my online friends and contacts to ‘port’ *my* online profiles and personal data to other platforms, for other purposes and uses, without my informed consent and, if possible, control.
