Re: [Air-l] social network migration
Michael Zimmer wrote: "Returning to this discussion, Google is (surprise) working on a social networking platform called Socialstream, which would "draw content from a variety of sources. Socialstream would be based on a unified social network (USN), a single network that provides social data to other sites as a service. A service model allows many social networks to be linked together, letting them share both content and the nature of the relationships of the people who use them." I'm wondering whether Michael might share some insights about legal issues that will need to be addressed by businesses who enter into agreements with others businesses to share personal information about their users and online practices. In reading through information presented about the Google product, it was suggested that user actions would be regulated by business agreements. many decisions are going to be made for individual users would be made for the user by the business owners and operators. It was suggested that users would only need to specify, "as an afterthought", who would be able to see personal informaton and what services would host it. This is a major change in practice from the manner in which users are currently using Google services, particularly those related to the capture and exchange of personal information with other entities (government agencies including law enforcement, public and private sector businesses, private citizens). /Gail --------------------------------------- Gail D. Taylor, M.Ed. University of Illinois Urbana-Champaign Human Resource Education Ph.D. Student Educational Psychology Teaching Assistant Library & Information Science Research Assistant "Technology enables man to gain control over everything except technology." -- Unknown
Thanks for the question, Gail. Before I tackle it, two things to get out of the way: (1) I was imprecise when I said "Google is...working on a social networking platform...". The work is being done by grad students at CMU (thus the URL I linked to), and Google is sponsoring the work. Based on the CMU site, they seem to be taking some kind of "direction" from our friends in Mountain View ("Directed to help improve the online community orkut..."), but the research & demo is the fruit of CMU's labor, not Google's. If anyone know what the nature of these kinds of relationships are (contractual?), I'd love to learn more. (Thanks, Eszter, for pointing out my error) (2) As a preface to my response to Gail's question below, I am not a lawyer. I'm just lucky to be able to work alongside some great legal (as well as other non-legal) minds up at Yale's ISP. Further, I haven't had the time to spend a lot of intellectual energy on these ideas, so my answer will be kinda rough around the edges... Those said... The notion of businesses entering into agreements with other businesses to share personal information about their users (and online practices) is nothing new. I recently bought some items from Babies R Us, and they required my phone number in order to process the transaction. I decided to give it to them, and suddenly I'm on the mailing list for a dozen various baby retailers (power of reverse look-up directories). Businesses have been selling customer lists and purchasing habits long before Amazon or Google got into the game. In terms of legal issues, it seems that business (contractual) agreements are often the ONLY thing regulating the flow of personal information in these contexts. There are very few (U.S.) laws limiting the flow of personal information among companies, and those that do exist are for very specific data sets (library records, medical records, video rental records, etc). The only limits are self- imposed by the companies themselves, and more often than not, the "privacy policies" and EULAs we sign off on are much more about how they WILL share our information as opposed to how they will PROTECT our privacy. IE, when we sign up for our "frequent shopper cards" we're signing a business agreement that includes in the fine print our acceptance of the fact that the data will be shared with "trusted partners" or some fluff like that. Facebook has similar language in their Privacy Policy: "We may offer stores or provide services jointly with other companies on Facebook. ...and we may share customer information with that company in connection with your use of that store or service." Unfortunately the norm is for the flow of personal information to be much more in the control of business interests than the individuals themselves. We have little choice in the matter that Choicepoint has aggregated all of our financial information, and once we sign up for our Facebook account we allow that business agreement to dictate how Facebook will handle our information as well. Gail seems to suggest that Socialstream's aggregation of social network information from other services via "business agreements" among the parties constitutes a "major change in practice from the manner in which users are currently using Google services." Well, I suppose so, but maybe not in the way Gail is suggesting. As more and more users migrate to "Planet Google" to fulfill their needs for information seeking, shopping, news, blogging, browsing, spreadsheets, e-mail, chat, and so on, we provide Google singular access to all that information in about our lives. Rather than being dispersed among various services (both online and off), for many people, all such activities are linked through a common Google Account and/or cookie.[1] So, it seems that for users currently using Google services, acquiescence in the collection of personal information by Google has already taken place. Perhaps Socialstream is Google's attempt to gain access to even more of "all the world's information" that is currently beyond their reach. While users of Facebook might presume that their actions aren't visible to Google's crawlers (see [2] for a possible exception), a service like Socialstream would mean even actions on non-Google properties could be captured by Larry & Sergey. This leads to what I see as the real possible danger here. Users of various social networking services might be working on the assumption that their activities on a particular site remain there - that they are bound by the context of that environment and culture. By allowing all that activity to be aggregated by some third party, any contextual integrity of those actions might be violated. This is similar to concerns about Facebook opening up their databases via an API framework.[3] (A key design feature to avoid this is allow individual users to opt-in to such an aggregation of their site- specific activities by off-site services). In general, I can see two different situations emerging form such a social network aggregation schema as Socialstream: (a) users gain more control of their social networking data. They have a single repository of all their personal information, and selectively dole out which sites get what pieces of data, etc. ; or (b) Single entities (such as Google) obtain the power to aggregate users activities that are currently dispersed across numerous platforms, threatening the ability of users to control who has access to their personal information. Which way the bottle will point once it stops spinning, I don't know.... I feel I am now officially rambling, so I'll cut myself off at this point. Not even sure if I've truly addressed Gail's concerns, but that's my initial stream of consciousness rant on the issues.... -michael. [1] Google isn't alone in capturing a wide array of user data for their benefit. See this on Yahoo's recent SmartAds launch: http:// michaelzimmer.org/2007/07/04/with-smartads-yahoo-finally-joins- googleas-a-threat-to-privacy/ [2] http://michaelzimmer.org/2007/05/29/facebook-allowing-profiles-to- be-crawled-by-google/ [3] As discussed by me at http://michaelzimmer.org/2007/05/25/ personal-data-flows-and-apis/ and by Fred Stutzman at http:// chimprawk.blogspot.com/2007/05/facebook-platform-analysis.html ----- Michael Zimmer, PhD Microsoft Fellow, Information Society Project, Yale Law School e: michael.zimmer@nyu.edu w: http://michaelzimmer.org On Jul 9, 2007, at 10:01 AM, 'Gail Taylor wrote:
Michael Zimmer wrote: "Returning to this discussion, Google is (surprise) working on a social networking platform called Socialstream, which would "draw content from a variety of sources. Socialstream would be based on a unified social network (USN), a single network that provides social data to other sites as a service. A service model allows many social networks to be linked together, letting them share both content and the nature of the relationships of the people who use them."
I'm wondering whether Michael might share some insights about legal issues that will need to be addressed by businesses who enter into agreements with others businesses to share personal information about their users and online practices. In reading through information presented about the Google product, it was suggested that user actions would be regulated by business agreements. many decisions are going to be made for individual users would be made for the user by the business owners and operators. It was suggested that users would only need to specify, "as an afterthought", who would be able to see personal informaton and what services would host it. This is a major change in practice from the manner in which users are currently using Google services, particularly those related to the capture and exchange of personal information with other entities (government agencies including law enforcement, public and private sector businesses, private citizens).
/Gail
--------------------------------------- Gail D. Taylor, M.Ed. University of Illinois Urbana-Champaign Human Resource Education Ph.D. Student Educational Psychology Teaching Assistant Library & Information Science Research Assistant
"Technology enables man to gain control over everything except technology." -- Unknown _______________________________________________ The air-l@listserv.aoir.org mailing list is provided by the Association of Internet Researchers http://aoir.org Subscribe, change options or unsubscribe at: http:// listserv.aoir.org/listinfo.cgi/air-l-aoir.org
Join the Association of Internet Researchers: http://www.aoir.org/
In general, I can see two different situations emerging form such a social network aggregation schema as Socialstream: (a) users gain more control of their social networking data. They have a single repository of all their personal information, and selectively dole out which sites get what pieces of data, etc. ;
There's a flip side to this danger; perhaps it is even more dangerous than the obvious problem. There's nothing currently stopping anyone from injecting huge masses of falsified FOAF or RDF data into the web, allowing it to be picked up by crawlers, spiders, whatever. Imagine the chaos that one could cause by introducing a set of records that claim X false premise about Y persons, where X is something fairly serious and Y are a group of important people. [Maybe not so bad as "senator A sleeps with intern B", but the possibilities seem rather endless. 'Judy got picked up for underage drinking on 12-15-2003' might be a better example, and one more likely to affect the Facebook/Livejournal crowd, as aggregation services improve.] Personal data **desperately** needs bottom-up protection from potential baddies. I'm not aware of a single service that is really working on this - the bulk of them seem to be relying on "do no overt harm" sorts of principles to protect users. This just doesn't work. What we probably need, I think, is something like a "credit bureau" service for personal information. With encryption from top-to-bottom, some real guarantees about reliability of the data included (e.g., the darn thing shouldn't have screen-scraped data in it that doesn't have a very clear path of provenance back to the originator or the user...), and mechanisms for invalidating stored data that becomes defunct or is shown to be more questionable than reliable. I suppose that OpenID is a step in this direction, but even that has some flaws in it - avenues for deception are still available through e.g. DNS poisoning. This is fun stuff to talk about, especially when we start thinking about the supporting infrastructure. Bits and pieces of what would be necessary are already out there, but not glued together in quite the right ways, yet..... I'd love to hear what others have to say. :-) --elijah
participants (3)
-
'Gail Taylor -
elw@stderr.org -
Michael Zimmer