
Transitive Privacy Guarantees

A call went out earlier this week for a few of us in the blogging community to help pick up a little of the slack at GigaOm caused by Om's convalescence. I was asked if I would contribute a guest post, which I did. Titled "A Privacy Manifesto for the Web 2.0 Era", my post deals with the guarantees that entities collecting our personal information should give us in exchange for our trust.

The post was sparked by the now infamous Scoble / Facebook fracas from last week, in which Robert Scoble scraped his social graph out of Facebook in violation of their terms of service. Facebook shut his account down, and rightly so, given the guarantees that they make to their users. Scoble was clearly violating the Facebook terms of service, and also the trust of every person who places their personal information on Facebook expecting Facebook to abide by its own rules.

Scoble's goal — the unification of his social graph — is desirable. Consumers ought to have the ability to choose how much of their social graph to share, and with whom, and on what sites. Given the current state of privacy on the web, Facebook's policy is sensible, but also an impediment to achieving that goal. Facebook must do this, however, because they cannot predict how users' personal information will be used outside the boundaries of Facebook's own service.

What if there were a way for web sites to automatically determine the privacy policies of other sites?  For example, what if Facebook could allow me to specify the privacy conditions under which I might agree to share my personal information with others, just as I can specify who has access to my full profile and limited profile today? As part of my user settings at Facebook, I would simply state that sites receiving my data must make at least the same guarantees as Facebook makes in order for me to agree to share my personal information.  I might also be able to specify which elements of my personal information would be shared, depending on the privacy guarantees being offered.  For instance, if Robert Scoble wanted to download my contact information into a less secure service, I might state that only my name and business email address would be accessible.

It's not so far-fetched. In fact, a number of standardization efforts do exist, including the mostly defunct P3P, Prime and the Policy Aware Web. P3P, for example, specifies an XML document that can be read by another site or by a user agent in order to ascertain the privacy characteristics of web sites supporting the standard.
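The check described above (a receiving site must declare guarantees at least as strong as the source's, and weaker sites get fewer fields) can be sketched as follows. This is an added illustration, not code from any of the standards named; the policy vocabulary, field names and sample policies are hypothetical and are not P3P syntax.

```python
# Hypothetical policy vocabulary: each dimension is ordered from the
# weakest guarantee (index 0) to the strongest.
LEVELS = {
    "retention": ["indefinite", "business-need", "session-only"],
    "third_party_sharing": ["unrestricted", "opt-out", "opt-in", "never"],
    "user_deletion": ["unsupported", "on-request", "self-service"],
}

def at_least(declared, required):
    """True only if `declared` meets or exceeds `required` on every dimension."""
    for dim, need in required.items():
        need_rank = LEVELS[dim].index(need)  # a malformed user rule raises
        have = declared.get(dim)
        # Fail closed: a missing or unrecognised declaration never satisfies a rule.
        if have not in LEVELS[dim] or LEVELS[dim].index(have) < need_rank:
            return False
    return True

def releasable_fields(declared, tiers):
    """Union of the fields of every tier whose requirements the recipient meets."""
    allowed = set()
    for required, fields in tiers:
        if at_least(declared, required):
            allowed |= set(fields)
    return allowed

def export_profile(profile, declared, tiers):
    """Filter a profile down to what the recipient's declared policy has earned."""
    allowed = releasable_fields(declared, tiers)
    return {k: v for k, v in profile.items() if k in allowed}

# Constructed sample data: the source site's own guarantees and one user's rules.
SOURCE_POLICY = {"retention": "business-need",
                 "third_party_sharing": "opt-in",
                 "user_deletion": "self-service"}
PROFILE = {"name": "A. User", "business_email": "a.user@example.com",
           "personal_email": "au@example.org", "phone": "555-0100"}
TIERS = [
    # Full profile only for sites matching the source's guarantees.
    (SOURCE_POLICY, ["name", "business_email", "personal_email", "phone"]),
    # Less strict sites get name and business e-mail only.
    ({"third_party_sharing": "opt-out"}, ["name", "business_email"]),
]

if __name__ == "__main__":
    weaker = {"retention": "indefinite", "third_party_sharing": "opt-out",
              "user_deletion": "on-request"}
    print(export_profile(PROFILE, weaker, TIERS))
```

The comparison only evaluates what a site declares; whether the site honours its declaration is outside what this check can establish.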

Not only would these "transitive privacy guarantees" put to rest the issue of how personal information might be used by other sites on the web, they potentially might raise the bar on privacy standards across the entire web.  If one big player were to insist that other sites support such a model, and offer data exchange as an inducement for that support, others would quickly follow.  Not only would that be a concrete benefit for consumers, it would also be a tangible step in the creation of a utility company to manage the social graph.

3 comments

  • Paul Sweeney January 8, 2008, 7:02 am

    And a great post it was too.

  • Alec January 8, 2008, 8:25 am

    Thanks, Paul! Appreciate it.

  • /pd January 11, 2008, 7:42 am

    Yes, that article was brilliant, a gem!! This issue needs to be addressed for the web2.0 to mature into a robust platform.

    However, I refrained from commenting for a couple of days as I am still thinking about the "sharing is caring" -syndrome

    One thing is certain, users need to be educated on the pitfalls of TOS / EULA. Tell me, how many times do you ever read a TOS / EULA when you sign up for a service or install a new app? Users just enter their data into the system, thinking that everything is "protected" – as rightfully they should.

    You are correct, companies should have the opt in/out on whether this data and what data can be shared or not. However, this does not stop Mr.Spammollliza from screen scraping / harvesting data from unsuspecting users and then using that info for malicious intent, and therein lies the issue. The root issue is that they have 'stolen' data, either for good use or bad use; that's a fact. What is lacking is the legislation across the board which can deal with this scenario. The laws need to clamp down on such behavior.

    All companies and all users may, in all good intentions, "share" their data because they "Care" too with one another. Needless to say, "Ms.Manners" sometimes steps out of the door and a user will then give the data out to marketers and whomever. This is an infringement of trust between users, and this is a social thing. No amount of manifestos can solve this issue. How does a social community know when and how trust has been broken? There is no set grievance sounding board for such. E.g. if I suspect Alex has given my personal info to XYZ.inc – who do I yell to?? Alex or XYZ.inc? What action is XYZ legally bound to take? How do I share the info that trust has been broken within my community? Will this not open doors for personal litigation too??

    The issue is not just technical in nature, it's also about humanity being a lot more "responsible" and "response able" to themselves and to the community.

    Not sure if I am articulating my thoughts perfectly, but one thing I know is this issue is here to stay and profound action is needed from all quarters, governments, business and users, and only when that happens will there be a maturity of humans into HumanityV2.0 :)-
