A call went out earlier this week for a few of us in the blogging community to help pick up a little of the slack at GigaOm caused by Om's convalescence. I was asked if I would contribute a guest post, which I did. Titled A Privacy Manifesto for the Web 2.0 Era, my post deals with the guarantees which entities that collect our personal information should give us in exchange for our trust.
The post was sparked by the now infamous Scoble / Facebook fracas from last week in which Robert Scoble scraped his social graph out of Facebook in violation of their terms of service. Facebook shut his account down, and rightly so, given the guarantees that they make to their users. Scoble was clearly violating the Facebook terms of service, and also the trust that every person who places their personal information on Facebook expecting Facebook to abide by their own rules.
Scoble's goal — the unification of his social graph — is desirable. Consumers ought to have the ability to choose how much of their social graph to share, and with whom, and on what sites. Given the current state of privacy on the web, Facebook's policy is sensible, but also an impediment to achieving that goal. Facebook must do this, however, because they cannot predict how users personal information will be used outside the boundaries of Facebook's own service.
What if there were a way for web sites to automatically determine the privacy policies of other sites? For example, what if Facebook could allow me to specify the privacy conditions under which I might agree to share my personal information with others, just as I can specify who has access to my full profile and limited profile today? As part of my user settings at Facebook, I would simply state that sites receiving my data must make at least the same guarantees as Facebook makes in order for me to agree to share my personal information. I might also be able to specify which elements of my personal information would be shared, depending on the privacy guarantees being offered. For instance, if Robert Scoble wanted to download my contact information into a less secure service, I might state that only my name and business email address would be accessible.
It's not so far fetched. In fact, a number of standardization efforts do exist, including the mostly defunct P3P, Prime and the Policy Aware Web. P3P, for example, specifies an XML document that can be read by another site or by a user agent in order to ascertain the privacy characteristics of web sites supporting the standard.
Not only would these "transitive privacy guarantees" put to rest the issue of how personal information might be used by other sites on the web, they potentially might raise the bar on privacy standards across the entire web. If one big player were to insist that other sites support such a model, and offer data exchange as an inducement for that support, others would quickly follow. Not only would that be a concrete benefit for consumers, it would also be a tangible step in the creation of a utility company to manage the social graph.