Privacy: How to Avoid the Third Rail of Online Services

Executive Summary

Social Security has often been called the “third rail” of American politics, the idea being that the issue is so charged anyone going near it risks being severely shocked and possibly even electrocuted. The issue of online privacy has arguably become a similar kind of topic: Whenever a service like Facebook or Google oversteps what users and privacy advocates see as the boundary between data collection and invasion of privacy, all hell breaks loose. And if anything, privacy will become an even more electrically charged issue as the line between our online and offline lives continues to blur.

As David Card noted this week, the most recent flash point for online privacy was a series of reports from the Wall Street Journal about sites like Facebook and MySpace sending “personally identifiable information” to third-party service providers. The crux of the issue uncovered by the reports was that some Facebook apps — including popular games like Farmville and Texas HoldEm Poker — have been transmitting a person’s unique user ID, and in some cases friends’ user IDs, to the likes of advertising networks and data aggregators. This, of course, is an issue Facebook has wrestled with in the past. But why is it an issue at all? Because it further confuses the boundary of what’s acceptable information to share and what is a violation of privacy, since that personal data can be mined by advertisers and others using such a process.

Does personal data mining violate privacy?

Pieces of any given Internet user’s personal information — credit history, shopping profile, criminal records, tax and voting records, etc. — exist in a myriad of different databases; the potential for that information to be aggregated and mined to generate marketing profiles is not a new issue. What makes the online version of this mining produced by companies such as Rapleaf (which Om discussed in a recent post) different from the real-world version is that in many cases this data is updated in real time. In other words, it reflects your behavior right now, rather than taking months to get added to some database, the way similar real-world data does. This is done using click data from web site browsing history, social activity on Facebook and other user behavior.

Facebook took pains to point out that the user ID information gleaned couldn’t be used for much beyond viewing a person’s profile, which only includes information a user has already made public — location, educational background, age, marital status, etc. But what seemed to bother many users was the idea that their user ID could be connected to other databases, such as that maintained by Rapleaf (which claims to have gathered the data inadvertently). And users weren’t alone; government observers have shown concern, including two congressmen who sent Facebook a letter asking it to clarify its approach.

Many users aren’t aware of the kind of information their credit card company has on them. They might not even be concerned if they knew. The idea of someone watching over their shoulder as they surf the web, however, seems deeply disturbing because of the potential outcomes. For instance, what if a person’s bank knew they were gambling online and denied a credit application? Even if a person’s behavior is totally innocuous, most don’t want that information shared with just anyone.

The “augmented reality” future

The kind of profiling Rapleaf and other companies do is just the beginning when it comes to potential digital privacy issues. An iPhone and Android app released this week called Sex Offender Tracker shows what is possible when databases of public information like criminal records are merged with location-based technology and “augmented reality,” or layering online data onto physical locations. While this technology is potentially valuable in the case of showing people registered sex offenders in their neighborhood, it raises the question of what such apps could show us in the future: People who haven’t voted? People who haven’t paid their taxes or have drunk driving charges? Where does it end?

And it’s not just augmented reality that has some users of social networks concerned: Facebook got in some hot water recently when it launched Facebook Places, which allows users to tag others at a specific location in the same way they would tag someone in a photo. Although the network pointed out that users could easily decline a tag, and could even turn the entire feature off, the idea that someone could publicize another person’s real-world location so easily makes many nervous. This is particularly true for those who have been the victims of stalking or harassment incidents in the past.

How should social networks and online companies respond?

When it comes to online privacy, Facebook is by far the biggest lightning rod for dissatisfaction. Google, too, has had run-ins with privacy authorities in a number of countries as a result of its Street View technology and the collection of personal data from open wireless networks. And while these missteps are highly publicized due to the sheer size of the players, smaller social networking sites and online businesses would do well to learn from their larger counterparts’ mistakes. Here are some key points to consider:

  • Make settings visible and easy to use: Facebook has made a series of changes to the way it handles privacy over the past year so users can more easily see and modify their settings. The problem with that approach, however, is that the more complex the settings, the less likely people are to go in and change them. Many can’t (or won’t) spend the time to get familiar with the options. It’s good to offer users lots of choice, but don’t offer so much that they get confused.
  • Allow users to opt in: Facebook takes a substantial amount of criticism because it chooses to automatically opt users in to new settings and features. Facebook Places is a good example of this: Automatically opting a user into the service requires them to take an additional step to stop being included, rather than leaving them opted out by default. Facebook can get away with this thanks to its sheer size; smaller companies and services don’t have the luxury of 500 million users, however. Opting people in by default could cost a smaller network users — and, potentially, revenue.
  • Make it obvious what you are doing: One of the biggest concerns related to the Facebook apps passing along user IDs was that it seemed to be happening behind the scenes; no one appeared to know about it until the Wall Street Journal’s report surfaced. The best approach for online networks is to be upfront about what your system involves and where the data is stored, how it is handled and by whom, and where it ends up. If you have partners that take some of that data, you should know what they are doing with it, then make that fact clear to your users.
  • Communicate, communicate, communicate: Perhaps the biggest tool that social networks or online services have is the ability to talk to their users and communicate what they are doing (although that isn’t easy when the discussion quickly turns into a debate over how browsers pass referring URLs in the header info they send to other web sites). Companies that make use of personal data — including Facebook and Google and third parties such as Rapleaf — must make their approach to privacy as clear as possible. They should also respond to user outrage in a direct and personal way, rather than just pooh-poohing the concerns of users or trying to pretend there is nothing to be concerned about.

As David noted in his weekly update, “the whole consumer Internet and media industry had better get its collective act together on the privacy front or get ready to face serious consumer backlash and, perhaps worse, government regulation.” And companies like Facebook and Google are not only in danger of potential action from Washington — the European Union is considering criminal penalties and sanctions for privacy breaches by corporations, and Britain recently got expanded powers to levy hefty fines for that kind of infraction as well. Earlier this year in Italy, three Google executives were convicted of breaching someone’s privacy because videos of the individual (a child) were uploaded to the company’s YouTube service.

Online privacy will become an even more explosive topic in the future as location-based services proliferate and as augmented reality produces apps that can mine databases and use GPS technology to bring online data into the real world. People may know that various information about them exists in online databases that are theoretically public, but what happens when all of that information is available to anyone on their phone and can be superimposed on their face as they walk their dog around the neighborhood? The third rail is going to look mild by comparison. But smart companies that deal in personal data and take some or all of the steps recommended here could stand a better chance of winning — and keeping — their users, and of navigating the privacy minefield without touching off an explosion.
