Facebook and The “New Privacy” (Response to Readers II)
I think this week’s TPM discussion of Facebook and privacy demonstrates how the basic conception of privacy is evolving. So for starters, before the public decides whether this change is good, we have to figure out what defines the “new privacy.” Otherwise people will just talk past eachother in these debates.
A simple baseline for traditional privacy is that information is only private until you share it. In this model, privacy is binary. Secrets are either kept or disclosed. In “The Right To Privacy,” a seminal 1890 article in the Harvard Law Review, Louis Brandeis and Samuel Warren declare:
…disclosure is the one immutable limit on privacy. The right is lost only when the author himself communicates his production to the public – in other words, publishes it.
So you could slap that rule on the whole Internet and be done. If all web posting is treated as “publishing,” then the posted information has zero privacy protections. TPM reader Reece comes closest to applying that standard, in disputing my depiction of the illegitimate use of information from a user’s social networking profile:
What putatively private information are we talking about? Facebook is effectively a public place. What I put in my facebook profile is just like what I say out loud in a public space like town square or a restaurant. We can't pretend that facebook is like having a private conversation in your house or over the phone. It just isn't. A facebook profile is fundamentally different from many of the other information that can be tracked online or through online sources because it is information the individual provides voluntarily with the intent of making it public to other people.
I think that may be a legitimate description of how Facebook actually operates for most people. After all, 80 percent of users don't use privacy settings, so their information is viewable by hundreds of thousands of people in their networks. But that is not how many users conceive of their privacy on Facebook. The fights over the Feed and Beacon showed that many users do not understand how their information is being circulated, which raises core questions about true "consent" and the ethics of monetizing personal information. To declare that users are out of luck because they posted "voluntarily with the intent of making [information] public to other people" simply leads us back to defining "voluntary." Sharing with 20 trusted friends is not absolutely equal to posting to a network of 20,000, even though both carry the risk of losing control over the information (thus failing the traditional conception of privacy). And there is no good reason to incentivize corporate practices that treat ignorance as voluntary intent.
In response this TPM discussion, Jon at the Liminal States blog contends that advancing user knowledge is not only vital to empower meaningful privacy choices; it's also in the long-term interest of social networking companies. He likes proposals that explain "the likely size of the audience so that people are conscious of it before posting pictures" and force "organizations who track users to disclose" the practice, which stem from "the Notice and Choice prongs of fair information practices." And Jon has a background in the tech business:
Improved user awareness is ... important, and increasingly large web services like Facebook are going to realize it’s in their interests to be proactive here — not least to avoid the possibility of well-intended but disastrous legislation.
Facebook currently faces the prospect of legislation and regulation -- the Center for Digital Democracy will file a complaint with the FTC about social advertising in January. (It already has one pending about behavioral targeting.) People can continue to organize online for better privacy protections, from individual Facebook protest groups to MoveOn's centralized effort, and grow a constituency that could actually define the new privacy with industry norms and public policy.
Finally, a theme that often recurs in these debates is some variation of "blame the victim." Now it's true, many people make bad decisions online, and they have to handle the blowback. But as I've tried to report, there is huge confusion about how social networking actually works. The learning curve is steeper than users realize -- even for supposedly tech-savvy students who grow up online. From a legal perspective, these policies often turn on the habits and choices of minors, which can trigger a different set of safegaurds. Teenagers live out meaningful life experiences on these sites, under both intense social pressure -- see Danah Boyd --and the shadow of a business model that seizes ownership of their photos, videos, writings and digital identity for advertising, behavioral targeting and future monetization innovations. Meanwhile, few parents are equipped to "lead by example" on a site like Facebook. So while I agree that people of all ages should protect themselves by posting less in the first place, that imperative does not resolve the obligations of corporations and government to apply responsible new rules to a new landscape.
Or Facebook could do the right thing and stop claiming ownership of everything ever posted on Facebook.
In their claims of ownership, do they also support the poster in cases of liability? For instance, suppose I post a piece of fiction that doesn't belong to me on Facebook, and I get sued by the author. Isn't Facebook liable, since they claim ownership of what I post? Or do they only own the stuff that makes them money?
If they say, no, it's against our rules to post things that don't belong to you, therefore we are not liable for what you post in violation of our policies, then what's to stop me from suing them for using a photo of me that someone else posts?
The only true way to own content is to create it. Just because you say you own it doesn't mean you own it. It's like landlords claiming ownership of every piece of art created in their apartments. I don't see how Facebook or anybody else can make such a claim.
December 28, 2007 2:47 PM | Reply | Permalink
These claims are made all the time. Yet, the only way a claim of ownership can be transferred between parties is through an agreement. Artists give up ownership every time they sell a piece. This does not strip them of their intellectual rights/ownership over their creations, but these agreements assign the use of them to another. In the case of the likes of Facebook, these rights are assigned to others every time the subscriber clicks that little box or acknowledges acceptance of the "Terms of Use" - they enter an agreement. I am guilty of blindly accepting these agreements much too often. As embarrassing as this might be, it does not allow me to deny transference of ownership or claim false duress through ignorance.
As a point of reference, you assigned your right of ownership to your posts and comments to TPM in perpetuity when you signed up for your account. That is unless you register everything you post for copyright protections to gain a level of fairness over its use; but who wants to do that.
I wonder if anyone knows of any web posting sites who do not subscribe to such claims of ownership? It seems to be a standard clause everywhere. It might also be interesting to here from TPM listing their reasons for having such a claim. Personally, it doesn't bother me. If I produce any original content, I certainly register it to protect my work. Are TPM's claims just an act of cut-and-paste, a universal form they use for ease? Or are there legal of financial gains to be made because of the claims? I am sure there are other TPM agreements over ownership depending on the differing contributors' relationships.
Your question about liability is always dependent on the circumstances. Although you couldn't sue Facebook for your picture's misuse, you could certainly sue the poster of such picture. Unlike newspapers or other like media which assume the editorial responsibility of its content, social or blog websites assume no editorial responsibility outside of their expressed rights. I think this is important to the openness of the Web in exchanging ideas.
December 30, 2007 4:25 AM | Reply | Permalink
This is exactly my point. The only way to actually own the content is to assume editorial responsibility for it. In my opinion, it's ridiculous for a site to say, we own everything you post, but then turn around and deny ownership of anything posted on their site that might get them into legal or financial trouble.
If you are going to claim ownership of something, ownership is a two way street. You have to take the good with the bad. This is what I would argue in court if I were suing Facebook or TPM for something posted on their site. Given the current court system, I doubt I'd win, but it is the logical conclusion of any claim of ownership.
December 30, 2007 6:55 PM | Reply | Permalink
I guess this just falls under what laws of Intellectual Property tries to cover. I think you would find their claim of ownership does not go as far as demanding exclusive rights. They would have to establish copyright protection over these posts to make this claim.
Their claim of non-exclusive rights of ownership allows them to "shop" your work out. In essence, this protects both parties. It allows you to hold the claim over and responsibility for your ideas and work and allows the servers to have free course to disseminate those things, which is what the web is supposed to be about. It also loosens the more restrictive transferable rights over work in traditionally published mediums, which in our case allows us to appropriate others work with less restrictions.
On top of this, there is the umbrella concept of "fair use" which protects all original work in respect to its purpose or character. Of course, this is where the understanding of what "fair use" means and interesting legal arguments in court follow. This covers works under copyright or not.
I tried to find a good source outside of my old textbooks, and this is what I found EFF
January 1, 2008 12:45 AM | Reply | Permalink
I think your comments on the scope and nature of consent are on the right track. Consider more work on the purposes of consent; whether the power to exploit information posted is presumed to equal consent to technological powers people aren't familiar with; and the impossibility of consent, whether subjective or objective.
It may be argued all day that eventually everything not destroyed will be discovered. And those who want power to intrude will argue this means that consent has been waived to the exploitation of all communication that is not destroyed.
December 28, 2007 4:43 PM | Reply | Permalink
"[T]he power to exploit" is the potent action which determines the appropriateness of the concerns raised in these posts. Exploitation, void of the usual negative connotation, is a necessary part of social or market contracts. Simply, it is how we use our assets. The positive or negative effect of "the power to exploit," lies not in the act of exploitation but in the genesis of the power.
In order for someone to have an assumed power, there has to be consent between the parties. And for the consent to be solid, the purpose behind one's consent has to be equivalently accepted. So, for there to be a positive exploitation of a person's information, the purpose of this exploitation has to be what was originally accepted.
Concerning our conversation about Facebook, it is reasonable to accept that the subscriber's purpose behind their consent to post personal information was for social networking only; therefore, any use of this information outside of the social realm (ie marketing models) would not be used in consent. "[T]he power to exploit" in this case would be misappropriated by being in conflict with the original, reasonable purpose.
December 30, 2007 6:23 AM | Reply | Permalink
Sorry, but I don't see the difference between posting to 20 people and posting to 20,000. There are ways to have private discussions--you have them individually.
Look at it this way: When you post something on facebook, you essentially become passive with respect to who actually reads it. It is "out there" for anyone to read in the same way that a book is "out there" for anyone to read. If someone restricts their privacy controls so that only their facebook friends can read their profile, they are still passive about those people viewing the profile. Insofar as they are passive, they are not putting any restrictions on how the limited viewership uses the information. I can't post something on my facebook profile, limit access to my friends, and then tell my friends not to tell anyone else. Posting on facebook is essentially un-private. By posting on facebook you are tacitly giving permission to access your information to all the people authorized to read your profile. In other words, it's public.
Restricting access to your profile doesn't make it private. It only ensures that people you don't know won't bother you or steal your email address. Posting information to a restricted profile is not the same thing as sitting in your house with a few close friends and saying, "Please, let's keep this between us."
It is not merely a description of how facebook "actually" operates for most people. It is a description of how facebook legally operates for all it's users. I don't see anything wrong with that. Again, I return to my original position: I am worried when the government tries to collect this information, not when people give it up on their own to private companies.
December 29, 2007 5:50 PM | Reply | Permalink
Reece, you make some good points about the operation of Facebook.
We may disagree as to the effect of posting on Facebook. You should know that the Deputy Director of the DNI is already using a similar argument to the one you made above to justify the notion that Americans must surrender their anonymity completely because they have already waived it via Facebook, Google, forums and a thousand other means online.
See the DNI website for Dr. Donald Kerr's speech to a intelligence symposium.
One especially egregious abuse of publicly available information in Kerr's premises is that registry and court information made available by local and county jurisdictions only, has been gathered by national companies that scan them in and use them for profit in a consolidated form. The purpose of this has been to expedite and empower background investigations of individuals by companies and by other individuals. However, because this information is made available for a fee by a company does not mean the records they are holding are public records in their consolidated form. In other words, the governments did not agree among themselves to make the records available in a centralized form. Companies obtained access to these records and created an entirely new animal: consolidated dossiers on individuals. It is these dossiers that we refer to when we say, "you wouldn't believe what is available about you out there on the internet." Well, we don't believe it because we were never asked if someone could take our public records in their variously placed jurisdictions and turn them into a national private dossier for sale to the public (and the government).
Much of what websites warn people about in their policies is not visible unless one clicks on it, and even then, consists of legalese that people often gloss over. This goes to the old paper contract issue of conspicuousness and unreasonable tangles of legal disclaimer that people simply do not want to read.
December 30, 2007 11:00 AM | Reply | Permalink
I believe it. I've done a little work that required using private reporting companies to check criminal backgrounds. But what are you worried about? Public records are public records. What you are describing is a problem of efficiency, not a problem of access. You seem to be worried that private companies are making access to information easier, not that they are making private information public.
All the information amassed by these companies is accessible to anyone in any case. It would take more time for an individual to collect it, but that doesn't make it less public.
Look, if you go into court, anything happening in that case is going to be public. I'm sorry, but it is. That's why people need to stay out of court. Don't commit crimes. Don't do stupid shit that will lead to a case. But I think you will realize that it kind of has to be that way. We have to have public proceedings. So, ultimately, information made public through the result of a court case doesn't concern me.
December 30, 2007 12:10 PM | Reply | Permalink
Public records are those you consent to make public in the specific jurisdiction in which you make them public.
The consent also says specific governments may charge for copies or certified copies of these records. Nothing in our registration processes says that we must consent to our registry information being used for profit by a company we cannot forsee, with business purposes we can't consent to, and which are actually using our information outside of the scope of the reasonable purpose for which we gave the information.
If someone appropriates your image and sells it for profit, they must get your permission and compensate you. Otherwise it is an actionable invasion of privacy tort. However, if someone acquires your disparate data and makes an information "image" or dossier of you that is not sanctioned by due process, then they sell the damn thing to amoral corporations, many of whose execs rarely prove more ethical than pimps, I say they must pay invasion of privacy damages if they didn't get permission from the person depicted.
The information is not readily accessible to individuals or companies, because it is very expensive to hire someone to do the research. This is a check on the dossier business. Another problem with the dossier business is that it also associates your family members to your name, thus giving those who may have a reason to come after you an easy route to discovering the names and locations of your family members. I don't know why this does not bother the younger generations except to say that to them, WWII, the Holocaust, the Soviet gulags and other purges are just so much the subjects of video games that glorify the violence and drama without any real cost to the player other than their deadened consciences and sense of liberty.
January 1, 2008 12:50 PM | Reply | Permalink
snip duplicate
January 1, 2008 12:39 PM | Reply | Permalink
I always thought that because of how the Internet works, no communication should ever be considered private. Your data bounces between half a dozen servers or more on its way to the final receiver, and it's not exactly predictable which half dozen. There's nothing stopping people from intercepting your packets and reading them.
I thought this was the reason for Secure Socket Layers and 128 bit encryption keys and Security Certificates and little padlocks on the web browser, and whatnot.
December 30, 2007 12:17 AM | Reply | Permalink
Are there any safegaurds for minors on how their information is gathered and profiled? It does not seem appropriate for any collection of data and subsequent related or directed business models for minors. By reasons of immaturity and innocence, I thought it was unable for a minor to actually give such consent. Or are these actions forbidden? For good reasons, it is necessary for minors to have stronger standards of privacy.
December 30, 2007 5:05 AM | Reply | Permalink
So I did a little searching to answer my concerns about internet profiling and database collections of minors and identified the Children's Online Privacy Protection Act (COPPA) as the Fed's response.
A few concerns I have is that it only covers 13 year olds and younger. This leaves open the population age group that has ever increasingly designed their culture around the web and wireless markets. My argument is that teenagers do not have the maturity to understand the ramifications that unfettered dissemination and collection of their personal information might have on them. They do not have the ability to give appropriate or reasonable consent.
This leaves the responsibility of privacy protection to the parents, and rightly so. By no means do I think that parents should not be vigilant or relinquish that responsibility. At the same time, it is our public responsibility to protect them in the possible failure of their guardians.
This being an exploratory post, what would it mean to the openness of the web if all such information gatherings be allowable only after an opt-in acceptance every time? This would create a plain, visible action and place the responsibility of disclosure in higher value than the responsibility of protection.
Immediately I cringe at the thought that this might only be a condom to protect the addle brained; promoting ignorance or blindness is a curse on society. But with the sometimes predatory tendencies that arise, those in control of the "system" can skew the environment to be camouflaged in their favor. Beware of the Man and all that stuff. I use the unfavorable mortgage agreements some have gotten themselves in trouble with as an example (here again I raise concern over "tax the stupid," as my wanton role model Eddy Monsoon temptingly promotes).
The professionals have a higher burden to make sure a reasonable consent is possible. The developers behind the technology have to make it accessible to any reasonable adult. Just as the mortgage companies should produce cloudless agreements, internet marketing collections should be just as clear. As I argued above, solid consent can only be given in a reasonably clear environment. I am not looking for an Hippocratic Oath where exploitation of the patient is never allowed, because in social and business markets, exploitation is how they survive. Is there such a thing as fair-exploitation and doesn't that sound like a Utopian concept that only a dual Econ-Philosophy major from Harvard could come up with?
And now I have digressed exponentially from the original post.
December 31, 2007 11:26 PM | Reply | Permalink
Richard Esguerra, Electronic Frontier Foundation's Activist, provides information and advice concerning Facebook in his post Facebook Beacon Roundup: Data Collection Methods Still Troubling.
December 30, 2007 6:07 PM | Reply | Permalink
After remarking on Facebook's Beacon program at Info/Law blog, William McGeveran speaks of his concerns about Facebook's Social Ads program.
Social networking enterprises are learning that not everyone will roll over for them when it comes to privacy, information, and legal issues, social norms notwithstanding.
December 30, 2007 7:56 PM | Reply | Permalink
The issues surrounding privacy have undergone a serious transistion in late years. Privacy is no longer principally about privacy. In its present incarnation, privacy has changed and today is more about money.
There is not a single thing you might do that requires any form of communication with a business entity that does not result in a flood of unsolicited snail mail, email and or cold calls offering a service or product. Businesses have written legal contractual language into agreements with consumers that effectively says this is the way we are going to do business and if you need this service that is the way it is going to be. In many cases we are talking about essential services that are required to accomplish some form of mandated legal requirement wherein the terms of the agreement effectively strips the consumer of any rights whatsoever. These kinds of agreements have been shot down by the courts but the cost of pursuing this is prohibitive.
Don't kid yourself. We have no privacy. It has either been sold to the highest bidder or confiscated by government itself. Informationally, the bidders I refer to are the same powerful business and financial concerns that contribute or cause to be contributed the lions share of money to political campaigns. For this reason, Congress will never legislate ironclad protections for private information. Over time, the video cameras being put into use all over the nation will record even the simple act of walking down the street. The term, 'private citizen' is decidedly antiquated.
RIP privacy.
January 3, 2008 12:15 AM | Reply | Permalink
Also: don't call it "the New Privacy." That's code for, privacy controlled by the NDI.
January 7, 2008 4:20 PM | Reply | Permalink
A couple of years ago, I went to a dinner party at the house of a sociologist who studies online behavior. It was mostly a boomer-aged, New Left sort of crowd, of the type that have a healthy dose of paranoia remaining after the exposure of FBI spying in the 70s, and who take civil liberties very seriously.
The host was talking about her research indicating how easy it is to find virtually any piece of information posted online, and how easily hacked our email is, etc.. “When I was a young person,” she said, “and I put a letter in the mailbox, I knew that the seal on that letter was sacrosanct.” “These kids today,” someone else more or less said, “just don’t seem to care about their privacy.”
I suggested that the operative concept in understanding online behavior was not privacy but anonymity, and that there was something entirely rational about it when viewed in this way. When you post something to your blog or Facebook page (e.g.), you do so with the recognition that it is but one in tens of millions of entries, a few in billions of bits of data posted each day. There is a risk that this information will be found (this was before googling prospective employees had caught on), but on balance, the chances that your data will fall into unwanted hands are within the realm of acceptable risk. It’s just a numbers game. But the notion of privacy implies a set of shared values, essentially between you and every single person who handles your mail (email, resume, etc.). It’s a lot more comfortable betting on anonymity than privacy.
This argument did not impress the assembled guests very much. But I do think that it is key to understanding the shift here, and perhaps why Facebook users don’t fiddle with their privacy settings. People post at all because they feel that the chances of being bitten by what they reveal is an acceptably low risk, not because they have different standards of privacy. Or, to the extent that they do, it’s not a ‘new privacy’ so much as a sense, in the post USA PATRIOT Act world, that privacy is no longer really any guarantee.January 8, 2008 7:19 PM | Reply | Permalink