Online privacy – is it just theater?

In a post on TechCrunch, Rohit Khare, award-winning researcher in the fields of Internet protocols and decentralized systems, charges that when social networks tell us they are protecting our privacy, much of it is make-believe. Rohit calls it a theater they play for our benefit. His article

Privacy Theater: Why Social Networks Only Pretend To Protect You

has many pertinent references to bring an important issue to our attention. The TechCrunch editor notes that “Building his latest project, social address book Knx.to, gives Rohit a deep familiarity with the privacy policies of all the major social networks.”

Here are some quotes, but I do recommend you read the whole article.

As long as the same information that social networks piously prohibit their own customers from using is being bought and sold on the open market by giant marketing companies, social networks are only pretending to protect your privacy.

– – –

Last week’s headlines brought news that RockYou had accumulated 32,603,388 identities over the past few years — and negligently stored them in plaintext in an incompetently protected database.

– – –

In an ideal world, a third party developer shouldn’t have to store any personally-identifiable information (PII). In many jurisdictions, PII is akin to toxic waste, because of the regulatory burdens and civil, even criminal, liability for acquiring and disposing of it.

– – –

If PII is so hard to protect, then the only way for social networks to protect their users’ privacy must be to prohibit partners from accessing contact information in the first place. I might not be able to export my holiday card mailing list from my favorite social network — but giant marketing corporations can buy and sell our private information with impunity.

I could go to Rapleaf right now to buy an analysis of any list of email addresses to learn its makeup by gender, income, residence, and all manner of other demographic data. Who’s to say how short that list could be—it’s a slippery slope from aggregate info to personal info. Or I could shop at one of Intelius’ many fronts and affiliates who are selling PII explicitly (TRUSTe-certified!). Or I could barter some of the stray business cards on my desk on Jigsaw to fill in the rest of the puzzle. All of these businesses depend on PII data harvested from social networks.

How is that possible? None of the social networks that we’ve integrated with has an API for reading email addresses — but all of them have no problem asking you to “Invite your friends!”

– – –

I also claim that social networks are engaging in Privacy Theater because there’s no shortage of examples of organizations on the Web that process vast quantities of PII while providing real privacy protection. Do you think that the “bad guys” haven’t gone after Webmail services to phish passwords and harvest contact information? Aren’t e-commerce sites sharing product information and reviews out to legions of affiliates without leaking your purchase history? How long do you think RockYou would have gotten away with it if they were asking for your online banking username instead of your email address?

Social network sites have not (yet) demonstrated the high degree of proactive surveillance and enforcement characteristic of other organizations that deal with PII on the Internet.

– – –

I’d argue that the hapless state of ToS enforcement by the major social network platforms only provides the feeling of improved privacy while doing little or nothing to actually improve privacy: that’s privacy theater.

Most of the comments to this article are quite positive. One points to an omission:

Decent article however blatantly omits Google from the discussion. While it is focused on “Social Networks” any discussion on privacy and the Web should include Google. The average consumer is blind to the implications of what is occurring and instead are enamored of this company that will soon be so intertwined into their individual web experience and “life” (in general) that when they take notice it will be too late…or they may not notice since with so much collected data they can easily massage the “message” and persuade “you” in whichever direction they please.

Another comment I would like to draw attention to points to a solution to the privacy quandary we find ourselves in:

Rohit,

great start, weak finish.

I think the only actual countermeasure to what you brilliantly call privacy theater is to not only give people access to their data, but to also give them open source software to manage such data.

What good would it be to have all the relationship data from LinkedIn, and then look at it in a text file?

I think groupware with a little social might help a long way, hence what we are working on at OX. It is early days, but it sure seems promising.

With all kinds of social and commercial sites vying for, buying and selling our personal data in the hopes of better “serving” us with information that will induce us to buy a new gadget or to acquire some information of value to us, why should users of the net not be in control of what they allow to be known about their habits and desires? A simple tool that allows us to check what already is public knowledge is a necessary first step to empower users to make meaningful decisions. The tool should not be controlled by those commercial interests that collect and make use of our personal data in the first place.

Would it be too much to suggest we might consider the need for an open-source implementation of popular social software, where every important setting is under user control and all data remain ours to share or not, as we desire?
