Wednesday, June 23, 2010

Do We Need a Social Media Bill of Rights?

I received an outreach email from the authors of Wild West 2.0 detailing their proposed social media bill of rights. Here's the summary followed by my analysis:

The Social Media Bill of Rights
By Michael Fertik & David Thompson, Authors of Wild West 2.0: How to Protect and Restore Your Online Reputation on the Untamed Social Frontier

As social networks have grown in importance, ReputationDefender has seen a shocking pattern of privacy violations, ranging from inappropriate data sharing to attempts to trick users into revealing their personal information.


It is time users took back control of their online privacy. ReputationDefender presents this draft Social Media Bill of Rights to provoke thought about how social networking sites -- like Facebook, MySpace, Twitter, and others -- should treat users and protect privacy. We strongly believe that social networking sites should recognize and grant each of these rights to users in an open and transparent way.

Social Media Users Have These Rights

1) The right to privacy.

When in doubt, privacy comes first.

By default, users should not expose information to the world, to data brokers, to corporations, or to anyone else.

Users have the right to share as much or as little as they want. They are in charge of their privacy, and all data sharing comes only after user consent.

2) The right to choose.

Privacy settings must be easy and understandable. If your parents can't use it, then it's not simple enough.

Privacy controls should be easy to find. Social networks should put privacy controls next to where they are needed; near photos, near data collection portals, and other places where users expect to find them.

If taking an action (installing an app, using a new feature, etc) will expose or share data, users deserve to know before they commit. Social networks should explain the privacy cost of each new feature, and let them make an informed choice.

Interfaces should not be evil. Each interface should clearly communicate the privacy consequences of each action. Interfaces that collect or use data in a non-intuitive way should be clearly labeled and explained.

Any kind of external data sharing should be opt-in, not opt-out. If it's so useful, it will be easy to convince users to sign up. Outside corporations don't have a right to user information without clear user consent.

3) The right to data minimization.

Just because a social network can, collect information doesn't mean it should. Social networks should strive to collect no more information about users than what is required to present social functions.

Storing "click stream," "search history," and other data that is not directly tied to social functions is often an invitation to privacy invasions. Storing this data does not directly enhance user experiences and often violates user expectations.

When in doubt, aggregate. Aggregated data often fulfills the same function without the privacy risks.

We don't know the long-term consequences of mass-scale data collection and storage; it is better to err on the side of caution and data minimization.

4) The right to honest communication.

Users have a right to know how their information is being used. Tell them. Use language you'd use with friends, not language used by lawyers. Agreements should be easy to understand and not contain hidden legalese.

If something goes wrong, tell users openly and honestly so that they may protect themselves.

If aggregated data turns out to not be anonymous (like the Netflix Prize data set), tell affected users. Openness today will save headaches tomorrow.

Even if the lawyers can find a legal loophole, users deserve to be treated with respect; social networks should treat users as they expect to be treated, not at the minimum possible legal threshold.

5) The right to delete.

Users have a right to leave social networks. When they do, they should be able to easily take back their data too.

The right to delete includes deleting any marketing information or dossier that has been compiled about them, including any behavioral advertising data.

Exceptions are permitted for financial transactions and other records that must be kept for legal compliance.

6) The right to know.

Users have the right to know:

* how information about them is being collected;
* to whom their data is being sold;
* how their data is secured;
* how many people can see their personal information;
* when there are data security incidents, even if they don't trigger existing notification laws.

Disclosures should be in plain language.

If data is being collected in non-obvious ways (click patterns, through offline sources, etc) then it requires special notice.

7) The right to dignity.

Some information is too personal for social networks to demand or share. Even if it is possible to find out intimate secrets of users' lives, it is usually best to not.

There are limits on the wisdom of behavioral and contextual advertising, even if users have agreed to it. Social networks should think twice before trying to profit from their users' grief, weaknesses, or personal failings.

Social networking engineers should always ask themselves, "would I want my data to be used this way?" If not, don't code it and don't implement it.

Sites should not encourage users to debase, defame, or abuse each other. There is always another person at the other computer; remind users to treat each other with dignity.

8 ) The right to accountability.

Social networking sites should be willing to undergo regular privacy audits to prove they are using data only in approved ways. Sites that don't allow privacy audits should be considered suspect.

Leaders of social sites should accept personal responsibility for the security and privacy practices of their sites. If they make a false promise, they should be held personally accountable.

9) The right to not participate.

Users have the right to not participate in social networking. If they choose not to, social sites should not compile a dossier or file about them, even if friends volunteer that data.

Non-users should be able to find out how personal information about them is being shared or discussed (including "tagged" photos or facially-recognizable photos) without providing further personal information.

10) The right to social privacy.

Social networks should make it easy for users to help friends be respectful of privacy.

Social networks should not encourage users to violate each others' privacy. Interfaces that encourage prying or over-sharing are disfavored.

Social networks should allow users to contact each other about potential privacy violations and privacy requests. A simple "I'd prefer this photo not be online" notification system can help friends communicate their preferences without threatening free expression or creativity.

I generally agree that social networks have shady privacy practices. We've all seen the recent Facebook privacy gaffs (probably the tip of the iceberg). But do consumers really care? Are Millennials, for example, overly concerned how the data they voluntarily upload using social technologies is used by advertisers? Tell me what you think.

Nick Kinports (follow him on Twitter @ADMAVEN) has worked in the interactive technology world for over 9 years, and helps the Fortune 100 identify unmet consumer needs, create ideas to fill those needs, and bring them into market. He currently works at Maddock Douglas.
blog comments powered by Disqus