Did you know January 28 is Data Privacy Day in the United States, Canada, and the European Union? The intention behind Data Privacy Day is to raise awareness of the importance of protecting the privacy of personal information—not just amongst individual users of things like social networking, but also amongst businesses, organizations, and corporations that collect, retain, and access information about their clients, customers, and users. Companies like Facebook, Google, Microsoft, and Yahoo have been drawing the attention of privacy advocates and regulators in recent years, but the reality is that there are tens of thousands of companies out there collecting, processing, and distributing personal information about individuals all the time. Increasingly, those companies are looking to things like social networking for cues about individuals’ behaviors, lifestyle, interests, and activities.
Facebook CEO Mark Zuckerberg — Time’s 2010 Man of the Year — once famously declared privacy is not a “social norm,” and Facebook and other companies have consistently borne out that idea in the online world, collecting increasing amount of information about individuals and hiding behind privacy policies longer than the U.S. Constitution. Clauses of implied consent decree that users legally agree to having their information gathered and tracked, so long as they continue using accounts or services. In other words: Users can either agree to be tracked, or they can agree not to use a service. However, this cavalier approach to data collection and user profiling is drawing increased scrutiny not just from consumer and privacy advocates, but by governments and everyday people. The European Commission has just proposed new data protection laws that would enshrine a “right to be forgotten” for individuals, and the U.S. Federal Trade Commission has forced Facebook to toe the line on sharing user information with third parties. Google’s recent ground-up revamp of its privacy policies and user tracking is almost certain to draw FTC scrutiny as well.
In observance of Data Privacy Day, Microsoft—which has a major stake in how data protection plays out, has released data from a survey of 5,000 people examining how they approach their online profiles and reputations. Overall, the survey found that 91 percent of respondents have taken some action to manage their overall online profile at some point in time, while about two thirds of respondents feel they are actually in control of their online reputations. However, only 44 percent indicated they actively consider the potential long-term consequences of their online actions; that means a surprising 56 percent do not consider any consequences from their online activity. Further, a surprising 14 percent believe they have been negatively impacted by the online activities of others. In this survey, “negative impact” means things like being fired from a job, being denied a mortgage, losing health insurance, or losing out on being accepted to a college or a job.
It’s well-known that most employers these days commonly vet job candidates by checking out their social media postings: Pictures from a drunken party in college could come back to haunt job-seekers later in life, particularly as things like Facebook’s now-mandatory Timeline expose more of people’s online histories. Similarly, employers and others can easily trawl through someone’s postings to Twitter and other social media services. Someone who regularly uses insulting or demeaning language in their public tweets or fuels flame wars with strangers in forums might now be an employer’s first choice for a job that entails dealing with the public or customers politely. By the same token, tweeting “Mainstreet offramp at 90mph, flipped off ugly minivan that honked at me!!” is probably a fast way to lose a job as a delivery driver.
Messages, files, photos, videos and other things marked as private or shared with a small group on a social networking site are only private in a very limited sense. If someone you’ve shared with takes the material public, it’s out there for the whole world to see, forever, just like any other social media posting. Also remember that discovery processes for civil and criminal cases treat social networking posts just like any other communication: They can be subpoenaed, and providers have to turn them over the data regardless of whether that information was free for the whole world or intended for just a selected few. And those subpoenas don’t have to be about you specifically: they might be about one of your online “friends” or related to a fan page, group, discussion list, or blog you happen to like.
Do not track
Back in December 2010 the FTC fielded a do-not-track proposal that essentially extends the notion behind the the well-received U.S. do-not-call list for telephone solicitation to the Web. Consumers would be able to tell online advertisers that they do not want to be tracked or have data about their online data collected about them and used to target advertising. Although all the major Web browsers implemented support for the do-not-track behavior during 2011 (and Microsoft even submitted a version to the W3C as a standard), the bottom line is that, even if consumers enable the feature on all their browsers, sites and services must explicitly support it. It doesn’t work automatically, and there is no regulatory requirement that any site support it.
Of course, there is a negative consequence for high-profile companies (the Googles, Microsofts, and Facebooks of the world) if they fail to support something like the do-not-track technology: They can be publicly humiliated, which could impact their usership and, ultimately, the amount of money they can earn via their online advertising businesses. However, FTC commissioner Julie Brill, speaking at the George Washington University law school in observance of Data Privacy Day, noted a entirely different aspect of the industry: Low-profile data brokers who specialize in scraping and collecting information about Internet users—and then, of course, sell it to others. Like, perhaps, the Facebooks, Googles, and Microsofts of the world.
Brill indicated the FTC intends to take a much closer look at these sorts of data brokers, particularly since the data they collect is essentially unverified and hidden away. Internet users have no way of knowing, reviewing, or correcting what data brokers are saying about them, and similarly have no way to opt out of the data collection. In much the same ways inaccurate credit reports can have a severe negative impact on an individual’s finances (and can take months or even years of effort to correct, even in cases of fraud and identity theft), material collected about individuals via the Internet could have an impact on people’s everyday lives.
“Analysts are undoubtedly working right now to identify certain Facebook or Twitter habits or activities as predictive of behaviors relevant to whether a person is a good or trustworthy employee, or is likely to pay back a loan,” Brill said in her remarks. “Might there not be a day very soon when these analysts offer to sell information scraped from social networks to current and potential employers to be used to determine whether you’ll get a job or promotion?”
Brill outright admitted the FTC doesn’t even know who many of these data brokers are.
The FTC is expected to release its final report early next year, outlining policy principles and urging the industry to adopt and implement transparency principles that put consumers in control of the personal data being distributed about them. Unfortunately, these will be nonbinding recommendations: The FTC doesn’t have much in the way of enforcement power without assistance from Congress, and about the only thing the FTC can bring to bear right now is the Fair Credit Reporting Act, which only applies to credit reporting agencies (CRAs), defined as companies assembling and selling credit and financial information about individuals. It’s not clear whether scrapings from the Internet and social networking services would fall within that definition. And the final policy report is expected to fall far short of the EU’s proposed “right to be forgotten,” which itself is not above criticism.
It’s not all about you
There are essentially three classes of information that impact people’s online reputations:
- Items posted by a user for the whole world to see
- Items posted by a user intended only for a select group
- Items posted about a user by a third party
This last case is noteworthy because it’s singularly outside of a users’ control. In the same way we can’t control what people say when we leave a room, we can’t control what people say about us on social networking services. Unfortunately, people have a tendency to say things online they would never say in real life; equally unfortunately, those kinds of insensitive or outright untrue comments can have an impact on our real lives. The day may come when it’s possible to negatively impact someone’s credit score just by saying enough negative things about them online.
To combat this possibility, industry leaders like Microsoft and Google recommend users be proactive and keep an eye on what’s being said about them online. Both companies recommend regularly searching for all variations on their names in popular search engines to see what turns up. Microsoft’s survey found that only 37 percent of Internet users do this. (Among other things, Google recommends automating these types of searches with a Google Alert. (Unfortunately, you have to have a Google account to do that, and will be subject to Google’s we-track-everything policies.) If you find your online reputation is less flattering than you’d hoped, there’s not much you can do about it: Once something is published on the Internet, it’s essentially available to anyone, forever.
One tactic for maintaining some online privacy can be to keep your personal and professional lives separate. Maybe have one profile that’s public and available to the world — including employers, schools, government agencies and others. Then, have separate profiles, screen names, and email addresses that handle your personal business, and keep those under tighter control, utilizing the privacy tools available on most social networking services and sites. (Bearing in mind that nothing available on the Internet is truly private.) If you do separate personal and professional roles, don’t cross-pollinate the two! There’s no point to having separate setups if you’re just going to link back and forth between them.
Keep a lid on it
A little over a two years ago, current Google chairman Eric Schmidt opined on CNBC that if people were doing something they didn’t want anyone to know, maybe they shouldn’t be doing it in the first place; Schmidt has also frequently expressed disdain for anonymity online, once declaring it “too dangerous.” Comments like these from a top executive at one of the world’s most pervasive providers of online services — and advertising — should be troubling to anyone who doesn’t feel all the details of their lives ought to be accessible to anyone at any time
Although we can’t control what others say about us, or what companies are compiling about us, we do have control over what we do ourselves. A good rule of thumb for managing online privacy and reputation is “think before you post.” If you’ve separated your personal and professional online lives, make sure you’re logged into the right account. And before posting a candid photo or hot-under-the-collar remark, think “Is this something I really want associated with me for years?” Because whether you answer yes or no, it will be.