As I muddle my way through yet another iteration of my outline, and think about the issues raised in my recent ephemeral/eternal post, it seems apparent to me that as a culture we are nowhere near consensus on what rights, if any, a person has with regard to the data we create and/or provide to third party applications like A9, Gmail, Plaxo, and the like. Clearly we are touchy about all of this, as the reaction to Gmail proves. In the process of my research, I started reading the terms of service and privacy policies for various services, and found them inconsistent, often vague, and in general difficult to understand.
Now, I know there is a vocal contingent of folks who believe that we should simply assume we have no privacy online, and assume the quid pro quo for any service that we use is loss of control over the metadata/personal information we create along the way. I certainly understand this line of thinking, but…it strikes me as a cop out. In the end, I’d warrant that business models are going to evolve to the point where services will spring up that offers consumers access to their own clickstreams in new and powerful ways, and I’m going to predict that we will want that access as a right. I’d prefer we not have early lockdown on this issue, if we can at all avoid it.
The nice thing about doing a book is that people help you. I have had and continue to have help from a lot of smart folks, and one of them is Abigail Phillips, a lawyer who has worked with the CDT and the Berkman Center. Abigail is helping me pull together a little research project that will compare the policies of several well known platform players as they relate to what I’m calling “clickstream/stored information” – the data exhaust we all create when we interact with web-based services.
Now, I imagine this kind of work is ongoing at lots of places, and hopefully this lazyweb request will point me toward that work, if indeed it exists, as well as pertinent case law from the real world. In any case, we’ve tried to outline what the major issues are in the form of what we hope are clarifying questions. Below, I submit them to this readership for feedback and input. Once we get a good sample set – and we’re trying to keep it simple, and avoid overly focused, complicated, specific or situational questions – we intend to review the Terms Of Service and Privacy Policies of four major services (we plan to start with an email provider, a major ecommerce player, a search site, and a social networking/contact site), and see what we learn.
If nothing else, we hope that we can report out a clearer sense of how each site “scores” on issues of consumer data protection and usage. That said, here are the questions, laid out in three rough categories of Ownership, Privacy/Usage, and Account Modification/Deletion. If you’re into this kind of thing, please give them a read and post your responses. If not, stay tuned, and we’ll report what we find out.
Thanks in advance!
Who owns the information-trail (clickstream) and/or stored personal information or profiles (stored information) created while using the service?
If the service owns it, does the user have any rights to view and/or edit that clickstream/stored information? Does the user have any rights to republish, aggregate, or profit from that information in other venues apart from the service where it was created?
Can the user transfer his or her clickstream/stored information to another web-based service? If so, can it be done easily, or is it a difficult and time-consuming task?
Does the service make it easy or difficult to access, edit, and/or retrieve copies of the user’s clickstream/stored information?
Who has access to the clickstream/stored information that a user posts or creates on the site?
Is there a place where the service outlines and regularly updates exactly how it uses this information? Is there a reasonable mechanism for the user to request and receive information on such use?
What is the strategic role of such information in the ongoing business/service, both specifically to the service and more generally to the larger business?
Does the site transfer to third parties personal data that the user submits to or creates on the site? If so, is it connected to specific user profiles, or is it delivered in aggregate form?
Under what circumstances (request, subpoena, etc) will the clickstream/stored information be released to law enforcement or government entities?
Does the service have the right to delete an account and all related information without notice to the affected user?
When a user deletes information from an account, is it deleted from the service’s servers and any backups the service may have? If not, does the user have recourse to insure permanent deletion?
If the user closes an account, does the service delete all copies of the information that is stored in the account? Do all third parties that have received user information through the service delete that information?
What happens to user information in the event the user dies while the account is still active? If the user owns that information, or has rights to that information, can those rights be transferred those rights to others, such as an estate or family?
What guarantees do users have that their information will be protected if the service is sold to another company?
What is the service’s policy as it relates to altering its terms of service/privacy policies? Will a user be notified prior to such changes, and will the users have a period of time to react prior to those changes taking effect?