The repeated unwelcome publication of people’s
online personal information has spawned a movement concerned about online freedom
and online privacy; including the right not to be tracked online and the “right
to be forgotten.” Recently, both the U.S. Federal Trade Commission (FTC) and the
European Union issued papers addressing how our online behavior is tracked. The
European working paper, “A
Comprehensive Approach on Personal Data Protection in the European Union”
states that “individuals should always be able to access, rectify, delete or
block their data, unless there are legitimate reasons, provided by law, for
preventing this.” The current U.S. working paper, “Protecting
Consumer Privacy in an Era of Rapid Change,” is currently in preliminary
draft format; it does not offer any recommendations.
If you think it is easy to control
your personal information and delete items or photos you have posted online,
consider the following:
• Who owns the data? If you and I are friends on a social network, does that
information belong to you or me? Can you pass that information on to someone
else without my permission? Can you delete it without my permission? In many
cases the legal case is simple, but what happens if I post information about other
people? What if those people are suspected sex offenders, public figures, and
minors? Do they have the right to remove the information?
• Information sharing across online services and applications makes it virtually impossible
to completely delete anything. For example, Facebook applications that extract personal
information from Facebook may retain remnants when a profile is deleted from
Facebook. This is particularly worrisome
considering that a study at the University of Virginia
found that 90% of Facebook applications request more personal information than
they need. While the same study showed that there are technical ways to
mitigate this problem, online sites have not implemented these and there is
little impetus for their doing so.
• Lack of comprehensive information-privacy statutes in the U.S. means it is easy to
collect personal information; no provision yet exists mandating the right to
delete such information. The situation is not much better in Canada, in the European
Union or elsewhere.
• Information ‘lurches’ happen periodically. Lurches occur when information is
unintentionally leaked to third-parties. This can happen during product/service
lapses, caused for example, by bugs in a social network. It can happen when
information privacy policies flip-flop, such as when Facebook made identity
information temporarily available to marketers in 2007, through its Beacon
service, before it was forced by public pressure to cancel the service.
However, lurches happen most often when people post information or approve the
sharing of information with other applications, without understanding the
implications. Retrieving or deleting this information is practically impossible.
The online data collector is usually not liable for lurches, due to the absence
of comprehensive data collection statutes for social (as opposed to commercial)
purposes. Since the online information has often been posted by individual
themselves, it is impossible to later claim the information is untrue or it was
posted unintentionally. In the online world–“if you posted it, it’s your
problem.” Trying to claim the information was not intended to be public is becoming
an increasingly tough sell.
networks like Facebook may retain personal data for a period of time after a
that upon profile deletion, “we may retain certain
information to prevent identity theft and other misconduct even if deletion has
been requested.” Furthermore, “removed and deleted information may persist in backup
copies for up to 90 days, but will not be available to others.” Even Facebook concedes however, that
information shared with applications or third-parties will continue to exist.
Next post … some ideas about what works
(and doesn’t work) to protect ourselves and others online.