Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2013
Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Professor, Baker & McKenzie Cyberspace Law & Policy Centre, University of N.S.W.
Visiting Professor, E-Commerce Programme, University of Hong Kong
Visiting Fellow, Department of Computer Science, Australian National University
Draft of 4 February 2004
© Xamax Consultancy Pty Ltd, 2004
This document is at http://www.rogerclarke.com/DV/ContactPITs.html
This is one of an occasional series of papers on PITs and PETs, for the Privacy Law & Policy Reporter. PITs are 'privacy-invasive technologies', and PETs are 'privacy-enhancing technologies'. The foundation article for the series is in Privacy Law & Policy Reporter 7, 9 (March 2001) 181-183, 188.
It was reported on in The Register of 10 February 2004.
Technology and human ingenuity continue to pose new privacy challenges. During 2003, a new dot.com fashion arose from an odd amalgam of Rolodex address-books, e-communities and dating. Users of these services store personal data on a central server, which can be accessed by other people, and, potentially at least, exploited by the service-operator. There are privacy concerns, of a kind that has been analysed many times before.
The new dimension that these services bring is that they entice users to disclose personal data about their friends, business contacts or acquaintances. That is a disturbing feature, and it requires careful analysis.
People have long kept lists of the names and contact-points of other people. Since the arrival of consumer computing in the late 1970s, many of these lists have migrated from 'little black books' to 'address-books' and 'contacts databases' on personal computers (PCs), and more recently on personal digital assistants (PDAs) and mobile/cell-phones.
As the variety of consumer appliances has multiplied, people have come to use several devices rather than just one. They need to either maintain a single address-book that is accessible from all devices, or maintain multiple copies but keep them synchronised, such that an addition or modification in one copy is replicated in the others in a timely manner.
Through the 1990s, there was a recurring piece of pop-anthropology verging on an urban myth, referred to as 'six degrees of separation' (e.g. Matthews 2000). During 2003, apparently inspired by this idea, a number of companies released services to assist people to 'network'.
Many of these services encourage or even require that users provide information not only about themselves, but also about their friends or contacts. In some cases, users' address-books may be stored on the company's server, which is accessible over the Internet, and therefore from any Internet-connected device.
This paper provides a brief privacy impact assessment of such services. Its primary concern is not the privacy of the users who sign up for such schemes. That is a legitimate topic for an article as well; but those users are providing data about themselves consensually, and the risks and (lack of) protections are reasonably well-understood. This article instead focusses on a matter that is new, and of great concern: the privacy of other individuals whose data is volunteered to such services by its users.
People's contact-points are privacy-sensitive data. This is especially so in the case of the many categories of persons-at-risk, but it also applies to the majority of the population. Anyone can be subjected to the interest of a stalker; and marketers abuse mailboxes, telephones and email-boxes at will, subject to very limited regulatory controls.
An address-book contains the contact-points of multiple people, and is therefore attractive to marketers, and to miscreants generally. Access to multiple address-books is a yet greater threat to the privacy of the people whose data is recorded in them. This is because a rich enough collection enables the construction of social networks of individuals. This is a wonderful research tool for sociologists, epidemiologists and criminologists, and an attractive investigatory tool for law enforcement and national security agencies.
But social networks constructed from a database of address-books are a very substantial threat to the privacy of the individuals whose data is recorded in the address-books. The threat goes far beyond the physical dimension of being located and tracked. And it is also far more than the psychological aspect of "'they' know a lot about me".
The respite from extremist-conservatism after the end of the Cold War was brief, and people everywhere are under the twin clouds of terrorism and dangerously powerful and unregulated national security and law enforcement agencies. Social networks are a primary way in which suspicion is generated about individuals. Acquaintances of terrorists, terrorism suspects, terrorism financiers, terrorist supporters and terrorist sympathisers are at risk of being allocated into a grey zone of terrorist associates. A tag of that kind is potentially as harmful to a person as have been negative categorisations made in previous contexts, such as 'etranger', 'subversive' and 'unamerican'.
The threat involved in consolidations of address-books therefore has an important social dimension, and if it affects a person's employability or career advancement, then an economic dimension as well. And it reaches out to the chilling of democratic speech and action.
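The argument above, that a rich enough collection of address-books lets an operator derive a social network covering people who never signed up, can be made concrete. The following is an added illustration, not code from the paper or from any of the services it discusses: three constructed users' uploaded address-books are merged into one association graph, and a few queries show what becomes inferable about the third parties in them (including the 'degrees of separation' distance referred to earlier). All names and address-books are invented.

```python
"""
Added example (not part of the original paper): what a central address-book
service can infer about third parties once several users' books are pooled.
Every name and address-book below is constructed for illustration.
"""
from collections import deque

# Constructed sample: three users' uploaded address-books (user -> contacts).
# Only 'alice', 'bob' and 'carol' are users of the service; everyone else is
# a third party whose data was volunteered by someone else.
UPLOADED_BOOKS = {
    "alice": ["bob", "dave", "erin"],
    "bob":   ["alice", "dave", "frank"],
    "carol": ["erin", "frank", "grace"],
}


def build_graph(books):
    """Build an undirected association graph from the pooled books.

    An edge joins the uploader to each of their contacts, and also joins any
    two people listed in the same book (co-listing), since sharing a book is
    itself evidence of a common acquaintance.
    """
    graph = {}

    def link(a, b):
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)

    for owner, contacts in books.items():
        for contact in contacts:
            link(owner, contact)
        for i, a in enumerate(contacts):
            for b in contacts[i + 1:]:
                link(a, b)
    return graph


def third_parties(books):
    """People who appear in the pooled data but never became users,
    i.e. those who gave no consent to being recorded at all."""
    users = set(books)
    listed = {c for contacts in books.values() for c in contacts}
    return sorted(listed - users)


def listed_by(books, person):
    """Which users' books mention this person (who volunteered their data)."""
    return sorted(owner for owner, contacts in books.items() if person in contacts)


def associates(graph, person):
    """Everyone the graph links to a person: the 'associates' that a
    suspicion-by-association process would read off the data."""
    return sorted(graph.get(person, ()))


def degrees_of_separation(graph, src, dst):
    """Shortest-path distance between two people (breadth-first search);
    None if either is unknown or they are not connected."""
    if src not in graph or dst not in graph:
        return None
    distance = {src: 0}
    queue = deque([src])
    while queue:
        current = queue.popleft()
        if current == dst:
            return distance[current]
        for neighbour in graph[current]:
            if neighbour not in distance:
                distance[neighbour] = distance[current] + 1
                queue.append(neighbour)
    return None


if __name__ == "__main__":
    graph = build_graph(UPLOADED_BOOKS)
    print("Third parties recorded without signing up:", third_parties(UPLOADED_BOOKS))
    print("Who volunteered dave's data:", listed_by(UPLOADED_BOOKS, "dave"))
    print("dave's inferred associates:", associates(graph, "dave"))
    print("grace -> alice separation:", degrees_of_separation(graph, "grace", "alice"))
```

Note that 'grace' is known to the service only because 'carol' uploaded a book, yet the pooled graph already places her two steps from 'alice', a user she has no relationship with; that is the kind of inference the paper is concerned with, and the reason the third parties' lack of any contractual standing (discussed later) matters.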
A range of services has been launched, with varying philosophies, target-markets, and degrees of sophistication. Many of them are still at an early stage of maturation. There does not yet appear to be a critical literature on the topic, but a valuable overview of some of the services is in Allen (2003).
They are usefully classified into two groups:
The investment base varies, with most being start-ups on the lookout for capital (Glasner 2003). Others may already have strategic relationships. For example, Orkut advertises an unexplained association with Google, which is seriously problematical given the very considerable interest-profile that Google could associate with individuals if its users had consistent identifiers.
The products also vary greatly in the extent to which a user exposes information about other people. For example:
As regards contact details, even the disclosure of an email-address represents a risk exposure for a third party who, at that point in the process, has demonstrated no interest whatsoever in the undertaking. But home-address, home phone-number and mobile/cell-phone number would be regarded by most people as being much more sensitive disclosures than email-address. Extension to interests, and especially to household-structure and family-names, would be of a great deal of concern to very many people.
Many of the schemes invite, stimulate or perhaps even require the user to provide additional comments about people, in some cases referred to as 'testimonials'. In the SNS services, it would be difficult to mistake this for information; but it could result in some embarrassment at times, and potentially also unwarranted suspicions of a more serious nature.
Interactions between users and the service-provider of course generate trails that both parties have an interest in. In some schemes, interactions among users may also give rise to additional information stored on the service-provider's site. But this can be argued to be part of the deal that the individuals concerned consented to when they decided to participate in the scheme.
But there can be no sense in which third parties have expressly consented to, or opted into, such arrangements. The 'viral marketing' or auto-expansion nature of most of the services involves non-consensual capture, storage, and in at least some circumstances also disclosure, of personal data about third parties.
Generally, the statements focus on the privacy interests of the user who is signing up, and in many cases pay no attention at all to the interests of the user's associates.
Several of the sites display the Trust-e 'meta-brand'. Meta-brands were examined in an earlier article in this series (Clarke 2001), and their value was shown to be very close to zero.
Judging by web-log entries on this topic, some awareness exists about the exposure of one's email-address, and the arrival of unsolicited requests to update one's address-book.
Some correspondents, and some commentators, report that they have contacted the service-providers and accused them of sending spam (e.g. Chirgwin 2003, 2004a, 2004b). Several circumstances arise:
In the instance discussed in Chirgwin's series of Comments, the service-provider responded by creating an opt-out mechanism (but one whose URL was incorrectly advised, and which does not appear to be discoverable on the web-site). In that case, it also appears that the service-provider maintains a database of the email-addresses that it harvests in this way, for use as a marketing tool.
Spam is merely the digital equivalent of unsolicited brochures and letters stuffed in one's letterbox: they are annoying, but not directly harmful. The real privacy impacts are far more substantial, and yet they appear to have been overlooked during the initial, enthusiastic and insufficiently sceptical phase of these new services.
Because of the diversity that exists among the services, it is difficult to conduct a generic study. The most well-developed product would appear to be Plaxo, and this assessment accordingly focusses on it.
Plaxo is a service whereby people store their address book data on Plaxo's servers, and encourage their friends and business associates to at least update their contact information, and preferably become users as well. The web-site provides an outline of the service (in PDF), and makes the Terms of Service available, which in turn incorporates a Privacy Statement.
It is feasible for a new user to upload their address-book to Plaxo at the outset, in order to set the process in motion, but then ask for it to be deleted. If the storage is only temporary, the Terms of Service state that "This information will be deleted as soon as the temporary copy is no longer needed". This seems unlikely to be a true statement, because in the normal course of events logs, audit trails and backups make copies of whatever temporary files exist at the time. The expression in the Privacy Statement is more circumspect: "As soon as the email request has been processed, this information is deleted from these servers". The key word 'deletion' is qualified by 'these servers'. Hence it appears that the company has permitted itself to retain all logs, audit trails and backups. If so, it is open to at least the accusation of constructive misinformation.
The statement is of course false. There are circumstances in which Plaxo may be required to disclose; or it may have a legal discretion to disclose, and may choose to do so (possibly on quite reasonable grounds). And they might do so without informing, and in some cases without even being able to lawfully inform, the user in whose files the data is stored and/or the person to whom the data relates.
The formal Privacy Statement is much closer to the truth when it says "we do not sell, exchange or give Your Information to any third-parties ... We may need to disclose personally identifiable information when required by law wherein we have a good-faith belief that such action is necessary to comply with a current judicial proceeding, a court order or legal process served on Plaxo and/or the Site". But even that is silent as to whether the company will communicate the fact of disclosure to the user, and/or to the individuals whose personal data is thereby disclosed.
The Privacy Statement also states that "In the event Plaxo goes through a business transition, such as a merger, acquisition or the sale of a portion of its assets, Your Information and your membership in the Plaxo Contact Networks will, in most instances, be part of the assets transferred. You will be notified of an ownership change pursuant to Notification of Changes section of the privacy statement".
The first issue arising from that statement is that Plaxo has declared that personal data provided by one person about another person becomes their property. This is very dubious, because data is not subject to property law (although representations of it may be subject to rights under copyright law).
The Privacy Statement confuses the matter still further, by stating that "Your Information is your own and you decide who will have access to it". The expression 'Your Information' is not expressly defined, but appears to encompass 'Your Account Information', a sub-set of that data referred to as 'Your Plaxo Cards', and 'Your Contact List'.
To create yet another layer of confusion, the Terms of Service state that "Title, ownership rights and intellectual property rights in and to the content accessed through the Services shall be retained by the applicable content owner and may be protected by applicable privacy, copyright or other laws". The term 'content' is clearly intended to refer to the text and images in files like 'How Plaxo Works' and its Terms of Service. But it may well also apply to the personal data stored in Plaxo's system.
Various categories of personal data arise within the scheme, including:
It is completely unclear who has what rights in relation to these categories of personal data. The parties who may have rights include Plaxo, the user, the person to whom the data relates, and any party that had rights in relation to the data prior to it arriving in the Plaxo database. What the company thinks and declares is of course secondary to what the courts might determine in each particular circumstance that comes before them; but that is a very open question.
A further serious concern is that none of the limited undertakings that Plaxo provides apply to personal data that arises during the course of the service's operation. Every IP-address, every email, and every social-network relationship that arises appears to be entirely free of any express contractual constraints.
The user's personal data is protected by only the flimsiest of contractual terms, and hence the user is forced to rely on such protections as may be provided by the law. But whether any legal protections at all apply is a wide open question. Plaxo appears to be a U.S. corporation operating in Silicon Valley. Neither the U.S.A. nor California have generic data protection laws, and quite possibly no specific laws that apply to these circumstances.
From a consumer protection viewpoint, the contract is an unmitigated disaster, even for users, before consideration is given to the concerns of third parties.
The "Terms of Service are governed by the laws of California", but subject to the qualifications:
Moreover, "Plaxo may seek injunctive relief, or any other appropriate relief, in any court of competent jurisdiction" (i.e. not only in Santa Clara County), but nothing in the contract confirms that a user can do the same.
The statements in the Terms of Service probably determine jurisdiction for actions in contract law; but not necessarily for actions under other heads of law such as consumer law or privacy law, depending on the relevant court's determination as to jurisdiction.
Under the doctrine of privity, a contract creates rights and responsibilities for the parties to the contract, but for no-one else. Hence there are no rights whatsoever under the contract for the individuals to whom the data relates.
The pop-up box declares the following undertaking by Plaxo to their client: "we respect the privacy of your contacts and maintain a strict policy of not sharing their contact information (received as a result of responding to your update requests) with other Plaxo users who are asking for this information" (my emphasis). The emphasised words appear to exclude the data that is provided by the user when they upload their address-book, and hence the undertaking does not apply to the data about other people that users gift to the company.
Further, "We may receive requests from such individuals to remove their personal information from Your Contact List. In such event, we may encourage them to contact you directly or we may relay such request to you on behalf of such individuals. We will not alter or remove any information regarding such individuals from Your Contact List without your consent".
The terms therefore seek to preclude Plaxo from complying with a request by an individual for alteration or deletion of their personal data. It is to be hoped that a mere term of contract would be overridden by the contrary requirements that exist in almost all data protection laws around the world. But Plaxo has made every endeavour to be subject only to the laws of the U.S.A. and California; and both of those jurisdictions lack generic data protection law. In short, the company might well be successful in its attempt to deny all rights to the individuals whose data is stored on their servers.
European jurisdictions, on the other hand, provide their citizens with legislative protections. The acquisition of personal data in this manner would appear to be disallowed under Article 7 of the Directive 95/46/EC. Articles 11 and 12 provide an aggrieved third party with a substantial, although qualified, right in relation to access and deletion. This is reflected in national laws, e.g. Schedule 2 and s.11 of the U.K. Data Protection Act. If Plaxo were to operate in Western European countries as it does in California, it would probably be in breach of their data protection laws.
Australia makes an interesting case study, because it is far less protective of its citizens against U.S. corporate power than are European jurisdictions. All data protection laws have a host of exemptions and exceptions, but Australia's Privacy Amendment (Private Sector) Act 2000 was devised so as to give active protection to businesses that breach consumers' privacy expectations, especially in the context of direct marketing. In particular, Plaxo would appear to be authorised to apply to direct marketing purposes the data that it acquired from users about third parties, because of the exceptions in Principle 2.1(c). It is possible that Principle 6 provides some rights in relation to subject access and correction (although because of the complexity of the text, it is difficult to be sure). But Plaxo would be permitted to charge a fee for access, to refuse to delete or change data that someone else had provided, and to decline to provide reasons for the refusal; and hence Plaxo would be authorised by law to refuse to delete data about a person once they had acquired it from one of their users. In short, Australia offers an alternative haven for privacy-invasive services like Plaxo.
Services of the kind discussed in this paper are presenting challenges to data protection laws of a kind seldom seen before. This final section considers the nature of the changes.
All existing data protection legislation is based on the Fair Information Practices (FIPs) model. That model was motivated by the need for something to be seen to be done about privacy, without actually constraining the processes of business and government. As a result, protections have been weak from the beginning. Moreover, information technology has advanced rapidly. And exemptions, exceptions and authorised abuses of the privacy principles have accumulated. The data protection laws enacted in the 1970s, the codification in the OECD Guidelines of 1980, and the later statutes enacted since then, offer only a fraction of the protection that people need in the twenty-first century (Clarke 2000).
But at least FIPs-style legislation has established some kind of framework, which applies to government agencies in almost all leading nations, and to large and medium-sized corporations in most of them. Those organisations are aware of the basic guidelines, the activities of some of them are subject to regulation, and a few are even subject to sanctions. It has always been assumed, however, that the threats arise from large datasets that are collected, maintained, used and disclosed by corporations and government agencies. Small business enterprises are often exempted, on the rationale that the threat that they represent is limited and the compliance costs would be disproportionately high.
Pursuing that argument further, private individuals who store data in a private capacity have always been exempt. It would have seemed extreme and unnecessary to regulate people's collection, storage, use and disclosure of data about other people. For the drafters of most reports and Guidelines, this was self-evident, and hence seldom-discussed. For example, the EU Directive simply defines the scope of data protection laws as being "personal data in the public and private sectors" (Article 3).
An exception is an early set of Guidelines of which I was the primary drafter. This specifically excluded from scope "uncirculated personal notes, papers and records which are retained or discarded at the author's discretion and over which the system operator has no control, e.g. personal telephone lists and notes on blotters" (NSWPC 1977, p. 26).
What centralised address-book services highlight is that the sensitive personal data held by individuals is increasingly maintained on computers, and is increasingly becoming more widely accessible. In many cases, these new services are doing more than merely centralising storage. They are facilitating, and encouraging, the escape of the data into networks of people, devices and virtual data stores. NSWPC (1977) recognised the potential for data held by individuals to harbour threats to privacy. With advances in technology, that potential has now come to fruition.
Disclosure of personal data has caused problems in the past, in such contexts as health care reporting, and referees' reports for job applicants. But the disclosures involved in centrally-stored address-books and 'testimonials' throw into serious question the blanket exemption from data protection laws of personal data in the possession of private individuals.
In general, people would be well-advised firstly to stay well clear of all address-book and 'social networking systems', and secondly to prevail upon their friends, colleagues and acquaintances that they should avoid making any data about them available to service-operators like Plaxo.
There are two qualifications to that general statement. Firstly, a service that was subject to reasonable data protection laws would be less objectionable than services located in the U.S.A. or other havens such as Australia or a third world country. Secondly, it is feasible to design a privacy-sensitive address-book service or social networking service. Unfortunately, none of the services referred to in this paper have demonstrated sufficient understanding of the issues to suggest that they could mature in that direction.
Note that these services vary widely in their approaches, sales-pitch, target-markets, consumer relations, and privacy-invasiveness:
Allen C. (2003) 'Evaluating Social Network Services', 16 December 2003, at http://www.lifewithalacrity.com/2003/12/evaluating_soci.html
Chirgwin R. (2003) 'Is Plaxo Legal? - Wandering Around the Spam Legislation' CommsWorld, 09 December 2003
Chirgwin R. (2004a) 'Plaxo's Response - We're Not Spammers...' CommsWorld, 06 January 2004
Chirgwin R. (2004b) 'Plaxo: Case Closed (For Now!)' - CommsWorld, 09 January 2004
Clarke R. (2000) 'Beyond the OECD Guidelines: Privacy Protection for the 21st Century' Xamax Consultancy Pty Ltd, January 2000, at http://www.rogerclarke.com/DV/PP21C.html
Clarke R. (2001) 'MetaBrands' Privacy Law & Policy Reporter 7, 11 (May 2001), at http://www.rogerclarke.com/DV/MetaBrands.html
Gertner J. (2003) 'Social Networks', New York Times Magazine, 14 December 2003, at http://www.nytimes.com/2003/12/14/magazine/14SOCIAL.html?ei=5070&en=ce515a6cce610cb8&ex=1075784400&pagewanted=print&position=
Glasner J. (2003) 'Social Nets Find Friends in VCs' Wired News, 17 November 2003, at http://www.wired.com/news/culture/0,1284,61227,00.html?tw=wn_story_related
Hopkins J. (2003) 'Investors court social-networking sites' USA Today, 9 December 2003, at http://www.usatoday.com/tech/news/2003-12-09-meet_x.htm
Matthews R. (2000) 'Six Degrees of Separation', WorldLink, January/February 2000, at http://backissues.worldlink.co.uk/articles/250100180310/22.htm
NSWPC (1977) 'Guidelines for the Operation of Personal Data Systems' N.S.W. Privacy Committee, Sydney, BP 31, April 1977
Created: 1 February 2004 - Last Amended: 4 February 2004 by Roger Clarke - Site Last Verified: 15 February 2009