Privacy and User Generated Content Lauren Gelman Center for Internet and Society Stanford Law School cyberlaw.stanford.edu
“Web 2.0 Is About Controlling Data” -Tim O'Reilly, Wired News, 4.13.07 • [Web 2.0] It's really about data and who owns and controls, or gives the best access to, a class of data. • As far as I'm concerned, web 2.0 is still in it's really early stages, and the reason is because the data isn't all owned yet.
Overview • User’s privacy experience is a combination of law and technology • Nothing inherently bad for privacy in providing services that people want • Concern is deployment • Development of “user expectation”
Defining the Privacy issue for Web 2.0 • Use of PI information you provide to one entity for one purpose by another entity for another purpose. • Commodification of digital dossier • Webcrawlers, search, and sales • Permanence of the data. • User generated or company collected • Link between online and offline identity • Market demand is not be best way to evaluate user privacy concerns absent adequate notice.
Massive Change in the nature of advertising • “Ad networks and search engines such as Google can now target banner ads to customers who have demonstrated an interest in content related to the ad, even if the page has nothing to do with the advertiser's product.” • -Businessweek.com 4.14.07
Massive Societal Change • Distorts boundary between • public and private spaces • Intimate and extended networks • Public and private time • What we do is influenced by who else knows what we’re doing. • Eliminates opportunity to experiment while young (myspace vs. basement/diary) • Loss of Control (who owns transactional data) • Pecuniary harm (identity theft)
The Law • Constitutional- “expectation of privacy” • Statutory- “silo approach” treats different kinds of information differently • Medical (HIPPA) • Financial (GLB) • Video (VPPA) • Cable (Cable Act) • Policy- privacy and other policies • Dmca notice and takedown • CDA limitation on liability
Top-Level Privacy Questions • What information do you collect, is it PII, how long is it held for? • Who do you share it with and under what circumstances? • Do you augment this information with data from other sources? • What internal protections do you have to prevent disclosures?
Building Privacy In • Interface • How do you know if you’re “live” • Opt in/opt out • Collection of information • Who holds it • How long is it kept • Is it personalized • Third party access • In what country?
Think about these things early! • What does the user want? • What do your partners “really” need? • What might third parties come looking for? • What kind of press can you look forward to? • Where might the law go? • Innovate in privacy!
Part of a Joint Project • Generator for • Terms of Service • Privacy Policies • Participants • David Hornik, August Capital • Cyberlaw Clinic at Stanford Law School • Berkman Center at Harvard Law School
Previous initiatives • P3P (http://www.w3.org/P3P) • Privacy Bird(http://www.privacyfinder.org) • OECD - Privacy Statement Generator(http://www2.oecd.org/pwv3) • Others (see http://www.w3.org/P3P/implementations.html)
Improvements • informed choice • educational explanations • explanations of the provisions which may be chosen • graphical tags • Creative commons model • Technical architecture • „EFF approved“
Potential • Useful tool to reduce repetitive work • Educational benefit • Point of reference to learn about best practice • Retrievability (chicken and egg problem with privacy bird) • Data about companies‘ preferences
Conclusion • There is a lot of good in this space, coupled with both positive and negative externalities. • Who is the party best able to address them? • Government(s)? • Lawyers? • Technologists? • -innovators?
Privacy and User Generated Content Lauren Gelman Center for Internet and Society Stanford Law School cyberlaw.stanford.edu email@example.com