Over the past two weeks there have been another series of high profile headlines around internet privacy.
To some this is a generational issue – old foggies (Boomers and even Gen-Xers), like yours truly, are far more worried about privacy than Gen Y or Millennials.
I made the point in a series of tweets during the WIT conference in Singapore and I am surprised that more people didn’t pick up on it.
But the lightening rod issue of the moment was the revelation that Facebook and MySpace apps were regularly pushing identifiable personal data out to basically anyone who wanted it via a company called Rapleaf.
Both social network sites immediately acted and shut down several of the offending apps.
On digging further it became apparent that the actual source of the identified personal data being handled was Rapleaf.
Earlier this week, the Wall Street Journal (with a full time team focused on the issue under the banner “What do they know?”) published an expose on Rapleaf and its customers.
Covering a page and a column in print – it makes for some sobering reading.
I genuinely believe that Rapleaf, which has become something of a bête noir in all of this, THINKS that it is doing good things.
However it's very much like the Googleplex. If they can do wrong they will. However, shed no tear for Rapleaf – they just took a large chunk of VC cash.
What I recommend you do is to read the Rapleaf Privacy Policy, and check out its Terms of Service. More sobering reading.
The WSJ picked on one of the companies using the RapLeaf service. Twitpic, a photo sharing plug in for social networks, which should be a relatively harmless application.
However on close examination there is a lot that should worry everyone. In its privacy statement, Twitpic has a number of interesting clauses. Admirable individually, but when you look at the context of what is written, you might think again. For example check out the opt out clauses:
“Business Transfers. In some cases, we may choose to buy or sell assets. In these types of transactions, customer information is typically one of the business assets that is transferred. Moreover, if Twitpic, or substantially all of its assets, were acquired, or in the unlikely event that Twitpic goes out of business or enters bankruptcy, customer information would be one of the assets that is transferred to or acquired by a third party. You acknowledge that such transfers may occur, and that any acquirer of Twitpic may continue to use your personal information as set forth in this policy.”
Pretty much boilerplate. But then look at the context of another few clauses:
“This Privacy Policy may be updated from time to time for any reason; each version will apply to information collected while it was in place. We will notify you of any material changes to our Privacy Policy by posting the new Privacy Policy on our Site. You are advised to consult this Privacy Policy regularly for any changes. This policy does not apply to the practices of third parties that Twitpic does not own or control, including but not limited to third party services you access though Twitpic, or to individuals that Twitpic does not employ or manage.”
If that doesn’t scare you, then I don’t know what will. How many other sites have these types of clauses?
In fact, in travel we find many clauses like this.
So following the advice of the WSJ, I set about learning how to control my life online.
I contacted RapLeaf and they directed me to the website, where I put in three separate email addresses.
Two matched, the other didn’t. Understanding what the company knows and how they can push that out to interested parties is just scary to me.
I have long suspected that Google has this data on me as well, but probably far deeper. The moralist in me says that capturing data about me in an anonymous fashion is okay but identifying me directly is just plain wrong unless I am in control.
Clearly I am not. Data are being sold about me that I have no real control over. Indeed the arrogance of Rapleaf and others is that the onus must be on me to protect my own identity online with few, if any, tools.
The companies buying and selling my data (indeed mining it in all forms of ways) have the right to do this with impunity just by writing some funky words in their policy. The European model is far safer but still relies on the user to uncover the abuse.
Did my reading of my profile at Rapleaf make me feel uncomfortable? Darn right it did. However the helplessness I feel is palpable.
My advice is go and check out the information they have on you. Register here.
It is a bit naughty – for example it will not automatically log a user out – so data are just sitting on the IP for more scammers to come along and obtain it.
Not allowing the activity to be tracked via cookies means that you will miss out on the overall experience of a site.
Controlling your personal identity or rather controlling the image of your persona online is a new field. I think some people will want to do this aggressively but the vast majority will passively accept it.
In that case, governments must step in and address some of the abuses.
In travel, where there is such a huge component, behavioural targeting can be good but also bad.
Now understanding how Google could take that data and create targeted offers is scary. Not having a clear way to protect one’s identity should make all of us be very worried.