Abstract:
The unprecedented sharing of private information on the Internet is leading some to herald the demise of privacy. It is far too facile, however, to conclude that because people are sharing private data online, they should expect no privacy. The need for confidential disclosure is no more prevalent than when sensitive information such as dating profiles, candid thoughts and past substance abuse is revealed in online communities. What happens when information leaks outside these communities? Traditional remedies will likely fail to protect people when members of an online community violate the confidentiality of other members. In this article, I contend that the law can ensure confidentiality for members of online communities through promissory estoppel. This is the first article proposing the application of promissory estoppel via a website’s terms of use as a method for protecting disclosure in online communities. Under the third-party beneficiary doctrine or the concept of dual agency, these agreements could create a safe place to disclose information due to mutual availability of promissory estoppel.

Hartzog goes on to quote Professor Daniel Solove in a passage on practical implications:

The use of promissory estoppel to protect self-disclosure in online communities is consistent with many legal and public policy considerations besides privacy. Additionally, it could help create a stronger normative culture of confidentiality to protect the well-being of online community denizens. Professor Daniel Solove has asserted that “[p]rivacy, in the form of protection against disclosure, regulates the way people relate to others in society…[I]t promotes one’s ability to engage in social affairs, form friendships and human relationships, communicate with others and associate with groups of people sharing similar value.” … His conclusion underscores the need to create a safe place for disclosure online.

The four part analysis of whether a promissory estoppel should be applied is proposed as:

1) Was there a clear and definite promise?
2) Did the promisor intend to induce reliance on the part of the promisee, and did such reliance occur to the promisee’s detriment?
3) Must the promise be enforced to prevent an injustice?
4) What are the damages?

Hartzog ends his paper:

The proposed theory of recovery advances privacy as control over personal information, one of the foundations of information privacy law. It focuses on reliance instead of a commercial-based bargain theory. It also encourages speech by offering a safe place for sensitive self-disclosure and an easier process by which potential disseminators of information disclosed within a community can determine the appropriate level of discretion to apply to accessed information.

Ideally, if utilized over a significant period of time, the promissory estoppel remedy could create a stronger normative culture of confidentiality through improved channels of internalization of duties of discretion. Additionally, the solution is likely compliant with the First Amendment, as analyzed under the Cohen standard. Finally, although the available damages under promissory estoppel are less than that in tort, the theory could potentially have an effect on other torts, such as the tort for breach of confidentiality.

It is difficult to predict the full impact adoption of the promissory estoppel remedy would have for online communities, but the provision of a safe place for users to disclose personal information online would likely promote both speech and the personal well being of online community denizens.

A few years ago it was very hard to do so, but possible, because nearly all the stuff being hosted was simple text with an occasional image or graphic. Then, our bandwidth increased and digital media creation tools were delivered into the hands of ‘the rest of us’. We quickly outstripped our ability to host and manage all our content and a market for hosted applications was born. It hit its stride with Web 2.0.

The boom created a fantastic amount of opportunity. It also stripped us of control. While we were distracted by all the shiny new toys being offered over AJAX, we forgot that owning our own stuff was important.

Today, we’re back to the time when most of the people on the web were seeing it through the AOL lens. Our data lives in silos and some of these silos even claim that your stuff is actually their stuff (have YOU read the Facebook Terms of Use?).

When you post User Content to the Site, you authorize and direct us to make such copies thereof as we deem necessary in order to facilitate the posting and storage of the User Content on the Site. By posting User Content to any part of the Site, you automatically grant, and you represent and warrant that you have the right to grant, to the Company an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use, copy, publicly perform, publicly display, reformat, translate, excerpt (in whole or in part) and distribute such User Content for any purpose, commercial, advertising, or otherwise, on or in connection with the Site or the promotion thereof, to prepare derivative works of, or incorporate into other works, such User Content, and to grant and authorize sublicenses of the foregoing. You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content. Facebook does not assert any ownership over your User Content; rather, as between us and you, subject to the rights granted to us in these Terms, you retain full ownership of all of your User Content and any intellectual property rights or other proprietary rights associated with your User Content.

We need to swing the pendulum back the other way. We need to be able to host ALL our own stuff, or at least, be the proxy whereby we manage access to all our own stuff (even if it’s hosted on a vetted, corporate-backed network in a large datacenter somewhere in the ‘cloud’).

When you come to see my pictures, you come through gallery.terrellrussell.com – but the images could actually be served from Flickr via API. And if/when I change that arrangement and move to smugmug.com via API, you’d still access them through gallery.terrellrussell.com.

I want dynamic sharing. I want to be able to put all my bits in one place (for sanity, for ease of backup, etc.) but I want some control over how those bits are shared with others (if at all).

I want dynamic privacy based on a set of rules. These rules can be simple. These rules can be complex. There can be sets of rules that seem to cover 80% of the people 80% of the time. The flexibility in a system like that would be paramount – how we deal with that flexibility is a different problem to be solved.

I want sharing rulesets that determine which stuff is visible and which stuff isn’t. I want to have rulesets that determine this visibility by viewer, type of data (pictures/video/status), viewer tags, tags on the data, reputation from a third party, time of day, time passed since the creation of the stuff… Let it be whatever – that’s the point. A rules engine that can handle arbitrary rules and apply them on the fly.

The graphic above is a first attempt at drawing what I want. People will come to get stuff from me (or send stuff to me). Their request will be processed through a set of rules I’ve put in place, identified as coming from a person/device I know, and then filtered through whatever authorizations that person/device has been granted. If they are then allowed to see or receive what they’ve requested, I’ll send it to them.

This has to be done with open source tools and protocols and we’ve already got two of them in the wild. OpenID for authentication and OAuth for authorization. Additionally, we have XRDS-Simple for service discovery. We need an Open SharingRulesEngine (OShaRE?).

I want to have a full audit of how my stuff is getting accessed. I want the ability to drill down and figure out what’s going on. Not that I’ll use it very often – but I want to know that I can.

I want to be in control of who sees my content. If you see a photo I took, embedded somewhere else, I’d like to know that happened. I’d like to have a feel for where the edge of my ‘influence’ lies and how it’s interacting with the rest of the world.

We’ve seen rules engines and rulesets and recipes before. They exist for business and email (procmail) and distributed archival infrastructure (iRODS). Help me build one for granting access to my stuff!

This could all be a pipe dream. I’m not convinced one way or the other (the current sticking point is the realization that the gatekeeper software has to know about every piece of content I create/store… complex… but doable…). But I do know that if the option for individuals to host their own identity and their own content is available, the market for innovation will move that much faster. And that’s almost always a good thing.

Whaddya say? 2 years for basic infrastructure that can do this? 5-7 years before it’s polished and anyone is using it but me?

- Lots of people post things to social network sites.
- Some of these things are private (friends/family type of private).
- The users understand and follow the rules, and protect themselves.
- There is a bug in the system.
- Their private stuff is now available to anyone.
- Someone grabs the content.
- Then redistributes it anonymously and efficiently.

What we’ve not seen yet…

- Talking heads blowing it out of proportion.
- Reactionary bad law passed to ‘fix’ it.

Hopefully, with more mainstream news coverage and widespread understanding and adoption of better privacy practices and controls, we won’t get to the point where we have any more bad law. But I wouldn’t bet on that happening.

As of this writing, there are 4 seeders and 340 downloaders on thepiratebay torrent link. 17GB of photos. 567,000 images.

Yes, I’d say this has blown up.

Word of Caution

We sometimes forget we’re in uncharted territory. We are playing with the new shiny toys of the internet and not necessarily understanding the implications. These tools provide great power across the board. Users gain abilities to connect, find, sort, and publish in ways never before available. Conversely, companies gain abilities to monitor, gather, and sell more personal information than ever before. Additionally, third party observers gain the ability to observe at a distance and in numbers never possible in the physical world.

And we don’t yet know all the rules.

With all these new powers, our nuanced understanding of how we interact and the ramifications of our various ‘digital’ actions have not kept up with our abilities. We don’t know how these things “break” yet.

I would argue that this MySpace leak (as well as the Facebook minifeeds and Beacon) are examples of how these systems can break in explosive ways – ways that were not possible, and on a scale that was not possible before we were ‘hyperconnected’ and ‘always on’.

Please pay attention to what you post. Please think through what happens when it is made public. Please consider how our systems break – because it’s rather a question of “when and how” than a question of “if”.

Update: Fred weighs in, referencing this post
Update: Michael Zimmer referencing Fred

As I wrote over at claimID, we had an incredible few days. There was a new energy in the air this time as interoperability was assumed and a focus on services began to take centerstage. There was a lot of talk about Reputation, OpenID 2.0, and OAuth 1.0. We’ve got the pieces now to begin building compelling applications and services. The business models will be appearing in May at the next conference.

We even had an impromptu OAuth party on Tuesday night in honor of the spec being released. Smarr/Recordon/Wachob/Hammer-Lahav/Messina and myself.

I ran a session on Tuesday morning on OpenLifeBits (thanks to John Panzer for the wiki notes) – and had some excellent feedback as well as discussion around what we should be building to house/manage our personal information. How do we define these bits and who owns this content? Is the information we have housed in the corporate silos our own? If someone else is involved in the creation of a particular piece of data – do we both own it? Do we own it jointly with the company as well? A friend request on Facebook – who’s is that to share? Mine? Hers? Facebook’s? Legally, today, it’s Facebook’s.

I’ll take credit here for two quotes captured on the wiki:

“Stalkers were on MySpace, now Facebook _is_ the stalker.”

A little over the top – but definitely something I feel strongly about. We’re seeing individuals post more and more personal information into corporate repositories willingly and without due consideration for where their information is visible and/or to be used under the terms of service.

I see Beacon as part of a greater slippery slope – we’ll all be living, publicly documented, without recourse.

“It’s a good thing that a bad thing became public” — on FB Beacon.

I feel strongly that Beacon is only the first public-facing version of what these large corporations have been doing for years. It is completely naive to think that companies will give away their services for free to the consumer without trying to leverage what they learn through statistics and demographics to make money. They have to have a bottom line, or they go out of business. Free or not, this stuff costs money to run.

When Facebook shows the public what is possible with their data, at first we squirm and yell, then we realize that we like more targeted information – it becomes less about SPAM and more about information we actually wanted.

The tricky part lies in where that fuzzy line of ‘worth it’ is drawn. Is it worth it for me to give my information to a company so I can get a free burger or $5 off my next box of detergent? For most consumers, the answer is clearly yes – or we wouldn’t continue to see these types of offers.

A quote from Alison Black:

Getting inside people’s decision-making, to inject caution before commitment is likely to be extremely difficult (even with well-understood hazards, such as smoking and alcohol, health educators have difficulty getting their message across). But given that there is a likelihood that many people will continue to act humanly and, therefore, incautiously, there is an opportunity for companies to commit openly to respectful data handling. It may cramp their style for trading data in the future, but as more companies commit themselves to rigorous standards, those that don’t will stand out. Maybe this contrast could pique people’s consciousness just enough for them to ask ‘whatever they’re offering, do I want to hand my data over to them?’

When things like Facebook Beacon force us to realize what is happening behind the scenes, we’re more likely to have informed opinions in the future (which is a good thing). That said, I’m not holding my breath for when we’ll see all these companies go with opt-in as their default. In today’s market, it just doesn’t pay nearly as well.

This is exactly what they should do and what they should have provided at the time of the launch of Mini-Feed and News Feed.

Both Fred and danah have weighed in and for the most part, I think this will be a truly pivotal moment for Facebook. They’ve messed up, said as much, and provided a set of tools to win back the trust of their community. The students will not flee – and the next Friendster has yet to be identified.

Good job Facebook.

And like I said, they do get it and they will change things to make it work. The fact that they knew they were racing the clock is a good indication of how they’ll fare. Don’t count them out yet.

An Open Letter from Mark Zuckerberg:

We really messed this one up. When we launched News Feed and Mini-Feed we were trying to provide you with a stream of information about your social world. Instead, we did a bad job of explaining what the new features were and an even worse job of giving you control of them. I’d like to try to correct those errors now.

When I made Facebook two years ago my goal was to help people understand what was going on in their world a little better. I wanted to create an environment where people could share whatever information they wanted, but also have control over whom they shared that information with. I think a lot of the success we’ve seen is because of these basic principles.

We made the site so that all of our members are a part of smaller networks like schools, companies or regions, so you can only see the profiles of people who are in your networks and your friends. We did this to make sure you could share information with the people you care about. This is the same reason we have built extensive privacy settings – to give you even more control over who you share your information with.

Somehow we missed this point with Feed and we didn’t build in the proper privacy controls right away. This was a big mistake on our part, and I’m sorry for it. But apologizing isn’t enough. I wanted to make sure we did something about it, and quickly. So we have been coding nonstop for two days to get you better privacy controls. This new privacy page will allow you to choose which types of stories go into your Mini-Feed and your friends’ News Feeds, and it also lists the type of actions Facebook will never let any other person know about. If you have more comments, please send them over.

This may sound silly, but I want to thank all of you who have written in and created groups and protested. Even though I wish I hadn’t made so many of you angry, I am glad we got to hear you. And I am also glad that News Feed highlighted all these groups so people could find them and share their opinions with each other as well.

About a week ago I created a group called Free Flow of Information on the Internet, because that’s what I believe in – helping people share information with the people they want to share it with. I’d encourage you to check it out to learn more about what guides those of us who make Facebook. Tomorrow at 4pm est, I will be in that group with a bunch of people from Facebook, and we would love to discuss all of this with you. It would be great to see you there.

Thanks for taking the time to read this,

Mark

Update: Just found Charlie O’Donnell’s post. Sharing a mind is a tough assignment.

Search data recently released from AOL allows anyone with some intrepid follow-up skills and some social engineering to quickly narrow in on unique individuals – individuals who never considered their independent searches were being aggregated by their ISP. A recent flurry of activity designed to protect us from the search engines signals a slumbering uneasiness with this situation. Something dark has been uncovered and in the short term there is much handwaving and interest. However, as time passes, we’ll fall back into our ‘normal’ ways and continue to put our most personal information-seeking into that gloriously simple bare single box. “It’s just too convenient”, you say. “They’ve done nothing wrong.”

And here’s where the discussion changes. It’s not about Google. Or MSN. Or Yahoo. It’s about one person. Or one subpeona. The fact that it’s all being aggregated is the problem. The fact that there’s a potential for negligence, court-order or simple employee curiosity has profound implications for a great number of people. That is what makes this discussion so important.

Note that the reason employees could inappropriately access sensitive information was because it was sitting in databases they could get to – not because it was present on a card in someone’s wallet.

Centralized databases worry me way more than any other aspect of this technology.

- Kim Cameron

We need to understand that our daily breadcrumbs – our attention – our personal interests in where we’re going and what we’re looking for and what we’re buying, are all being sucked up and stored with a unique identifier. We need to realize we’re broadcasting our attention and that it has great value to those who would suck it up. Inform yourself and make a conscious decision about where you spend your time and what you look for. You’re not alone while you surf. AOL has shown us the light.

And onto IM…

Most users think they’re anonymous behind their instant messenger accounts. They think their words aren’t being recorded. You think your friend on the other end of the IM doesn’t have her auto-logging turned on? And that it’s not fully searchable later? Severe paranoia and tin-foil hats notwithstanding, you’re being very naive.

And that’s just your friends. How about when the person on the other end reports you?

Earlier this week the UK government-funded Child Exploitation & Online Protection Centre announced a partnership with Microsoft Messenger. Messenger will be putting a button on the toolbar to allow any user to ‘report abuse’ to the authorities. This is a dangerous precedent. How is this any different than the Terrorist Information and Prevention System (TIPS) program proposed by the US back in 2002?

How much money will be tied up in the next 12 months because of this trigger being too easy to pull? How many prank reports will eat through the government funding? How will danah boyd react to the feeding frenzy this will create once the first one is ‘caught’?

Be aware of what you project. Be aware that this is a global medium. Be aware that it’s being broadcast and recorded. This Internet thing will be around for a while.

My firm belief is that the net effect of the Web 2.0 movement will be a marked loss of privacy on the internet, one which leads to big business knowing more about you than it ever did before.

He then moves quickly into talking about how these conglomerates will eventually own all the marketing data it can buy and proceed to advertise, advertise, advertise.

When the Web 2.0 bubble bursts – when the massive buyouts are done, the millionaires are made and the sites we love today are in the hands of big business – the innovation will grind to a halt, and what’s left will be the endless grinding of the marketeering machine.

If anything, I think this is the blunt end of the stick.

The other end is much more dangerous as, once this data is aggregated and compiled, it can be singularly lost or sold to more unscrupulous characters. Big business being what it is – is not the boogeyman here. I am concerned, same as Will, about large corporations feeling they can advertise personally to me whenever and wherever they want – but I’m much more concerned about their potentially cavalier tossing around of all this personally aggregated data without scrubbing it for merely statistical purposes.

Ideally, we move to an identity metasystem (with identity providers and identity brokers) and these companies only know what we let them know about us. Arguably, we can do that today without more software or more technical tools to trickle into mass adoption, simply by not playing – not participating – but that kind of defeats the point of having the conversation, doesn’t it? We need tools to protect us AND that let us do what we want to do online – buy, sell, communicate.

Eventually, online life and offline life will be a blurry distinction that nobody bothers to make. It will just be life.