The Age of Consent

Post co-authored with Oded Cnaan, Director Innovation Business Development.

As I said in a previous post, the topic of social media is one I’ll be returning to often.

“There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time.”

George Orwell from “1984”

In the “old days”, before social media sites governed the earth, people were passive spectators in the great “WWW” show. Surfing the Web was about searching and consuming content with very little personal exposure. Back then, passionate discussions were held about the potential danger of cookies as they could reveal your IP address, and most people did not even consider disclosing their email address in public sites.

But this is all water under the bridge. Today, with more than 500 million Facebook registered users and 105 million Twitter users and 370,000 added daily, the rules of the game have definitely changed: most social network sites require users to provide personal profiles. Some sites, like Twitter, ask for only basic information while other, like LinkedIn and Facebook, offer a very detailed profile that includes personal details, employment and education history, likes and interests and more.

Many service providers are already exploring ways for leveraging social media in their business but still hesitate to harness its full power due to privacy limitations. As usual, technology advances much faster than laws. The existing legal and regulatory frameworks in Europe and the US date back to the 1980s and 1990s, and do not provide the necessary means to handle the new era of communications.

European laws and regulations are far more restrictive than those found in the US. Unlike the US which has adopted the “opt-out” model, where people need to explicitly opt-out of services, European legislators have taken the opposite approach of “opt-in”. In Europe for example, it is forbidden to collect or store sensitive private data without specific user consent. Moreover, European laws prohibit the transfer of private information about EU citizens outside of the EU (except for several exceptions like authorized territories and Safe Harbor agreements).

Recently, a new bill, submitted in the US on July 2010, suggested adopting the EU approach and restricting the collection, storage and transfer of information without explicit user consent. It’s not clear when (or if) the bill will pass, but it certainly brings a different and more consumer oriented approach to privacy laws in the US.

To add to the headache, privacy laws are very much territory-sensitive. Although there are federal privacy laws in the US, more than 40 states have legislated their own laws, sometimes adding limitations to protect their residents. In the EU, each country may develop a local set of laws in addition to EU regulations.

Impact on Service Providers

Currently, service providers are using social media primarily to engage with their customers via Facebook pages and applications, broadcast new offers and services, publish real-time service problems, and even receive care requests. Although it is possible to harness social media for more advanced services while complying with relevant laws and regulations, service providers are taking a very prudent approach as social media attracts a lot of public attention.

There is huge potential value in integrating social awareness into service providers’ systems and business processes. Social media creates rich data about users as they plug in information about themselves, their interests and activities, and their friends. It also exposes social insights that can be leveraged to improve user experiences that drive real business value. These social insights can be used by service providers to better identify and understand customer problems, improve offerings based on their actual interests and needs, and identify those who are at risk for switching providers. Insights can be translated into targeted promotions and advertising, by offering each customer suggestions or ads on the service provider’s website based on what they have, and what they need. And this is just the tip of the iceberg. Service providers can use social media to leverage the “wisdom of the crowd”— not only for support and care, but also for customer feedback and innovation. It can become a major channel for communications with customers in a way that humanizes service providers and creates new service experiences that combine content and social awareness.

The Bottom Line

When investigating international privacy principles, it seems to us that the key to socially aware applications lies in user consent. In most cases, if the user has expressed his explicit approval to what the service provider plans to do with his or her data, and if the user has a clear view into what type of data is being collected, then the provider is in the clear. On top of that, users should be offered a simple way to opt-out of the service (and have all their data erased) even after they’ve consented. Adopting this approach will open up a wealth of opportunities to service providers and allow them to tightly integrate social media applications and insights into their business processes.

Important disclaimer: Oded nor I are lawyers – it’s just what we have discovered, as layman, about the legal issues that surround the domain. Therefore, don’t use this or misunderstand it as a legal opinion – get your own, if needed.

Incidentally, as background, I (Tal) am active in a working group of the World Economic Forum concerned with “rethinking personal information” – attempting to create a win-win-win situation for government, business, and individuals, in this new era of personal information. Oded is in charge of our strategy regarding social media solutions.

Now, it’s your turn

Do you think it’s possible to reconcile the geographic differences and find a universally workable (and legal) solution to harnessing personal information?

If so, how?

17 thoughts on “The Age of Consent”

  1. There should be one global organization like the InterPol or the UN, which will have personal information of everyone working on the net.
    Each one would have to register himself/herself with this organization and they in turn will provide a unique net ID (like the SSN (US) ).
    So whoever needs to see personal info, will go to the central organization and request, this request in turn will be sent back to the owner or the government (or both) and after proper permissions the requester would be able to view the info..

    This will solve the issue of generating user_name too. Everybody can use their unique net ids as user_names.

  2. This post is healthy and good diet for thought process for people like me who are consumer of social media. Anyways the question at the end is something that in my opinion can never be addressed. Nor in today’s world neither in tomorrow’s more higher fidelity world we can bridge the cultural gaps that we have over the geography. I believe we must come up to define what minimum is expected to be part of social media as a consumer or a provider. And then any of ‘opt-in’ or ‘opt-out’ would work. Rest is up to people to think if not decide.

  3. IMO, there should first be a law for complete disclosures of personal data storage & sharing by companies.
    All social media & eCommerce companies should disclose – in layman’s terms – to their users exactly how much of their peronal infomation is being stored and shared with third party. Something like the following statement, rather than the hard-to-understand & vague legalese, in up-to-date Privacy statements:

    “We are sharing the following of your personal details with X, Y,Z companies:
    1. Your name
    2. Your email ID
    3. Your past purchases/tags/favorites

    This will help users better understand a company’s privacy policy, & decide whether to opt out or not. Somewhat like Twitter’s Security settings, where one can decide which third-party app can access user’s twitter a/c.

  4. Appreciate the food for thought!

    I particularly liked the section “Impact on Service Providers” and would like to add that, if analysed closely, one would realize that not only Service Providers there are others running the race for “personal” information. To start with, INQ Social Mobile has been attempting to consolidate all the social media’s together with native apps on the phone. It launched the first cell-phone to have the twitter feed on the home screen in the native mode. I understand the fact that INQ has not been able to actively capture the market share but on a second note, the rumored Facebook Mobile is a concept on the similar lines.

    The main motive of Google behind the Andriod platform is also considered to “accumulate as much personal information and usage habits (interests, activities, likes, dislikes, geo-positioning, application habits, friends & social circle) as possible” and what better a device than cellphone which a person is gonna carry 365x24x7.

    Coming back to the original argument, I’d want to add that it’s not Service Providers who alone stand to be benefited.. The impact could be much more wide-spread than our imagination 🙂

    Regarding the Opt-In and Opt-Out.. Mugdha, I agree to your point about Twitter’s security settings about application access. Twitter excessively uses the OAuth and XAuth for integration with external services. Facebook also abides to this form of authentication (Facebook Connect), however Facebook/LinkedIn has data on different levels and different types and that is where the humble unaware end-user gets confused. The sample statement you added actually would solve the mess to a huge extent..

    Till then, we all are aware the risks of putting things up on the internet / on the cloud.. Call it ol’ fashioned, but I do believe that the best security would come only when the internet user understands the good, the bad and the ugly of the online world and takes care of his/her own virtual privacy..

  5. User privacy in the digital age is truly a complicated issue. Consent goes against the interests of corporates and brands, and a major argument against regulation would be the potential damage to the healthy turn of much larger economic wheels.

    Consider these three examples. how would regulation treat them, separately or as part of the same principle?
    1. A credit card provider presents 3rd party offers to consumers on their monthly statement, based on analysis of their purchasing behavior.
    2. A communications service provider presents various offers to its customers based on analysis of their usage behavior.
    3. A social network provider presents ads to its users based on analysis of their social graph and click behavior.

    Or consider this: as a consumer, I HATE the fact that Google profiles the heck out of me based on the many searches I run on their engine. But as an advertiser, I LOVE the advertising interface and the powerful segmentation options they present to me. I don’t envy the regulators who need to sort out the balance in these multisided relationships.

  6. A little thought on the consumer in all of this. First of all, great post, and very thoughtful, not to mention realistic. It’s very easy to get sucked into the hype about social media and it’s a rude awakening to discover just how legally challenging it can be.

    However, the key thing that stands out for me is that the end consumer is fast becoming the broker for internet based commerce. Discussion of ‘opt in’ and ‘opt out’ is critical, but has really come about because of companies’ historic knack for getting hold of consumer date purely for marketing and spam purposes. Obviously this is annoying for consumers.

    It seems to me that we’re fast approaching an enlightened age of commerce where it’s much more of a relationship between company and consumer, and one of ‘I agree to give you data about myself, in exchange for x’. Where ‘x’ equals improved service, targetted offers that are strictly relevant etc etc. And this privilege can just as easily be withdrawn.

    If the consumer is king of all this, it’s worth considering how the business model might evolve. I wonder if we’re likely to see 3rd party companies that specialise in data brokerage – a customer signs up with a ‘hub’ type of service and agrees what data will be shared with what types of company. Companies can then say to consumers ‘do you agree for me to contact the hub for information about you’. This will make life a whole lot easier for consumers.

    Finally, the bit problem as I see it at the moment is that I am quite a crowd – I have so many profiles on so many sites that I can’t keep track of it all. I’m personally crying out for a kind of centralised approach to it.

    But will the authorities agree to such an approach – obviously there’s a long way to go….

  7. Interesting idea about registering with Interpol.

    On 15 September 2010 Ronald K. Noble, INTERPOL Secretary Gen, speaking in Hong Kong at 1st INTERPOL Information Security Conference, revealed:

    that recently “INTERPOL’s Information Security Incident Response Team discovered two
    Facebook profiles attempting to assume my identity as INTERPOL’s Secretary General.
    One of the impersonators was using this profile to try to obtain information on fugitives
    targeted during our recent Operation Infra Red. This Operation was bringing investigators
    from 29 member countries at the INTERPOL General Secretariat to exchange information on
    international fugitives and lead to more than 130 arrests in 32 countries.”

    And the obvious question is how can INTERPOL secure information be obtained via FaceBook? Food for thought.

  8. Great post.

    There is some implicit assumption that laws should be economic and serve the international business giants. This is not the case.

    Laws drive behaviour and correct market failures. This is why there’s no need for a law that enforces people to eat icecream and why, on the other hand, there are laws that ask us to pay taxes. Left to their own devices, companies would have acted in ways that might be economic for them but harmful to the public – thus the existance of anti-trust law (price coordination), of labor and employment law, etc. as well as the charm of Google’s ‘don’t be evil’ slogan.

    Since socio-economic conditions, behavior and norms are different from one country to the other, so are laws different to guide the local behavior given the local conditions. Moreover, our wish to influence the laws that apply to us (if we’re fortunate to live in a democracy) would contradict with a global law that would be imposed on us and deminish the sovernity of the state.

    This is why complexity in law is here to stay.
    However complexity is not all bad – lawyers love it and some companies make a fortune from managing complexities… 🙂

  9. There was a nice interview with Geert Lovink (who can be considered expert in social media) on why Facebook will be decentralized and/or disappear.
    Don’t know if you can find english version, see google translate link below.

    Anyway, I don’t see why “global privacy” should be of a concern to service providers. Once user expresses his consent to use the service and exposes personal data up to a certain level, there can’t be possibly any expectation that the data won’t be used. There is local law enforcement, hackers, opt-in third-parties, insider information trading an so on. The people just need to realize that this is the new world and those are the rules.
    Service provider should only care not to expose information beyond the agreement with the users.

    And where those totalitarian ideas about everyone registering to Interpol come from? 🙂 Who are you people?

  10. We live in a world where everybody wants power, and everybody fears power, now we all know knowledge is power, so by giving someone knowledge over our private life we are actually giving that someone power over us.
    Unless that someone uses my data against me, I should be fine with it, like in life. There are things I would keep to myself, and things I would share with others because it serves a certain purpose for me. When sharing things, I do not expect that someone to use what I told them against me, sometimes it involves taking a risk that they will 🙂
    Because we are all people, and we could be easily biased by everything we hear, there will always be a chance that the information we provide anywhere would be used against us.
    This brings me to the conclusion, that legislation should stay out of social networks, let people learn from their mistakes – just like in life – there is no law that prevents me to share my private info with a guy I bump into in a conference or at a bar, why should this be different on the web???

  11. Thanks for all the valuable feedback!

    Ronak, the idea of building a central broker for profiles that will be managed by profile owners themselves is already making its first steps, although not by organizations like the UN or Interpol but by commercial companies. The idea of profile brokerage (see great comment #6 from John Oswald) is currently being tested (see for example) but gets strong opposition as it’s accused of peddling inaccurate information and violating consumer protection laws.

    The brokerage concept, if implemented correctly, is very strong as it empowers people with control over what they are willing to reveal about themselves. However, this model has its limitations. For example, such a brokerage entity cannot store or transfer information about Europeans outside of Europe, which fragments the DB into territories.

    if we try to learn from other initiatives, such as OpenID, we realize that only a small fraction would register to such services which makes them less appealing to advertisers and companies.

    Mugdha, you are right and some countries have laws that mandate them to disclose which info was kept and even erase it if required. True, not all companies comply…

    Sanchit, you are right. Many companies nowadays provide applications that consolidate social media apps with local apps (like the phone’s address book) but they are doing it only for the users’ friends so the footprint is low. Service providers can do it on a larger scale (for example, all users that add their Facebook application) and in a centralized DB (unlike the phone) which puts it under much severe legal constraints.

    Idan, all 3 examples you gave are already available today and implemented by service providers. For example, there are service providers that offer targeted & personalized promotions on the monthly bill. The question is how the information was gathered and treated. Companies that offer such a service use data mining techniques and have no way of identifying the person behind the transactions. Another example (to your 3rd option) is Twitter that provides targeted ads on its site but this is allowed as they are using info already available on their servers and not sharing it with anyone else.

    Avive, you need to consider that many people (not to mention kids) that use social media sites are not aware of the consequences of revealing private info and the laws should protect them. A country cannot leave it only to individuals to take care of their privacy but has to offer mechanisms that would protect the Innocence user.

  12. Just found this interview of Google CEO Eric Schmidt.

    Though the interview is about multiple topics, most interesting is the statement of Eric at the very end:

    “We don’t need you to type at all. We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.”

    That sure hits home the truth that too much of our personal information is already online.

  13. Replying as a private individual (and therefore disclaiming any association of my employer with this opinion), I suspect that no amount of attempts to organize, constrain, punish, or track this activity will have a significant impact on the internetworked community’s appetite for or their ability to connect and socialize. Even the Soviet Union couldn’t stop it, with smuggled-in fax machines overlaying official channels. Whatever technical means are employed to stem this tide, someone will figure out a way around it.

  14. Yes, as privacy is for all intents and purposes, dead. I’m not one to be paranoid, however, what happens to the email address I input in order to make this comment? Just a thought. It’s also not clear to me that we even want one governing ruling body for something like this. The tech savvy among us know not to give out personal information, but the rest of us, probably not. The opt-in model is probably a better call for the rest of you.

    When I clicked on this, I thought this was indeed about the age of consent, and my original thought still holds, meaning, it really depends on what you’re consenting to, for something that may require proof of age.

  15. I think sometimes that the web is being taken over by advertisers, and unknowingly users are being used to propogate that message.

    It’s great to be part of a world community, but we shouldn’t be naive when it comes to exhibiting ourselves and our profiles on the net – there’s certainly a web of deceit out there.

    The idea of having a thought police is akin somewhat to having a store place scan readers instead of people at their checkouts.

    Isn’t it about time that people realised that there is a time for leisure and a time for life – and that there’s a button called turn off.

    1. Hi,

      It’s great to see such terrific response. Obviously, this hits on a “nerve” common to all that use the Internet – which is everybody. We expose ourselves and are, obviously, a bit concerned about what information is gathered about us as we are online (and not).

      I want to thank all who commented – I think you’ve made this a very interesting discussion!

      Some of my feedback to the comments (adding to Oded’s comments in some cases):

      Ronak, it would be great if one could create a single identity – the issue is that that stifles innovation. Most uses of the data, that can, potentially, be in the best interest of both individuals, governments, and businesses would, obviously, be prevented. Thus enormous value would not be exploited by any. Also, the real-time nature of the use and the need to aggregate it and create intelligence from it, make such an entity difficult.

      Mugda, as you say, it’s clear that individuals really want a simple way to understand the implications of using a service. However, more and more it is obscured. Look at Facebook now – paradoxically, the more control individuals get, the less in control they are and the less control they feel they have. A simple agreement would certainly help.

      John, data brokerage is already happening – in real-time. Cookies continuously track what we do everywhere we go and report this. A great way to learn of this is to listen to this NPR radio show. Beware, it might make you consider becoming a monk… but – none of these services do much to notify the user. Some allow you to “opt out” – if you figure out how to do so (which is VERY difficult). The fact that you have multiple online personas doesn’t mean that what you did in the last five minutes isn’t the most meaningful thing about you for many purposes…

      Avive, indeed, information is power. One of the problems is that the information you share with X and with Y can be combined by party Z to create the power wielded against you by party W. Realize that social networks are not just “virtual” – there are real-world implications. Identity theft has HUGE economic impact – in fact, there are about 10 million new victims in the US each year. That means 10 million new people whose identity gets stolen and used illegally – and that means they begin purchasing, taking loans, making commitments, etc. Then it is impossible to recover the economic impact of this from the individuals, not to mention that they have to sort out their issues, which could be painful in many ways.

      Steve, certainly not easy to “get a grip on”…

      Matches, the email you enter is used by ME to screen whether you are a spammer or not. Also, I might want to touch base with you offline. Sorry for misleading you in terms of the “Age” word in the title. Obviously, we meant “age” as synonymous to “era”.

      Lawrence, the interesting thing is that mostly, the Internet provides individuals and many corporations enormous value – otherwise, we wouldn’t use it. The fact that much of this value is “free” is mostly funded through advertising, in one way or another. By the way, that button “turn off” is no longer there, really. You must become a monk/hermit if you want to avoid being tracked. Whenever you seek information, whenever you answer or make a call or send a message, wherever you are with your mobile phone – someone knows about this… what is done with that information is subject of this discussion.

      Thanks again for all the terrific comments and lively discussion – you are all adding value to this.

Leave a Reply

Your email address will not be published. Required fields are marked *


Please type the characters of this captcha image in the input box

Please type the characters of this captcha image in the input box

This site uses Akismet to reduce spam. Learn how your comment data is processed.