user control

Why Privacy Matters, the Tinfoil Hat Version


Hi. We're your new overlords.


Hi. We're Apple.


We are delighted to inform you that regulations require you to carry a device that:

a. Tells us where you are at all times;

b. Records who you talk with, and for how long;

c. Can be used to record exactly what you say, and the responses of other participants in these conversations;

d. Collects email and text messages sent by you and to you.

You will never be informed when this information is examined by anyone.



Buy a phone. It's cool.


You must tell us everything you do, no matter how trivial. Identify your friends and acquaintances, and how you know them. We expect you to check in with us at least several times a day, every day.


Install apps for Facebook, Twitter, and Foursquare.


Tell us everything you are curious about.


Install apps for Google and/or Bing.


Pay us, because tracking you and sorting through all the information you give us takes time and we need to pay people to do it. Additionally, we need to sell your data to advertisers, marketers, or possibly just hand it over to law enforcement regardless of whether or not they have any legal right to have it, and your data doesn't package itself. Your data is worth money, and you must pay us because we value your data. We value it so much that we will sell it, because that lets us make more money. So pay us. We need to continue watching you.


You will be charged a reasonable monthly fee for these services.

Thank you,

Your new overlords

There Is No Such Thing As A Privacy Setting On Facebook

All of the recent discussion about Facebook's change to its privacy policy obscures one frequently minimized point: privacy doesn't really exist on Facebook. While there is minimal control over what appears onscreen, this should not be confused with real, actual privacy, or the ability to control what is known about you. Facebook has your information, and by virtue of using their site, you have provided them a degree of control over your personal information.

This becomes particularly apparent when looking at Third Party Application developers. These external applications can access data in ways that are not immediately obvious to the end user, and in some cases this seems to work against people's obvious desires. In short: third party applications get the same access as the account that installed them, so if your privacy settings are set to friends only, and a third party app installed by a friend requests your information, it can get it. So, your privacy is as good as your least discreet friend's judgment.
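The access model just described can be written down as a few lines of code, which makes the leak easier to see than the prose does. The following is an added toy model, not Facebook's code or API: a profile carries a visibility setting, an app acts with the permissions of whichever account installed it, and so a "friends only" profile is readable by any app one of your friends installs. The `allow_friend_apps` flag and the `hardened` path are a hypothetical per-user control added here to show what a mitigation would have to look like (a setting on the data owner, not on the installer).

```python
"""Toy model of delegated third-party app access (added example, not
Facebook's code). Demonstrates that friend-only data leaks through an
app installed by a friend, and what an owner-side control would change."""

from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    visibility: str = "friends"          # "public", "friends", or "only_me"
    friends: set = field(default_factory=set)
    installed_apps: set = field(default_factory=set)
    # Hypothetical owner-side control: refuse reads by apps installed by friends.
    allow_friend_apps: bool = True
    profile: dict = field(default_factory=dict)


def can_view(viewer: User, owner: User) -> bool:
    """Plain profile visibility check between two accounts."""
    if viewer is owner:
        return True
    if owner.visibility == "public":
        return True
    if owner.visibility == "friends":
        return viewer.name in owner.friends
    return False                          # "only_me" or unknown setting


def app_read(app: str, installer: User, owner: User, hardened: bool = False):
    """Return a copy of owner's profile if `app`, acting as `installer`, may
    read it; otherwise None.

    Default path: the app simply inherits the installer's view of the owner.
    Hardened path (hypothetical): the owner's own setting is consulted before
    an app installed by someone else is allowed through."""
    if app not in installer.installed_apps:
        return None
    if not can_view(installer, owner):
        return None
    if hardened and installer is not owner and not owner.allow_friend_apps:
        return None
    return dict(owner.profile)


def scenario():
    """Constructed sample: Alice is friends-only; Bob, her friend, installs an app."""
    alice = User("alice", visibility="friends",
                 profile={"email": "alice@example.com"})   # constructed value
    bob = User("bob")
    carol = User("carol")                                   # not Alice's friend
    alice.friends.add("bob")
    bob.friends.add("alice")
    bob.installed_apps.add("quizapp")
    carol.installed_apps.add("quizapp")

    leaked_via_friend = app_read("quizapp", bob, alice)     # inherits Bob's access
    stranger_blocked = app_read("quizapp", carol, alice)    # no friendship, no read

    # The only thing Alice can change that helps is a control on her side.
    alice.allow_friend_apps = False
    hardened_blocked = app_read("quizapp", bob, alice, hardened=True)

    # Alice's own apps are unaffected by that control.
    alice.installed_apps.add("quizapp")
    own_app_ok = app_read("quizapp", alice, alice, hardened=True)

    return leaked_via_friend, stranger_blocked, hardened_blocked, own_app_ok


if __name__ == "__main__":
    for label, result in zip(
        ("friend's app", "stranger's app", "friend's app (hardened)", "own app (hardened)"),
        scenario(),
    ):
        print(f"{label:28s} -> {result}")
```

The point of the model is that the `visibility` setting never enters the app's request at all once a friend has been granted a view: the default path has no place where Alice's wishes about apps can be expressed. Whatever the real platform's settings screen shows, the check that matters is whether the data owner, rather than the installer, has a say at the moment of the read.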

But issues around abusing privacy aren't new for Facebook. They have these types of issues a few times a year, every year. Flash back to the launch of Beacon:

"Facebook still collects your data. Whether or not they show it onscreen or not is only marginally relevant. They have records of how you have used their site, and that information is valuable to people who want to sell you things."

Facebook has a well worn track record of disastrous handling of user data. In the beginning of 2009, Facebook pre-emptively changed their ToS. People were not happy, but people should not be surprised, as this is normal behavior for Facebook.

And Facebook's current "privacy policy" has some gems -- really, there are too many to list, but my favorite is probably from Section 3: Information You Share With Third Parties: "We take steps to ensure that others use information that you share on Facebook in a manner consistent with your privacy settings, but we cannot guarantee that they will follow our rules." Translation: People will get your information through our site, and we don't really have much/any control over what they do with your information.

And, of course, Facebook can change their privacy settings at will, thus eliminating the illusory value of these settings in the first place, as illustrated by this very conversation.

Some other good reads on this:

Google Apps, and Privacy

I came across another discussion on the use of Google Apps within K12 organizations -- this is a lightly edited version of my reply in that thread:

With Google Apps, the real value for Google isn't in "owning" your content. The value for them is in mining it, and then using that information to hone their business selling ads and working with affiliate advertisers -- and their privacy policy expressly states that your data will be used in this way.

From Google's Privacy Policy, at http://www.google.com/privacypolicy.html


Log information – When you access Google services, our servers automatically record information that your browser sends whenever you visit a website. These server logs may include information such as your web request, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser.

So, they can track a request for a specific web site to a specific user, and can keep track of what an individual does over time.

Affiliated Google Services on other sites – We offer some of our services on or through other web sites. Personal information that you provide to those sites may be sent to Google in order to deliver the service. We process such information under this Privacy Policy. The affiliated sites through which our services are offered may have different privacy practices and we encourage you to read their privacy policies.

The approximate translation: when using Google Apps, you might get sent to another site, and this site might have a different privacy policy, and this site might share a different set of your private information with us. You may or may not know when this is happening, but it's your responsibility to know when to check for the privacy policy of these sites.

Then, the policy goes on to list why Google is collecting this information:

  • Providing our services, including the display of customized content and advertising;
  • Auditing, research and analysis in order to maintain, protect and improve our services;

I've chosen a very small section of the privacy policy here, but the full policy goes into much more detail, including info about geographical data.

For a sense of what can be inferred from even very rough user data, take a look at the fallout that occurred when AOL released search data from its userbase. This search data is nowhere near as precise as what Google collects, but it still revealed an astonishing range of information about its users.

So, when schools are using Google Apps, every member of that community is participating in unpaid marketing research. If you are buying Google Apps as part of a service, you are paying to participate in market research.

As a closing thought, I'd like to hear the conversation that would ensue if a person walked into the head of school's/principal's office and said the following:

"I'd like to enroll all of our Middle School students in an unpaid marketing research program. They'll never know it's going on, and every facet of their online collaboration will be tracked as part of the study. Oh, and it comes with email."

Hands Off

In an earlier post this year, I held out hope that 2009 would finally be the year where people started taking data ownership and data portability seriously.

As Facebook often does, they help illustrate why this is relevant, and why this is something people should care about.

The fun began a few weeks ago, when Facebook changed their Terms of Service. Last weekend, Consumerist described the specifics of the changes:


Facebook's terms of service (TOS) used to say that when you closed an account on their network, any rights they claimed to the original content you uploaded would expire. Not anymore.

Now, anything you upload to Facebook can be used by Facebook in any way they deem fit, forever, no matter what you do later. Want to close your account? Good for you, but Facebook still has the right to do whatever it wants with your old content. They can even sublicense it if they want.

To summarize, the old version of Facebook's Terms of Service used to specify that, when a person deleted their account, their content went with them (and never mind that the process of deleting an account has proven, well, troublesome for some).

Facebook founder Mark Zuckerberg initially defended the change (does this remind anyone else of the response to Beacon?), but 24 hours later Facebook announced that they would revert to the original terms of service.

But really, the hue and cry over Facebook's terms of service misses the larger point: when you put your data into a hosted service, you are allowing it to slide outside of your control. This is true of most hosted services, including Facebook, Ning, MySpace, etc. Facebook's change of the license terms illustrates a larger point: they control your data. More importantly, sites like Facebook and Ning allow people who have no ties to either company to access your data via third party apps. A quick read through the Developer Terms of Service for both Facebook and Ning shows that developers of these apps can access user data and content, but this creates an enormous gray area: if someone deletes their account, what happens to any data collected by these third party application developers? I would love to hear of the mechanisms in place that measure how application developers abide by the rules concerning user data.

So, when evaluating a platform for use by you, by your class, or within your school, department, district, or organization, make sure to read the privacy policy, terms of service, and any applicable third party developer terms of service. All of these affect how the work of people within your site will be treated, and potentially used -- which is especially relevant given that most of these sites include terms that allow for indiscriminate reuse and republication of content posted in the site.

At the risk of stating the obvious, none of these are concerns for sites built using open source tools.

And for those curious about where this ends, it looks like Facebook's interest in user data extends beyond the grave.
