As Mark Zuckerberg's deep-held desire to tell the whole world about your relationship status becomes ever clearer, four Democratic Senators have written him a letter with a few complaints and a few requests about Facebook's privacy policies. Specifically, they're concerned about information that can no longer be kept private, information that is stored indefinitely by third parties (advertisers), and the default privacy settings which are very, very open, allowing partner sites to personalize their offerings to creepy levels.
I'll admit that I've given some thought to shutting down my Facebook account, simply because their convoluted and constantly-shifting privacy policies feel invasive and make it very difficult even to understand who can see what. Facebook is pretty dominant in social networking market, and their privacy problems (Gawker has a roundup of the problems here, and the EFF covers the most recent changes) are to be taken seriously. But it's only a part of a bigger conversation about how, in our networked, information-rich society, we will balance privacy with security, with free speech, and with our desire for a personalized, responsive world.
With all the information about us that is now available online in social networks, government databases, and cloud computing resources (like webmail, web-based documents, etc.), the practical expectation of any kind of obscurity or anonymity is increasingly suspect. Last week, Google shed some light on just how un-private our information is, by revealing the number of government requests for user information they had received by country. Brazil and the U.S. topped the list, with each government making more than 3,000 requests in the second half of 2009 (usually for law enforcement). A decade ago, much of this information could only have been discovered via wiretap-- which requires judicial intervention-- and now it's all available the government, upon request.
A big part of the problem here is legal ambiguity. The most up-to-date law on the books is the 1986 Electronic Communications Privacy Act (ECPA) which, though forward-looking at the time, is hilariously out of date now. In 1986, the only e-mail was MCI Mail, which allowed you to download mail directly computer, whereupon it was deleted from their servers. Now, we're living in a world in which much of our e-mail is stored in remote servers indefinitely. Needless to say, nobody saw this coming in 1986, and now all our data-- in Gmail, in Facebook, and elsewhere in the cloud-- is legally unprotected. Put another way, it's highly ambiguous who owns your e-mail: it might be you, but it might just as easily be Google or Yahoo. Fortunately, there are people trying to answer these questions, particularly the individuals, institutions, and companies behind Digital Due Process.
So when the government comes knocking on Google or Facebook's door, how much information should Google provide about you? How much should they be allowed to provide? Does the government need a warrant? How much are we entitled to know about these activities? Can Google be held responsible for user content they host-- as in the recent case in Italy? What about the ISPs, like Comcast and Verizon-- To what degree are they responsible for retaining data about where you go on the internet? To what degree are they allowed to retain this data?
These questions of "intermediary liability" will dominate the privacy debate in the coming years. On balance, I'm of the firm belief that this flood of information is a boon. A more data- and information-rich world is a better world. But we'll need to manage the flood in a way that upholds our Fourth Amendment protections against unreasonable search and seizure and maintains our right to privacy. For better or worse, we've probably lost a degree of privacy that we won't be getting back-- but really Mark, must you tell the whole world about my heartbreak?
UPDATE: Check out a recent post by Melody on Transcapitalist in which she rounds up a recent win, a loss, and a tie in the effort by intermediaries like Yahoo, Google, and the ISPs to avoid liability. It sounds to me like mostly good news, in that the government seems inclined to think that they ought to have a warrant if they're asking intermediaries for your data. Even if they don't actually need one.