A social network includes lots of information not directly about you. The
information is implicit, but network
analysis makes it explicit. The evidence
of a network is circumstantial, but an
important basis for profiling. For example, if you have a high percentage of
gay friends, does that mean you are gay?
Many people—gay or straight—would
find that inference embarrassing.

We do not own our networks. In January 2008, blogger Robert Scoble automatically harvested the names and
email addresses of his several thousand Facebook friends, and exported
them to another account. The row was
resolved amicably in the end—but the
outcome was that Scoble’s network
was not his to harvest.

Given the benefits of wide access to
data, it is appropriate to ask whether
“ownership” is the concept needed. In
the first place, legal frameworks that
define a type of data ownership for the
subject are absent—these are facts
about a person, not copyright material,
intellectual property, or trade secrets.
Second, the most important power
of ownership is denial of access: if I
own something, I can stop you using
it. But this undermines the potential of
the Web of linked data. In the old days
of paper and practical obscurity, the
value of information was in its scarcity,
but on the Data Web value comes from
abundance, the ability to place information in new and unexpected contexts, facilitating what Tim Berners-Lee
calls “serendipitous reuse.” 9 Ensuring
data is correct is more valuable than
preventing its use. We should also not
ignore the opposite pull from rights of
access to information, as a corollary to
rights of freedom of expression, 7 while
many people and organizations have
legitimate interests in access to data.

This is the rationale for data protection, whose aim is not exclusively to protect individuals’ privacy, but rather to
balance privacy with the maintenance
of the free flow of information, as well
as other desirable things for individuals like quality and accessibility. 10 Under a data protection regime, individuals have the right to inspect and correct
information being held about them, in
theory allowing them to address issues
of incorrectness, inappropriateness,
excessiveness, and so on.

It also has the effect of bringing
rules into the area directly—data protection
provides controls administered
by a regulatory body over how
data should be handled. On the other
hand, one’s privacy can only be addressed
under an ownership regime
in court after a tort or legal injury had
occurred as a result of misuse.
tion laws, such as Germany, could well
lose out to those in jurisdictions with
less protection, such as the U.K.

Different regimes offer different
levels of protection. Consider for instance the definition of personal data.
Belgium has incorporated the wording
of Directive 95/46/EC directly into law,
covering anyone who can be identified
directly or indirectly from the data,
while the U.K. has altered the wording
to cover only those who could be identified by the data controller from the data.
Data that can be used to identify one
(such as an IP address) can be collected
without data protection legislation in
the U.K. as long as the controller has
no way of going from IP address to an
individual. 8

Nevertheless, the Web is an opaque
place, especially to non-expert users.
Putting the onus on the data subject
to ask for details of how personal data
is being used ensures that much will
be missed—how many know the right
questions to ask about cookies, ISPs,
search engines, or browsers? Will it pay
regulators to take a stronger stance?

Regulation of the Web is a complex
matter, crossing jurisdictions and posing problems for the W3C’s consensus-based standards approach. Regulation generally leverages normality,
and is premised on common behavior
and shared interpretations of a situation. 4, 11 It is more effective if it goes
with the grain of a society’s norms, but
online there is no “normal” behavior,
as work on the scale-free aspects of
the Web has repeatedly demonstrated
(recently in Meiss et al. 5), while user
understanding of online situations is
highly heterogeneous.

The Web moves so quickly that regulation is risky. It takes time and coordination across borders; by the time
rules are in place, behavioral patterns
may well have changed, and all that
is left is unintended consequences. 6
Directive 95/46/EC dates back to 1995,
with key updates to cover traffic and
location data introduced in 2002. The
scale and speed of the Web’s evolution
means that carefully considered regulation is rarely timely; the whole privacy-threatening phenomenon of Web
2.0 has arisen since those directives.

For example, in social network sites
friends sometimes take information
that a user had originally character-