The demise of Detroit Mayor Kwame Kilpatrick’s political career illustrates the perils of thinking we’re not being watched. Of course, it also illustrates the perils of arrogance and stupidity, which usually fell the mighty well before technology or privacy implications kick in. Nevertheless, privacy kicked in.

In a PC World story last week discussing social media in the context of e-discovery rules, technology writer Kim Nash opined on the bemoaning implications for privacy of Mayor Kilpatrick’s plight. In social media we talk about privacy usually in the context of personal publicity, and the privacy complaints about Facebook commonly focus on questions of access to personal information: Who gets to see what we post about our lives and the lives of others. The focus is on the author, not the subject, and usually we don’t worry too much things like truth or falsity, or the impact on third parties. For that matter, presumably, we take it as a given that statements are true when not written for a public audience.

Things get dicey when the presumptions break down and social media speech can be used against us. So, for example, what if it’s not true? Put aside defamation, although freedom of expression and the unfettered nakedness of social media have in no way done away with the law of libel. Just look at this past summer’s craziness in England, “UK businessman wins Facebook libel case.”
Also, the problems with social media’s use in employment screening have been long known. You’d have to be living under a rock to think that your real or claimed sexual exploits and opinions on explosives will remain uncovered by potential employers.

I write employment contracts for new media and technology companies and lots of other companies. These contracts and company personnel policies typically contain some statement about how computer usage is subject to company oversight and “your telephone, cell phone, blackberry, and email are not yours”, or statements to that effect. Pretty standard stuff.

But what about corporate usage of Twitter and other social media? In the case that toppled Detroit Mayor Kilpatrick, the police officers who sued for wrongful discharge weren’t seeking the Mayor’s private thoughts for the sake of embarrassment. They definitely achieved that, but as collateral damage while trying to demonstrate wrongful termination of employment. Privacy is a lot like many other rights in this respect.

Its scope can be limited by other competing and legitimate public policy concerns. In the Detroit case, the litigants had pursued their rights under law to obtain information relevant to a vindication of their labor and civil rights. They were seeking to impugn the truth of statements made by the mayor and his chief of staff. Along the way, of course, they ruined the political careers of 2 public officials and sent the Mayor to prison. But it’s not that your Facebook wall will be subpoenaed.

That’s out there anyway for anybody to see and use. In litigation, companies and government agencies are subject to e-discovery orders, which require preservation and production of all relevant electronic communications. This includes email, but also instant messages, text, video, and the detritus from company social media applications – blogs, wikis, and other social media materials. From an employer’s perspective, IM and cell texts of employees are particularly vulnerable because of their popularity and usage, as well as the general inability of companies to truly regulate their usage by employees.

As a user of their employer’s technology, the individual employee is nearly completely exposed to disclosure. These attacks on privacy come up in the context of broader litigation not specifically targeting you as an individual – but rather your employer or agency or group. Worse, it seems just as likely to come up in unrelated government audit and regulatory actions as well. For example, a Department of Labor workplace audit.

In the PC World story, Nash cites an interesting 2008 California federal case, also involving police officers, but explicitly claiming privacy violations in suing the city’s wireless provider for providing the city with transcripts of the officers’ sexually explicit text messages. While Mayor Kilpatrick in Detroit was subject to Michigan’s view that no “expectation of privacy” existed in use of city-provided technology, the California court ruled otherwise, particularly where the city was consistently inconsistent in its enforcement of published usage and monitoring policies.

The California officers sued under a federal privacy statute preventing electronic communications companies from disclosing private messages, overcoming a defense that the service was merely a storage service rather than a communications medium covered by the privacy law. That was helpful to the California officers based on the facts at hand, but also highlights the limitations of this particular privacy view, which depends on who is seeking protection.

Privacy will never be an absolute, and never has been under the law. Privacy in social media is no different, and will be subject to balancing tests with competing public policy subjects such as court discovery demands and different states’ concepts of what one has an “expectation of privacy”.

What’s next is the overlay of social media, company and government privacy policies, which are contracts between you and the social media host: The expectation of privacy under the law can be contractually improved or reduced, depending on the applicable state law and the specific contract terms. How does your contract with Twitter or Facebook change what you should expect? More on this to come.

Andrew Mirsky is principal of Mirsky and Company, a new media and technology law firm based in Washington, DC with an office in New York City. Andrew advises media and technology clients on all legal aspects of business operations, including corporate and finance, intellectual property, contracts, and human resources. Andrew is also founder of Media Future Now, a (roughly) monthly gathering of DC professionals, focused on finding ways to keep media-centric businesses agile, innovative and future-focused.

Last week Law.com published an article highlighting a lawsuit filed by Facebook’s lawyers “against Adam Guerbuez, accusing the Canadian man of hijacking users’ accounts, impersonating them to send more than 4 million messages in March and April that market ‘offensive’ and ‘embarrassing’ products such as marijuana and penis enlargement pills.”

The Social Network Spam Problem

While there is no word on the amount Facebook is suing for, this is a continuing trend in the industry in which MySpace has been leading the charge against spammers. Users of social networks have not only been under attack by outside spammers though. Some social networks have even gone so far as to spam their own users. The most recent of the offenders is Reunion.com but many more have been offenders as well. The only difference is that the social networks have been able to avoid large settlements so far.

Spam is a critical issue on all social networks as it has been known to drive users away from the sites. The top social networks have increasingly dedicated more employees to fighting spam, some of which has actually compromised users’ privacy as I describe below.

Facebook’s Increasing Spam Challenge

The chief spammers that have been blasting out inappropriate content became more prevalent on Facebook in recent months. Facebook has been extremely aggressive in patrolling spammers though and this most recent lawsuit emphasizes how the company isn’t cutting any slack. Fighting spam is one of Facebook’s priorities and it isn’t surprising given the backlash that MySpace users had after receiving countless fake friend requests.

In the past few weeks spam has increased on Facebook and as Adam Rifkin wrote, even Matt Cohler had two spam posts on his wall. What is this new type of spam? Through effectively hijacking user accounts, spammers go and post wall posts that include a link which redirects users to insecure sites that request personal information.

I posted about this problem back in January but apparently the problem isn’t over. If you can’t shut the spammers down through technical methods, you might as well the sue them until they quit!

Yesterday afternoon both Bebo and MySpace announced updates and made clarifications surrounding their terms of service for developers. MySpace wanted to give developers an overview of what really amounts to a three strikes and your out policy. Applications will be temporarily suspended after 48 hours following a violation warning for the first time and the punishments increase incrementally from then on.

Rather than state the punishments for violations, Bebo instead opted to give developers until September 4th to update their applications to be in compliance with Bebo’s Platform Policies and Guidelines for Developers. Bebo has also listed possible actions they will take. For more details check out the Bebo application guidelines page. It’s clear that both platforms are having challenges with terms of service violations.

Is Reactive Protection Sufficient?

One thing that has become increasingly clear to me is that on the web, policy changes are typically much more reactive than proactive. This tends to reflect a similar process that takes place within our own political system. The question that I’ve begun to wonder is: does this really protect the users? If your data is available or there are flaws in the system which increase the likelihood of abuse, who’s responsible?

Ultimately we are in a nascent industry and as such it is the job of all parties to work together to develop the best practices. Unfortunately it is frequently user privacy which is at stake. Should users be more protected? Not necessarily given that it is ultimately their own decision to take actions which put their own privacy at risk. The only concern I have is that users don’t realize the implications of the digital decisions they make.

Does Anybody Else Care?

There’s definitely increasing digital privacy advocacy taking place on Capital Hill and I’m guessing that this will only continue. As Congress becomes more aware of what is taking place online they will begin deeper investigations which ultimately should result in a digital privacy bill of rights. Joseph Smarr has already outlined a basic level of these rights.

Unfortunately none of the participants that discussed the creation of this bill of rights are based in D.C. While I seem to be continuously covering the privacy situation for users, it doesn’t appear that the users really care or are aware to what’s taking place. I’m not sure if that’s good or not but the real question is who are the representatives that are going to speak for user privacy rights when the discussion heats up on the hill?

Does anybody really care about user privacy or have we given up?

One of the primary issues facing consumers in the digital era is control of their private data. Yesterday I wrote about the Peter Jennings special “No Place to Hide” which covered a lot of the issues facing consumers. The reality is that munch of our transactional data is already tracked and used to create custom profiles of our identities. Online there is currently no way to manage that data and all one can rationally conclude is that somewhere along the line our data is being sold.

Give the Users Control

Facebook could provide an interesting solution: enable users to sell their data to advertisers. The pinnacle of this system has been discussed for years. A single system in which users can grant and revoke advertisers’ access to personal data at the user’s discretion. The reality is that such a theoretically beautiful system can’t compete with existing systems. That’s because advertisers can currently purchase your data and then they are free to do as they please.

With the assistance of personal privacy laws, Facebook could potentially give the consumers back control. With Facebook Connect, the users have control which contrasts to the first iteration of Facebook Beacon. In this new system, the users really do have control of the data that remote services can access. As one developer told me though “there is the terms of service and then there’s the laws of physics”.

Challenges Ahead

In other words the system makes a lot of sense as long as the developers abide by Facebook’s rules. Facebook has already had issues with this on the existing Facebook platform. We saw this issue arise when it became clear that users that had used Slide’s Fun Wall application had their entire profiles exposed to other users. Eventually Facebook realized the problem and shut down the application until Slide resolved the issue.

Policing the net isn’t scalable though. Automated systems are important in digital enforcement which means Facebook must focus on automating their policing activities. Facebook is being careful as they roll out Facebook Connect because any flaws in the system could prove catastrophic. Luckily for Facebook (and potentially not so lucky for the developer) users’ personally identifiable data is still protected by Facebook.

Taking One Step Forward

While we may not have complete control of our data in which we can grant and revoke access to advertisers, Facebook Connect is one step in the right direction. The reality is that users must have control of their data. Even Facebook doesn’t give users complete control yet though: users still have their personal data locked within Facebook’s databases and it’s not coming out anytime soon.

There is clearly a competitive rationale behind not giving users’ complete control. Is it possible to give users complete control of data access while limiting data ownership? Definitely and that’s exactly what Facebook is attempting to do. This doesn’t work as a long-term strategy but in the short-run it will most definitely help move toward giving the users back control.

For now we must accept that this is a step in the right direction yet still remain critical of future moves. Privacy is something that consumers lost control of long ago. Perhaps these new social services can begin to give the control back to the users.

Yesterday I watched an interesting show produced by Peter Jennings about the future of digital privacy sparked by a book, “No Place to Hide”, written by Robert O’Harrow, Jr., a reporter at the Washington Post. I was driven to Ted Leonsis’ Snag Films site thanks to an article in the Washbiz Blog. The film focuses on the future of digital privacy and is an informative piece which opened my eyes.

Over the past few months my focus on digital privacy has increased as I’ve begun to realize the flaws with the existing systems and that we are in the process of defining privacy standards. For the past few months my digital privacy exploration has been relatively limited to social networks and when I saw the video embedded below, I realized how big of a deal this really is.

The thing that struck me the most is how the same dynamic in which the private sector is able to act without interference from the public sector for the most part exists across most technology organizations within the U.S. I’m not sure that this is completely shocking but it is substantial. One of my personal goals over the coming months is to continue exploring the impact of social technology on privacy.

In the process, I hope that we can interact with and that readers of this site can learn from some of the policy makers who are helping to shape the future of digital privacy. As the film below highlights, the government remains to be ill-suited to handle the oversight of companies that oversee the management of our digital identities. For the past few months I have expressed the need for the creation of a formal organization that oversees digital privacy.

Whether or not this is a sufficient solution, it is important that this publication as well as others continue to explore this area. Without continuing coverage I fear that social technology could soon become as infamous as credit card companies when it comes to the trading of our digital identities without our explicit consent. This could be an unwarranted fear but without exploration of the issue I believe that we risk having our digital identities compromised further.

What do you believe the implications of social technology to be on digital privacy? Do you think an organization that oversees digital privacy is justifiable?

Recently I’ve begun discussing privacy more regularly and this is going to increase as Congress continues to discuss new measures that could have a significant impact on a number of large companies in the industry. Last week I discussed how your offline life could soon be public thanks to the combination of Facebook Connect and RFID technology. This is taking place in the not so distant future and even Amiando, an event registration software, has stated their intention to leverage Facebook Connect.

Over the next 12 months, digital privacy is going to move to the center stage as activities that have gone unmonitored for the past decade are being debated in Congress. Yesterday, a BusinessWeek article revealed more details about at least one bill being ushered by Representative Edward Markey:

Dubbed the Online Privacy Bill of Rights, the law may require companies to get approval from consumers before collecting information about their Web-surfing habits, a process known as behavioral targeting that helps Web sites more strategically place ads. The legislation may also demand that companies disclose more information on how they collect and use people’s Web-use data.

Behavioral targeting is the primary concern for Congress but further investigation will most definitely lead to new policies. As such, large companies from Facebook to Google are beginning to perk up as Congress prods around. Some of the investigations have even driven Yahoo!, Google, Microsoft, and AOL to enable users to opt-out of advertising all together.

As the debate begins to heat up over user privacy rights, Social Times will be increasing our coverage of the topic. This is an issue of critical importance. I have even gone so far as to success the formation of an organization that oversees digital privacy and handles investigations related to digital privacy rights. Do you think digital privacy requires the creation of a formal organization?

Within our individual lives there is currently a division between the activities we do online and the activities we do when we aren’t connected. Just as online privacy is beginning to fade away we will soon witness the destruction of offline privacy. Last night I was speaking with a friend of mine from Webster Hall in New York City when an idea clicked.

If all of your general activities at an event could be tracked back through Facebook (or alternative social media services), there would be a huge advertising potential. Imagine reading your Facebook News Feed and seeing a story that says “Nick and 3 of your friends just entered the Smirnoff Vodka booth at the Everclear concert.” With the power of Facebook connect and competing services, we will soon see these types of activities become public.

Rather than just accepting a terms of service and privacy policy when you register for a site, you will begin to do the same thing when you register for events. How will this work? Through leveraging readily accessible technologies you can track the locations of people attending an event. This means that ads being displayed to them can be targeted and it also means you will soon be able to target those ads toward their friends.

Some of these concepts begin to sound like those out of recent science fiction movies. Malls for instance will soon become entire branded experiences. The moment you enter a store, your friends on Facebook and other social platforms will immediately see that you’ve entered. There are clear privacy issues with these forms of broadcast advertising. There are also questionable business practices at hand.

Should individuals be paid for this new form of referral-based advertising? Also, shouldn’t the consumer be able to opt-in to the public display of this information? The concept of the “social web” eventually begins to fade away as all of our offline and online activities become merged. We are only months into the launching of Facebook Connect, MySpace Data Availability and Google Friend Connect.

The recent “Congressional scrutiny over the intrusiveness of online advertising and behavioral targeting” that Erick Schonfeld points out will become increasingly important as the technologies transform advertising. So when has advertising gone to far? While many of those focused on monetizing the “social web” are willing to try anything to increase ad revenue, consumer interests may become a secondary concern.

Is there a line to be drawn when it comes to new advertising techniques? Will Congress be able to stop many of these activities prior to a multi-billion dollar industry being built around this?

Today I received a press release from Reunion.com notifying me that they had successfully added a whopping 1.6 million new members in June, beating out LinkedIn according to comScore. This is nothing compared to the more 9 million added by Facebook in the same month but Reunion.com is in another class. So how did they get the boost in traffic?

As I’ve previously covered, Reunion.com spams the friends of everybody that joins the site. It encourages users to check their email contact list to see if their friends are on the site. If their friends aren’t on the site it automatically sends an email to their contact list without notifying the users. This is a standard tactic which has been used countless times including by Plaxo which initially grew their user base with aggressive spam tactics.

As I wrote earlier this month, this isn’t the only violation of privacy that Reunion.com has made. As one article put it, “Reunion.com’s privacy policy says the site ‘prohibits registration by and will not knowingly collect personally identifiable information from anyone under 13.’ But that doesn’t address the site’s own data-gathering.”

There is a very good chance that all of these privacy violations, regardless of the company’s remarkable growth is going to result in a lawsuit. According to sources of mine, there are individuals that are looking to sue the company for overly aggressive marketing techniques. The funny thing is how public Reunion.com’s tactics are. Perhaps this is one thing that would protect them in court.

If you Google “Reunion.com”, the first page contains multiple articles referencing the company’s email spam tactics. Growth is great for the company but sacrificing user privacy and user trust to grow your company isn’t a solid long-term strategy.

Privacy is increasingly becoming a topic of discussion in the world of online advertising. As new tools emerge to target advertising based on user behavior as well as provide social relevance, privacy is becoming a critical issue. Whether it’s the tracking of users via cookies or the monitoring of their activities throughout “the social graph”, we are in a new era in which the lines between personal and public lives have become blurred if not eliminated.

Today, Chris Kelly, the Chief Privacy Officer of Facebook spoke to the United States Senate Committee on Commerce, Science and Transportation about the “Privacy Implications of Online Advertising.” A full transcript of Chris Kelly’s testimony is available on the Senate’s website. On the topic of differentiating between personally identifiable information and non-personally identifiable information, Chris Kelley stated:

The critical distinction that we embrace in our policies and practices, and that we want our users to understand, is between the use of personal information for advertisements in personally-identifiable form, and the use, dissemination, or sharing of information with advertisers in non-personally-identifiable form. Ad targeting that shares or sells personal information to advertisers (name, email, other contact oriented information) without user control is fundamentally different from targeting that only gives advertisers the ability to present their ads based on aggregate data.

Chris Kelly also gave an overview of Facebook’s SocialAds and their Beacon program. From the initial glance at this hearing, there is not much significant revealed. What is clear is that the govenment is actively involved in discussing the privacy of internet users and this arrives at a critical time. Advertising networks are racing to develop systems that target users based on their friends and activities and in some cases it is pushing the limits of privacy standards.

I frequently discuss the privacy of social network users on this site and the implications that these new advertising systems have in regards to their privacy. It is excellent to see that the govenment is quickly to discuss what it taking place. Personally, I hope that we see a global set of privacy standards and rights developed in the near future.

I’d imagine that one day we will have an enforcement organization that monitors the activities of many of these companies.

Targeted advertising has become a hot button topic in the social advertising industry. New advertising models have been introduced to target users based on their gender, age and interests as well as tools that target based on their online behavior. Caroline McCarthy posted today about a new eMarketer study released called “Behavioral Targeting Attitudes: The Privacy Issue.”

The new report examines consumers’ attitudes toward targeted advertising and the data being collected about them online. The conclusion is that only 23 percent of users are comfortable with having their online behavior tracked for the purpose of serving more relevant advertisements online. I’m not quite sure whether or not this information is surprising or not but it definitely emphasizes that advertisers need to do a better job of educating consumers about their advertising programs.

I cover privacy issues on this site on a regular basis but readers of this blog are more educated than the average consumer. Just the other day I ran into someone who had heard about the risk presented by Facebook applications through a Washington Post article. He said that he no longer installs the applications. Clearly mainstream media coverage will assist in educating consumers about privacy issues and advertising practices.

For the time being we’ll have to expect many users to be uneducated on the issues leaving the discussion to industry professionals. Not exactly the type of discussion that I’d hope to see but I guess it will have to do for now!