It’s very similar to standing in the middle of the park and screaming. Do you want to scream good things or do you want to scream crazy things? You’re talking about the debt you have or you’re not going to pay your bills. That information is out there and it could be used for you or it could be used maybe against you.

Banks are relying on companies like RapLeaf to do the dirty (or not so dirty) job of providing them with information about clients from social sites like Facebook, Twitter, or LinkedIn.

The start and evolution of RapLeaf is an interesting story in itself. In 2005, veteran blogger Michael Arrington wrote an inspiring article titled “Companies I’d like to Profile (but don’t exist)”. In the article, Arrington listed ten startups or services that should exist, and if someone decides to create such a service he would be more than willing to profile it on TechCrunch. One of those services was Portable Reputations, according to Arrington:

eBay’s Feedback system is arguably their biggest asset. Even with its flaws, it is one the biggest drivers of trust between two people buying and selling who’ve never met and never will. But it’s a closed system, usable only within eBay and only for eBay transactions. We need an internet-wide identity and feedback system that any reputable application can tap into, both pulling and pushing data.

RapLeaf  was thereby envisioned as a startup that could perhaps be a hub for reputation of online buyers and sellers, which could be used by anyone across the web to conduct commerce. Somewhere down the line, perhaps around the mid of 2008, RapLeaf realized that it would be far more rewarding to use the digital reputations for credit score determination. In July 2008, Rapleaf changed its interface so that it was no longer possible for anonymous or registered users to see the reputation of other users – which was the entire point of the service. So Rapleaf essentially stopped being a portable reputation and instead switched to an archive of user’s financial reputation – that was available to be accessed by banks or anyone willing to pay for it.

Rapleaf now has “social profiles” of 388 million users, according to the declaration on their own site and sells this data to banks and other organizations. According to Rapleaf spokesman Joel Jewitt, banks are using this information for marketing purposes only, however, Jewitt declined to come on ABC News to make this statement.

Rapleaf continues to maintain that user postings on social sites like Twitter and Facebook are not used to determine the credit score. However, there are reports suggesting that social profiling do play some role in credit decisions, such as offering a better or worse financial package to a user depending on his social profile.

The report from ABC News, regarding Banks trying to spy on users financial status, is not a one off event. In Dec, last year Roger Thompson, a security veteran over at AVG came to the forefront with the smoking gun that Banks are using shadowy Facebook apps to gather user details. Rogers reached this conclusion based on a personal experience, while on a visit to attend a conference in London. Apparently Rogers’s credit card got suspended on the trip, as he tried to make hotel payments. This usually happens because the banks in an attempt to weed out fraud block credit cards if they are being used randomly across the globe.

When Rogers called the bank to unblock his card, the bank asked him personal identifying questions such as the last four digits of his social security number and other such details. Things got weird, when the representative on phone started to ask him questions about his daugther-in-law, using her maiden name. The representative, in his defense, claimed that the bank knows these details from publicly available information.

However, after returning home Rogers went through his bank documents, but couldn’t find any document in which he provided information about his son or daughter-in-law to the bank. The uglier part of the entire incident is that Rogers’ daughter-in-law has been married for nine years and hasn’t used her maiden name ever since. The only place on earth, where she still uses her maiden name is her Facebook profile. Rogers thinks that its this publicly available information that the Bank was talking about.

The incident prompted Rogers to conduct an internal research at AVG that concluded that Facebook is awash with apps that exists for no useful reason except to access the personal information of all the users who approve these apps. Rogers believe that there is a high likely hood that majority of these apps are being used for financial espionage.

Representatives from financial institutions or from companies like Rapleaf might have explanations of their own, but incidents such as the one with Rogers suggest that all is not clean. As for us users, who cant stop using sites like Facebook, I could only say that “If you dont want someone to know something about you – dont post it on Facebook, or Twitter or anywhere around the Web”.

Millersville did end up giving Snyder a degree in English, but Snyder decided to sue the University after her appeal was denied. Yet Snyder lost the court case as well. The fact of the matter is, Snyder had already been banned from campus before the photo became part of the equation. So why was the photo so pertinent in the grand scheme of things?

I’m liable to think that the public reference made to Snyder’s supervisor pushed matters over the top. Especially as Snyder’s case plead that it was her first amendment right to free speech that allowed her to make such a statement about her supervisor, and this plea was denied since the statement was work related.

Now, I have a handful of friends that work in the education sector or in a field that implies a bad reputation online means a bad evaluation at work. They all have to monitor their photo uploads, captions, wall postings, and comments on their social networking profiles. It’s par for the course, given the mainstream permeation of online social networks. But should we be more concerned about Snyder, her student-teaching program at Millersville, or MySpace?

Granted, Facebook has done its part to aide users in avoiding these types of situations, as opposed to MySpace. That doesn’t mean that Snyder’s MySpace activity should become the scapegoat here. People fear social networks because they don’t fully understand how they operate, and unfortunately such fear merely gives MySpace more power as an influence over our culture.

Well, yes and no. As the New York Times reported last week, “Online Age Verification for Children Brings Privacy Worries” since the cost of doing this kind of business can be kind of steep – at least under current proposals. The Times discussed one company in particular, eGuardian of Ontario, CA, which “asks a parent to submit the birth date, address, school and gender of a child, then it asks schools to confirm the information.”

All very well intentioned and quite realistically achieving the basic purpose of confirming identities among a user group that doesn’t necessarily have – or is restricted from disclosing – social security and credit card numbers.

The security of data repositories is no doubt improving by leaps and bounds (I really have no idea, but I would certainly hope so), and the idea that the collected profiles on 750,000 eGuardian members are vulnerable to hacking or, worse, the vicissitudes of rogue employees is presumably a diminishing concern. Nonetheless, part 1 of the privacy problem always seems to come down to the control of information, much more so than its ultimate use or misuse. Privacy is a burgeoning area of the law – and for that matter, of life in the social media universe – precisely because of this problem of having to give up in order to get.

Except that vulnerability in a public space has never been something that’s REALLY new. I don’t really like the “quiet car” in the Amtrak train or the “family section” at Yankee Stadium, mostly because I sort of miss the point of going to the game in the first place if you can’t always be at risk of getting beer thrown on you. But that’s me.

But it’s also true that the offline marketplace has adapted in those and other ways to stated and unstated consumer concerns about safety and security, and privacy. The Washington, DC Metro in has been mildly – but only mildly – pilloried for its newly announced policy of random bag-checking on metro cars and buses. (“If James Madison was waiting for an Orange Line train from Vienna, he might boil [the 4th Amendment] down to: The government better have a pretty good reason for wanting to know what’s in my knapsack, because otherwise, it’s none of their business. (Maybe first he’d ask why the escalator didn’t work.)”) Why so mild a public outcry? I’m not sure it’s apathy, more than adaptation, but also the sense that PUBLIC travel in transportation can and should be better secured.

Online social media – a non-governmental organization, of course – seems a medium uniquely market-driven to make these things work. Based on anecdotal experience of breaches of public and private databases, I’d honestly be concerned about giving some random startup access to my child’s most important information. But I’d also be hopeful that the solid experience of secure transactional services like PayPal would bode well for the development of an effective and safe online privacy mechanism for social media age-verification.

Actually, the immediate hackles with companies like eGuardian apparently came from their unabashed intent to sell their collected user data to marketing firms for use in targeted online advertising. The usual qualifiers are rolled out about providing “no specific information about users” and opt-outs, and other arguments are touted like this one from Ron Zayas of eGuardian, quoted in the NY Times story: “When children go to Web sites today, they are already exposed to ads. We make sure the ads are appropriate for children. We do not increase the volume of ads shown, nor do we ‘sell them out’ in any way to advertisers.”

Not ridiculous points, true, and one might have sympathy for a company trying to build a technology with an actually viable business model. So who can say whether the “Good Housekeeping” or “etrust” seals of approval approach – the (theoretically) independent credentialing authority approach – are necessarily better ways to go, but they do seem to better stave off the expected privacy attacks like those discussed by the Times.

Andrew Mirsky is principal of Mirsky and Company, a new media and technology law firm based in Washington, DC with an office in New York City. Andrew advises media and technology clients on all legal aspects of business operations, including corporate and finance, intellectual property, contracts, and human resources. Andrew is also founder of Media Future Now, a (roughly) monthly gathering of DC professionals, focused on finding ways to keep media-centric businesses agile, innovative and future-focused.

In a PC World story last week discussing social media in the context of e-discovery rules, technology writer Kim Nash opined on the bemoaning implications for privacy of Mayor Kilpatrick’s plight. In social media we talk about privacy usually in the context of personal publicity, and the privacy complaints about Facebook commonly focus on questions of access to personal information: Who gets to see what we post about our lives and the lives of others. The focus is on the author, not the subject, and usually we don’t worry too much things like truth or falsity, or the impact on third parties. For that matter, presumably, we take it as a given that statements are true when not written for a public audience.

Things get dicey when the presumptions break down and social media speech can be used against us. So, for example, what if it’s not true? Put aside defamation, although freedom of expression and the unfettered nakedness of social media have in no way done away with the law of libel. Just look at this past summer’s craziness in England, “UK businessman wins Facebook libel case.”
Also, the problems with social media’s use in employment screening have been long known. You’d have to be living under a rock to think that your real or claimed sexual exploits and opinions on explosives will remain uncovered by potential employers.

I write employment contracts for new media and technology companies and lots of other companies. These contracts and company personnel policies typically contain some statement about how computer usage is subject to company oversight and “your telephone, cell phone, blackberry, and email are not yours”, or statements to that effect. Pretty standard stuff.

But what about corporate usage of Twitter and other social media? In the case that toppled Detroit Mayor Kilpatrick, the police officers who sued for wrongful discharge weren’t seeking the Mayor’s private thoughts for the sake of embarrassment. They definitely achieved that, but as collateral damage while trying to demonstrate wrongful termination of employment. Privacy is a lot like many other rights in this respect.

Its scope can be limited by other competing and legitimate public policy concerns. In the Detroit case, the litigants had pursued their rights under law to obtain information relevant to a vindication of their labor and civil rights. They were seeking to impugn the truth of statements made by the mayor and his chief of staff. Along the way, of course, they ruined the political careers of 2 public officials and sent the Mayor to prison. But it’s not that your Facebook wall will be subpoenaed.

That’s out there anyway for anybody to see and use. In litigation, companies and government agencies are subject to e-discovery orders, which require preservation and production of all relevant electronic communications. This includes email, but also instant messages, text, video, and the detritus from company social media applications – blogs, wikis, and other social media materials. From an employer’s perspective, IM and cell texts of employees are particularly vulnerable because of their popularity and usage, as well as the general inability of companies to truly regulate their usage by employees.

As a user of their employer’s technology, the individual employee is nearly completely exposed to disclosure. These attacks on privacy come up in the context of broader litigation not specifically targeting you as an individual – but rather your employer or agency or group. Worse, it seems just as likely to come up in unrelated government audit and regulatory actions as well. For example, a Department of Labor workplace audit.

In the PC World story, Nash cites an interesting 2008 California federal case, also involving police officers, but explicitly claiming privacy violations in suing the city’s wireless provider for providing the city with transcripts of the officers’ sexually explicit text messages. While Mayor Kilpatrick in Detroit was subject to Michigan’s view that no “expectation of privacy” existed in use of city-provided technology, the California court ruled otherwise, particularly where the city was consistently inconsistent in its enforcement of published usage and monitoring policies.

The California officers sued under a federal privacy statute preventing electronic communications companies from disclosing private messages, overcoming a defense that the service was merely a storage service rather than a communications medium covered by the privacy law. That was helpful to the California officers based on the facts at hand, but also highlights the limitations of this particular privacy view, which depends on who is seeking protection.

Privacy will never be an absolute, and never has been under the law. Privacy in social media is no different, and will be subject to balancing tests with competing public policy subjects such as court discovery demands and different states’ concepts of what one has an “expectation of privacy”.

What’s next is the overlay of social media, company and government privacy policies, which are contracts between you and the social media host: The expectation of privacy under the law can be contractually improved or reduced, depending on the applicable state law and the specific contract terms. How does your contract with Twitter or Facebook change what you should expect? More on this to come.

Andrew Mirsky is principal of Mirsky and Company, a new media and technology law firm based in Washington, DC with an office in New York City. Andrew advises media and technology clients on all legal aspects of business operations, including corporate and finance, intellectual property, contracts, and human resources. Andrew is also founder of Media Future Now, a (roughly) monthly gathering of DC professionals, focused on finding ways to keep media-centric businesses agile, innovative and future-focused.

The Social Network Spam Problem

While there is no word on the amount Facebook is suing for, this is a continuing trend in the industry in which MySpace has been leading the charge against spammers. Users of social networks have not only been under attack by outside spammers though. Some social networks have even gone so far as to spam their own users. The most recent of the offenders is Reunion.com but many more have been offenders as well. The only difference is that the social networks have been able to avoid large settlements so far.

Spam is a critical issue on all social networks as it has been known to drive users away from the sites. The top social networks have increasingly dedicated more employees to fighting spam, some of which has actually compromised users’ privacy as I describe below.

Facebook’s Increasing Spam Challenge

The chief spammers that have been blasting out inappropriate content became more prevalent on Facebook in recent months. Facebook has been extremely aggressive in patrolling spammers though and this most recent lawsuit emphasizes how the company isn’t cutting any slack. Fighting spam is one of Facebook’s priorities and it isn’t surprising given the backlash that MySpace users had after receiving countless fake friend requests.

In the past few weeks spam has increased on Facebook and as Adam Rifkin wrote, even Matt Cohler had two spam posts on his wall. What is this new type of spam? Through effectively hijacking user accounts, spammers go and post wall posts that include a link which redirects users to insecure sites that request personal information.

I posted about this problem back in January but apparently the problem isn’t over. If you can’t shut the spammers down through technical methods, you might as well the sue them until they quit!

Rather than state the punishments for violations, Bebo instead opted to give developers until September 4th to update their applications to be in compliance with Bebo’s Platform Policies and Guidelines for Developers. Bebo has also listed possible actions they will take. For more details check out the Bebo application guidelines page. It’s clear that both platforms are having challenges with terms of service violations.

Is Reactive Protection Sufficient?

One thing that has become increasingly clear to me is that on the web, policy changes are typically much more reactive than proactive. This tends to reflect a similar process that takes place within our own political system. The question that I’ve begun to wonder is: does this really protect the users? If your data is available or there are flaws in the system which increase the likelihood of abuse, who’s responsible?

Ultimately we are in a nascent industry and as such it is the job of all parties to work together to develop the best practices. Unfortunately it is frequently user privacy which is at stake. Should users be more protected? Not necessarily given that it is ultimately their own decision to take actions which put their own privacy at risk. The only concern I have is that users don’t realize the implications of the digital decisions they make.

Does Anybody Else Care?

There’s definitely increasing digital privacy advocacy taking place on Capital Hill and I’m guessing that this will only continue. As Congress becomes more aware of what is taking place online they will begin deeper investigations which ultimately should result in a digital privacy bill of rights. Joseph Smarr has already outlined a basic level of these rights.

Unfortunately none of the participants that discussed the creation of this bill of rights are based in D.C. While I seem to be continuously covering the privacy situation for users, it doesn’t appear that the users really care or are aware to what’s taking place. I’m not sure if that’s good or not but the real question is who are the representatives that are going to speak for user privacy rights when the discussion heats up on the hill?

Does anybody really care about user privacy or have we given up?

Give the Users Control

Facebook could provide an interesting solution: enable users to sell their data to advertisers. The pinnacle of this system has been discussed for years. A single system in which users can grant and revoke advertisers’ access to personal data at the user’s discretion. The reality is that such a theoretically beautiful system can’t compete with existing systems. That’s because advertisers can currently purchase your data and then they are free to do as they please.

With the assistance of personal privacy laws, Facebook could potentially give the consumers back control. With Facebook Connect, the users have control which contrasts to the first iteration of Facebook Beacon. In this new system, the users really do have control of the data that remote services can access. As one developer told me though “there is the terms of service and then there’s the laws of physics”.

Challenges Ahead

In other words the system makes a lot of sense as long as the developers abide by Facebook’s rules. Facebook has already had issues with this on the existing Facebook platform. We saw this issue arise when it became clear that users that had used Slide’s Fun Wall application had their entire profiles exposed to other users. Eventually Facebook realized the problem and shut down the application until Slide resolved the issue.

Policing the net isn’t scalable though. Automated systems are important in digital enforcement which means Facebook must focus on automating their policing activities. Facebook is being careful as they roll out Facebook Connect because any flaws in the system could prove catastrophic. Luckily for Facebook (and potentially not so lucky for the developer) users’ personally identifiable data is still protected by Facebook.

Taking One Step Forward

While we may not have complete control of our data in which we can grant and revoke access to advertisers, Facebook Connect is one step in the right direction. The reality is that users must have control of their data. Even Facebook doesn’t give users complete control yet though: users still have their personal data locked within Facebook’s databases and it’s not coming out anytime soon.

There is clearly a competitive rationale behind not giving users’ complete control. Is it possible to give users complete control of data access while limiting data ownership? Definitely and that’s exactly what Facebook is attempting to do. This doesn’t work as a long-term strategy but in the short-run it will most definitely help move toward giving the users back control.

For now we must accept that this is a step in the right direction yet still remain critical of future moves. Privacy is something that consumers lost control of long ago. Perhaps these new social services can begin to give the control back to the users.

Over the past few months my focus on digital privacy has increased as I’ve begun to realize the flaws with the existing systems and that we are in the process of defining privacy standards. For the past few months my digital privacy exploration has been relatively limited to social networks and when I saw the video embedded below, I realized how big of a deal this really is.

The thing that struck me the most is how the same dynamic in which the private sector is able to act without interference from the public sector for the most part exists across most technology organizations within the U.S. I’m not sure that this is completely shocking but it is substantial. One of my personal goals over the coming months is to continue exploring the impact of social technology on privacy.

In the process, I hope that we can interact with and that readers of this site can learn from some of the policy makers who are helping to shape the future of digital privacy. As the film below highlights, the government remains to be ill-suited to handle the oversight of companies that oversee the management of our digital identities. For the past few months I have expressed the need for the creation of a formal organization that oversees digital privacy.

Whether or not this is a sufficient solution, it is important that this publication as well as others continue to explore this area. Without continuing coverage I fear that social technology could soon become as infamous as credit card companies when it comes to the trading of our digital identities without our explicit consent. This could be an unwarranted fear but without exploration of the issue I believe that we risk having our digital identities compromised further.

What do you believe the implications of social technology to be on digital privacy? Do you think an organization that oversees digital privacy is justifiable?

Over the next 12 months, digital privacy is going to move to the center stage as activities that have gone unmonitored for the past decade are being debated in Congress. Yesterday, a BusinessWeek article revealed more details about at least one bill being ushered by Representative Edward Markey:

Dubbed the Online Privacy Bill of Rights, the law may require companies to get approval from consumers before collecting information about their Web-surfing habits, a process known as behavioral targeting that helps Web sites more strategically place ads. The legislation may also demand that companies disclose more information on how they collect and use people’s Web-use data.

Behavioral targeting is the primary concern for Congress but further investigation will most definitely lead to new policies. As such, large companies from Facebook to Google are beginning to perk up as Congress prods around. Some of the investigations have even driven Yahoo!, Google, Microsoft, and AOL to enable users to opt-out of advertising all together.

As the debate begins to heat up over user privacy rights, Social Times will be increasing our coverage of the topic. This is an issue of critical importance. I have even gone so far as to success the formation of an organization that oversees digital privacy and handles investigations related to digital privacy rights. Do you think digital privacy requires the creation of a formal organization?

If all of your general activities at an event could be tracked back through Facebook (or alternative social media services), there would be a huge advertising potential. Imagine reading your Facebook News Feed and seeing a story that says “Nick and 3 of your friends just entered the Smirnoff Vodka booth at the Everclear concert.” With the power of Facebook connect and competing services, we will soon see these types of activities become public.

Rather than just accepting a terms of service and privacy policy when you register for a site, you will begin to do the same thing when you register for events. How will this work? Through leveraging readily accessible technologies you can track the locations of people attending an event. This means that ads being displayed to them can be targeted and it also means you will soon be able to target those ads toward their friends.

Some of these concepts begin to sound like those out of recent science fiction movies. Malls for instance will soon become entire branded experiences. The moment you enter a store, your friends on Facebook and other social platforms will immediately see that you’ve entered. There are clear privacy issues with these forms of broadcast advertising. There are also questionable business practices at hand.

Should individuals be paid for this new form of referral-based advertising? Also, shouldn’t the consumer be able to opt-in to the public display of this information? The concept of the “social web” eventually begins to fade away as all of our offline and online activities become merged. We are only months into the launching of Facebook Connect, MySpace Data Availability and Google Friend Connect.

The recent “Congressional scrutiny over the intrusiveness of online advertising and behavioral targeting” that Erick Schonfeld points out will become increasingly important as the technologies transform advertising. So when has advertising gone to far? While many of those focused on monetizing the “social web” are willing to try anything to increase ad revenue, consumer interests may become a secondary concern.

Is there a line to be drawn when it comes to new advertising techniques? Will Congress be able to stop many of these activities prior to a multi-billion dollar industry being built around this?