Saturday, November 21, 2009

A Taxonomy of Social Networking Data

Via Schneier on Security -

At the Internet Governance Forum in Sharm El Sheikh this week, there was a conversation on social networking data. Someone made the point that there are several different types of data, and it would be useful to separate them. This is my taxonomy of social networking data.
  1. Service data. Service data is the data you need to give to a social networking site in order to use it. It might include your legal name, your age, and your credit card number.
  2. Disclosed data. This is what you post on your own pages: blog entries, photographs, messages, comments, and so on.
  3. Entrusted data. This is what you post on other people's pages. It's basically the same stuff as disclosed data, but the difference is that you don't have control over the data -- someone else does.
  4. Incidental data. Incidental data is data the other people post about you. Again, it's basically same same stuff as disclosed data, but the difference is that 1) you don't have control over it, and 2) you didn't create it in the first place.
  5. Behavioral data. This is data that the site collects about your habits by recording what you do and who you do it with.

Different social networking sites give users different rights for each data type. Some are always private, some can be made private, and some are always public. Some can be edited or deleted -- I know one site that allows entrusted data to be edited or deleted within a 24-hour period -- and some cannot. Some can be viewed and some cannot.

And people should have different rights with respect to each data type. It's clear that people should be allowed to change and delete their disclosed data. It's less clear what rights they have for their entrusted data. And far less clear for their incidental data. If you post pictures of a party with me in them, can I demand you remove those pictures -- or at least blur out my face? And what about behavioral data? It's often a critical part of a social networking site's business model. We often don't mind if they use it to target advertisements, but are probably less sanguine about them selling it to third parties.

As we continue our conversations about what sorts of fundamental rights people have with respect to their data, this taxonomy will be useful.

1 comment:

  1. 1st of all thx for the link. Vy intersting blog btw.

    Am not sure whether the categories are quite precise but a lot better than just blather about data.

    Incidental data: the example (party photograph) depends upon jurisdiction. Under German law I cd vy probably ask to have it removed if my mug is pictured distinctly and I have not consented to be photographed. Of course these legal provisions antedate the net and pose all sorts of problems now.

    It wd make rather a nice law exam p.ex. the service provider is located in France, Jim (a Brit) pictures me at an office party in Italy with my arm around the fair Anna from Oslo branch office and puts the pic up. Now assume I am resident in Germany, married to a jealous wife and demand deletion / change of the pic. Also, can I ask the service provider directly if you refuse ? Flesh it out a bit and there is yr exam, and not an easy one I assure you.

    Googlemaps is interesting in that respect, too. I "wandered" through the streets of Belfast near Shankill Rd. once and was surprised at the kind of personal info you can garner there. Not what I wd welcome if I had to live in this area.