Are we liable for what others say on Facebook?

Interesting case in which a student who was shadowing a medical employee observed some concerning behavior. She asked her family how to proceed with the problem but gave out no personally identifying details of the employee. The family members then told a friend, who told a friend, and so on, until someone posted it on Facebook. The school administration then claimed that the student had breached a code of ethics because the information had ended up on Facebook, even though the student herself did not post it. The student is now suing the school for wrongfully forcing her to withdraw from her program.

Current online privacy laws

The service DeleteMe (@_DeleteMe_) has a nice Your Privacy Rights page about current and upcoming laws concerning computer-related privacy.

DeleteMe is a service that assists people with deleting information online. Their webpage lists Facebook accounts and Myspace accounts as common requests along with getting added to the US national Do Not Call list.

Email for authentication

Many sites online are starting to use email as a type of identity authentication, but this only works if your email hasn’t been compromised too.

A Pittsburgh girl found this out when her Facebook account was compromised by a person who put up vulgar posts. She tried resetting her password only to find that she couldn’t get into her email either. Eventually Facebook deleted her account, but that was after weeks of someone pretending to be her online.

Researchers such as Stuart Schechter of Microsoft have done some interesting work looking at how to get back into compromised accounts.

The Boucher Bill

Issues of behavioral advertising and online collection of personally identifiable information have been major issues of late. I previously blogged about behavioral advertising and the different ways online advertisers can track you as you move around the internet. But behavioral advertisers aren’t the only source of concern.

Large social networking sites have access to a bewildering amount of personally identifiable and potentially very private data. Sure, they have privacy policies in which they claim to respect your privacy, but most of the policies also state that the company can change their privacy policy at any time and the new policy immediately applies to all existing data they have on you. The EFF recently posted a nice time lapse of Facebook’s privacy policy changes from 2005 to 2010, and the New York Times recently showed that the current Facebook privacy policy is longer than the US Constitution. Amongst its many clauses is the fact that other websites are automatically given access to your data when you use Facebook Connect, developers can infinitely store your data, and any applications your friends use have the right to access and store your data too.

The Boucher Bill is an attempt by lawmakers to force organizations that collect data online and off to obtain informed consent from their consumers. The Information Law Group has an excellent breakdown of the Boucher Bill which is definitely worth a read.

Some major points from the bill:

  • Organizations need to provide privacy policies but they can assume that users who use the service have implicitly consented to the policy (opt-out).
  • The bill requires companies to have users opt-in to major privacy policy changes.
  • Express affirmative consent (opt-in) must be obtained before personal data can be sold to other organizations.
  • Organizations can share personally identifiable information with parents and affiliates without notifying users provided the information is not used for marketing purposes.
  • Organizations must provide the policy and get express consent (opt-in) from customers before collecting any sensitive information such as medical information.
  • Consumers must opt-in to any sharing of location information.
  • Organizations cannot collect information about consumers’ cross-site browsing behavior unless they obtain express consent from the consumer before collecting information (opt-in).
  • Organizations collecting information from fewer than 5,000 people per year are exempt.

Update: The CDT has a set of comments on the Boucher Bill.

Value of “who is stalking me” functionality

The Register has an interesting story today on a Facebook app which claims to offer the ability to see who is looking at your profile information but really is just a spam application. The claim is of course bogus as Facebook doesn’t give any application information about who has viewed your profile. Instead the application posts all over your wall and sends out spam messages with the goal of getting ad revenue from people visiting the site and adding the application.

What is interesting about this is that people are intrigued enough by an app that offers feedback on who has viewed their profile that they are continuously falling for the scam. In fact there are at least 25 different versions of this application on Facebook.

City jobs require surrender of logins and passwords

As part of their job application process, the city of Bozeman, Montana requires applicants to surrender login names and passwords to all social networking sites they are involved with. The list of sites includes Google, Yahoo, MySpace and Facebook. Supposedly this is so that the city can do a background check and determine that “the people that we hire have the highest moral character.” Read the article for full details, but here is my favorite quote:

“You know, I can understand that concern. One thing that’s important for folks to understand about what we look for is none of the things that the federal constitution lists as protected things, we don’t use those. We’re not putting out this broad brush stroke of trying to find out all kinds of information about the person that we’re not able to use or shouldn’t use in the hiring process,” Sullivan said.

Update: Bozeman has decided to change their hiring practices and has apologized for the “honest mistake.”

Update: Looks like North Carolina does the same thing.