‘So what?’ many would ask. After all, the users have published this information themselves. But in doing so, they published with an expectation of how that information might be used. We’ve talked before about the risks of social networking data coming back to bite users (for example, job applicants being rejected because of drunken photos on their facebook profiles). But it’s very different if the site is using automated methods to analyse and process that data; if it is tying in geolocation data with that information; if it is analysing a user’s links, applications and friends to better understand how to sell to them; or if it is extracting that data and selling it on to other organisations to do the same.
The problem is that of data ownership, something which is very poorly handled in law. If I publish information on Facebook, who owns that information? Is it me, or Facebook, or is it in the public domain? If it’s in the public domain, what rights do I retain over it? How do I correct or remove that data? The Data Protection Act provides little control over these issues, particularly if the hosting site is not in the EU.
Facebook’s founder, Mark Zuckerberg, is quoted as saying “We wouldn’t share your information in a way you wouldn’t want.” The problem is Facebook has never asked its users how they would want their information shared, and the current available mechanisms for consent and revocation are poor, with research still in its early days.
Facebook has come under considerable pressure, and as a result has – for the time being – has now agreed to revert to its previous Terms of Service.
There is a moral to this story: when databases are retasked to different purposes, or suffer significant function creep, things start to go wrong. Unfortunately, such an approach seems to be standard in so many different public-sector programmes. Those responsible for HM Government IT policy should take heed.