Legal policy about storing the Social Graph


victorc

Apr 9, 2008, 11:54:11 AM
to DataPortability.Action.Policy
Hi all,

I hope this is the right and good place to ask such a question (if not,
please tell me where I can discuss such a subject):
If I am a user with some social network data (let's say a social graph
with my friends list) somewhere in a specific format (CSV, TXT, XML,
RDF ...), can I ask a Web site to store it for me?
Another way to ask the question: can I copy my social graph from a
social network and then store it somewhere else? Is it legal? Can I
ask a Web to do this for me?
What is the legal message I have to read and agree to for such a
dataportability process?

Thanks in advance for your advice
Victor

Elias Bizannes

Apr 10, 2008, 9:30:22 AM
to DataPortability.Action.Policy
Hi Victor,

This is the right place to ask the question.

Ideally with dataportability, you can do exactly this. However as for
the current situation, companies are happy to suck in your graph
(import contacts via gmail), but a bit more hesitant to let you export
it.

Cheers,
Elias

Brady BD

Apr 10, 2008, 2:33:01 PM
to DataPortability.Action.Policy
I think this question speaks to the larger legal ramifications of
portable data, and exactly what organizations that support data
portability will have to do to their 'terms of use' to accommodate
this kind of interoperability.

Out of curiosity, who on this mailing-list is passionate about
tackling the data portability question from the legal perspective?

-Brady

Danny Ayers

Apr 10, 2008, 4:11:26 PM
to dataportabili...@googlegroups.com
On 10/04/2008, Brady BD <bra...@gmail.com> wrote:

> I think this question speaks to the larger legal ramifications of
> portable data, and exactly what organizations that support data
> portability will have to do to their 'terms of use' to accommodate
> this kind of interoperability.

Right. It seems to me that there's a big education task here - both for end-users and service providers.

For end-users, we can't assume it's obvious that anything they put on the public web is public knowledge, especially when it comes to data. I forget the details (Julian might remember) but there was a social graph aggregator a year or two back - Plink (?) - that harvested FOAF. Not sure what interface it had, but whatever, the person running it decided to shut it down after loads of unpleasant mail along the lines of "how dare you steal my information".

danbri has a good post around this issue, in particular in relation to privacy and the SG API:
http://danbri.org/words/2008/02/05/267

In it he says: "There's a danger here of technologists seeming to blame those we're causing pain for." - indeed, but there's also a danger of the blame being redirected to technologists from elsewhere, see:
http://iandavis.com/blog/2008/04/identity-theft-its-not-your-problem

(personally I wouldn't weep at the death of "privacy by obscurity", but still don't think we should be inflicting pain if we can avoid it)

Back to danbri again, he has some good suggestions:

[[
  • Best practice codes for those who expose, and those who aggregate, social Web data
  • Improved media literacy education for those who are unwittingly exposing too much of themselves online
  • Technology development around decentralised, non-public record communication and community tools (eg. via Jabber/XMPP)
]]

I mentioned education of service providers - I really don't think they're anything like geared up to provide interactions for end-users that would give them a chance of informed choice.  A terms of service doc might be adequate for walled garden environments, but those walls are crumbling. I don't think the ramifications have occurred to the service providers any more than anyone else.

Technically it isn't that difficult to provide granular access control to data, but without conventions for identifying different kinds of data in a way that would make sense to Auntie Edith, the user interface is a non-starter.
(Considering such conventions might well be in scope for this group).

> Out of curiosity, who on this mailing-list is passionate about
> tackling the data portability question from the legal perspective?

I passionately hope someone else is willing to tackle it :-)

Incidentally, one of the easier bits has been addressed:
http://www.opendatacommons.org/
 
Cheers,
Danny.

--
http://dannyayers.com
~
http://blogs.talis.com/nodalities/this_weeks_semantic_web/

Mark L

Apr 11, 2008, 5:38:03 AM
to dataportabili...@googlegroups.com
I am passionate about the legal aspects but not a practising legal professional. In this respect there is something which I have thought about that may have some relevance to this discussion and has been a hobby of mine to think about.

A few years ago I started articulating something I now call a Master Data Controller Access Framework, to address the perspective that contemporary data problems and privacy ultimately come down to access control.

The idea here is to create a policy hierarchy called 'Master Controller', signifying the originator of the data, by adding just one word to existing law.

In this hierarchy there could be a delegated infrastructure, each delegate with different access rights and legal responsibilities. For instance:

1. Master Controller
2. Trusted Third Party Controller
3. Pseudo Controller
4. Guest Controller

Then these two suggestions could be a managed expectation through access control:
  • Best practice codes for those who expose, and those who aggregate, social Web data
  • Improved media literacy education for those who are unwittingly exposing too much of themselves online
As an idea for instances, these practices could be measured out of 10 to give a controller competency rating and appropriate access control.
 

On 10 Apr 2008, at 21:11, Danny Ayers wrote:
> On 10/04/2008, Brady BD <bra...@gmail.com> wrote:
>
>> I think this question speaks to the larger legal ramifications of
>> portable data, and exactly what organizations that support data
>> portability will have to do to their 'terms of use' to accommodate
>> this kind of interoperability.
>
> Right. It seems to me that there's a big education task here - both for end-users and service providers.
>
> For end-users, we can't assume it's obvious that anything they put on the public web is public knowledge, especially when it comes to data. I forget the details (Julian might remember) but there was a social graph aggregator a year or two back - Plink (?) - that harvested FOAF. Not sure what interface it had, but whatever, the person running it decided to shut it down after loads of unpleasant mail along the lines of "how dare you steal my information".

Is there a stance that data portability can take which is very aggressive for the 'Data Controller Owner and Originator'?  -Where we all have 'prince' like control over our own personal information to start with.  Call it something like  Data Hegemony?


> danbri has a good post around this issue, in particular in relation to privacy and the SG API:
> http://danbri.org/words/2008/02/05/267
>
> In it he says: "There's a danger here of technologists seeming to blame those we're causing pain for." - indeed, but there's also a danger of the blame being redirected to technologists from elsewhere, see:
> http://iandavis.com/blog/2008/04/identity-theft-its-not-your-problem
>
> (personally I wouldn't weep at the death of "privacy by obscurity", but still don't think we should be inflicting pain if we can avoid it)

Does anyone else feel that privacy is an old village word which doesn't suit a good forward facing discussion? Education that we are now being tracked but don't have access to this information or are afraid of tracking ourselves due to privacy breaches should be developed to get rid of data portability myths. How else will we counter words like privacy which reference a time and place where a different type of personal security was referred to and digital data portability nearly impossible. Perhaps those days are gone?

Legally I think it's time for a revolution. Take the discussion about code being law to a practice that entrenches personal data in constitutional law.

As an idea of where to start legally, something published on Friday I think would be a great document to start with. The long-anticipated set of recommendations for how European data protection laws should be applied to Web search services can be found at www.tinyurl.com/5yukzm.

- Mark

Mark L

Apr 11, 2008, 6:24:51 AM
to dataportabili...@googlegroups.com

  • Technology development around decentralised, non-public record communication and community tools (eg. via Jabber/XMPP)

The idea of a non-public agency (technology) is really encouraging. Does anyone know if there is something like this happening? Are there people interested in messaging technology on a peer to peer basis in a non-public record way? (is that possible?) with at least 4 levels of access? Would need to be able to search the comms stream based on access level and display results. This is great food for thought.


On 10 Apr 2008, at 21:11, Danny Ayers wrote:

Danny Ayers

Apr 11, 2008, 8:10:06 AM
to dataportabili...@googlegroups.com
Couple of refs. I overlooked:

The W3C's P3P work was in this general area:
http://www.w3.org/P3P/

more current is:
http://www.policyawareweb.org

Steve Holcombe

Apr 12, 2008, 9:35:34 AM
to DataPortability.Action.Policy
> Out of curiosity, who on this mailing-list is passionate about
> tackling the data portability question from the legal perspective?

Are there any Dataportability.org members associated with the
Electronic Frontier Foundation?

No need re-doing privacy research that has already been done ....

See their Privacy page at http://www.eff.org/issues/privacy


victorc

Apr 16, 2008, 8:16:40 AM
to DataPortability.Action.Policy
Hi all,

Thanks very much for all your answers, I understand that it is a "big"
subject, not easy to solve it and answer it with one simple answer.
However I understand that I have to be very careful with the way I
can store social data.

In fact my project is here: http://www.osocial.net/network : Open,
Free, Export and Browse your social network graph ... and why not then
store it into another place to share it, to consolidate it or to play
with it?
And so I have to think on my TOS and privacy policy .... any ideas or
help are welcome ;)

This is the beginning of the social data portability game! :)

Victor