Media Influencer

helping people break out of pigeonholes since 2003

Privacy ain’t dead yet

Over the last couple of months I have found myself giving several talks on privacy. This isn’t exactly news as I have been banging on that drum for ages, but there does seem to be more interest in privacy and requests to talk about the topic.

This may be because people are realising how elusive privacy becomes as the web platforms are turning the screws on user data they have accumulated. I am looking at you, Facebook, though Facebook is not the only perp in town…

The first talk on the topic, which I enjoyed very much, was the one I gave in June to the Oxford Libertarian Society. I tried to cover various notions of privacy and argued that privacy is to identity what freedom is to morality – the latter can’t exist without the former. Here’s the text in full.

Oxford Libertarian Society talk on privacy

My second recent talk on privacy was at LIFT France 2010, as part of the session called Privacy Revisited, Protect and Project with Daniel Kaplan, the founder of FING, and Alma Whitten, Google’s Engineering Lead for Privacy. It is a sign of a good session when one learns much from the other speakers. After watching Alma’s interesting presentation, it occurred to me that in the world of web platforms and clouds, even ones that are trying to be benign, privacy boils down to something I should have opened my talk with…

Privacy is never having to delete things you don’t want anyone to see.

LIFT France Privacy

LIFT Privacy Talk

The creepiness factor

Yesterday at one of my client workshops I was explaining the benefits of Twitter – I use the term ‘synchronicity maximised’ to describe the ad hoc organisation of encounters, connectivity and sharing that makes Twitter so useful and addictive. I mentioned an example of twittering my location – let’s say I am in New York having brunch with a friend and I let the ‘world’ know about it. One of the attendees remarked how creepy this seemed to her. And here we have the ‘creepiness factor’ – which usually refers to someone not necessarily violating our privacy legally but to the ability of others to gather our public details (as private data would be a privacy violation), piece together data and information about us that allow them to act in ways we don’t expect. It is the realisation that someone knows so much about us by deliberately gathering information and using it to behave in a way that implies familiarity. It feels like a violation of autonomy and privacy, even though the existence of either is a delusion in our mind.

There is a difference between me ‘broadcasting’ on Twitter that I am having brunch with a friend plus the exact location, and learning the hard way that someone is ‘scraping’ or gleaning such information from places that I, probably very foolishly, consider private or even semi-private, such as Facebook. It comes down to me knowing what happens to my data. The creepiness comes from realising that someone is gathering and piecing together information about me for purposes that don’t directly involve me and/or are not in my interest. Twittering my location is not a problem if I am doing it with awareness of my network and audience.

Sometimes it seems that the vision of the web of documents turning into the web of people has gone the other way around. It is turning the web of people into the web of information about those people without their ability to do much about it.

And of course, all this contributes to all the talk about privacy. And the view that the web is eroding it and that the younger generation don’t appreciate or value it or give it away and, and, and… I have a different view. I am a privacy freak myself and value my privacy highly although I have considerable online presence. That is because privacy is behaviour according to your own preferences – it’s a policy, not a system.

Below is my response to an overly legal approach to privacy on a Project VRM mailing list thread, where privacy was seen as a legal agreement and to be guaranteed by a contract. Here is what I said:

Yes, the whole legal thing is not addressing or even originating from the way people interact. Bemoaning the fact and trying to build systems, processes or tools that force people to ‘behave in their best interest’ or to ‘protect their privacy’ is not going to work and/or deal with the problem.

Privacy is a policy, not a system. ToS is a creature of systems, platforms and silos not of the individual/user/customer.

I, as an autonomous individual, am the best judge of my privacy requirements. When I talk to my friends, I know what to tell them and what not to share – and if I mess up, I suffer the consequences and learn not to gossip with those who betray confidences.

In a larger context, beyond my immediate social circles and when money or reputation or other value is at stake, in order to manage my privacy I need to understand the context and consequences of information I share or others have about me. But if my privacy is not up to me to manage, there can be no reasons or demand for such knowledge to be available or for me to find out easily. Hence, many people have no idea about how their data is used and abused. So that is part of the challenge in which the web has helped enormously – it is now possible for a dedicated or persistent person to find out what’s going on most of the time.

But there is little they can do to act on that knowledge – and I have said this elsewhere many times before – our privacy options are rather binary. Either you participate in transactions, exchanges, communities, etc and you give up some of your privacy or you don’t. However unacceptable I find the former, the latter is not the way to live either.

The best ‘privacy settings’ are in my head, but I need ways/tools that help me to ‘execute’ my privacy policy. And as it’s been pointed out these are not necessarily of the legal world. It helps not to assume it and start building tools that help individuals manage their data and help them to determine their privacy behaviour themselves.

On email, logins, identifiers and identity

David Cushman asked for my thoughts on his post about finding a way to express our id and metadata outwardly just as broadly and effectively as your email account can collate it centrally.

My first impression was that the question might be about logins or GUID* management based on this:

So if I asked you to write a list detailing what and where, you wouldn’t be able to complete one. And if I asked you to confirm your username and password for each of these – you’d struggle even more.

For the sake of order, let me run through some implications of using email as your GUID to log on everywhere.

  1. Your email accesses all web services a la Google, which allows me to use gmail to sign in to greader, gdocs etc with the same email/password combo. That’s possible because it all comes from the same provider, and is relatively safer. Obviously, this can’t easily be scaled to other providers of web services or platforms.
  2. I could use my gmail/email as a handle for single sign-on a la OpenID but unless I have a similar infrastructure as OpenID (i.e. a bit of magic in the URL, with my password management under my control) I’d still have passwords stored on other sites and would be back to the same problem as now – too many usernames and passwords… apart from the fact that we eliminate usernames (and have just email instead) and have (potentially) just too many passwords.

But I think David might be trying to get at something else here. I am not sure I see email as my identity or identifier in the sense he describes. It’s certainly a store of my communications and important information from my contacts etc. But to paraphrase an ubergeek: “all applications progress to the point where they can send e-mail”. Danny O’Brien talked about this in the first lifehacking presentation and he had the corollary that people use e-mail for everything, including to-do lists, and even as virtual hard-drives. Resources get used for purposes other than those intended – so looking at e-mail as a “hub”, some sort of nexus of your information, might be the wrong way around. Instead it’s a resource and it exhibits properties that are useful for many tasks. Your e-mail repository is no more a badge of your identity than is your car or your house.

The closest thing to my ‘identity’ is a mesh of my blogs/blog posts/flickr photos/twitter/dopplr/friendfeed/socnet du jour etc etc. Alas, this ‘identity’ is all fractured across many platforms and in my view needs a unifying point. And those who read my blog already know what my solution to the problem is.

I am not sure a handle (whether URL, username or email) would fundamentally fix my online identity as it’s the stuff I create and distribute that is my identity. I see usernames/passwords/handles/GUID in general as meta-identity or shortcuts to my identity. Just as a passport or driving licence is not my identity, merely a proxy for it vis-a-vis a particular kind of system or record.

And finally, there seems to be an implicit assumption in what David (and not just him I hasten to add) is saying and that is that my existence on the internet requires a GUID. I don’t think that’s necessarily true but that’s a topic for another post…

*GUID = global unique identifier

Truly social software?

I have been thinking about how social software and social networking platforms actually limit my ability to be social…

But isn’t social networking all about being social? Not quite. At the moment, I don’t drive who gets to see what beyond simple decisions about who is ‘in’ and who is ‘out’. Social interactions and relationships are far more granular than social networks allow them to be. Usually, this is seen as a privacy issue and results in complicated access management, e.g. Facebook privacy settings.

Why do we have our relationships pre-determined by others such as Facebook, Flickr, Plaxo etc.? Presumably to give us more ‘control’ over our social network and contacts in it. But how is lumping people into categories imposed by an application helping me to be social? By determining the types of relationships I am able to have – business contact or colleague, family or friend, I am not able to reflect relationships I already have. The best social software is not online, it is loaded on to my cortex. And no software can fully map the relationships, let alone replace our natural ability to create and maintain them.

Privacy is merely the other side of the coin of complexity in human relationships. My ‘privacy settings’ are inherent in my behaviour. My privacy policy should not be embedded in any software. In that sense, software cannot be social (or antisocial), though it can help me be more or less social. Software privacy settings limit my ability to be truly social i.e. capable of maintaining complex relationships and interactions with others – arguably the purpose of such tools.

For context of the argument see the Mine! project blog.

cross-posted from VRM Hub

Whose data is it anyway?

Follow up on previous thoughts on data and ownership… as cross-posted from VRM Hub.

Talking about ownership of data online in terms of control is fairly pointless. Once your data is out, it’s out. So instead of delving into the meaning of ownership and what it means in a decentralised, distributed and open network where sharing and transparency are default, let’s look at how the data is generated by the individual and shared through interactions with others.

Data as generated online is akin to a positive externality for the vendors and platforms that capture our data. A positive externality* is something that is not part of the value traded in market exchanges. It is something one of the parties in the trade benefits from, without having to pay for it. For illustration, pollution is considered a negative externality as it is

a) a by-product of manufacturing processes, and
b) not included in the cost or price of the products.

So, when I am buying something from the Amazon or Virgin Atlantic site, the explicit value exchange is the goods they provide and the money I pay for those goods. My data is external to that value exchange – the vendor is not paying for it and I am not being paid for it. In the current set-up (no pun intended), the vendors benefit by using the data in ways that help their business, from mining to selling it on. I, on the other hand, have scant legal protection against that and even with all the laws in place such as the Data Protection Act and other restrictions on those who capture my data, a large portion of data collected from me is for marketing purposes… and usually way above the threshold of legally required data to complete transactions.

The advent of the ‘free’ web has mightily confused the distinction between data as part of a value exchange and data as a positive externality – simply because most platforms with web services have turned what is essentially an external benefit from other exchanges to foundations of their business models. The ‘free services’ I receive are ‘paid for’ by my attention and/or my data – both eagerly gathered by various platforms. Advertising is a way to monetise my attention aka eyeball and the race to monetising my data (short of crude selling on) is still on.

In this context I own my data (in a way I own my attention) and neither should be considered a payment for the (free) web services unless it is specified in the terms of the exchange or service. It is merely a shift from one business model – online retail such as Amazon – to another where data becomes the value exchanged tacitly and without clear understanding. This is another reason why privacy remains an issue with such web services and platforms. As long as I have to depend on a third party to protect my privacy, it will be exposed by accident (incompetence), force (authorities) or abuse (marketing & advertising).

The tensions between the data created and managed by us and the tools we use belonging to someone else, are becoming obvious on the social web. Mike Arrington’s outrage a few months back when Facebook was turning its back on FriendConnect is justified.

The fact is, this isn’t Facebook’s data. It’s my data. And if I give Google permission to do stuff with it, I’m damned well within my rights to do so. By blocking Google, Facebook has blocked ME. And that, frankly, kind of frustrates me.

Let me put this another way. How dare Facebook tell ME that I cannot give Google access to this data!

Arrington also condemns Scoble’s early attempts at ‘data portability’:

Scoble has been on the wrong side of this issue before, when he tried to scrape his friend’s contact information out of Facebook and export it to Plaxo. In that case, it wasn’t his data and he didn’t have the right to make it portable. It’s MY data, once again, and only I should be allowed to make that decision. He thinks his new position shows that he gets the importance of privacy, but once again he isn’t thinking in terms of who really owns the data and should be allowed to make decisions around it.

Here we go, ownership of data again. So when I add someone to my network, together with his photo and other profile details, I do not ‘own’ that data. It seems pretty pointless to debate that as whenever I sign up to a social network platform, I am agreeing to the terms and conditions of their relationship with me and to what happens to my data, privacy etc. All my agreements are with the platforms and the way I enter those agreements is definitely lacking in balance of power. We do live in the early days of individual empowerment… but even so, there is a distinct lack of tools that will allow me to be a node in a network independent of someone else’s silo or a platform. I have the same question as Danny O’Brien:

When you want to make a private picture or note available only to your friends, why do you hand it over to a multi-national corporation first?

Moreover, within social networking platforms, there is no corresponding agreement with other users. The terms of service are between me and Facebook, me and MySpace, me and Twitter, me and Flickr, me and Plaxo, me and LinkedIn, me and the socnet du jour… but they do not extend to my relationships with other individuals on the same platform. Relationships are pre-defined, much the same way terms & conditions are, from the point of view of the platform, not from the point of view of the individual. So ironically, social networking platforms designed to help me connect with others, to create and maintain relationships with them, are not allowing me to define those very relationships…

In other words, there is no way to interact with others within the silos based on what I call P2P terms and conditions. These could be privacy agreements, if we so wish, ranging from simply not-bothered-about-what-happens-to-my-contact-details-in-your-social-graph all the way to granulated preferences for different people in my contact list. So just like in the real world – there are people I’d trust with my address book and there are some I wouldn’t trust with my address. Instead of building complicated systems and using technology to make such nuances in relationships explicit, I need tools to help me manage the complexity of human relationships. I need tools to reflect what is already in my head implicitly and defines me as a social animal. Do not tie me up in legal pretzels over various policies, creating permissions and access management nightmares in the process. In the words of Kevin Marks as paraphrased from his Social Cloud talk at Lift08:

Software cannot match our ability to sort out our friends and contacts, establish how much we trust them and how we arrive at that trust. No software can fully map the relationships, let alone replace our natural ability to create and maintain them. The implication is that therefore software should support the kind of cloud abstraction we have around the internet, also around our social relationships. You can feed it (the social networking app) relationships that are in the ‘software in your head’, feed the stuff related to people in your network to software online. Users will assume that your software (this is aimed at developers) will be able to see the information that they have already fed into the software and be able to use it.

Indeed! But I digress. To recap, my data is a kind of externality to purchasing transactions, just like attention is an externality to my reading, watching or listening to something else. Marketing lives off my data, advertising lives off my attention. My data (and by extension me) is not respected because companies can trade it as a commodity without paying for it. The way to address this is not to make them pay for the data (and create many snake oil intermediaries in the process) but to make it possible for companies to enter into relationships with the true owners of the data.

So what is to be done? How to internalise the externality? How do I regain control over something that originates from me and is used in my transactions with others? This is the stuff of VRM.

Broadly speaking, it is about finding tools & technology to give the individual sovereignty over his data, so he can exercise choice over who gets to see it and under what circumstances. This will change the balance of powers and eventually demonstrate to companies that by respecting people’s data (and by extension them), they can make more money.

* Definition of externality: Economic theory considers any voluntary exchange to be mutually beneficial to both parties, for example a buyer and seller. Any exchange, however, can result in additional positive or negative effects on third parties. Those who suffer from external costs do so involuntarily, while those who enjoy external benefits do so at no cost. Data is an externality without the third party, where the affected party is also participating in the transaction. So not an exact theoretical match, but perhaps still helpful in understanding how we got to the point where ‘free services’ feel entitled to their users’ data.

Ownership of data, privacy policies and other VRM creatures

Here are some thoughts based on what I posted to the Project VRM mailing list on the discussion about data ownership:

The ownership of data, whatever that means, is merely a starting point of VRM and our attempts to redress the balance of power between vendors and customers. I might volunteer information – to me that means I share it on my own terms – but I also need the ability to establish and maintain relationships. For that I (others may not) need and want the following ‘functionality’:

  1. take charge of my data (content, relationships, transactions, knowledge),
  2. arrange (analyse, manipulate, combine, mash-up) it according to my needs and preferences and
  3. share it on my own terms
  4. whilst connected and networked on the web.

That’s what I mean when I talk about turning the individual into a platform, etc etc.

This does not happen by creating a database or a data store, however personal. Store implies passive and static, even with some sort of distribution. The objective is equipping individuals with analytical and other tools to help them understand themselves better and give them an online spring board to relationships with others (in VRM context this includes vendors).

I think it’s the user who should define the nature of the data stored/shared/analysed and what data is called what – whether confidential or premium or whatever. The crucial point is being able to share it (as well as do all sorts of groovy things with it), independently of third parties and without the data being hijacked, er, harvested by third parties in the process.

In the spirit of user-driven-ness, it should be the user who determines the ‘policies’ by which his or her data is managed and shared. I don’t see why they need to be standard(ised) as my sharing preferences and tolerance are a matter of my policy* – just like security and privacy are policies, not systems, i.e. what’s secure or private to me is not necessarily the same to you and vice versa.

What happens after information/data/whatever is shared is partly the province of the law but mostly of a relationship I have with those the data is shared with… The main issue with the latter is that it can become meaningful only if the user is the most authoritative source of his or her data. Hence I call the means of doing this the Mine!

*My take on privacy is that it is a policy of the individual, not in a sense of privacy policy for the individual selected from a given selection, in the style of Creative Commons. Huge difference. For instance, I have a policy about who I let into my house. I don’t need to display it on my doors or attach it to my address or business cards. It is far more convenient and flexible for me to decide there and then, when someone’s knocking at the door. It is my implicit privacy policy that kicks in. Sure, I don’t want junk mail or door-to-door salesmen but just because I can display notices to that effect, doesn’t mean that is the way to deal with the rest of the humankind. So online, it is about creating tools that help the individual control the data to the point that he/she decides practically and directly who gets to see what – without a third party or intermediary…

cross-posted from VRM Hub

Quote to remember

When you want to make a private picture or note available only to your friends, why do you hand it over to a multi-national corporation first? What use is a mobile phone running Apache? Does IPv6 really exist? Can we be ecologically-sound and still run our terabyte home servers? Please?
- Danny O’Brien in Living on the Edge (of Network)

Whit Diffie’s honorary doctorate at Holloway College

Yesterday, I had the privilege to attend the graduation ceremony at the Royal Holloway College as a guest of Whit Diffie who received an honorary doctorate for his achievements in the field of cryptography, namely, his pioneering work on public/private key cryptography. A Wired article from 1994 on the topic sums it up:

Whitfield Diffie took cryptography out of the hands of the spooks and made privacy possible in the digital age – by inventing the most revolutionary concept in encryption since the Renaissance.

The ceremony started at 10.30am in the splendid college Chapel. Alas, as my flight from Boston was delayed by 3 hours the night before, I arrived too late to see whole thing. However, thanks to Alec I got there in time for Whit’s award and his acceptance speech and managed to record all but the first 10-15 seconds of it. Apologies for the quality, as this is recorded with my normal camera, from a screen outside the chapel.

…open to the opportunity to take risks and do things in unexpected ways and do what you want to but not what people recommend. On the other hand I think I can be said to have overdone this so they, when they give my resume, they normally, they gloss over details. I managed to graduate from MIT and I was later immatriculated at Stanford university. Alumni register very tactfully shows me as having “graduated” in 1987, that is to say that have lost track of me. And I have two doctorates both kindly given by universities, both kindly given by universities that recognise quality of the work. And so, I find myself, you know, my work doesn’t seem that impressive to me, but fortunately it seems to have made a better impression on other people. So I found this example of the fact that it is possible to have a successful career without following the socially recommended paths. But I can also tell you that it must be much… easier to do it in the standard forms. As I can hardly say, I cannot say I don’t regret not having been more capable of a more sustained study and having been able to learn what I needed to learn rather than any given moment merely what I happened to be interested in. Thank you very much.

Diffie hasn’t just refused to fit into an educational system or innovate in structured ways. It was the thinking, Damned-if-I-follow-some-of-your-stupid-rules. Because some of them are stupid. As Steven Levy puts in his book Crypto:

Ultimately, it was only by questioning the conventional rules of cryptography and finding some of them “stupid” that Diffie made his breakthroughs. A case in point: the belief that the workings of a secure cryptosystem had to be treated with utmost secrecy. That might have held true for military organisations, but in the computer age, that didn’t make sense. There would be unlimited users who needed a system for privacy; obviously, such a system would have to be distributed so widely that potential crackers would have no trouble getting their hands on it and would have plenty of opportunity to practice attacking it. Instead, the secrecy had to rest somewhere else in the system.

The issue of privacy boiled down, for Whit Diffie, to: How do you deal with a trustworthy person in the midst of a world full of untrustworthy people?

Diffie also believed in what he called “a decentralised view of authority”. By creating the proper cryptographic tools, he felt, you could solve the problem – by transferring the data protection from a disinterested third party to the actual user, the one whose privacy was actually at risk.

And this, in my view, applies not only to privacy and cryptographic tools but also to all the other tools that have made the web social and empowering to the individual. To that end, I want to look for ways to build tools that transfer the data created by the individual in pursuit of his own goals (whether it involves conversations, relationships or transactions) from an abusive or exploitative party (vendor, platform and potentially any third party) to the actual user, the one who benefits from the data, communication and relationships directly.

Whit Diffie’s challenging of accepted rules, whether Doctor of Science or not, has been an inspiration to me, which couldn’t have come at a better time as I see several assumptions about the web ripe for such challenge…

Here are more photos from the event.

Whit Diffie in Holloway Chapel

On data shadows and giving up control

Bruce Schneier on what keeps me awake these days.

In the information age, we all have a data shadow.

What happens to our data happens to ourselves.

Who controls our data controls our lives.

We need to take back our data.

This is a tall order, and it will take years for us to get there. It’s easy to do nothing and let the market take over. But as we see with things like grocery store club cards and click-through privacy policies on websites, most people either don’t realize the extent their privacy is being violated or don’t have any real choice. And businesses, of course, are more than happy to collect, buy, and sell our most intimate information. But the long-term effects of this on society are toxic; we give up control of ourselves.

This is why I want the Mine! and why I have designed it as a place where you can reclaim your data, without abandoning the goodness of connectivity and benefits of the network. As I keep saying in my email signature: The network is always stronger than the node… but a network starts with a node.

The individual needs to be stronger, more in charge of their domain. I believe that will improve relationships and transactions with others as well as bring benefits to the whole network.

BBC, iPlayer and Microsoft

From the Groklaw interview with Mark Taylor, president of the Open Source Consortium in the UK.

…it’s a Verisign Kontiki architecture, it’s peer-to-peer, and in fact one of the more worrying aspects is that you have no control over your node. It loads at boot time under Windows, the BBC can use as much of your bandwidth as they please (laughter), in fact I think OFCOM, you know, made some kind of estimate as to how many hundreds of millions of pounds that would cost everyone [Ed: see this video interview with Verisign Kontiki executive, and this one], there is a hidden directory called “My Deliveries” which pre-caches large preview files, it phones home to the Microsoft DRM servers of course, it logs all the iPlayer activity and errors with identifiers in an unencrypted file.

there’s a lot of pain going on in the user forums, and some of the main technical support questions in there are “how do I remove Kontiki from my computer?” See, it’s not just while iPlayer is running that Kontiki is going, it’s booted up. When the machine boots up, it runs in the background, and it’s eating people’s bandwidth all the time. (laughter) In the UK we still have massive amounts of people who’ve got bandwidth capping from their ISPs and we’ve got poor users on the online forums saying, “Well, my internet connection has just finished, my ISP tells me I’ve used up all of my bandwidth.”

No, they can’t throttle it. It really is. It’s malware as well as spyware.

Before you start wondering about BBC conspiracies, which would undoubtedly require the level of efficiency that the BBC Trust has been aiming for, let’s see who’s behind the iPlayer.

…the BBC management team who are responsible for the iPlayer are a checklist of senior employees from Microsoft who were involved with Windows Media. A gentleman called Erik Huggers who’s responsible for the iPlayer project in the BBC, his immediately previous job was director at Microsoft for Europe, Middle East & Africa responsible for Windows Media. He presided over the division of Windows Media when it was the subject of the European Commission’s antitrust case. He was the senior director responsible. He’s now shown up responsible for the iPlayer project.

This is getting worn out by now: a Windows-only platform alone is asking for trouble, then there is the ET-phone-home behaviour of the iPlayer itself, then the caving-in of the BBC to the ‘rights holders requirements’ regarding DRM that read like a checklist of Microsoft DRM (I am shocked! shocked! at the DRM abuse going on here!) and finally the lack of clarity and rationale of the whole process. Oh, and fraternisation with a corporate monopolist to the tune of £130 million over the four years, paid by the taxpayer licence fee payer.

via Ben

Bonus link: Use MacOS? Linux? Solaris? Stop the BBC becoming Microsoft slaves!

Quote to remember

But rather than grieving over what BigCos do with our privacy, or getting straight exactly what Facebook is up to, I’d prefer to create tools that give us — each of us, natively — selective disclosure policies that we can pass along to the membership organizations of the world.

We’re so used to living in vendor habitats that we can barely imagine having real power and control in our relationships with them — for their good as well as our own. Selective disclosure has always been a basic tenet of VRM.

Power needs to start with the individual. In a pure VRM context, it’s about my relationship with FaceBook, or Peets Coffee, or United Airlines, or the corner cleaners.

- Doc Searls in Power to the person

Falling on swords

Rapleaf is contrite.

We made lots of mistakes. And this is a long post that, in great detail, goes over our mistakes and what we plan to do about them.

They explain what they do, why it’s scary and how to make it less scary, in their opinion:

There is a lot of information about people living on pockets all over the web. Everyone has an online/web footprint. And it is accessible if someone really wants to research someone – the information is publicly available – but it takes a lot of time to find.

Rapleaf automates this search process. We search billions of pages on blogs, social networks, forums, etc. for information on people. And a little over a month ago, we started making this information public on

Some people did not understand how we found their info and were worried that this info was going to be public, even though the info was already public. Others were concerned that their info was just plain wrong. The common denominator was not understanding where this info was coming from.

Yesterday we cooked up an idea to solve this – we are going to tell you where we obtained the info. Essentially all info will be attributed to a source and that way you can correct it at the source. We haven’t started coding this yet, but look for this change in the next few weeks.

And here is the falling on sword bit:

Last week we also made a decision to send the “you’ve been searched” emails to people that were searched for in Upscoop, a service we run that allows you to upload all your friends and find out what social networks they are on. In retrospect, this was really stupid and very wrong for doing this without any controls. Very very wrong. But at the time, it seemed like a really good idea for some reason. The problem is many people who use Upscoop were unaware that their contacts would receive a courtesy email.

Again, we were wrong. Now we iterate. And we ask for forgiveness.

So, admission of being wrong, check, apology, check, but what is it that they sell and make money out of? This is the bit that got me foaming at the mouth last week:

Rapleaf sweeps up all the publicly available but sometimes hard-to-get information it can find about you on the Web, via social networks, other sites and, soon to be added, blogs. At the other end of the business, TrustFuse packages information culled from sites in a profile and sells the profile to marketers. All three companies appear to operate within the scope of their stated privacy policies, which say they do “not sell, rent or lease e-mail addresses to third parties.”

And that’s right. Marketers bring TrustFuse their own list of e-mail addresses to buy access to demographic, behavioral and Internet usage data on those people, according to the company’s privacy policy and sales documents.

So are Rapleaf, Upscoop and TrustFuse doing evil or not? From their blog post:

People that are doing lots of searches on a monthly basis pay a little bit of money per lookup. This is how we generate revenue.

And we’ll even give heavy users the ability to do batch lookups and provide aggregate reports of the information. And yes, these heavy users and companies may use this information for marketing purposes to give their users and better offers when they visit their sites.

In the post Auren demonstrates he understands the importance of context. My problem is that I am not seeing the context of Rapleaf, their products and services. Who are they aimed at? If they are aimed at companies and their marketers, for the purposes of matching their email lists with online profiles, then the whole mea culpa exercise doesn’t address my original objection.

But to be fair to Rapleaf and the likes of them, they are merely tapping into the demand they see from companies to ‘regain control over the consumer’. It is about collecting data and information on the elusive demographics, at arm’s length and without any intention to treat their customers as individuals. And that is my gripe.

© 2009 Media Influencer. All Rights Reserved.
