Accidental dossiers: privacy and security in the new web | Social Signal

At last week's 2006 Nonprofit Technology Conference in Seattle, I sat on a terrific panel led by Matt Blair, with Marnie Webb and Marshall Kirkpatrick, on the security implications of the new web. It was one of those amazing sessions where the audience was so engaged from the start that we had no need for the usual opening-presentations-plus-Q&A structure; we got right into a very cool 90-minute conversation.

I don't think anyone was recording the session, but I thought I'd share the notes I'd prepared for my presentation.

Think about Web 2.0 – the loose collection of new technologies like blogs, news feeds and the like – and one of the key things that jumps to mind is aggregation. These new technologies allow us to take raw information from disparate sources, and mix and match and mash-up until a whole new picture emerges.

Funny thing: there’s another field where that’s important, where people combine information from different sources to create a new synthesized perspective on a person, issue, organization or event.

It’s called OSINT – open-source intelligence. That term has nothing to do with Linux or the GPL. It’s the practice by intelligence agencies of collecting and analyzing information from publicly available sources.

In the past, that’s been newspapers, phone books, magazines, journals, speeches by officials and the like. That didn’t expose everyday individuals to much in the way of privacy concerns.

But today, the web offers a whole new set of information conduits, and a lot of the data flowing through them is highly personal. Web 2 technologies make it easy for people to post information about themselves:

• their comings and goings,
• the names and pictures of friends and their kids,
• their opinions and beliefs,
• their daily routines,
• the books they’re reading,
• the music they listen to,
• birthdays, parties and events they’re planning on attending...

And these technologies also make it very easy to knit that information together into a detailed, cohesive picture – the kind of dossier that a decade ago would have required a pretty intensive bit of digging to compile. Subject to interpretation and not necessarily all accurate. But thorough.

Let me give you a simple example: a Canadian student born in Iran.

His name’s Hossein Derakhshan, and here’s how he tells his story. Last October, he was spending a month with a friend in New York City. He interrupted that visit with a brief, overnight trip home to Toronto.

On the return trip to the U.S., he was stopped at the border. The customs officials Googled his name. And up popped his blog, which mentioned his stay in New York. That got the guards’ undivided attention. They started poring over his posts, and asking him a lot of questions about his politics – which, incidentally, are pretty mainstream.

They noted a clearly sarcastic post of  his suggesting he was taking money from the CIA, dealing illegal drugs and dating Natalie Portman. Lots and lots of questions ensued.

Finally, the guards discovered a copy of Newsweek in his luggage bearing his name and the New York address. Hossein had redirected his subscription for the month.

That, the guards decided, was reason enough to decide he was at risk of overstaying his welcome in the US. And they denied him entry for at least the next six months.

Yes, it was a magazine that ultimately did him in, but it was his blog that got the whole juggernaut rolling in the first place.

Here’s my point.

We’re used to thinking about security concerns in terms of what happens when someone breaks in, steals data and misuses it. In other words, we often think of security concerns in terms of the technology failing.

Not in terms of when it works.

But it’s the exposure and aggregation of information that happens when Web 2 technology is working flawlessly that gives rise to these personal security and privacy concerns.

And the more information we ask people to share through community web sites – the more we invite them to tell us – the more exposed they are.

That’s true whether it’s someone blogging a picture of their cat on Friday... or reporting a human rights violation they experienced under a repressive government.

Those concerns become magnified if we’re also collecting private information linked to public information, that then becomes compromised – illegally through hacking, or legally through the sweeping new powers that governments have adopted post-9-11.

And this isn’t just governments I’m talking about. Think about employers and HMOs who can now gain a whole new window on individuals’ personal lives and medical backgrounds.

Think about individuals who disagree violently with your views on something like abortion... who can tie those views to a name, a face, an address, the names of kids and daily routines.

I don’t want to encourage paranoia here. These tools are magnificent; the prospects for self-expression are unlimited; the promise for non-profit organization are boundless. I can pound back the Web 2 Kool-Aid as well as anyone.

But I do think we have to start thinking about how we can protect the privacy of members and users in this new, aggregated world.

Let me suggest three avenues.

1. Self-assessment: How much of the information that we collect do we really need? How much of it helps to drive conversation and community, and how much are we just gathering out of force of habit? And how much of that information is exposed to the outside world?
2. Persistence: How long do we need to keep this information? At what point do archives cease to be contributing to a dialogue, and just become a data mine for intruding on privacy?
3. Education: How can we talk with our members and users about these issues in a way that allows them to make informed decisions about what information they share, how and why?

I don’t want to discourage transparency and authenticity. They’re the lifeblood of  the new web. But ultimately the new technologies we’re discussing are about empowering people to share their experiences, their wisdom, their lives with others. So let’s empower them to share only what they want, when they want.