Rules of online privacy etiquette

This is a modified version of an opinion piece from my ITPro column originally published in The Age.

So you’ve been careful with your online profile: obfuscating your details, giving false birth dates, leaving all the fields blank or nonsensical. You have kept your posts on blogs professional and free of private life tidbits. If you belong to a social network, your status updates have been moderate and cryptic.

Then one day you sign into Facebook and see that your family and friends have wished you a happy birthday, or congratulated you on your new job or worse, tagged you in a photo. Suddenly your data, which you’ve carefully curated, is slowly exposed by what is ultimately accidental politeness and social convention.

It would be fairly trivial to backfill missing data points (such as day and month of birth) by searching for the right congratulatory key phrases. It is even more devastating if someone actually says “Happy 21st”, because now they have your year of birth.

We are social creatures; it is in our nature to create connections and then use our knowledge and shared experiences as a kind of social currency. The digital community member who shares nothing about themselves, just watching and not participating (called lurking), is viewed with an element of suspicion.

Digital communities aren’t bad; they are good and healthy extensions of human society. An Internet without community-forming tools and services would be a dull and dark place. We know the positive power of the Web’s ability to create spaces free from censorship and geographical constraints to give voice and a place to belong.

The darker side of belonging to a community is that it is easy to be lulled into a sense of complacency about your private information. Ill-framed, throwaway comments, or that photo or slip of detail about yourself or loved ones, can have lasting unintended consequences. There are no take-backs on the Internet.

Recent history offers plenty of cases, in caches of leaked documents, communications and memos from private intelligence agencies, showing that data dredging (finding relationships in large volumes of data) is alive and well and can be sold to governments and big businesses. It is also standard fare for security researchers and tech-savvy marketers to continually come up with better strategies for identifying individuals in the last generation’s anonymized data sets.

So while the bulletin boards, chat sites and social networks that you frequent may be run with the best intentions and by people you trust, third-party “intelligence” gathering and surveillance can still discover facts that you never intended to go beyond that small circle.

You may think “but I’m not important enough to worry”. That is not the point. If, say, you are an active member of a sporting message board that also has as a member a person of interest to some foreign multinational, you may find that, by association, your details are dredged and relationships inferred by lazy statistical models. There are more than a few instances of these inferred relationships between innocent people and criminal activity in internet search results.

Gossip, especially on the Internet, has powerful and far-reaching implications. Even if it’s done in good fun or would be considered otherwise harmless, that information may become yet another data point against someone in a dredging exercise.

A colleague remembers that in her mother’s Family Circle magazines there was always some kind of brag column or agony aunt which enabled readers to write in and boast or gossip about their “DH” (dear husband) or Little Wife, a condescending naming practice that is still alive and well. Imagine if intelligent semantic web engines could link “DH” to your profile?

Remember when it was the norm to put a notice in the paper announcing the birth of a child or marriage etc? Well, these papers may one day be digitised, put on the web and made discoverable through search engines. Little Jane Doe, who is now 16 years old, has her date of birth, suburb and parent’s name now ripe for collection. That funny little thing that you wrote into the magazine is now internationally searchable, and it probably has at least your first name and suburb tagged against it.

It doesn’t even really matter if the details aren’t complete enough to identify you. Data mining techniques are very good at looking for correlations in large and diverse sets of information. Relationships can be inferred, correctly or incorrectly, that might follow you about even in benign ways.

Digital community service providers, be they social networks or even a tiny message board, absolutely have the onus of protecting their users’ privacy, no ifs or buts. However, even the greatest levels of privacy protection can’t protect you when you or your peers leak your own information.

I will leave you with a few points that I think should become a kind of privacy etiquette.

  1. Don’t offer other people’s information, even inadvertently. Before you wish someone a happy birthday or anniversary, check to see if they have set that in their profile. If in doubt, say nothing.
  2. Don’t get specific. 
  3. Don’t tag photographs. Leave it up to the person to tag themselves if they wish.
  4. Don’t break the scope of the message (No Gossip clause). If a story or piece of information was shared between a small group do not re-share or cut and paste it into other networks.
  5. Check your profile regularly and see if any fields that you have set as empty have since been “helpfully” filled in by the software making inferences.
  6. Agitate against the rule that real names must be used.

A common refrain is “Don’t join the network in the first place”. My opinion is that I would rather know what people are saying about me, so that I can correct it or obfuscate it, than just hide my head and hope that no one is talking about me. At the very least I’d rather claim my name or handle to stop others from using it maliciously.