Tuesday, April 26, 2011

Forget Me Not/Forget Me Now


I've written about internet privacy concerns several times before on my blog, and I recently ran across another privacy issue that I hadn't seen pop up before: the right to be "forgotten." It poses some interesting questions for organizations, especially those that own and operate social networking communities.

It turns out that the European Union has some rather interesting views on a person’s data privacy rights; the EU long ago laid down directives pertaining to the conditions under which personal data may be collected, how it must be secured, and how citizens have the right to correct erroneous data. (Although codified, the directives are non-binding, and privacy laws in Europe still do vary from country to country.)

Spain, for instance, has established a Data Protection Agency to monitor and enforce its data privacy laws. Recently, it ordered Google to remove links to material about 90 or so people (Google gets asked to remove links all the time and generally ignores the requests). This "right to be forgotten" has just surfaced in the last few years as search engines have become more effective at collecting and indexing information on the web. Information (both old information and erroneous information) is now much easier to find, so people, in Spain at least, are starting to bring lawsuits to have search engines remove links to the information that they find objectionable.

This poses some interesting issues for organizations that run social networking sites. If people register as members, participate for a while, and then decide to leave a community, do they have the right to tell the community to delete all their information? This would include not only their username and other personal information they shared, but also all of the content they had ever generated (forum posts, blog posts, comments, funny cat pictures, links to YouTube videos, etc.) while they were a member of the community.

I'm pretty sure that people in Spain (and probably most of Europe) would unequivocally say "yes," while people in the United States would most likely say "no."  After all, there are disclaimers on most social media sites (Facebook, Twitter, MySpace, Quora, etc.) that basically state that any content you choose to share with the community is owned by the community, and by posting the content you are implicitly giving the community the right to collect it and use it as they see fit. (Privacy policies are continually evolving, but pretty much all the social media sites I've seen take the position that if you post it, they own it.)

It also poses some interesting challenges for operators of commercial social networking sites domiciled in the United States. What if someone from Europe joins your community? After all, most sites don't go to the trouble—yet—of figuring out where someone is accessing their community from so they can apply different privacy rules (plus, even if you try, there are lots of tools that let people “spoof” or hide which country they are from). Big sites like Google and Facebook that do a massive amount of business internationally may be willing to bend over backwards to appease local laws (assuming they wish to continue to do business in those countries (cough, cough, Google, cough, China)). But I doubt commercial owners of social sites (intended for customers in the United States, for instance) that don't do business in Europe will be overly concerned if they receive a notice that someone in Spain is suing them.

Just for fun the next time you log into your social networking site, see if you can figure out if they’ll let you delete all your content when you leave.  If they don’t already, social networking sites might someday have to transition from their current “forget me not” attitude to “forget me now.”

Friday, April 15, 2011

Failure and Success at Social Customer Support

Lots of companies now employ people to regularly monitor the major social media sites for complaints.  I know a few months ago when I tweeted something on Twitter (where else does one tweet) about the poor service I had received from my cell phone carrier, a support representative from the carrier tweeted me back within minutes offering to help.  This surprised me at the time, since it hadn’t occurred to me that companies were actually paying any attention to rants on Twitter (or any other social media sites, for that matter) looking for opportunities to provide support.

I had another opportunity to interact with a social media customer support representative recently, and was left both pleased and disappointed with the experience.  Allow me to explain:  Like so many people in the last few months, my wife’s email account (which she’s had for over a decade) was hacked.  The hacker registered a name very similar to hers, and started by sending all of her contacts the now-infamous “I’m stuck in London after losing my wallet please send me money” scam (an approach generically known as a 419 scam).  Since most of her friends (and I) knew she wasn’t in London and wouldn’t have sent such an email even if she had lost her wallet, I wasn’t too concerned when I first got the email.  But the hacker had not only broken into her account, he/she/it had also changed her password, so she could no longer even log in. A big problem, needless to say.  So we searched through the “what to do if you can’t get into your account” links at the provider’s site looking for an email address or a phone number to contact.  Nada. Zip. Nothing. Instead, we could only find a “fill out this form and we’ll get back to you in 24 hours,”  which was not at all what we were hoping to find.  So without any other recourse we filled out the form, and almost exactly 24 hours later got the password reset and she got back into her account.  End of story, or so I thought.

When it happened again two weeks later, I was determined to get a more timely response out of the email provider.  So instead of filling out a “we’ll get back to you with an automated response within 24 hours” form, I fired up Twitter and started to tweet one or two reasonably snarky (I know you are shocked…me??  Snarky??) remarks hoping to draw out a customer support representative from the company (and yes, I tried searching for the handle of a Twitter representative before I ever started ranting).  No response whatsoever from the Twitterverse until the next morning, when a random follower suggested a handle I could try to contact the company.  So I tried that, also apparently without any luck.

However, the handle I tried turned out to be one that apparently was being looked at (occasionally) by a Twitter customer service representative for the company, who upon noticing it contacted me asking for relevant details.  Details were provided, and an actual human person made an actual telephone call to my wife the next day to straighten out the problem.

So the whole experience was very much a good news/bad news affair.  On the bad news side, the provider’s website was totally useless with respect to customer service: no email, no phone, no way at all (other than a form) to contact someone at the company who might be able to solve the problem.  One would think if a company is going to go the social media customer support route, they might even have a “contact us via Twitter or Facebook” button, but no. If I hadn’t gone to Twitter and started ranting about the lack of service, I’m sure I’d still be exchanging form-based trouble tickets with someone or live-chatting with a person who isn’t authorized to help.  On the good news side, once the right support person got involved the problem was resolved quite quickly.

So kudos to the company for providing support via Twitter; boos to the company for not making it easier for someone who *isn’t* on Twitter to get support. I think there’s a lesson here: If you are going to provide customer support by monitoring a social media venue, you might want to make it easier to find your CSR there. Otherwise, the CSR is probably going to be dealing with angry and frustrated customers, who have probably already publicly bashed your company.

Sunday, April 10, 2011

Social Networking Bill of Rights

As you probably know, the last year or so has been challenging for organizations like Facebook and Google (with their Buzz feature) with respect to keeping members’ data private. At the Computers, Freedom and Privacy Conference held last year in San Jose, CA, a draft “Social Network Users Bill of Rights” was created. (I found it curious that the bill is posted on Facebook, and you vote by “liking” the page…when the pervasive and public use of “liking” is one of the things privacy experts complain about.) The bill is as follows:

We the users expect social network sites to provide us the following rights in their Terms of Service, Privacy Policies, and implementations of their system:
1. Honesty: Honor your privacy policy and terms of service.
2. Clarity: Make sure that policies, terms of service, and settings are easy to find and understand.
3. Freedom of speech: Do not delete or modify my data without a clear policy and justification.
4. Empowerment: Support assistive technologies and universal accessibility.
5. Self-protection: Support privacy-enhancing technologies.
6. Data minimization: Minimize the information I am required to provide and share with others.
7. Control: Let me control my data, and don’t facilitate sharing it unless I agree first.
8. Predictability: Obtain my prior consent before significantly changing who can see my data.
9. Data portability: Make it easy for me to obtain a copy of my data.
10. Protection: Treat my data as securely as your own confidential data unless I choose to share it, and notify me if it is compromised.
11. Right to know: Show me how you are using my data and allow me to see who and what has access to it.
12. Right to self-define: Let me create more than one identity and use pseudonyms. Do not link them without my permission.
13. Right to appeal: Allow me to appeal punitive actions.
14. Right to withdraw: Allow me to delete my account, and remove my data.

While I think the idea of a social networking users’ “bill of rights” is an interesting one, I also think the chances of any social networking platform adopting it at this time are realistically zero. I’ve written on data privacy several times before. And as I’ve previously explained, the problem isn’t so much that social web sites are collecting too much data or that they are making too much data available outside the network: the problem is that--without government protections--the data is going to be used in inappropriate ways.

An example: Let’s say you have a friend who is trying to quit smoking. You might visit a web site on how to stop smoking, to get some tips on how to help them or at least be supportive. How would you feel if your insurance company cancelled your non-smoker discount the next day, assuming that your visit to the stop smoking site was an indication that you secretly smoked (and hid this fact from the insurance company) and that you were looking for ways to stop?

Far fetched?  Not at all.  There are lots of examples of insurance companies abusing private data, and those companies aren’t alone.  While there have been numerous protections put in place regarding the dissemination and permitted uses of data (particularly health data), organizations with a financial incentive will continue to push the data privacy envelope as long as they are permitted to.  Tools that use sophisticated data mining techniques to discover correlations between otherwise innocuous data are readily available to large organizations, and they’ve repeatedly shown a willingness to use public data in “creative” ways.

The most effective social networking bill of rights I can think of can be expressed in one line:

I have the right to prohibit organizations (including government) from using my public data in ways for which it was not intended.

That’s a petition I would sign. (Not that I think that petition has any better chances than the other one.)

Friday, April 1, 2011

Cloud Music

As you probably read, this week Amazon announced a new option for music aficionados. Their Cloud Drive service allows people to store files (including music) on Amazon’s servers, and their Cloud Player allows people to stream their music files to either Android devices (phones or tablets) or their favorite browser.

It’s an interesting idea to be sure, and certainly has advantages and disadvantages over the conventional approach to keeping your music locally on your MP3 player or smart phone.  But do the advantages outweigh the disadvantages? Here’s my take.

First let’s start with the advantages (from my perspective).
1) You no longer have to worry about keeping your music collection synchronized across several devices. I currently have an iPhone, an MP3 player for my car, three iPods and three PC’s that I occasionally use for listening to music.  I certainly try to keep the music on all these sync’d, but in practice it’s a royal pain.  For instance, if I buy a CD (which I do about once a year these days) I have to rip it on one of my PC’s, then transfer it to all my other devices (I haven’t “played” a CD in years—the first time it comes out of the jewel case it gets ripped, then it goes back into the case and into a storage bin).  Basically the same thing is true if I buy an album off of iTunes or Amazon, for instance.  It initially gets saved to the PC I synch my iPhone and iPods to, then has to get transferred to all the other devices and PC’s.

2) You no longer have to worry about storage space on your music player.  If your music collection is bigger than the storage space on your player (or your phone) you have to constantly decide what music you want to take with you vs. what music you want to leave behind.  With Amazon’s new Cloud Player, it doesn’t matter how much local storage your device has: as long as it can connect to the internet, it can play any of the music you have stored in the cloud.  And you can store as much as you want (for a price, of course).  So another advantage is that you might be able to save some money the next time you buy a phone by buying a cheaper model with less memory, but still be able to access and listen to all of your music.

To be fair, there are some rather severe disadvantages (in my humble opinion) as well.
1) To be able to listen to your music, your music player (or PC) must be connected to the internet.  Not so much a problem if you are listening to your music on your phone (unless you are on an airplane; or in an area where you have no service; or you are bandwidth-capped by your phone company; or if streaming your music kicks you into a higher bandwidth billing rate for the month, etc.).  But none of the iPods or other MP3 players I own connect to the internet, so a bit of a disadvantage there.  Not a big deal: future devices will if this takes off.  Perhaps a bigger concern is the following.

2) You have to trust that the cloud won’t eat your data. There are numerous examples out there of organizations starting a cloud-based storage solution for various data, only to shut down and delete all the data months or years later. Granted, “the cloud” is a lot less risky as a storage locker than it used to be, but ultimately your data is beyond your physical control. I can see keeping a copy of my music in the cloud for convenience’s sake, but not my *only* copy.

The biggest problem is that, at least the way it works today, it might be illegal. Not illegal for you to store your music on Amazon’s servers and not illegal for Amazon to store your music for you, but illegal for Amazon to *stream* your music to your device.  If you’ve been around for a while you might recall a similar offering by a company called MP3.com over a decade ago: it was promptly sued into oblivion by the music industry.  Now granted, Amazon offering a similar service is a much different proposition. And I would think they will be able to sufficiently license rights to stream music from the music industry (What? You don’t want to license us the rights? Ok, no problem.  We’ll just stop selling your CD’s). And it appears that other big players also want to enter this “cloud music storage” model (such as Apple and/or Google), so the music industry will likely get the deal done whether they like the idea or not.

So as a convenience, the advantages might outweigh the disadvantages for some people.  But personally I think I’ll hold off for a while.  At least until everyone figures out how I can use the service on an airplane.