new thinking on privacy and data portability

I’ve argued here (and elsewhere) that privacy in network services is a problem best solved by data portability. The resultant competition, which would let people migrate from services with worse privacy policies to services with better privacy policies. Of course, the issue isn’t that simple- in particular, there are complex questions about who can export what data. If someone comments on your wall, can you take that with you? If you comment on their wall? What if they put up a picture of you? A picture of you, and someone else? I don’t pretend to have a solution to that, but my sense has always been that once a reasonable line was drawn, it’d got a long way towards helping resolve the privacy problems that have plagued Facebook.
James Grimmelman has a new paper out on privacy in social networks that suggests I might be wrong. In short, Prof. Grimmelman argues that data portability is not a solution to the privacy problem, because privacy is determined not just by who controls data, but by what code controls and interprets the data. Of course, the code won’t follow ‘ported’ data. For example, if a friend shares a picture with you, they aren’t deciding ‘just’ to share that picture with you, they are deciding to share it under the specific rules of the social network they are sharing it through. They may not fully understand those rules, but the rules are discoverable, choosable, and maybe even predictable. If that picture is taken elsewhere the rules may be better- but they may well be worse. Using the example of Scoble getting banned from Facebook for importing information into the notorious Plaxo, Grimmelman points out that this helped Scoble’s independence- but may well have violated the privacy expectations of anyone who had shared data with Scoble, assuming that Facebook would enforce certain rules on the use of the data. Or to put it more abstractly: “data portability may reduce vertical power imbalances between users and social network sites, it creates horizontal privacy trouble.” I think I’d known this before reading this paper, but Grimmelman laid the problem out so clearly that I will be forced to revisit the question.
(Tangentially, Grimmelman notes that this problem is in part a side-effect of the use of notions of ‘ownership’ to describe personal data, when property norms may well be the wrong metaphor for personal data. Certainly we’ve been guilty of that mistake here from time to time.)
Grimmelman does suggest a slew of other approaches that might lessen the privacy issues in modern social networks, and critiques a slew of others that he thinks won’t work – so for anyone thinking about privacy and network services the paper is well worth a read. In the meantime, I’ll be mulling what it means for free/autonomous social networks, and invite others to do the same.