In the mix... Facebook "breach" of public data, data-mining for everyone, thinking through the Panton Principles, and the BEST PRACTICES Act in Congress
1) Facebook's in privacy trouble again. Ron Bowes created a downloadable file containing information on 100 million searchable Facebook profiles, including the URL, name, and unique ID. What's interesting is that it's not exactly a breach. As Facebook pointed out, the information was already public. What Facebook will likely never admit, though, is that there is a qualitative difference between information that is publicly available and information that is organized into an easily searchable database. This is what we as a society are struggling to define -- if "public" means more public than ever before, how do we balance our societal interests in both privacy and disclosure?

2) Can data mining go mainstream? The article doesn't actually say much, but it does at least raise an important question. The value of data and data-mining is immense, as corporations and large government agencies know well. Will those tools ever be available to individuals? Smaller businesses and organizations? And what would that mean for them? It's a big motivator for us at the Common Data Project -- if data doesn't belong to anyone, and it's been collected from us, shouldn't we all be benefiting from data?

3) In the same vein is a new blog by Peter Murray-Rust discussing open knowledge/open data issues, focusing on the Panton Principles for open science data.

4) A new data privacy bill has been introduced in Congress called the "Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards" Act, aka the "BEST PRACTICES Act." The Information Law Group has posted Part One of FAQs on this proposed bill.

Although the bill is still being debated and rewritten, some of its provisions indicate that the author of the bill knows a bit more about data and privacy issues than many other Congressional representatives.
- The information regulated by the Act goes beyond the traditional, American definition of personally identifiable information. "The definition of “covered information” in the Act does not require such a combination – each data element stands on its own and may not need to be tied to or identify a specific person. If I, as an individual, had an email address that was wildwolf432@hotmail.com, that would appear to satisfy the definition of covered information even if my name was not associated with it."
- Notice is required when information will be merged or combined with other data.
- There's some limited push toward making more information accessible to users: "covered entities, upon request, must provide individuals with access to their personal files." However, they only have to if "the entity stores such file in a manner that makes it accessible in the normal course of business," which I'm guessing would apply to much of the data collected by internet companies.