Last week, I read the notes from a talk about the state of the modern internet given by Maciej Ceglowski. The talk is a bit depressing – how large, faceless corporations have access to huge amounts of data about us, the disconnect from the real world, and the implications for our privacy. The whole thing is worth a read, but especially the eight action points at the end. The first three state that companies need to limit what they capture, how long they keep it for, and who they share it with.
But the fourth and fifth are two that I feel the most strongly about. Point four is ‘Enforce the right to download’. In other words, all web sites that collect user data, should have a way of allowing users to request all of the data that the site holds about them. Across the EU, web sites are actually legally mandated to do this – in the UK, for example, this is a key part of the Data Protection Act. You have a legal right to contact any company that is based in the UK, and ask them to send you all of the data they have about you, for a charge of no more than £10.
However, many web sites, even those based here in the UK, don’t easily facilitate this. Which is a shame – it’s our data, and we should be able to see it and keep our own copies of it. Every site should have a data export facility, and the data offered should be in a documented format, to avoid problems like those encountered with the BBC Domesday Project. There’s no point in having data if it’s impossible to interpret what it actually means.
The fifth point is ‘Enforce the right to delete’. This is actually quite topical in Europe, where the European Union Court of Justice has ruled that we have a right to be ‘forgotten’ on the internet. But primarily this is about user accounts and their deletion. If you sign up for an account on a web site, then you should also be able to delete that account as well. The fact that sites like Account Killer (previously mentioned) and justdelete.me exist shows that this is often far from easy, or even impossible. Some web sites will not let you delete accounts at all, or require you to do so via a customer service request, rather than a few links in the site’s Account Settings.
This, in particular, has annoyed me of late. I’m still working through my 1Password keychain to change passwords on lesser-used sites after the Heartbleed vulnerability came to light. Some of these I haven’t used for years and I have no need in which to keep an account active, but I’m offered no easy way of getting rid of it. You can’t delete a WordPress.com account, for example. Others, like eMusic, perversely only let you delete an account with an active paid subscription.
Whilst I don’t want to sound anti-American here, I feel that America’s inadequate laws on the protection of personal data are mainly to blame here. As a Brit dealing with a web site in my own country, or elsewhere in the EU, I can be assured that there are various legal safeguards for my data. But this doesn’t apply outside of the EU’s borders, and I’m at the mercy of whatever laws that country has, or indeed the lack thereof. Whilst there are ‘safe harbour’ agreements in place for some companies which operate both inside and outside the EU, this is hardly the norm.
Ironically, it’s the bigger companies that actually lead the way when it comes to these two points. Google Takeout lets you export your data from most of its services and you can delete your account if you wish. Similarly, both Facebook and Twitter let you download all of your data, including photos, and permit account closure without having to jump through hoops with customer services. You may not like what these companies do with your data, but at least you have some control over it, and can withdraw from them at any time.
But Google, Facebook and Twitter should not be some kind of ‘gold standard’. This should, instead, be the bare minimum. We should be petitioning those sites without export and account deletion facilities to add them. And, in those countries without strong data protection laws, we should be petitioning lawmakers for more privacy and data control. After all, it’s our data.