Research, Networks & Privacy
Research, in whatever field of endeavour, is considered to have a useful societal purpose. But, in the case of people using networks, at what point does it cross the line into violations of personal privacy?
According to this press report last week, Pete Warden has amassed details on 215 million profiles on Facebook and plans to make Friend, Fan page and name data (but not URLs) available to the academic research community.
Mr. Warden’s not alone in his interest in accessing a pool of network-based data. In July 2008, it was reported that researchers from the Universities of Colorado and Washington “eavesdropped” on users of the Tor anonymous proxy network, permitting the identification of traffic crossing the network and what remote websites Tor users were visiting. I’ve also recently had the occasion to read a soon-to-be-published paper looking at the inadvertent disclosure of personal health information through peer-to-peer file sharing programs.
While the networks and facts are different, each example involves the harvesting of data from the users of networks. Should the purpose of conducting “research” permit such widespread, indiscriminate harvesting? Does such harvesting constitute a violation of data protection (or in some cases criminal) laws? Does network-related research meet the “reasonable purpose” threshold of the data protection laws in Canada? Does permitting access to personal information on a network constitute consent to its use for other purposes? If consent is “given”, what reasonable expectations of privacy do (or should) users of networks have? And at what point would these expectations of privacy be violated?
I’m reminded of the words of Mr. Justice Binnie of the Supreme Court of Canada in 2004 decision of R. v. Tessling:
“It is true that a person can have no reasonable expectation of privacy in what he or she knowingly exposes to the public, or to a section of the public, or abandons in a public place.”
Harsh words for people who use social or P2P networks today. They may believe they are allowing only “friends” to see their data but it’s arguably “public” and fair game for researchers. Perhaps Mr. Warden has inadvertently done us a great service. If people become outraged enough then the academic and privacy communities may pay more attention to the legal and ethical boundaries of network-related research and the use of personal information. I certainly hope so.