I just read an interesting post on the Michalsons site about 3rd parties processing personal information on behalf of companies that may be collecting it from you. The post reminds me about an issue I’ve been thinking about for a little while now and have been chatting to one or two of my clients about. It relates largely to the growing online reputation management (also referred to as “ORM”) market. You may not be familiar with these tools so here is a video by one of South Africa’s ORM services, SaidWot (disclosure: SaidWot is one of this firm’s clients) explaining how its service works:
The question I have is: what are the privacy implications for ORM providers who monitor mentions and keywords on the Web for their clients? These providers may also find themselves profiling influential individuals as part of their monitoring activities, in addition to generally collecting bits of personal information about and by anyone who falls into their net. It is helpful to look at how “personal information” is defined in the Protection of Personal Information Bill, which is making its way through our legislative process:
The definition is fairly broad and, when it comes to ORM, parts (e) and (g) are particularly relevant to services which track brand mentions in blog posts, tweets and elsewhere on the largely social Web. These mentions and tweets generally represent their authors’ opinions about brands, and brand owners use these ORM services to help them understand brand perception and identify areas of concern (in fact, both Brandseye and SaidWot will likely pick up on mentions of their brand in this post as part of their monitoring process).
The immediate challenge for ORM service providers is that they collect personal information pertaining to people who may not even be aware that the service exists, let alone is being used to collect their personal information. One reason why this is a challenge is that being unaware of the ORM service means that these users have quite possibly not consented to their personal information being collected. Consent to having your personal information collected is one way to address people’s legitimate expectation of privacy.
One answer is simply that the blog posts, tweets and other mentions these ORM services pick up on are published on the public Web and their authors can’t legitimately claim their works should be private. If they were meant to be private, they should not have been published on the public Web and these authors have no legitimate expectation that their content should be kept private. There is therefore no need for ORM service providers to obtain their consent, provided they only monitor the publicly available Web (as opposed to hypothetically hacking into semi-private or private Web ecosystems).
Another, more interesting, challenge is the potential for profiling through ORM services over time. Profiling is already a potential privacy problem depending on how it is handled (the Electronic Privacy Information Centre in the United States has some interesting information about how profiling is regarded in the United States). Many of us have fallen prey to bogus competitions and promotions, frequently at the hands of 3rd parties we never agreed could collect our personal information. When it comes to consumer-facing profiling, the Consumer Protection Act has quite a bit to say, and we should see some changes to how personal information is collected and used by these parties in the next 6 months to a year as key provisions of the Consumer Protection Act come into force.
I’m not really referring to that sort of consumer-oriented profiling in the context of ORM services (although there is some overlap). Instead, I am talking more about how ORM services could potentially assemble disparate aspects of a person’s personal information into a more coherent profile and somehow make use of that profile in the provision of their services. Many people keep their social media activities split between different identities, spheres of activity or some other criteria. I tend to use my Facebook profile for personal social networking and my Twitter profile for business and generally public social networking. An ORM service may pick up mentions about a brand on both services and tie them together into a more complete profile of me despite my desire to keep my Facebook and Twitter personas separate.
This may not be an issue where each extension of your online identity is public but it could be an issue where a person has compelling reasons for keeping certain personas separate. An astute ORM service user could arguably connect the dots between seemingly disparate social services and associate them with a single individual, much to that individual’s chagrin or even severe prejudice. While we are yet to see a practical example of how this could be problematic, it does raise some interesting questions. At the same time there are some answers and these lie with how users use the privacy settings available to them. Facebook, for example, has a fairly granular set of privacy controls that enable users to hide their profiles and activities from the public Web. Setting these privacy controls appropriately could help address some of the concerns I have alluded to.
ORM services are becoming smarter and while they provide valuable market intelligence to their users, they also raise some novel and very interesting questions. The same can be said for developments on the social Web generally. What matters more and more is how social Web users manage their privacy online (or whether they do it in the first place). It is also increasingly important for companies collecting personal information to pay careful attention to what is being collected, how it will be used and what the possible ramifications are.