Over on another channel, I’ve been writing about some of the grumblings towards the EU’s proposed changes to their landmark Data Protection Directive. The grumbles have come mostly, but not exclusively, from US social media companies–Facebook, Google, Yahoo, et. al.–who are finding the new “right-to-be-forgotten” rule to be more than just another annoyance crafted by EU technocrats.
The 1995 directive may not be most familiar legislation, but thanks to the efforts of Facebook and Google it has found its way into more than a few business headlines over the last few months. The original DPD law did in fact have a data deletion obligation in that “data controllers”–EU term for anyone who collects consumer data- were told not to keep data longer than was necessary “for the purposes for which the data were collected “.
Sensible advice. And anyone in the IT business with security in their title will cite best practices saying as much–if you want to reduce risks of a breach, for example, don’t store credit card numbers.
But with this new proposal, from the Article 29 Working Party–the cozy name given to the regulators charged with keeping the DPD fresh and lively–have raised the security bar a little higher. Data controllers are now responsible for ensuring that personal data has been made “public” must be erased from third party sites or databases containing a copy or link on request from the “data subject”–EU talk for you and me.
Facebook has been especially critical of this proposed rule. After looking through two of their offiicial comments on the subject, it appears their position has evolved or perhaps revealed itself over time.
In one comment to the EU from 2011, they made the point that Facebook subscribers expect data to be long lived, having described a power that the EU regulators never even claimed: deleting subscriber data withou their permission. Other socual media players (Yahoo and Ebay) had comments that were closer to being legitimate gripes: we should’t be asked to delete everything about a customer, especially for fraud purposes.
Closer to the truth is a letter (from March 2012) to the EU that the The Next Web folks dug up in their research. In it Facebook talks about the technical impossibility of tracking or monitoring posts and images that have been taken off Facebook’s walled garden and republished on the Intertoobz.
No exactly technically impossible, but Facebook is absolutely right when they say in their response that it’s not the way the Internet works. However, there are already companies, such as Tigertext, that encrypt text messaging and enforce an expiration date on content. It’s easy to understand Facebook’s protests: would be asked to implement tokens with time expiration dates–i.e., Kerboros or something like it–that would be used to decrypt and authenticate data among Facebook subscribers. Yikes!
The right-to-be-forgotten obligation would add another wall to Facebook’s garden–maybe something they wouldn’t entirely mind. While not completely foolproof, this centralized token-granting approach to privacy would certainly make it more difficult to casually reproduce content outside Facebook. And yes, this is not the way the Internet was supposed to work–URLs that require tokens. I suppose you could say its digital rights management for the rest of us.
Criticized by Facebook as standing in the way of innovation, the EU’s proposed erasure rule may just spur a new kind of social networking, with privacy as a foundation, and encourage a new breed of startups that will realize this vision.
Photo credit: Wikimedia