jillybinks ([personal profile] jillybinks) wrote 2008-03-15 05:21 pm

Spokeo PSA - Specific Legal Information

My task this weekend was to spend as much time as possible researching data privacy laws. This may have been the perfect time to make a questionable decision regarding the release of personal data.

As I may have mentioned in the last post, I'm seriously considering making a complaint to the Federal Trade Commission. The FTC has governance over a majority of the issues regarding US data privacy rules and regulations. I have several reasons for placing a complaint.



1. I believe that the lack of information given when signing up for the program is deceptive and does not state what data will be given and how it will be used.

Section 5 of the U.S. Federal Trade Commission Act declares that "unfair or deceptive acts or practices in or affecting commerce" are illegal. Specifically, the FTC has taken the position that misrepresenting why information is being collected from consumers or how the information will be used constitutes a deceptive practice.

I received two emails from Spokeo, one that said that "[Username] has invited you to Spokeo." This is the email that I followed. Once I followed the link, I was under the impression that I was creating a new account. However, I was indeed accidentally giving the site my email logon information. The only message on the site that stated this is this wording placed in smaller print on the logon site. "Your email and password are required to retrieve your email contacts, and will not be used again to access your email account. Concerned about your privacy? So are we! Read more."

While this did state that my email address was to be used, it did not say that it would access my email account, download every email address in my address book and then send out the ominous, "Someone has been searching for you on Spokeo" to everyone in my address book. At no time was I ever informed that these actions would be taken and I still have not found a disclosure. I've only been able to discover this while investigating the site.

2. The site does not have procedures in place to keep from gathering data from children (under the age of 13) or from members of the EU countries.

The Children's Online Privacy Protection Act of 2000 ("COPPA") requires, among other things, that any website that gathers personal information from children under the age of 13 must obtain verifiable parental consent before collecting the personal information. They also must provide a privacy policy specifically geared towards the collection of minors' data. There are exceptions to the site's collection of a child's name and email address, but this site does not fall into any of those exceptions.

The EU Data Privacy Directive gives much more restrictive requirements for the use of data belonging to those people who reside in the EU. Name and email address are both considered personally identifiable data and while they could be considered public data in the US, they are not in the EU.

Specifically, the Directive states that an entity must give EU members notice of the data being collected, the uses for that data, the third parties that will be sent that data and so on. Also, depending on the specific laws of the member's country, consent of the data subject must be gathered prior to the collection of the data. In addition, databases that hold personally identifiable data must be registered with certain data protection authorities before the data is collected. Also, the EU Directive has strict laws regarding the transfer of data across country lines, including transfers to the US.

At no point was I able to select the members of my address book that were included or not included in the information gathering process. The site did not differentiate between American adults, members of the EU countries and/or children. The site does not seem to provide any additional processes to address the specific needs of these two groups.

3. The site is, for lack of a better word, skeezy.

I placed my full name into my account at Amazon, since I wanted my relatives to be able to search my wishlist. I only put information into that wishlist with that information in mind. However, when I created my Picasa account and filled it with my picture and the pictures of many others, I purposefully did not link it to my full name. This site links the two together and now you have my face, my name, my friends' faces, my shopping interests, and so on. This site seems to provide the perfect arena for stalking and harassment via the internet.

While working on a project, I gained, with his permission, the email address of a small celebrity. I now have access to way more information about that celebrity than I ever wanted or think that I should have access to.

The emails that were sent out without my permission seem to threaten consumers into joining the program.

4. Spokeo plans to offer services to advertisers.

Per the Spokeo Advertising Policy, "Tell us the blog you want to promote, and we will insert it into our users’ friend lists. To better spotlight you and to uphold our user experience, we will insert no more than 5 sponsored friends per user. The insertion will happen only upon new user registration. Once inserted, your blog will forever become those users’ friends, until users manually remove it." US laws state that this sort of Opt-Out consent is legal for marketing to people. However, in the EU, consumers have to Opt-in, namely specifically consenting to this sort of marketing.

Also, the policy provides no rules regarding the use of the data gathered from consumers on the site. I have no assurances that my data shown in my Amazon wish list or any other data on the site will not be given to advertisers.

5. Overall impressions.

So far, I've not been able to find any breaches of private information. I also agree that the data being collected is publicly available. What I do have issues with are the procedures for gathering this data, the emails sent to promote the site and the general lack of clarity in the sign-up process. This is not a witch hunt; I don't necessarily want the site shut down, but I do think that someone in authority needs to look at their procedures. Considering the privacy issues that Myspace and Facebook have had recently, I think the FTC will be very interested in this site.



This is just a preliminary list of my thoughts. Feel free to question my assertions, to add your own concerns and so on. Also, feel free to let me know if you have questions or if you want more information on a specific law or issue.

Also, by request, I am unlocking these posts, since this Spokeo thing seems to be affecting far more users than I have access to. Please feel free to link to these posts. However, I ask that you not repost this data elsewhere for the time being. I'm trying to gather as much data as possible before I commit to any actions and I would like to keep this information on the downlow until I decide the best course of action.

However, I do want to make sure that people are able to get this information from somewhere. Right now, this site seems to be spreading like a virus and more and more people are being sucked in. It's really shameful.

ETA: The EU Privacy and Electronic Communications Directive (2002/58/EC) states that individuals must give prior consent in the form of an opt-in prior to receiving email. The only exception to this rule is in the case of an existing customer relationship, which does not exist in this case.

[personal profile] crazybutsound 2008-03-16 01:18 am (UTC)
Ah, so that email from spokeo that I received came from "you", then? Or maybe not, but I did get one and I followed the link but didn't sign up or anything. I had one look at the first page, realized I couldn't figure out what the site was really about, and that it was asking me to create an account to go further (after telling me what sites whoever had been looking me up on spokeo had had access to), and I walked away. What you're saying here confirms my first impressions indeed. This looked like an extremely skeezy website from the first look anyway. I am so very grateful that I did not follow through and create an account just to see what the site was about.

[identity profile] jillybinks.livejournal.com 2008-03-16 01:22 am (UTC)
Yeah, it probably was from me.

I'm glad that you didn't join up. However, I still have access to data on you. Email me at jillybinks at gmail dot com if you would like to know what I can see.


[personal profile] crazybutsound 2008-03-16 01:27 am (UTC)
I just realized as much, reading your other post, yeah. Also, I forgot to give you my addy when I replied there but just in case, it's my lj username at gmail. Thanks!

[identity profile] jillybinks.livejournal.com 2008-03-16 01:57 am (UTC)
I also responded to the other thread. I screened that comment, but let me know here if you need more info.

[personal profile] crazybutsound 2008-03-16 02:47 am (UTC)
Thanks! I just spent a lot of time changing privacy settings and deleting various accounts. I'm still concerned, though. I mean, I don't mind my amazon wishlist being seen, that's kind of the point. Same with my flickr account. I'm more concerned about "what" kind of info is available other than the fact I have accounts that can be found by searching my various email addresses and usernames. Like... do you get my real first and last names, address, etc? Because those I would be more than a little concerned about. If it's just screennames and associated accounts on various websites, I don't mind quite as much, you know? And I really don't want to sign up to that site to figure it out. This is so frustrating, ugh. You're a star for finding all of that out, though. ♥

[identity profile] jillybinks.livejournal.com 2008-03-16 02:54 am (UTC)
So far, all I can see on the existing accounts are your email addresses, your full name (initials PL?), your age, location (France) and your nicknames/screen names.

That's it.

[personal profile] crazybutsound 2008-03-16 03:01 am (UTC)
Mmmm, that's pretty standard. I guess I can live with that. Hopefully, with everything I've deleted and turned private, there should no longer be unwelcome associations between accounts, either. Oh well, not much else I can do on this end at this point anyway. I'm mostly glad my livejournal accounts don't show up next to my wishlist and flickr as those I want to keep very, very separate.

Thanks for your help!

[identity profile] izzybeth.livejournal.com 2008-03-16 12:19 pm (UTC)
you rock so hard for researching and putting all this work into this. i bet i got one of those e-mails from "you" too, but i didn't even open it, i thought it was spam right away. i think the subject line said something about "a trusted friend has invited you" or some such, and that immediately rang alarm bells. why not just say "Jill" or whatever? so yeah. basically? you're awesome, and i think you're right, the FTC will be interested.

[identity profile] tenar.livejournal.com 2008-03-16 04:51 pm (UTC)
*what izzy said*

i'm still kind of confused about what/how it presents data to you - so you're able to see things now that are different from what someone googling a person's name would see?

[identity profile] jillybinks.livejournal.com 2008-03-16 05:43 pm (UTC)
I don't think so, but I haven't really tested it out. I think that if you had four hours and google and someone's full name, all their email addresses, etc, you could get it all by google. The thing that I think is skeeery is that you only need one thing, like your myspace page. You have that page url, you type it in and it gives you access to that and it also gives you every other system that was established using that email address. Instantly.

Edited for English.
Edited 2008-03-16 17:44 (UTC)

[identity profile] jillybinks.livejournal.com 2008-03-16 05:45 pm (UTC)
That's cool. However, the emails are helpful because they provide you an opt out for any future emails and they also tell you some of the systems where you are publicly exposed. Heee. So, you might want to retain them for future reference. But I can tell you what I can see and where.

[personal profile] msilverstar 2008-03-16 10:02 pm (UTC)
Good stuff, I will post and link.