I don't think this has to be as hard as it seems on the surface. (Creating a whole new legal regime out of whole cloth that hasn't been woven, from threads not yet made, of fibers not yet harvested.)
Doc, it is not as hard as it seems on the surface. The law, regulators, companies etc, know that the current legal calf cow notice and consent is not fair and reasonable.
The FTC has said many times that privacy policies, which may or may not be an agreement but are at least always representations by the publisher, cannot be retroactively materially changed without notice and consent. E.g. the Zappos case
The courts in the US also believe that notice and consent is meaningful when a person reads and agrees to a change in terms. In fact in California law its a requirement to "(3)Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator’s privacy policy for that Web site or online service.”
There are also other technical requirement in other jurisdictions, like the EU, that state that company must, inform"- whether replies to the questions are obligatory or voluntary,” and "Inform of Rights to Access & Rectify”. So often by law a company will be non-compliant with the law and mis lead people on purpose and do so illegally. These protections are jurisdictionally specific, but this does not mean that if companies want to do business with people in other jurisdictions that they do not have to comply to their laws
In the news just this week not specific to changes in policy but a good example of data protection law being relent is —> Six South Korean activists from the Citizens' Coalition for Economic Justice (CCEJ), the Korean Progressive Network Center and the South Korean chapter of Amnesty International have filed a suit demanding Google "disclose whether it shared their personal information with a third party," Yonhap reports. "Even if Google has servers in the U.S. or other countries, it must abide by South Korean law when dealing with users in South Korea," the CCEJ said in a statement. "Google should therefore respond to South Koreans' requests for information about its history of leaking sensitive data.” (via IAPP NZ)
I suspect that the laws in both countries can be used against Google in this scenario. The point is that expecting people to understand the differences in the policies and the requirements of law is not fair and reasonable. The current infrastructure itself is arguably no longer legitimate, in this regard VRM projects have great opportunity to do something different.
The current system pre-supposes that an individual is capable of reading and understanding policies (and all related policies) in the context of a one time click of consent. This capability is obviously limited and many policy changing practices negate the terms, especially in the US. Like Doc says, people should have a nuke button and be able to withdraw consent and withdraw their data or move their data control to their own indie tech.
So, we are working on this nuke button at the CISWG in Kantara.
New EU laws promise to strengthen the ability to block the use of personal data for a specific purpose. This is just one of the data controls that has great potential.
The point being that Doc is right, new fabrics can now be woven to make older and existing laws make much more meaningful transparency and we can now create easy to use data controls for people. This has tremendous potential value.
The issue has for many years been about enforcement enforcement and I think legal reputation is a major tool to increase enforceability of these existing and emerging laws.
More on the way about this.
- Mark
On 24 Jul 2014, at 23:33, StJohn Deakins <
">
> wrote: But here’s the fascinating thing; the internet brings transparency, and in the last few years we all (pretty much) have started carrying the Internet with us 24/7 - in our pocket/bag during the day and waiting by our bedside overnight. Equipped with the right tools (apps) the smartphone can illuminate things that were once made opaque in the Industrial Era. My hope is that if we can do this, companies will need to evolve very quickly to survive in our emerging Information Era. StJ <image001.png>
citizenme
StJohn Deakins
skype: stjohndeakins twitter: @stjohndeakins / @ctznme From: Johannes Ernst [
">mailto:
]
Sent: 24 July 2014 22:50
To: StJohn Deakins
Cc: ProjectVRM list
Subject: Re: [projectvrm] On Datacoup's Patently Unfair T&Cs In the US, all sorts of things change on you all the time. Not just interest rate and fees, but also the fine print. Some of those changes I can understand -- for example, they do need to take into account recent law changes and court rulings in various states. If, for example, state X decided that it should be illegal to buy booze online with a credit card, they basically have to add a line that says that you promise not to buy booze online in such state, otherwise they are probably liable in some fashion, and that's really not open for negotiation. Other changes I can only explain from the perspective of postulating that there is a deliberate strategy to change the terms every few months, in order to make it impossible for you to understand what the current rules are.
That’s true they do, although they’d claim that it’s part of the explicit term of a loan (i.e. variable rate V. fixed rate interest). The hidden term for credit cards is usually “we can ‘share’ your data for marketing purposes”. This actually means “you agree that your data becomes our asset – so in addition to charging 35% APR we’ll also sell all your data to a broker as an additional revenue stream”. skype: stjohndeakins twitter: @stjohndeakins / @ctznme Credit card companies seem to do that all the time. Agreed Doc. The absolute worst combination is: 1. “We can change these terms anytime we want” 2. “Use of the service shows acceptance of the changed terms” Would we accept this in an offline transaction? Imagine hiring a car and the excess/hire rate/insurance etc can be changed without telling you during the rental period - and continued driving of the car during the rental period means acceptance. skype: stjohndeakins twitter: @stjohndeakins / @ctznme An additional point about privacy policies, which haven't been on the table yet in this thread, but usually go hand-in-hand with TOSes: they are policies and not terms, and (like terms) they can change. In fact nearly all of them have a rider saying "we can change these any time we want." Another rider to both TOSes and privacy policies is language that moots most or all obligations in the event of the company's sale to another company. Both these came up a few years back when Foursquare started, and some corner of Harvard did something cooperative with Foursquare that I flagged on a backchannel there. It was all harmless (mostly, as I recall, it was about Harvard getting straight on Foursquare what the names of locations were), but it led a number of us Berkman folk to dig deep into Foursquare's terms, which, typically, featured the riders in the paragraph above. As Renee (a former legal eagle for Harvard) has often taught me (and us) , all the defaults in our (still) Industrial Age marketplace have long put responsibility for terms, conditions and policies on the service provider's or seller's side. This is also how the calf-cow client-server system works on the Web. We individuals are not equals. Coming into a relationship with our own terms, policies, preferences — or anything — isn't unthinkable by legal folk, but rather something they've hardly ever though of, at all. Nor have their law school professors. But we are getting help on the policy side now, with laws and regulations coming down in the EU and Australia. We also have something close to a critical mass of fourth parties (including one by that name) in Australia and New Zealand. These are companies whose job is to side with the customer, or with both the customer and the seller — but with a moral anchor, if you will, on the customer's (or the user's) side. I don't think this has to be as hard as it seems on the surface. (Creating a whole new legal regime out of whole cloth that hasn't been woven, from threads not yet made, of fibers not yet harvested.) The Respect Network tour was a terrific learning experience in this regard. The promises around permissions in the Respect Trust Framework, for example, require new mechanisms for expressing preferences, terms, policies and agreements on both sides. And these don't need to be hard or complicated. To mix metaphors, there are low-hanging fruit there. "Has the ProjectVRM Forum lost its moral compass? I hope not. " No, it hasn't, and you are not it. Your point about TOS and Privacy policies is well-taken and something a lot of us look at frequently. But there is a problem with your comment - that there needs to be some kind of fundamentalist litmus test for participation in this community and we need to police it by some standard of yours. VRM is a "big tent" with participants from across the spectrum of business and life. There are no bosses and there are, like 2 mods. We are here because we think there is something to this idea Doc has been working on for years, and as a community we need lots of voices (including yours) and more importantly, work. Since 2007 we have discussed the idea that VRM is a framework and set of principles, not a black-white determination. There will be "shades of VRM", and as a community we need to recognize that, accept it and be focused on helping participants (including very big organizations) to get better. This list existed long before you got here, Graham. As a community we have called each other out numerous times, and will continue to do so. When we call out data brokers or politicians it's because those are learning moments for everyone, and they are usually TERRIBLE. Additionally, most of us have jobs and we are not all DataCoup users - we all don't fine-tooth-comb every TOS from every VRMish startup on the web. If you have that kind of time, good on ya. There is no "VRM Good Housekeeping Seal" and there might never be. Matt has a startup. He is actually doing something. DataCoup might not be 100% VRM, and may have a crappy TOS, and that's ok. Everyone, including you Graham, has room for improvement. Let us work with him. Matt is here, he is engaging. We can learn from him and hopefully help him. - You might want to talk to legal about the arbitration clause and see if there is a better way - it limits your risk but screws the user
- You might want to look at putting together a TL:DR sidebar on your Privacy page and spelling out, (in bullets, written at a 8th grade reading level) what the policy actually says
- You might want to look at your termination policy in the TOS and properly spell out what happens to the User's data on DataCoup if and when they terminate the relationship (see Doc's "I want a NUKE button for my data on any given service" comment from a couple years ago) and what regulatory requirements might prevent the ability to have a NUKE button (IRS reporting and retention policies, etc.).
"The large print givith, the small print takith away". Priceless and sadly so true. I missed this thread and after reading through, I appreciate the points you've made Graham! In CA arbitration clauses are deemed substantively unconscionable and are struck. Claiming to be VRM 'end customer' friendly in message and posting TOS that exploit the End Customer is directly at odds with VRM. In fact, they ought to post that first sentence above as a disclaimer on their site. You are indeed right. The real world is usually far more grey than stark black or white. But that doesn't mean we should simply accept moral relativism with a shrug of the shoulders. As Michael Sandel points out in his excellent book on 'Justice', we usually know what's the right thing to do. Surely a startup extolling how it wants to treat customers 'fairly' on its front-page should not so blithely insert patently unfair caluses into the small-print of its T&Cs. I have worked with a number of lean startups and recognise the need to learn by doing. But I don't think this is an area where any learning is really required. It is obviously the wrong thing to do. The arbitration clauses are unfair and should be removed. Somethings really are black and white. As the old saying goes... “I do not want to drive across a bridge designed by an engineer who believed the numbers in structural stress models are relative truths.” Best regards from Cologne, Graham PS. FYI. On clicking on Lockstep's T&Cs I am taken to a text box that says Legal Information but has no content. Is this intended?
I do count myself in the camp that distrusts digital companies' Ts&Cs as being monstrously one sided and opaque, but I can't let this bombast go through to the keeper: "Either you treat customers fairly, or you don't. There is no half-way house." Of course there is a half way house. And a one percent way house, and a sixty five percent way house, and a very nearly all the way house -- if only because customers' perceptions of reasonableness (and lawyers' definitions of what the reasonable person thinks) are changing all the time. I repeat, I do agree that the infomopolies are not to be trusted; they do all they can to train users to be relaxed and comfortable and complacent about Ts&Cs. But we really need to tackle these issues with more nuance. Nothing is absolute. Nothing should be said to be "broken" (for the same reason as nothing should ever be assumed to be 100% secure of safe or private. Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy. Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft. I am sorry but I do not buy your excuse for creating such ethically problematic and patently unfair T&Cs. It simply doesn't wash. Either you treat customers fairly, or you don't. There is no half-way house. Being a lean start-up is most certainly not an adequate excuse. I have the ProjectVRM Forum to thank for making me so aware of the importance of reading T&Cs. They say so much more about a vendor's underlying approach to business than any amount of flash web pages or glossy marketing. I wonder how many of the other VRM vendors' T&Cs are full of similar one-sided clauses, weasel words and scant regard for customer ethics, as Datacoup's is. More generally, I find it interesting how, on the few occasions that someone has pointed out a serious shortcoming in a VRM solution or its ethics, practically nobody has anything to say about it on the ProjectVRM Forum. Even Doc, who normally has a well-thought through opinion on most things VRM, passed on Datacoup's ethically problematic T&Cs. Yet if a marketer, data seller or politician says or does anything contentious about consumer data, the same ProjectVRM Forum is instantly up in arms. Somethink is not right. Has the ProjectVRM Forum lost its moral compass? I hope not.
Best regards from Cologne, Graham
If your point, as you stated in the follow-up email, was: "The point isn't so much that it is technically difficult for an average Joe to take charge of his own data, but that no average Joe can be bothered to do so." then I don't think I missed it. I addressed it in the first two sentences of my email, which I'll paraphrase here: People won't take control until it's worth their while, which likely happens at a choke-point for a big ticket item. Regarding TOS, we don't have the legal budget (at the moment) to spend on our ideal TOS. In absence of that, we need to start with something broad-sweeping that mitigates our liability as a company, so we an stay alive until we can improve the next version of TOS, product and marketplace. We abhor contracts of adhesion, and are working toward a goal of transforming our TOS into something much more in line with what Doc espouses in The Intention Economy. Building a co. is all about incrementalism. Utopia is not for this world. If you think you are going to open a box and find a panacea, you'll be opening boxes 'til you are blue in the face. As far as datacoup goes, I didn't offer it, to this email chain, as a solution to the ills of all consumer experiences. In fact I didn't make any mention of it at all... you did. If you'd like to chat about my platform, we can set up a call or side email to discuss at further length (current abilities, goals, future path, etc)... I'd be happy to do so. I think you rather missed the main point. The point isn't so much that it is technically difficult for an average Joe to take charge of his own data, but that no average Joe can be bothered to do so. It is primarily about the lack of interest, not just the lack of ability. As the research on the behavioural economics of privacy suggest, personal data managemnt is a very incomplete, messy and technical solution for a privacy job-to-be-done that practically no Joe is really all that bothered about. Today's post-recessionary Joe's are too busy trying to make ends meet and getting on with their busy lives to be bothered with something as irrelevant as data management. As Hume's Guillotine illustrates; 'ought' is not the same as 'is'. You list a short range of data that can be dowloaded through, e.g. APIs. Yet your own company, Datcoup only allows users to download two of them, a range of ephemeral social data from the usual suspects and credit card data. Your service doesn't allow you to download data from 95% of the categories that make up the typical household expenditure, nor does it allow users to control how what little data that can be downloaded is used once it has been downloaded. And it doesn't stop any of the social media or credit card companies from using the data they already collected about you in any which way they want, nor from using the data against you, e.g. by offering you only higher-priced products (as this article on Sell Your Personal Data for $8 per month http://www.technologyreview.com/news/524621/sell-your-personal-data-for-8-a-month/ points out). Despite the claims to democratize personal data by establishing an open, fair marketplace for individuals to sell their personal data, the insistence in Datacoup's long and convoluted T&Cs on mandatory arbitration is anything but fair and democratic. In fact I would go as far to say that it is morally and ethically unacceptable, as it denies one or both parties their fundamental rights to a fair trial by their peers, a foundation of justice (see Signing Away Your Rights http://prospect.org/article/signing-away-our-rights-0 for more details). Under no circumstances would I sign such an unfair contract in order to use Datacoup's services. Best regards from Cologne, Graham
It's time, capital and technical skill intensive for average Joe until it's not. Meaning, at the right choke point, be it for mortgage or other loan product, insurance product, or other big ticket item where the value gained from the vendor is enough to warrant someone to "take control" (aka aggregate and share), then people will do it in droves. As a technical matter, it's really not that difficult at all: Social data: oauth, api's Quantified self data: oauth, api's Search data: browser extension (as effortless as ad blocker) Device data: native or even just mobile browser app Did I miss any major data sources? This all exists, and connecting these data sets in perpetuity takes less than a minute. I think management of personal data by the individual is a lot closer than you are surmising. And why is it fanatical to want to harness the value of an "asset", ostensibly created by yourself (with help from platforms) that others are making billions from? Seems pretty reasonable to me. If you hate to make an ad hominem argument then don't make one. I agree with you that there are many examples where privacy has been trampled upon. And of course, they are a source of much existential angst for the chattering classes. But there are very few examples where your average Joe had decided that enough is enough and that he needs to take charge of his data in future. Installing an ad blocker is almost effortless. And it makes web pages load so much faster. Taking charge of your data is far from it. It requires, time, money and technical skills that the vast majority of Joes do not have. Even if they did, the market for data management tools is at the rapid development stage of market evolution, placing a huge additional integration burden on any Joe bold, or stupid enough to want to manage his own data. To be blunt, personal data management is currently something for fanatics. Moore and Schumpeter may change that, but probably not in the next few years. The market for intermediaries has been well documented. Consumer Focus (http://www.consumerfutures.org.uk/files/2014/01/Next-Generation-Intermediaries.pdf) and Ctrl-Shift (http://www.consumerfutures.org.uk/files/2014/01/The-Rise-of-the-Consumer-Empowering-Intermediary-Ctrl-Shift.pdf) have both produced excellent reports recently describing how they have stepped-up to the plate to provide customers with, e.g. comparison sites and product aggregation for complicated financial services products. AirBnb and Uber whilst superficially similar are not quite the same, as the products they offer are much easier to understand. Both in complicated finanacial services and easier hotel listings, intermediaries provide a multi-sided market (MSM) platform that allows consumers to more easily find, compare and in some cases, buy services from sellers. But in reducing the customer's costs they may increase sellers' costs by a similar or greater amount (see http://www.hbs.edu/faculty/Publication%20Files/14-052_41d72e17-7ca8-4090-99eb-a7d24e8eaa0f.pdf and Section 1 of http://www.econ.cam.ac.uk/research/repec/cam/pdf/cwpe1361.pdf for more details. That is why most MSMs charge sellers to offer their services, at no cost to consumers. And why most brands are keen to get off intermediaries and go direct to consumers. For example, when I worked in the Netherlands insurance market a couple of years ago, one particular motor insurance aggregator had become so powerful that it distorted competition for the industry as a whole. Not only did insurers feel that they would be competitively disadvanteged if they didn't list on the aggregator, but also the aggregator was able to demand lower factory gate pricing than the insurers could offer on their own websites. There was little suggestion that consumers benefited from this centralisation of power in a single aggregator. It was a market failure every bit as large as the previous difficulty in consumers being able to easily compare like-for-like prices on insurer's' websites. Intermediaries are not the competitive panacea that many would like them to be. As the old saying goes, 'be careful what you ask for, you might get it'. Best regards from Cologne, Graham
Responses inline below... AirBnB is interesting. Chesky suggests that Millenials are different to the rest of us... but are they really?
She does cite research, though. I just can't help wondering how tendentious her argument might be. The evidence suggests not. And that bodes poorly for the versions of MeCommerce that requires consumers to raise a finger when it comes to data and privacy.
Ends require means. Lack of means does not argue for absent ends. The appetite for privacy online is real and growing, especially as offenses to it pile up on all generations. Here's the important fact: The Internet is a public space. By design. It's kind of like the physical world that way: "Here ya go, people. You're naked and living outdoors. What are you going to do about it?" (Hmm. Perhaps biting the forbidden fruit in Eden gave us an appetite for privacy, property, and other things to hassle each other about.) Anyway, we've had thousands of years to create privacy technologies such as clothing and shelter. Frank Lloyd Wright said "The meaning of the word 'shelter' includes privacy." He also said architecture was the original art form. We don't have either yet, except through centralized services. We've only been at the Internet we know now for eighteen years. We have a long way to go. Digression... Last night, when our 17-year old son asked me what the big deal was with wanting private (non-intermediated) communications online, I said this: "Imagine if the conversation we are having now in the physical world first required signing in to some company's facility before we could have it." The future looks much brighter for the versions that allow intermediaries to do it all for them.
Airbnb is an intermediary. So is Uber. Both are more lightweight than the traditional forms they supplement or replace. But they still intermediate. They lean toward what Brian the other day called "minimal viable centralization." I think that's a good way of putting it. But do we really want self-serving intermediaries expropriating value by placing themselves between consumers and brands? The evidence from other industries, e.g. airline travel, book selling and general insurance, suggests not.
I'm not sure who you're calling self-serving intermediaries. Travel agents, book stores and insurance agents? I'm guessing, but I don't know. Just looking for clarification. Just a thought.
Best regards from Cologne, Graham
On Sun, 20 Jul 2014, Dan Miller wrote: http://nyti.ms/1yI1ake
If I'm mistaken, many of us have been pretty dismissive of Tom in the past, myself included. But I think this column gets to the heart of how mainstream columnists can and do connect the dots between all of the headline grabbing surrounding the sharing economy and Big Data and the notion that each individual's personal info counts.
The irony of course is that many of us won't use AirBnB thanks to heavy lifting they require in terms of validating our own IDs. Like uploading fotos etc.
Airbnb lost us as customers when they required us — loyal, frequent customers who liked the service a great deal — to "verify" our identities by logging in with Facebook or uploading a personal video. After I posted a critical (but constructive) blog post about it <http://blogs.law.harvard.edu/doc/2013/05/28/lets-help-airbnb-rebuild-the-bridge-it-just-burned/>, they reached out to tell us a bug was involved, and that they were fixing the system. But I don't know if they actually fixed it. From what I gather at <https://www.airbnb.com/trust>, a "Verified ID" still requires exposure through social networks, or ... not sure. And, looking at <https://www.airbnb.com/help/article/450>, I'm not interested in trying. Does anybody know if "verifying" one's ID still requires a video if one is not on Facebook or Twitter? I think someone inclined to rent a room out wouldn't let that stop them, and as much as I care about my privacy I certainly understand the value/purpose to a validated identity in situations like this. What worries me a bit more is:
Chesky answered. “I think now, for the younger generation, ownership is
viewed as a burden. Young people will only want to own what they want
responsibility for. And a lot of people my age don’t want responsibility
for a car and a house and to have a lot of stuff everywhere. What I want
to own is my reputation, because in this hyperconnected world,
reputation will give you access to all kinds of things now. ... Your
reputation now is like having a giant key that will allow you to open
more and more doors. [Young people] today don’t want to own those
doors, but they will want the key that unlocks them” — in order to rent
a spare room, teach a skill, drive people or be driven.
Are we truly at the point in society where no one ever loses their public reputation unfairly, where building a positive reputation is universally accessible and yet hard to game? Are we no longer at risk of confidence games (short or long), where referrals can be minted from thin air, or achievements claimed without any risk of fraud?
These same "young people" also presumably don't want the burden of pensions, insurance, wills... but when cornered will fight for rent control, Medicare, Social Security, and regulations.
I'm reminded of the discussion here about the Uber drivers working 10 hour days at a net wage that only barely covers the gas and wear/tear on the car.
Is that really (or often) the case? I've only used Uber twice, but both times the drivers bragged on the service and told me they were making good money at it. I don't think they were being insincere. And the rides were a helluva log cheaper (in both cases going from airport to home) than taxis. Or this, echoed by a comment on the NYT article by "SJ" of Wash DC:
I find the phenomenon of things like AirBnB to be more of a sign of
economic desperation than any kind of growing interconnectedness. It
also represents a disconnected population willing to give up their
residences to complete strangers for purely financial reasons. In other
words, as the world becomes more and more cutthroat people are becoming
more and more willing to sell every aspect of their lives. What's next.
I do think there is an optimal state where the AirBNB hosts who truly do this for "more than financial reasons", and yet are able to do so profitably, are the vast majority; but as it expands in popularity if the focus is too much on inventory and scale, eventually it will go south, a la Ebay, and have difficulty recovering. Maybe that's the great cycle of these kinds of things, from niche to novelty to winning to scale to decay.
Hope AirBnB doesn't speed through that too quickly, or burn too many people along the way.
Brian
Well, we never used them again. Important fact: there are other choices for some locations, such as VRBO: <http://www.vrbo.com/>.
CEO/Co-Founder
DataCoup, Inc.
------------------------------------------------
Sean W. Bohan ------------------------------------------------
Mobile: 646-234-5693
|