Where does your digital identity want to go today?
This morning I had cause to revisit an identity-related 'design pattern' that I originally worked on during a workshop back in January, in readiness for a follow-up workshop tomorrow.
The pattern is concerned with the way in which personal information can be aggregated, shared and re-used between social networking sites and other tools and the moral and legal rights and responsibilities that go with that kind of activity.
I don't want to write in detail about the pattern here, since it is the topic for the workshop tomorrow and may well change significantly. What I do want to note, is that in thinking about this 'aggregating' scenario I realised that there are three key roles in any scenario of this kind:
- the subject - the person that the personal information is about
- the creator - the person that has created the personal information
- the aggregator - the person aggregating personal information from one or more sources into a new tool or service.
In any given instance, an individual might play more than one of these roles. Indeed, in the original use-case which I provided to kick-start the discussion I played all three roles. But the important thing is that in the general case, the three are often different people, each having different 'moral' and legal rights and responsibilities and different interests in how the personal information is aggregated and re-used.
To illustrate this, here is a simple, and completely fictitious, case-study:
Amy (the subject) uses Twitter to share updates with both colleagues and friends. Concerned about cross-over between the two audiences, Amy chooses to use two Twitter accounts, one aimed at professional colleagues and the other aimed at personal friends. Amy uses Twitter's privacy options to control who sees the tweets from her personal account.
Ben (the creator) is both a friend and colleague of Amy and is thus a follower of both Amy's Twitter accounts. On seeing a personal tweet from Amy that Ben feels would be of wider interest to his professional colleagues, Ben retweets it (thus creating a new piece of personal information about Amy), prefixing the original text with a comment containing the name of Amy's company.
Calvin (the aggregator) works for the same company as Amy and looks after the company intranet. He decides to use a Twitter search to aggregate any tweets that contain the company name and display them on the intranet so that all staff can see what is being said about the company.
Amy's original 'private' tweet thus appears semi-publicly in-front of all staff within the company.
Depending on the nature of the original private tweet, the damage done here is probably minimal but this scenario serves to illustrate the way that personal information (i.e. information that is part of Amy's digital identity) can flow in unexpected ways.
One can imagine lots of similar scenarios arising from unwanted tagged Flickr or Facebook images, re-used del.icio.us links, forwarding of private emails, and so on.
Who, if anyone, is at fault in this scenario? Perhaps 'fault' is too strong a word?
Well, Amy is probably naive to assume that anything posted anywhere on the Internet is guaranteed to remain private. Ben clearly should not have retweeted a tweet from Amy that was intended to remain somewhat private but in the general to-and-fro of Twitter exchanges it is probably understandable that it happened. Note that the Web interface to Twitter displays a padlock next to 'private' tweets but this is not a convention used by all Twitter clients. In general therefore, any shared knowledge that some tweets are intended to be treated more confidentially than others has to be maintained between the two people concerned outside of Twitter itself. Calvin is simply aggregating public information in order to share it more widely within the company and it is thus not clear that he could or should do otherwise.
On that basis, any fault seems to lie with Ben. Does Amy have any moral grounds for complaint? Against Ben... yes, probably, though as I said, the mistake is understandable in the context of normal Twitter usage.
The point here is to illustrate that currently, while many social networking tools have mechanisms for adjusting privacy settings, these are not foolproof and the shared knowledge and conventions about the acceptable use of personal information (i.e. digital identity) typically have to be maintained outside of the particular technology in use. Further the trust required to ensure that things don't go wrong relies on both the goodwill and good practice of all three parties concerned.