The social networking site Friendster got into a lot of trouble with some of its members recently by changing its ground rules. Friendster, along with similar social networking sites, allows individuals to create profiles of themselves on the Internet and then look up profiles belonging to friends, potential romantic interests, and long lost acquaintances. One of Friendster’s neatest functionalities is the ability to see beyond one degree of separation (i.e. to friends-of-friends), which exponentially expands the range of one’s possible social contacts. (For a paper on social networks and their privacy implications, go here.)
Friendster seems to have been gathering data all along about which of its members were viewing which other members’ profiles. But until recently, it kept this data secret, and many of its members appear to have assumed that they could look up the profiles belonging to long-lost-exes, elementary school friends, friends-of-friends, and co-workers anonymously. Not so. Friendster, with little fanfare, recently introduced the “Who’s viewed me” function, and allowed its users to learn the names of everyone who had ever looked them up. Now Friendster users could quickly satisfy their curiosity by finding out who had viewed their profiles, but were mortified to learn that other users could do the same thing to them. Friendster was deluged with outraged user emails and blog commentary, and a terrific law student, Rebecca Silver, brought the controversy to my attention.
Friendster has since apologized for underestimating the intensity of its users’ opposition to the policy change and enabled users to opt in to the anonymous viewing of others’ profiles, which solves the problem reasonably well going forward. But I actually think that Friendster’s initial instincts, this notion of symmetrical privacy, have broad applications to privacy law.
Symmetrical privacy is simply the idea that individuals or entities may access my private data, but if they do so, I am entitled to know what they are up to. Symmetrical privacy is not a core feature of American privacy law, with the exception of case law and several statutes governing criminal searches, but I would argue that this principle has great appeal as a method of resolving many contentious information privacy issues. If an employer, identity thief, health insurer, or credit card company wants to access my credit report, at least let me know about it. If someone makes a FOIA request for government documents that reveal something about me, I should be notified of this request by the government. If someone goes to Fundrace.org or a similar site to see which political candidates I have donated to, I have no right to stop them from doing so, but I ought to have the right to be informed of their snooping. Symmetrical privacy might or might not be a solid foundation for a social networking site, but it seems to me that it is an excellent starting point for the law’s treatment of private information.