To recap what we know about Internet privacy…

There has been quite a lot of talk in social media in recent days about Klout. This has been prompted in large part by an adjustment in Klout scores, which saw a huge drop in influence (10 points in my case). To a lesser extent, some discussion has been generated in response to a very interesting article by Charlie Stross. Klout is not a social network, it is a self-described method to measure influence in social media, from Twitter to Facebook, Klout allegedly measures how many people engage with your content throughout the social sphere. This means that they take into account how many shares, likes, retweets, replies, +1s, and similar social currency you accumulate, and gives you a Klout influence number. So, Lady Gaga and Justin Bieber score quite high in Klout, but also do some social media stars that are not celebrities as such.

I have to admit that I liked the idea of Klout, and that I included a link to it in this blog, and even engaged directly with the site by giving Klout points to people whose content I enjoyed. However, it has been increasingly clear that Klout manages its social engagement analysis by practices that go way beyond what one would normally be comfortable with. The system seems to be based on a very intrusive data mining of everything that you do online. This is done by a system called “supercookies“, which are cookie files stored in different locations to normal cookies, so they are very difficult to track. The problem is that these are sneakily stored because of a simple reason: these cookies are gathering browse history information to create a more detailed picture of the user’s surfing patterns. In the case of Klout, it seems clear that they collect data of what you do from across several social networks, as the interconnection between these services is fundamental to what Klout does. In other words, everything you click, view, like, retweet or share in social networks is available to Klout.

Moreover, Klout is also very intrusive in how it propagates, it has been accused of opening accounts for people who have not signed up to the service, including minors and other subjects that are not likely to be able to offer viable consent. This practice alone is what makes me more concerned about the service.

As mentioned above, Charlie Stross seems to be very concerned about the privacy implications of Klout, and I share most of his concerns. He goes on to describe the issues with the system, but goes further, and declares Klout to be illegal in the UK. As much as I like his books, I have to disagree with his legal take on Klout. Stross says:

“Here in the civilized world we have a fundamental right to privacy. Klout, by its viral nature (and particularly by tracking people without their prior consent) is engaging in flat-out illegal practices. Don’t believe me? Well, here in the UK activities relating to the processing of personal information are governed by the Data Protection Act (1998), a law enforced by the Information Commissioner’s Office.

As we saw earlier, Klout assert that they have the right to collect information about you and conduct direct marketing campaigns if you visit their website. For those of us who are not lawyers, here is the ICO’s conditions for processing personal data: [snip]

Klout are flagrantly in violation of UK data protection law. Their terms and conditions, and their privacy policy, are riddled with loopholes that permit them to resell personal data. They violate Principle 1 of the Act (“the individual who the personal data is about has consented to the processing”). Arguably, they violate Principle 2 of the Act (“be clear from the outset about why you are collecting personal data and what you intend to do with it” — no prior notification to people they hold data on is made). The amount of personal data Klout collects is excessive (see Principle 3), they show no sign of complying with Principle 4 of the Act (“take reasonable steps to ensure the accuracy of any personal data”), and they may well be in breach of Principle 5 (that personal data must be deleted after it is no longer required for the purpose for which it was collected). They violate Principle 6 of the Act (“right to prevent processing for direct marketing; right to object to decisions being taken by automated means”). They violate Principle 8 of the Act (personal data is exported from the EU without due compliance with EU privacy regulations). Shockingly, Klout might actually be in compliance with Principle 7 of the Act governing information security (“you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised”) but it’s hard to tell.”

There are many issues here. Firstly, it can be contested that there is such a thing as a right to privacy in the UK. Art. 8 of the European Convention of Human Rights does establish it, but English courts have repeatedly expressed that there is no right to privacy in common law, and therefore there is no such tort. Courts have been increasingly applying the concept of privacy present in the ECHR, but this is separate from the existence of data protection law. DP is not privacy law, the interests protected are very different from one another, data protection covers information self-determination, which is not the same as privacy, although they may intersect in some occasions.

The second problem with the Stross analysis is the very important question of jurisdiction. I would tend to agree that Klout may be in violation of the Data Protection Act and the European Data Protection Principles as detailed in the above paragraphs. However, Klout is a U.S. company based in San Francisco, and as such it has no reason to comply with European and UK laws, even if the services are available there via the wonders of the Internet. Were they to open a European office, then they would certainly be subject to data protection enforcement, much as Google, Facebook and other Internet giants with European offices have been. Klout cannot be held liable if European citizens forego their rights and use a service that may be violating their rights.

Having said that, I have to share Charlie Stross’ concerns about Klout, and I have removed the link to Klout, and decided to close my account with them. I have to say that the cancellation process seemed to go on without a hitch. Whether any information they have accumulated will remain on their servers is an entirely different question.

I wonder if all of the negative vibe will work against Klout. So far it has been a marketer’s dream. Perhaps it might be time to wake up.


3 Comments

Tyler Singletary · November 17, 2011 at 6:56 am

Just to clarify, Klout does not use SuperCookies. We're continually offered and asked to do so: and we turn it down because it's not consumer friendly. We use open APIs from social networks like Twitter, Facebook, LinkedIn, etc. and collect public data, or data authorized to us via oAuth Authentication to calculate scores. Click-through data is not currently analyzed as part of the scoring algorithm, and again, would only be done through APIs offered by these social networks exposing this information, if that was available.

Tyler Singletary,

Developer Evangelist, Klout

Avatar

Mathias Klang · November 17, 2011 at 9:13 pm

I realize that its strange to compare levels of hell but is Klout any worse than Facebook? FB can follow me around even if I am not logged in (and some say even if I am not on Facebook). Even on you blog I can log in with FB to leave a comment.

But I have a question. Does klout really need you to be a member to measure your clout? Couldn't Klout simply start putting numbers on everyone?

If I ignore the privacy issues (its hard but ok) my real gripe about klout is how utterly useless it really is. Its a game and a system. But they chose impact over certain networks and not others. They create a set of reasonably arbitrary rules and say: these people have won! They have high impact. What klout happily ignores is that people have impact in different ways on different levels, while they chose only to measure a few.

*rant mode off*

    Avatar

    Andres · November 17, 2011 at 9:45 pm

    Good point. I agree with FB, I'm still not too happy with it, but since going back to Costa Rica, I simply must have it to operate in business and social life.

    Klout aggregates all of the different social media in obscure manners, but also they are selling such aggregation. I was also not very happy with their arbitrary number-assignment.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.