Several days ago, in the New York Times Magazine, George Washington University law professor Jeff Rosen discussed the issue of online data permanence and what it means for individual privacy. The challenge, he said, is “how best to live our lives in a world where the Internet records everything and forgets nothing — where every online photo, status update, Twitter post and blog entry by and about us can be stored forever.”
Rosen asked the public to submit questions about Internet privacy to Michael Fertik, founder of ReputationDefender, and Paul Ohm, a law professor at the University of Colorado. The answers are given in a two-part series: Part I and Part II. Here’s a sampling of the questions and answers:
Q. How secure are privacy settings on Facebook? For instance, if my information is blocked to all who are not friends, is it possible for those whom I am not friends with to get at that information? — Chrissy
Mr. Fertik: It is important to remember that none of your settings control what information other people post about you. If a friend posts a picture of you using drugs or exercising poor judgment, then that photo will be distributed as far as your friend’s privacy settings allow. If your friend has her privacy set to “friends of friends,” then photos could be visible to hundreds of thousands of people. And, if your friend has her privacy set to “everybody,” then the whole world can see it. The same goes for status updates, videos, applications and more.
Even if your settings are secure today, Facebook has been heavily criticized for changing its privacy options with little advance warning to users. Simply put, it is unwise to assume that any social media company really has its users’ privacy interests at heart. Each of the most recent rounds of “updates” to the company’s privacy options has tried to set the default privacy option as sharing more information than most users shared under older privacy settings. There is no reason to assume that trend will stop. […]
Q. Professor Ohm is right on the mark in calling for strong legislation that would protect Americans’ rights to engage in any lawful off-hours, off-employer-premises activities as they choose without fear of employment discrimination. How can we best craft such legislation to make it truly enforceable and effective? — Scott Enk
Mr. Ohm: I think the only remotely likely source for a new law like this in the United States is a forward-looking state legislature. I doubt any judge will stretch the privacy torts far enough to forbid this kind of background checking. The Federal Trade Commission focuses on consumer privacy and corporate unfair and deceptive practices. And Congress probably lacks the political will to enact a federal law like this.
Is any state legislature likely to enact such a law? Perhaps. Many states have proved themselves to be great champions of personal privacy. Just in the past few years, for example, California has enacted a tough data-breach notification law, and Massachusetts has enacted the most aggressive data-privacy law in the country.
History has taught us that the best time to enact a privacy law is immediately after somebody suffers a sensational, newsworthy privacy harm. When someone leaked Judge Robert Bork’s video rental records, Congress enacted the Video Privacy Protection Act. When a stalker tracked down and killed the actress Rebecca Schaeffer using D.M.V. records, Congress passed the Driver’s Privacy Protection Act. I wonder if the story of Stacy Snyder — the would-be schoolteacher denied a teaching degree because of a MySpace photo — is sensational enough to encourage legislatures to act.