I love me some screen scraping and mashups and data portability, but when it comes to personal information things get a little more complicated.

I'm in San Francisco today at Dappercamp, an event centered on a tool that always has to keep in mind the rights of those it interfaces with. Keynote speaker Mitch Kapor just told the group that the foundations of the web are sharing and openness and that intellectual property rights online should be constructed around, and respect, those qualities.

It was a refreshing way to frame the often contentious relationship between corporate content publishers and those of us on the margins seeking to mash things up, but similar issues are beginning to arise in terms of personal and interpersonal information about users.

What Google is Doing

The new Google Social Graph API was a big move last week in this direction. The Social Graph API lets developers draw connections between your friends on one service and your friends on another. It indexes XFN (XHTML Friends Network) and FOAF (Friend of a Friend) data, standard microformats that publishers like Twitter or Facebook can append to your friend relationships inside their services.

The Case of the Googled MySpace

Though in most cases the API pulls in publicly available information explicitly marked up with one of two microformats, there is no standard yet developed for user opt-in or opt-out. Google's Social Graph API is also not limited to XFN and FOAF data. MySpace CTO Aber Whitcomb told me this afternoon that the API includes a custom mechanism to extract social connections between friends on MySpace, though that social network does not yet publish XFN/FOAF.

Whitcomb pointed out that while there's interesting information you can learn by looking outward at who a person's friends are, there may be even more of interest to discover by looking inward, from a social circle toward the one person its members are all connected to. That's not information that said individual had very explicit control over, though it's fascinating to think about from an application's perspective. Nonetheless, the absence of XFN/FOAF data in your social network is apparently no assurance that it won't be pulled into the new Google API, either. The Google API page says "we currently index the public Web for XHTML Friends Network (XFN), Friend of a Friend (FOAF) markup and other publicly declared connections." In other words, it's not opt-in even for publishers - they aren't required to make their information available in marked-up code.
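To make the outward and inward views concrete, here is an added example (not Google's code and not from the original post) that reads XFN `rel` values from public pages and reports what that markup says about a profile, including claims published only by other people. The pages, URLs and the `exposure_report` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from collections import defaultdict

# XFN relationship values (subset of the XFN 1.1 profile) that declare a link
# between people or between two profiles of the same person ("me").
XFN_VALUES = {"me", "friend", "acquaintance", "contact", "met",
              "co-worker", "colleague", "kin", "spouse", "sweetheart"}

class XFNLinks(HTMLParser):
    """Collects (href, xfn_values) for every <a> carrying XFN rel values."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        rels = set((a.get("rel") or "").lower().split()) & XFN_VALUES
        if rels and a.get("href"):
            self.links.append((a["href"], rels))

def build_graph(pages):
    """pages: {page_url: html}. Returns (outward, inward) edge maps."""
    outward, inward = defaultdict(dict), defaultdict(dict)
    for url, html in pages.items():
        parser = XFNLinks()
        parser.feed(html)
        for href, rels in parser.links:
            outward[url][href] = rels   # what this page declares
            inward[href][url] = rels    # what others declare about the target
    return outward, inward

# Constructed sample pages; every URL is a placeholder on example domains.
PAGES = {
    "https://social.example/alice": '<a rel="me" href="https://blog.example/alice">blog</a>'
                                    '<a rel="friend met" href="https://social.example/carol">Carol</a>',
    "https://social.example/bob":   '<a rel="co-worker" href="https://social.example/carol">Carol</a>'
                                    '<a rel="nofollow" href="https://ads.example/">ad</a>',
}

def exposure_report(pages, profile):
    """What the public markup says about `profile`, whoever published it."""
    outward, inward = build_graph(pages)
    return {"declared_by_profile": dict(outward.get(profile, {})),
            "declared_by_others": dict(inward.get(profile, {}))}

if __name__ == "__main__":
    print(exposure_report(PAGES, "https://social.example/carol"))
```

In this sample Carol publishes no markup at all, yet the report still lists two relationships about her, which is the inward view described above.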

Where's the user control? MySpace, for example, says on one hand that user privacy is of the utmost importance, but they also say they will deal with the Google Social Graph situation if problems arise. In practice that actually sounds OK to me, but on principle I think there's a cautionary tale here.

Some have said that those not wanting to connect their profiles in a machine readable way simply shouldn't link them at all; others argue that privacy is an illusion and that we need to get over it. Both of those are vastly insufficient responses to the situation.

Issues and Objections

When Robert Scoble was kicked out of Facebook late last year, some users agreed with the company and said "the fact that I've friended you in Facebook doesn't mean I give you permission to take my info outside of Facebook."

Aside from the fundamental absence of user control here (and that is not going to be an easy problem to solve), there are other issues that other bloggers have brought up.

Joshua Porter ties together much of the conversation, first in a post with good comments about why he's excited about the Social Graph API and then in a follow-up post summarizing some objections.

Thomas Vander Wal contends that this new API is exactly the kind of thing that "social engineering hackers have waited for." An extended view of phishing, essentially, says that people with malevolent intentions are often able to fool victims by leveraging weak social ties to gain unearned trust. Exposing a whole network of weak social ties makes that easier to do.

Tim O'Reilly is balls-to-the-wall about the post-privacy future. "It’s a lot like the evolutionary value of pain," he says. "Search (searching the social graph) creates feedback loops that allow us to learn from and modify our behavior. A false sense of security helps bad actors more than tools that make information more visible."

danah boyd brings a cold splash of reality to the discussion in her post on privacy and privilege. She points out that teenagers in particular expose themselves very selectively. There are, boyd points out, many people in this world less privileged than Silicon Valley power-nerds are and to whom privacy is very important. I would ask you whether someone escaping from domestic violence, for example, ought to be expected to know how or how not to get their various profiles around the web tied together. Should they not have profiles on the web? Should they not use the web? I think there are ways that these questions can be answered more subtly than they are today.

How it Ought to Be

The long and short of the situation is this. The ability to determine social connections across multiple websites is a powerful thing. All of us should be asked to opt-in to allowing our social connections to be indexed.

As much as I want the data to be flowing and free, what's at issue with social connections is not an abstract loss of potential profit from digital content that is no longer falsely scarce, as it is with other types of published web content. It's a matter of free will and sometimes personal safety. Web users should not be asked to give these things up in exchange for participation in all that the internet is making possible. It doesn't have to be that way and so it shouldn't be.