Last week, Peter Fleischer blogged about a new law being considered in France that would legislate “the right to be forgotten.” As Peter described it, the proposed law would provide for a broader right for individuals to insist on deletion of their personal information and would require organizations to delete personal information after a specified length of time or when requested by the individual concerned. I wish we had a law like that here.
This week, three developments made me think more about the “right to be forgotten,” or even just the right to change our mind in the cloud. The first was that the Library of Congress announced that it would be archiving all tweets from Twitter. As a privacy advocate, I was initially appalled to read that the LOC would archive tweets without the express permission of the authors, but then I thought about how our emails to the government and other communications are already archived and publicly available from other agencies. Was this the same thing, or is it different? On some level, it makes sense and seems appropriate that our communications with our elected legislators should be retained and part of a public record. But what about personal tweets? When narcissists post every detail of their boring little lives such as what color toenail polish they are wearing, is this really a matter to be archived forever? Maybe the narcissists have no problem with their every word being archived and sociologists studying our culture may find it important and fascinating, but what about the average person? Over on MichaelZimmer.org, Mike raises some good questions about this whole situation. At least Twitter allows users to delete their tweets and there is a 6-month delay before tweets are provided to the LOC.
But what about when users cannot delete their material? Although there are some mechanisms for removing material from Google, the methods are often unwieldy or impossible, such as when Deja News used to require you to send a removal request from the same email address you used to post a usenet article — even if you no longer had that email account. How many people still have material by them or about them on the Internet that they cannot remove or get removed? So yes, we warn our children to be careful about what they post as it may come back to haunt them when they apply to college or for a job, etc., but do we need legislation that guarantees us the right to have our material removed — the right to change our mind?
This week, Kevin Poulsen of Threat Level described a case in which the FBI was able to obtain evidence against a spammer because the spammer used Google Docs and the FBI served Google with a warrant for files. The spammer seemingly has no one to blame but himself since he chose to store files in the cloud and Google’s policies are fairly clear about complying with lawful requests for information. Google Docs also allows users to delete documents, and they say that all copies are deleted — including from backup servers — after 30 days.
But not all cloud services guarantee that your material will be completely deleted. A few days ago, I received an email from someone who prefers to remain anonymous for now. He sent me correspondence between himself and Scribd about their document deletion policies and practices. According to statements by their Director of Community Support, if a user requests deletion of a file, the file is deleted and even the file name cannot be found in a search. BUT: the file remains on Scribd’s backup system and is not deleted from there:
Deleted documents are fully removed from the Scribd system, and are not accessible by the public or Scribd’s support staff. However, deleted documents still exist in secure backups that can be accessed in certain legal situations. System backups are an industry standard practice.
Having tried to wade through Scribd’s privacy policy and API, etc., I did not find any clear statement that alerted users to this possibility. So I have sent Scribd some questions, including:
- Where in scribd’s various privacy policies, API, and terms of use does it specifically tell users that anything they upload may be retained forever even if they delete it?
- Other cloud applications, such as Google Docs, do remove residual files completely — including backups — after 30 days. Why is scribd not willing to do this?
- Under what conditions does scribd require an actual court-approved warrant to produce files or information that reside only on the backup server?
- Does Scribd attempt to contact a user to tell them that there has been a request or a subpoena for their information or files so that they can attempt to quash it?
If I get any answers, I’ll post them.
In the meantime, and until such time as Congress legislates a right to change our mind or a right to be forgotten, think carefully about what cloud services you use and investigate whether they allow you to fully and permanently delete any material you upload to their service.