Social Graph Data and Identity Portability
August 1, 2018 6:30 AM Subscribe
Want to move your online data? New service could simplify the transfer to a rival site - "The Data Transfer Project, announced Friday by Facebook, Google, Microsoft and Twitter, would make taking your business elsewhere much easier. If a company hosting your music, photos, calendars, contacts or other important personal data killed a feature, altered a privacy policy, hiked a fee or otherwise made you question why you gave it your time, you could use the tools the 'DTP' is developing to move that information right over to a competing service."
"by Facebook, Google, Microsoft and Twitter" and the article on USA Today.
Major players in keeping your data [safe].
posted by filtergik at 6:44 AM on August 1, 2018 [10 favorites]
Major players in keeping your data [safe].
posted by filtergik at 6:44 AM on August 1, 2018 [10 favorites]
If this helps you to get your data AWAY from Facebook, Google, Microsoft and Twitter, I'd say it's a good thing.
posted by oneswellfoop at 7:03 AM on August 1, 2018 [1 favorite]
posted by oneswellfoop at 7:03 AM on August 1, 2018 [1 favorite]
Yeah, 100% this is about standardizing your data across services in the service of the next big investor storytime.
posted by gauche at 7:04 AM on August 1, 2018 [6 favorites]
posted by gauche at 7:04 AM on August 1, 2018 [6 favorites]
An interesting idea, though I wonder what happens when DTP itself kills a feature, alters a privacy policy, hikes a fee or otherwise makes you question why you gave it your time
posted by Cogito at 7:07 AM on August 1, 2018 [5 favorites]
posted by Cogito at 7:07 AM on August 1, 2018 [5 favorites]
I wonder what happens when DTP itself kills a feature, alters a privacy policy,
While the data may be interoperable, the DTP system presumably includes the privacy policies of DTP and its affiliates. I'm assuming - even if users could read and be informed by them - and even if the corporations respected them - that it would be super hard or impossible to bring these into alignment. It sees like an additional layer of complexity (and loss of control for the user).
posted by carter at 7:17 AM on August 1, 2018
While the data may be interoperable, the DTP system presumably includes the privacy policies of DTP and its affiliates. I'm assuming - even if users could read and be informed by them - and even if the corporations respected them - that it would be super hard or impossible to bring these into alignment. It sees like an additional layer of complexity (and loss of control for the user).
posted by carter at 7:17 AM on August 1, 2018
Yeah, 100% this is about standardizing your data across services in the service of the next big investor storytime.
This is 100% because the GDPR requires data portability as per art.20:
"1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
b) the processing is carried out by automated means.
2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible."
posted by jaduncan at 7:42 AM on August 1, 2018 [20 favorites]
This is 100% because the GDPR requires data portability as per art.20:
"1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
b) the processing is carried out by automated means.
2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible."
posted by jaduncan at 7:42 AM on August 1, 2018 [20 favorites]
If the GDPR helps kill Twitter or Facebook I will be soooo happy.
posted by schadenfrau at 7:46 AM on August 1, 2018 [2 favorites]
posted by schadenfrau at 7:46 AM on August 1, 2018 [2 favorites]
Thanks for that insight, jaduncan!
posted by carter at 7:57 AM on August 1, 2018 [1 favorite]
posted by carter at 7:57 AM on August 1, 2018 [1 favorite]
"Move" seems to be a less appropriate word than "copy", since I don't see anything about data being deleted from the source site when a transfer occurs. So for example if you initiate a move from Facebook to Google, Facebook will continue have all their records about you, and at best you'll only have the open-graph-compatible subset of Facebook's data.
posted by ardgedee at 8:01 AM on August 1, 2018 [4 favorites]
posted by ardgedee at 8:01 AM on August 1, 2018 [4 favorites]
"Move" seems to be a less appropriate word than "copy", since I don't see anything about data being deleted from the source site when a transfer occurs. So for example if you initiate a move from Facebook to Google, Facebook will continue have all their records about you, and at best you'll only have the open-graph-compatible subset of Facebook's data.
GDPR also enables you to demand deletion of all data per Art 17. It really is quite well written with regard to this, and fines can be based on revenue rather than profit. So it is, to if anything understate the issue, not that the value of the data being kept is likely to exceed the fine.
posted by jaduncan at 8:29 AM on August 1, 2018 [7 favorites]
GDPR also enables you to demand deletion of all data per Art 17. It really is quite well written with regard to this, and fines can be based on revenue rather than profit. So it is, to if anything understate the issue, not that the value of the data being kept is likely to exceed the fine.
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:I do hope that the US gets similar legislation at some point.
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
posted by jaduncan at 8:29 AM on August 1, 2018 [7 favorites]
"Move" seems to be a less appropriate word than "copy"
Exactly this! Unless you (A) live in the EU and (B) the EU somehow gets some meaningful oversight into what happens in the deep, dark internals of Internet giants, this is just another way of them getting access to even more information about you (and those in your circles).
Like, it's easy to delete data, but it's easier to do nothing and say you deleted data, and Google, Facebook, Twitter, etc. have given no evidence to date that they act in good faith.
posted by ragtag at 8:33 AM on August 1, 2018 [3 favorites]
Exactly this! Unless you (A) live in the EU and (B) the EU somehow gets some meaningful oversight into what happens in the deep, dark internals of Internet giants, this is just another way of them getting access to even more information about you (and those in your circles).
Like, it's easy to delete data, but it's easier to do nothing and say you deleted data, and Google, Facebook, Twitter, etc. have given no evidence to date that they act in good faith.
posted by ragtag at 8:33 AM on August 1, 2018 [3 favorites]
Some very useful context in this series of tweets from Brian Fitzpatrick. Brian hasn't worked at Google in a few years, but he started the Data Liberation Front at Google back in 2007. That was a half-rogue group of engineers inside the company who thought being able to export your data was an important user right. And so made it happen, resulting in Google Takeout.
This new Data Transfer Project looks to be the evolution of the Google-only initiative. And appears to be a good faith effort to let consumers download their own data from other companies, and build tools to import that data in a reasonably straightforward fashion. I'm a little skeptical of why the companies are doing this, since in so many ways they've fought openness. I'm sure GDPR is one motivation, also heading off consumer protection efforts in general. It helps that this API is awkward enough that it may be hard to build a competing product with it. But it does make it possible to export data in a useful fashion.
Tooting my own horn, I've been working on a simple GPS tracker app that shows you a heatmap of where you've been in the world. We mostly focus on data collected with our own app, but we can also import Google Timeline data exported via Google Takeout. It's pretty neat! So there's at least one example of this kind of data portability being useful in practice.
posted by Nelson at 8:33 AM on August 1, 2018 [5 favorites]
This new Data Transfer Project looks to be the evolution of the Google-only initiative. And appears to be a good faith effort to let consumers download their own data from other companies, and build tools to import that data in a reasonably straightforward fashion. I'm a little skeptical of why the companies are doing this, since in so many ways they've fought openness. I'm sure GDPR is one motivation, also heading off consumer protection efforts in general. It helps that this API is awkward enough that it may be hard to build a competing product with it. But it does make it possible to export data in a useful fashion.
Tooting my own horn, I've been working on a simple GPS tracker app that shows you a heatmap of where you've been in the world. We mostly focus on data collected with our own app, but we can also import Google Timeline data exported via Google Takeout. It's pretty neat! So there's at least one example of this kind of data portability being useful in practice.
posted by Nelson at 8:33 AM on August 1, 2018 [5 favorites]
I had a look at this this intro page - there's a link to a 'How It Works' page. Then there's a further link from there to the current data models.
It seems to be pretty basic - it includes whatever values you might already have stored under various attributes related to calendar, contacts, photos, mail, and tasks. But this is a fraction of what may really be stored by FB etc. - It doesn't really look like a portable graph at this point, more like a collection of tables constructed from API queries that are mapped from the originator and can be mapped at the destination. Maybe a basic graph can be reconstructed at the destination? But it might be missing a lot of data. For example: GPS data collected when logging in from a mobile app; ad profiles; etc.
It'll be interesting to figure out to what extent this really is GDPR compliant.
posted by carter at 8:55 AM on August 1, 2018
It seems to be pretty basic - it includes whatever values you might already have stored under various attributes related to calendar, contacts, photos, mail, and tasks. But this is a fraction of what may really be stored by FB etc. - It doesn't really look like a portable graph at this point, more like a collection of tables constructed from API queries that are mapped from the originator and can be mapped at the destination. Maybe a basic graph can be reconstructed at the destination? But it might be missing a lot of data. For example: GPS data collected when logging in from a mobile app; ad profiles; etc.
It'll be interesting to figure out to what extent this really is GDPR compliant.
posted by carter at 8:55 AM on August 1, 2018
I would find this really useful as since Google liked Picasa their photo upload cloud tool kills my ram and needlessly guzzles bandwidth when I'm not using it, but the pain of migrating gigs of stuff put me off another service.
posted by smoke at 2:45 PM on August 1, 2018 [1 favorite]
posted by smoke at 2:45 PM on August 1, 2018 [1 favorite]
« Older Beautiful libraries | A self-mythologizing memoir Newer »
This thread has been archived and is closed to new comments
posted by carter at 6:38 AM on August 1, 2018 [9 favorites]