Stross: Klout violates UK privacy laws. (antipope.org)
99 points by tsellon on Nov 7, 2011 | 61 comments


I haven't looked too hard at too many privacy policies, but this seems fairly boilerplate to me. I'd suppose if you compare this to [say] Twitter's privacy policy, it would end up reading pretty much the same.

They also say (in "Profile Settings"):

> Klout only analyzes public data or data that we are given explicit access to. We never share your private information with any third party or brand and you can control the information that we make available on your Klout profile page.

The full sentence from Klout's privacy policy (which cstross 'edited' out to make his point) reads:

> Service Providers. We engage certain trusted third parties to perform functions and provide services to us, including, without limitation, hosting and maintenance, customer relationship, database storage and management, and direct marketing campaigns.

I believe this lets them off the hook for storing/using your PII with service providers like AWS, Rackspace, Salesforce and Mailchimp/CampaignMonitor.

Disclaimer: not affiliated with Klout in any way except as a user.

EDIT: Yeap, from Twitter's privacy policy:

> Twitter may use both session cookies and persistent cookies to better understand how you interact with our Services, to monitor aggregate usage by our users and web traffic routing on our Services, and to improve our Services.

> We engage certain trusted third parties to perform functions and provide services to us. We may share your personal information with these third parties, but only to the extent necessary to perform these functions and provide such services, and only pursuant to obligations mirroring the protections of this privacy policy.


I don't understand what you are arguing. If Twitter also break UK law, they are still both breaking UK law. Only Klout also actively creates an account for you and attempts to collect information on every move you make.


Admittedly, I went about it in a ham-handed manner (I blame the Monday), but my core point is this: Klout is doing nothing differently evil with your data, than any other social network. No laws are being broken because [Klout says] no PII is being sold willy-nilly.

There's a comment over on the post that nails exactly what I'm trying to say, and in a much better way: http://www.antipope.org/charlie/blog-static/2011/11/evil-soc...


> Here in the civilized world we have a fundamental right to privacy.

I live in the UK. I thought it was quite funny that he tried to compare the privacy policies by saying the UK is better. Now the UK might be better in some regards but with the amount of CCTVs abound I still say they have problems with privacy.


There is a significant difference between European privacy laws and those in the US. Generally in Europe privacy is treated as a fundamental right; in the US privacy laws are implemented only when it is necessary to protect the citizens from harm by corporations or industry.


Please don't peddle this nonsense.

The UK has a large amount of privately owned and operated CCTV cameras. Most are operated by private shop owners etc. They solve countless crimes every day, and deter crime.

There's also CCTV put in place by local councils, to stop anti-social behavior and, again, prevent crime.

You've been reading reddit too much I expect. There is no conspiracy, no centralized CCTV program where the government spies on us all.

Unlike some countries I could mention, we have a pretty low crime rate. Some of which is due to having various CCTV systems.

The UK does have a problem with speed cameras though. It's a way to generate extra revenue from the population.


> The UK does have a problem with speed cameras though. It's a way to generate extra revenue from the population.

Slipping off-topic, I can't stand that line. You break the law, you get fined. Keep within the law, you don't get fined. Quite frankly, if you want to hand revenue to the government via speeding, go ahead. But if you don't like the law, campaign to have it changed; don't just ignore it then moan about being fined for ignoring it.

My issue with speed cameras is their location. They are predominantly on high-speed roads which with a few exceptions are not overly dangerous. I think we should be concentrating on residential areas particularly near schools and parks (the road past the school I used to live near is officially a 20mph zone, but I don't think many people took it at less than 30 and there was no camera or other such equipment there except on the few occasions when a motorcycle-mounted cop sat near the blind-ish corner with his radar gun).


Some of the speed cameras are put within a few feet of a speed limit sign, so you don't have time to adjust reasonably to the new speed and they'll ticket you anyway.


> You break the law, you get fined.

You really, really don't want to live in that country.


So you've never broken a stupid law, like ripping a DVD?

Around 90% of the population break the speed limit. If you drive on a motorway, doing only the speed limit, you'll be holding up traffic.

When 90% of people break a law, that's a pretty sure sign that the law is bad and should be changed.

Thankfully, the law is soon to be changed, increasing the speed limit on motorways from 70 to 80. It's a start. Politicians have taken notice, and seen that the current speed laws (put in place decades ago when cars had crappy brakes etc.) are outdated.

The mobile speed cameras I see most often are hidden behind trees in areas that have a stupid speed limit (eg a stretch of road with no houses, pavements or people, but 30mph limit).

I'm not moaning about being fined - I take a lot of care not to be. I'm moaning that firstly, they are there to generate revenue, not save lives, and secondly, they actually make our roads more dangerous, with people paying attention to their speed, rather than real dangers/people/etc.


I never said there is a big central repository. There doesn't have to be for privacy to be invaded.

I would say you have a low crime rate due to social reasons, you can't just point and say it's because of CCTVs.


So a ton of shop owners just installed CCTV cameras for the hell of it did they? No correlation with them doing that and shoplifting/other crime going down eh?

I'm sure councils also install CCTV cameras on the streets just for the fun of it, or to spy on people rather than to cut down anti-social behavior, muggings, pickpocketing, knife crime etc.

Yes, we have a low crime rate due to our culture. But we have an even lower crime rate due to the private CCTV cameras, and council run CCTV systems.

I don't really understand how your privacy is invaded by shop owners videoing the shop to make sure people aren't stealing stuff. It's not like they make the tapes public or don't erase them after a few days...

How many breaches of trust have you heard of? Have there been cases of shop owners identifying people buying sausages and posting their mugshots online or something?


> But we have an even lower crime rate due to the private CCTV cameras, and council run CCTV systems.

Don't stretch your assertions too far. From the reports I read (think it might have been a Home Office report) there was no significant change in crime rate, but crimes were less likely to take place where there was a CCTV camera. The criminals move on to unprotected areas, you could say.

n.b. the top comment in the thread is certainly BS. CCTV is installed in public (or quasi-public e.g. shops) areas where nobody has an expectation of privacy. If they made the situation worse, you'd have to define what 'negative privacy' could mean...


In 2007, the UK watchdog CameraWatch claimed that the majority of CCTV cameras in the UK are operated illegally or are in breach of privacy guidelines.


The 'privacy guidelines' in question being the Data Protection Act, which is fundamentally a set of laws related to data processing. In this case, CCTV tapes could be stolen and the cameras themselves are not always signposted.

As the linked post demonstrates, privacy issues are covered by the Act - but as far as I'm concerned, you have no privacy whether half a dozen strangers are watching you in the street or whether you're being broadcast to the whole world.


Really? UK police disagree with you. http://www.guardian.co.uk/uk/2008/may/06/ukcrime1 CCTVs don't prevent or help solve crimes, and there is an explicit (not even secret!) plan to implement a national CCTV database.


The Guardian as a source? The Guardian is even worse than Reddit in its open bias against government, corporations, etc etc (Also that story is 3 years old. Hardly current).

The Guardian is like The Daily Mail but for the other side of the political spectrum.

The Daily Mail etc. scare the public into thinking that immigrants/the poor/terrorists etc. are going to kill them. The Guardian scares the public into thinking that the government and corporations are going to kill them.

Obviously neither is true, but both sell newspapers/get readers.



I strongly wonder how many US firms understand EU data laws... Isn't there a campaign against a small company called Facebook and their disregard for our laws?


If you want US firms to pay attention to EU data laws, you'd have to devote some real resources to enforcement.

From this side of the pond, these laws look like they're only very sporadically enforced, and only against large entities like Facebook who've got the legal resources to deal with the hassle. When viewed with typical American attitudes, that barely makes them laws at all - they're the equivalent of jaywalking in NYC.


And yet we complain loudly when a service isn't available outside the US.


Yes, but the UK laws aren't hard to implement - they are quite reasonable. Firms should abide by them - it's good practice anyway.


Yes: http://europe-v-facebook.org/. It's possible because Facebook has an EU company, and hence is bound by EU law.


I'm not sure you even need an EU company, just to be doing business in the EU.

An opposite example is Rovio in Finland are being sued under US patent law by some bunch of patent trolls or other (and it's the Finnish Rovio office rather than any US subsidy named in the suit).


But there are international treaties relating to Patents - none for privacy.


Why does Klout in particular seem to piss off so many people? If the text he cites from the Data Protection law were to be interpreted broadly enough to make Klout illegal in the UK, wouldn't it also cover the information about you that Google and Bing collect and process?


Klout was scoring people without asking them, leading to a lot of people getting low scores (effectively being told "you suck at social media"). When there was no opt-out, people felt like they were being cajoled into playing a game that they don't want to play. (Similar concerns were raised about Get Satisfaction.)

"there are many people who don’t wish to be a part of a non-regulated system, and one that can (rightly or wrongly) be used as a third-party validator for expertise."

http://dannybrown.me/2011/10/25/a-letter-to-joe-fernandez-of...

"People are emotionally attached to their score. It is tied to their ego"

It seems mean to go around telling people they suck, especially when those people never asked Klout's opinion. This is like Zynga-style dark gamification.

"Just as an SAT score is used to judge students and a credit score is used to judge financial standing, Fernandez hopes that the Klout score will become an ingredient in job interviews."

So not only does Klout tell everyone that you suck, but they want to hurt your career, too.

http://latino.foxnews.com/latino/community/2011/11/03/klout-...

Counterpoint: http://techcrunch.com/2011/10/26/nobody-gives-a-damn-about-y...


My understanding is that Klout crosses the line by creating accounts for people without their consent, and making those hard to delete.

They are different from search engines because they try to link data to a real person (which is mostly what privacy laws try to prevent).

And, contrary to most other social networks, they act without having consent from the user.


Without defending Klout, who do seem to go somewhat further than others on this front, the Data Protection Law in the UK isn't quite as strict as the post implies. The issue of consent, for example, is part of a chain of ors, not ands — i.e. it's a sufficient but not necessary condition for processing someone's personal data. If consent was always required for anyone to ever do anything with your information, the press, for example, would never be able to publish critical articles about anyone.


As far as I can tell, the claim of automatically creating accounts is 100% false. So is that of automatically Tweeting or Facebook sharing.

If you sign in to Klout, you'll get fairly in-your-face pitches to invite friends to it. Should you choose to send such an invite, the friend you sent it to would have to respond to this and manually OAuth their account. Similarly, sharing an action taken on Klout to Facebook or Twitter is a manual process. I don't remember seeing any "dark patterns"* at work at all here - nothing is sent automatically, there's no sneaky small print or prefilled checkbox, etc.

It seems the author is also confusing account creation with the service requesting and storing public data from Twitter. Twitter's own privacy policy (https://twitter.com/privacy) is clear re: content being available to search engines and via API. If people do not want their Tweets to be available to search engines and third-party sites that comply with Twitter's policies, they can set their Twitter profiles to private, or can use a service that does not have such an open ecosystem.

* http://wiki.darkpatterns.org/Home


How do I delete my Klout account? These guys are devious and I want out.


"Profile Settings" > scroll to the bottom of the page, where there is a "If you would like to delete your account, click here."


But is Klout incorporated or hosted in the UK or EU? If not, how exactly do they violate UK law? I mean, pornography is illegal in many countries, but that doesn't mean a US pornographic website is illegal, even if it's available to citizens of that country.


And what about those online poker companies that are not based in the USA? Why should they comply with USA law?

If Klout are collecting and storing data on UK individuals, they are subject to UK data protection law. The ease of enforcing that if they don't have a UK operation is another matter, but they are still interacting with UK users in a way which triggers UK rights under UK laws, with which UK courts could require them to comply.


I guess they could start blocking the service like they do with unlawful P2P and Usenet related websites. Not sure if they would though.


> And what about those online poker companies that are not based in the USA? Why should they comply with USA law?

I don't know. When were they forced to?


About when the US started arresting executives passing through US airports.



But (I'm pretty sure) it would be illegal for someone from a no-pornography country to view a US porn site.

So my understanding is what klout does is 'fine' for US users, but gathering data on UK/EU users is subject to EU data protection laws.

And of course, IANAL


> But (I'm pretty sure) it would be illegal for someone from a no-pornography country to view that site.

Using that analogy, then it would be Stross the one committing the offense, not Klout?

> So my understanding is what klout does is 'fine' for US users, but gathering data on UK/EU users is subject to EU data protection laws.

That would be the same as it being illegal for a US site to distribute pornography to a person in a country where it was illegal.

The fact is, unless Klout is hosted or incorporated in the UK or EU, the latter have no jurisdiction over the company, and such their laws don't apply.


> The fact is, unless Klout is hosted or incorporated in the UK or EU, the latter have no jurisdiction over the company, and such their laws don't apply.

Try telling that to the US government, which hounds internet gambling sites wherever they're based.

The issue of territorial jurisdiction and law on the internet is a really complex one, and much more so when you deal with a fundamental mis-match between legal systems (the EU constitutional-level right to privacy vs. the US lack of same).


> Try telling that to the US government, which hounds internet gambling sites wherever they're based.

So, in effect, you're arguing that it's perfectly legitimate for the US government to do this?


I'd say he isn't. But the US government will do it all the same, and at least some of the EU governments would probably also apply the privacy laws on companies dealing with their citizens. (Probably not UK, but France is a good candidate, and Germany is also reasonably rabid about its privacy laws as of late.)

Law gets really complicated when you cross international boundaries, and usually everyone involved will assert their right to impose laws on you, and whether they actually do this mostly depends on how easy it would be for them to do it.

If you base legal decisions about your business on abstract principles, you might just get detained the next time you route through an airport that belongs to someone you've mightily pissed off. Generally, it's smarter to strive for not offending anyone, or if you cannot manage that, strictly not visiting or in any way depending on countries whose laws you might have broken. For example, if your site is not strictly legal under US law, don't host it under .com.


> The fact is, unless Klout is hosted or incorporated in the UK or EU, the latter have no jurisdiction over the company, and such their laws don't apply.

Jurisdiction is up for the court and legislative to decide.

I do believe that UK courts will assert jurisdiction in cases such as this. UK courts certainly do assert worldwide jurisdiction in other situations - one of several reasons why UK courts are so popular for people who wish to sue for libel, for example.


Both good points, well played :)

All I can say is as a UK resident I feel like UK data protection laws should protect me from a company like this no matter where they are based.


> The fact is, unless Klout is hosted or incorporated in the UK or EU, the latter have no jurisdiction over the company, and such their laws don't apply.

Entirely untrue. Jurisdiction is a legal term. If a matter directly affects UK citizens in the UK it's very clear that a UK court will consider itself to have jurisdiction over that matter.

The actual reach of the court's power is a different matter. If the offender has absolutely no assets in the UK, and no intention of ever having them, and lives in a country with no extradition treaty with the UK, then perhaps the UK has no ability to punish them. I do not think that is true for the company in question.


You've hit the nail on the head. A company is only subject to UK law if it operates from the UK. Facebook's European office is in Dublin, which is why it is subject to Irish/EU privacy legislation. When Twitter establishes its European office, it will similarly become subject to the same laws.

As far as I know, Klout has no UK/EU presence so it's not subject to these laws.


> A company is only subject to UK law if it operates from the UK.

That's wrong.

This is the UK's Crown Prosecution Service advice on the matter:

http://www.cps.gov.uk/legal/h_to_k/jurisdiction/

As you can see, it sets out a long range of situations where UK jurisdiction extends outside the UK, in many cases even if the criminal behavior happened entirely outside of the UK.

I'm not a lawyer, and I don't know all the details and whether or not it'd be likely to be possible to get a court in the UK to accept jurisdiction in a case against Klout, but courts in the UK have a lot of flexibility and the fact that they are in the US by no means automatically means UK courts won't or can't claim jurisdiction.


Passive personality is particularly interesting.


I wonder if this is entirely true... By accepting registration from EU users, are they operating in the EU and thereby subject to EU law?


I don't believe so. If I walk into a store in New York and tell them I'm from the UK, they won't suddenly become subject to UK/EU law if they choose to serve me. I'm the one subjecting myself to US law if I shop there, not vice versa.

Further, even if they were subject to EU law on this, how would any action for a breach be enforced?


But you are on US soil when you walk into that shop. There are many examples of UK firms not selling to US clients - poker firms, National Lottery...


That's my understanding.


Exactly, unless they have an EU office, then they don't have to do anything. (In the same way Mr. Stross is free to say that Taiwan is not part of China (violate PRC law) or deny the holocaust happened (violate German law)).

The reason Facebook is being hounded is because they have an EU incorporated company.


I'd just like to note at this point that I find rmc's analogy personally offensive. (One side of my family tree went missing in 1942: the ones who stayed in Poland after 1939.) A bit more sensitivity about metaphors might be welcome here ...

Setting that aside: http://www.out-law.com/page-479 provides some advice on the Brussels Regulation 2001 concerning e-commerce. The B2C provisions in particular seem weighted to protect consumers, even when the supplier business is outside the EU.

However ... "In the case of disputes involving countries which are outside the scope of European law, there are a number of issues which must be considered. There are a number of international conventions dealing with choice of law, and consumer rights. If these do not set out the relevant position it is then worth checking whether the UK has entered into an agreement with the foreign jurisdiction. Any such agreement would set out the basis on which jurisdiction is determined between the countries. Failing this it would be necessary to consider the legal position under UK law, and what the courts consider to be the appropriate forum for hearing legal issues."

So it's basically a horrendous hairball of treaty law and interlocking legal systems. (And to make matters worse, the USA has a fundamentally different approach to determining jurisdiction in e-commerce, established via case law rather than a regulation aimed at defining consumer protections.)


> I'd just like to note at this point that I find rmc's analogy personally offensive.

My apologies, I regret any harm caused.


Thanks. I'll chalk it up to "on the internet, nobody knows you're an [X]".


> Mr. Stross is free to deny the holocaust happened (violate German law)

While it is true that holocaust denial is legal in the UK, that doesn't stop the UK authorities detaining people for it -- http://en.wikipedia.org/wiki/Gerald_Fredrick_T%C3%B6ben#2008...


He wasn't detained in the UK for holocaust denial. He was detained because there had been a European Arrest Warrant issued for him.


I agree with Charlie. Also, try "opting out" of Klout - good luck. Best I could do was disable Klout app access to Twitter, etc. I regret ever signing up with them.


"In the past I've fulminated about various social networking systems. The basic gist is this: the utility of a social network to any given user is proportional to the number of users it has"

This is a bit clumsy. If all of my friends are on a social network, it doesn't much matter who else is on it. The utility of a social network is proportional to the number of users I care about.



