This guy better seek legal assistance quickly. EU data protection legislation is strict, and data about sexual orientation etc. falls under particularly strict protections. The combination of lack of consent and publishing personally identifiable information in a different context, by a different entity of the one that collected it, has plenty of potential for legal challenges that could get rather expensive for him, and I think his glib comment about how the data is already public won't get him very far in court - EU data protection law takes context and what the subject of the information has given consent to very seriously.
When asked whether the researchers attempted to anonymize the dataset, Aarhus University graduate student Emil O. W. Kirkegaard, who was lead on the work, replied bluntly: “No. Data is already public.”
The guy seems completely unrepentant to even the idea that he might be violating people's privacy.
Worse still, it seems likely that they were using data that wasn't actually public:
Their paper reveals that initially they designed a bot to scrape profile data, but that this first method was dropped because it was “a decidedly non-random approach to find users to scrape because it selected users that were suggested to the profile the bot was using.” This implies that the researchers created an OkCupid profile from which to access the data and run the scraping bot. Since OkCupid users have the option to restrict the visibility of their profiles to logged-in users only, it is likely the researchers collected—and subsequently released—profiles that were intended to not be publicly viewable.
Oh, I'm quite sure it wasn't public. I had an OkCupid profile at one time (thankfully deleted, and even then it had no identifying details and was linked to a dummy email), and the only reason I agreed to sign up was the site's assurance that absolutely NOTHING was publicly visible unless you had a profile.
So, yeah, at the risk of breaking my attempted objectivity, I'd be personally thrilled if the guy got sued.
"You should appreciate that all information submitted on the Website might potentially be publicly accessible. Important and private information should be protected by you. We are not responsible for protecting, nor are we liable for failing to protect, the privacy of electronic mail or other information transferred through the Internet or any other network that you may utilize."
Also, the way OkCupid works, you can answer questions either privately or publicly. Even when you answer a question publicly, it is still only visible to other users who have answered the same question. Privately answered questions are never visible, but are used in calculating the "percent match" between two users. So I would presume that they started their scraping bot with fake answers to every single question.
This is of course a kind of "privacy by obscurity," and it is not at all secure. For example, if you want you can probably figure out people's answers to all questions, even the private ones, by having a separate bot for every question. Then the percent match between the bot and a user reveals the user's answer to that one question. (Possibly OkCupid introduces some noise in the matching algorithm to make this harder, but it can almost certainly be circumvented.)
However, the exposure of the data is no more [or less] a violation of privacy than what is typically reserved for operators under the terms and conditions of large websites. Neither is it more [or less] a violation of privacy than what is allowed by right when data is treated as a corporate asset [under US law] when ownership of the asset is transfered via sale or bankruptcy.
To put it another way, it is only to the degree that it is in OkCupid's business interest to limit disclosure of the same data points that OkCupid [insert other any other corporation here] refrains from releasing that data.
The only reason our visceral reactions are different is that we hold biologic people to a different standard of "doing the right thing" than the fictitious persons that are corporations. Legally, a person owned that data. That's why a breach was possible. It's the reification that creates the privacy problem.
> When contacted by Motherboard for comment, Kirkegaard was dismissive, stating he “would like to wait until the heat has declined a bit before doing any interviews. Not to fan the flames on the social justice warriors.”
Yeah, this is a grad student who fails the maturity test in a big way. I could perhaps kind of understand the position that repackaging publicly available sensitive data was just a lapse in taste (assuming, likely erroneously, that it was truly public and not harvested by posing as a mate-seeker). Now he's equating blowback from this lapse with "social justice warriors"? This person sounds like an absolute peach.
Here's a thing I wrote on my personal FB wall as I linked to this article.
####
Some creepy Danish assholes went ahead and released a full dataset on 70.000 random users of the OkCupid dating service "because data science".
After being confronted about the questionable ethics of this stunt, lead researcher Emil O. W. Kirkegaard refuses interviews, stating that the data was already public. Kirkegaard also implies that opponents of his methods are "social justice warriors", an oftentimes euphemistic term for people interested in things like gender and minority rights issues. Interestingly, this term is repeated and specified as an area explicitly excluded from Kirkegaard's interest in "civil liberties" on his personal website.
In addition to "civil liberties", the personal website of this "26 year old polymath wannabe" (read: fuckwit neckbeard) lists interests such as online privacy and the Pirate Party. That's right, you can't make this shit up: http://emilkirkegaard.dk
These people simply don't care that the "public" information posted on a dating site may cost certain people their jobs, families or even their lives, at any point in the future. Open source intelligence like this may be used to extort people at a later date or lower the threshold for invisible discrimination everywhere from the job market to insurance claims.
Perhaps all this seems irrelevant to Kirkegaard, as his self-defined interest in liberty explicitly excludes those most vulnerable to such structures.
The rest of us could do worse than to remember what is going on and question how informed our consent really is: By default, everything you do on the mainstream internet is recorded. Private browser modes don't really help to protect you and neither do VPNs. Practically everything you typically do leaks information that can be connected back to you. For a demo, see https://panopticlick.eff.org.
And oh, dating sites don't exclude sharing your dating related personal info with interested third parties ( https://www.abine.com/blog/2012/privacy-on-okcupid/ ). But hey, you probably don't live with one foot in the closet concerning any aspect of your life you may have hinted at in a dating profile or its chat service. Right?
This time, professional stalkers in imaginary data science lab coats just happened to unmask a bunch of information. The wilful cluelessness apparent in this case is even worse than in the decade-old case there AOL released a bunch of poorly anonymised data on search habits: https://en.wikipedia.org/wiki/AOL_search_data_leak
Normally, interested parties would have to pay a bunch of money for datasets from data brokers or ad/analytics companies and perform a varying degree of computation to unmask and correlate some of the personally identifiable from different sources. That sounds like work, but it's of course increasingly possible to automate.
So, take a step back and realize that the only thing protecting you from an existence in something way worse than the oversight of Stasi, the KGB or Securitate, is the thin veil of aging and increasingly inefficient legal protections we happen to have in many western democracies.
Parties interested in exploring the utter and complete exploitation of your most intimate information sometimes do so with a holier-than-thou aura of privacy mindedness and selective personal liberty politics. All while personally getting their filthy little hands ever dirtier when the power is at their fingertips.
> an oftentimes euphemistic term for people interested in things like gender and minority rights issues.
I wouldn't call it euphemistic. It's willful dismissiveness. And I'd posit that the Venn diagram intersection of users of the term and Ayn Rand super fans is large.
I don't understand why it's necessary to make this political. What these guys did is wrong, I see no need to paint those have similar politics with same brush as this person.
The social justice warrior part was brought up by the grad student in question. I'd argue that it was he who attempted to turn an isolated act of bad judgement into a political statement. I am, in response, stating that people who think in terms of labeling others as social justice warriors tend to have shitty politics.
HN threads are supposed to be conversations, so please don't copy whole posts from elsewhere—especially not posts of the indignation-stirring genre. Those lead in the opposite direction from the thoughtful discussion we're hoping for.
Well, I admit to posting needlessy aggressive language while angry.
I find few things as infuriating as people who claim they care about privacy while actively taking measures to spread personal information out of the context it was intended for. This is potentially life-threatening stuff for some of the victims of this stunt.
It's most likely licensed by the user to the host (through a ToS), and the host has the ability to use that license to submit takedown notices of their collective database (which is how US copyright law works).
> use that license to submit takedown notices of their collective database (which is how US copyright law works) //
It would be contract law based on the click-wrap/T&Cs of the website wouldn't it? Copyright doesn't cover facts, only their arrangement; ergo as long as he didn't copy the way the content had been presented he would apparently be clear of copyright infringement.
In Europe we have database rights law too, is there an equivalent in the USA?
I don't believe user profiles are going to be considered facts, but creative works. OKCupid's corpus as a whole would be protected as a database, but the individual profiles would not be considered facts.
The individual fields describing the character of the users are surely factual type data, even if fictional they don't amount to creative works. A mugshot (face image) is not likely to be considered sufficiently creative to amount to a work of itself, and that's the most creative component of a persons profile.
My first instinct in this case is to agree that the data is public, or at the very least, protected by account login and therefore only legally protected by the OkCupid terms of use. I see no possible legal argument against the methods of data collection, unless OkCupid wants to sue the researcher for breaching terms of use. Or, perhaps, users could sue OkCupid for failing to diligently protect their data.
That said, this was an Academic study, presumably funded at least in part by the University, and therefore subject to approval from an Institutional Review Board (IRB) [0]. Granted it was not an American university, so perhaps no IRB exists. And it was a small study by a group of graduate students, which seems unlikely to be subject to as much scrutiny as a study officially funded and endorsed by the university. However, this is no excuse for circumventing research ethics. To quote the wiki article, "a key goal of IRBs is to protect human subjects from physical or psychological harm," which implies that moral arguments should hold at least as much weight as legal arguments when considering the potential impact of a study.
It's entirely possible for a study to be legal, but immoral. Since this study came from a university, any moral argument should be as valid as a legal one. The trouble seems to be that nobody heard any argument, moral or legal, before approving the study.
In this case, the failure seems to lie with the Danish University, who allowed its graduate students to conduct a study without consultation from an IRB or any kind of ethical oversight committee.
Interestingly, the data is "public," in the sense that anyone could replicate this study with some Python and OkCupid accounts. So even if researchers are stopped by an IRB from collecting the data, that doesn't mean another entity can't do the exact same study, free from any procedural impediments. So it makes you wonder about the premise of questioning the study in the first place. Perhaps a better use of this soapbox, instead of lambasting the researchers, would be to raise awareness of the fact that what you put onto the Internet is public.
> And it was a small study by a group of graduate students, which seems unlikely to be subject to as much scrutiny as a study officially funded and endorsed by the university
Whether or not this is what happens in practice, the purview of an IRB in the US very much is supposed to cover this situation. IRBs have intentionally broad mandates and cover quite a lot of things that most people would not immediately recognize as 'research' or 'experiments'.
> to raise awareness of the fact that what you put onto the Internet is public.
Most technical people consider 'doxxing' to be bad. However, in most cases, 'doxxing' is simply publicizing information that is already part of the public record[0]. There's a difference, based on the barrier to accessing that information.
[0] If I know your name and your city/state of residence, it's trivial for me to obtain a copy of your driver's license or voting registration information FOIA/FOIL requests typically charge a nominal processing fee to cover the costs of processing the requests, but only because it's a largely manual process, and the marginal costs of requesting many records at once is very low.
(Not disagreeing with you in any way, just want to add onto your points)
> IRBs have intentionally broad mandates and cover quite a lot of things that most people would not immediately recognize as 'research' or 'experiments'.
And yet, professors routinely assign their students to conduct informal "studies" for class credit (perhaps a final project) or learning experience. These sort of "studies" are rarely, if ever, sent to any kind of IRB, and yet plenty of undergraduates are capable of creating a python scraper to download data from OkCupid.
> "There's a difference, based on the barrier to accessing that information"
What is "that information" in the case of this OkCupid study, and what is the "barrier," before and after the research was published? If the "information" is, for example, the fact that your spouse is cheating on you, does this research really remove any "barrier" to make it easier to discover than it was before publishing? If I wanted to know if my spouse was cheating on me, I could simply create an OkCupid profile and check the listings in my local town around my spouse's age range. Releasing the data of 60,000 OkCupid accounts, all of which is accessible from simply logging into the website, does not make it any easier for me to find that profile.
Also note that this is different from, say, the Ashley Madison hack, where email addresses were released from an internal, private database. The emails were not "public" information before the data dump, and therefore the data dump lowered the "barrier" to searching for a target individual amongst the thousands of members. In this case, it seems the "data dump" did not introduce any new paths of accessing information. Instead it simply mirrored information that already exists and is readily accessible by effectively anyone with a computer.
> What is "that information" in the case of this OkCupid study, and what is the "barrier," before and after the research was published?
To clarify, I'm contesting this statement:
> Perhaps a better use of this soapbox, instead of lambasting the researchers, would be to raise awareness of the fact that what you put onto the Internet is public.
on the grounds that, even if we were talking entirely about information that is already 100% 'public', there are ethical concerns with making already-public information more readily accessible (and therefore easier to use for nefarious purposes). Doxxing is an easy example because most people generally agree that it crosses some sort of ethical line, and there are plenty of clear examples where doxxed information has been used for nefarious purposes (ie, to harass, stalk, and/or abuse the victim).
In other words, I'm not saying that all of the information in this particular case was already public. I'm saying that focusing on that distinction is a distraction from the underlying issue.
Yes, and I'm contesting the statement that this research made any information "more readily accessible." In what way was information inaccessible before the study, and accessible afterward?
The only qualifying scenario I can think of is if someone deleted their profile during the study, and it "reappeared" as a result of the study publishing its data.
There's a difference between "making more accessible" and "making accessible".
The latter means that information that was _inaccessible_ was made accessible (ergo: you couldn't access the information before the event).
The former is less constrained: it just means that whatever state of accessibility the information was in, it is now easier to access.
As an example: digitizing a book that is available for free to anyone who goes to Public Library One in Big City makes it more accessible (because I can access it from the other side of the world while eating soup) even though it wasn't _inaccessible_ before.
> Most technical people consider 'doxxing' to be bad.
By the way. I'm genuinely curious - were there any researches on this sort of statistics? If you know of anything like that, would you mind sharing?
I suspect (without any basis) that if a different groups to be compared, the fraction among the STEM people could be somewhat lower, relative to others.
Normally publishers look for some statements (either in the manuscript or in the submission or both) that you have followed ethical standards in gathering and sharing the data. It's easy to bypass that when you start your own Journal!
IRBs are an American institution. My understanding is that research ethics in Europe are governed by inter-institutional ethics committees, but only for biomedical research (i.e. clinical trials).
That aside, IRBs have been very slow to adjust review procedures for online studies. For example, the nonmedical IRB at Cornell determined that the Facebook emotional contagion experiment was outside of its jurisdiction, since Facebook was the data collection agent-- from their perspective the Cornell researchers were working with a pre-existing dataset. So it's not necessarily the case that ethics review is a silver bullet for cases like this.
It's not clear to me that we have a good understanding of what ethical responsibility looks like in this domain, in large part because the organization of research on online behavior (a joint venture between social scientists, software engineers, universities, companies like OKCupid, etc.) is still poorly understood by most of the academic world.
IRB would likely not review this if the researcher pitched it to them as a public dataset. 45 CFR 46.101(b)(4) enumerates topics which are exempt from IRB review, one is:
"Research involving the collection or study of existing data, documents, records, pathological specimens, or diagnostic specimens, if these sources are publicly available or if the information is recorded by the investigator in such a manner that subjects cannot be identified, directly or through identifiers linked to the subjects."
> Perhaps a better use of this soapbox, instead of lambasting the researchers, would be to raise awareness of the fact that what you put onto the Internet is public.
That is maybe not the best lesson to take from this.
The problem seems to be that people want to create a binary distinction between "public" (meaning public domain, can be used for anything by anyone) and "private" (meaning something known solely to a single individual), with no intermediary steps between them.
But profile data like this is something that lives in the space in between. You're clearly intending to share it with people in a particular category (other similarly-situated users) but not everyone and not forever. It's the sort of data you expect not to be archived; if you delete your account then it should go away.
That is not how the laws of physics work. If you allow the data to be seen by other users and anyone can sign up to be another user then anyone can see the data and anyone can copy it. But that is why we have social norms. That is why finding the online dating profile of everyone who works at the same company as you and then mass mailing it to everyone in the office is not considered friendly behavior.
And probably what companies that run sites like this should be doing is adopting a robots.txt that disallows crawling of user profiles and then rate limiting to some maximum number of profile views (e.g. 10,000/month) that no real user would ever hit but would provide a good hint to data hoovering operations that they aren't wanted here.
> people want to create a binary distinction between "public" [...] and "private"
Because they (me included) tend to believe that's how it works in reality - at least when the worst-case scenarios kick in. Something's either known or not, and there's a saying that a word spoken is past recalling (or similar idioms in many languages).
Social and legal norms may provide one with a recourse/remedy after the exposure, trying to compensate for the leak, create a chilling effect to prevent others from performing similar actions, and possibly limit the distribution of the leaked information. Nonetheless, chances are, it will already be seen (and copied) by many, thus effectively becoming public. Sure, sometimes data could get lost forever, with no public copies remaining, but sometimes it could rise to extent of Streisand effect as well.
So, well, I tend to believe it's a good idea to raise awareness that the only guaranteed way to not get burnt is to not share the sensitive information, at the very least with the parties you can't trust to handle it. And trusting any party must also include a consideration of the risks involved. This probably sounds harsh, but the idea of awareness is that it must be better be informed about worst-case scenarios and be safe(r) than unaware and sorry.
>a robots.txt that disallows crawling of user profiles
It's a voluntary mechanism and convention that requests that pages not be crawled, which is somewhat different from what you wrote. (Which isn't to say that it shouldn't be used buy AFAIK it has no legal significance.)
No, robots.txt is never related to authorization. Even suggesting it in the same post is misleading. If you have something that shouldn't be seen, password protect it.
Also, your rate-limiting idea misses the point. It just adds a few steps to the scraping process without actually changing the game. If you realize you can't hide profiles you need to tell your users that they should write a profile they wouldn't mind having seen at work, not pretend that making the door smaller helps.
IANAL but IIRC if a person accesses a computer in violation of a terms of use agreement, then the government can prosecute them for unauthorized access under CFAA. The government. Not OkCupid. Prosecute, not sue. OkCupid has a statement in its terms of use that this is for personal use only. Accessing it for the purpose of sharing data as an academic study seems to violate those terms of use, which would mean access was illegal under CFAA.
> United States v. Lori Drew, 2008. The cyberbullying case involving the suicide of a girl harassed on myspace. Charges were under 18 USC 1030(a)(2)(c) and (b)(2)(c). Judge Wu decided that using 18 U.S.C. § 1030(a)(2)(C) against someone violating a terms of service agreement would make the law overly broad. 259 F.R.D. 449
I think it was a wise decision. This particular case aside, government's ability to prosecute over ToS violations opens up an enormous way for possible abuse (think of visiting a site whose ToS forbid ad-blocking with one active).
His webpage says he's a student in linguistics. He appears to have no psychology credentials. The article does a really poor job of pointing this out and just refers to him as a graduate student.
This appears to have been done through OpenPsych which is a project he founded. I'd be willing to bet that there was zero oversight and no ethics committee for this "study".
>The most important, and often least understood, concern is that even if someone knowingly shares a single piece of information, big data analysis can publicize and amplify it in a way the person never intended or agreed.
Please read articles at least a few paragraphs in before commenting.
Agree completely. With that said, with many pieces of data, there are still limitations on their usage - public or not. A company can't use your public photo as their brand image without your involvement, for example (... or so i hope, hah).
I do agree that there are uncontrollable outcomes that need to be understood - your viral example is a great one. But the viral outcome is inherently uncontrollable and fully decentralized. A study done by a select group of person(s) is controllable.
I think there's a visceral reaction to this specific content, that "dating profile data" is different than "reddit comment history", despite being equally public, and both are probably similarly identifiable.
It boils down to expectation vs. reality, right? It doesn't make sense to me to prohibit research institutions from pulling data if they can in a way that doesn't violate any usage agreements or user expectation. Do people get upset if OKCupid uses their data for their blog posts? What's the significant difference?
To me, the action/lesson here is for OKCupid to implement something in their usage agreement preventing data scraping by end users (the bot the researcher wrote is probably not what OKC wants people doing). Then it becomes an ethical violation, but without it, I'd consider this data fair game.
OkCupid's data has to be identifiable because of the nature of their service. Reddit accounts don't need real data. I doubt they are similarly identifiable in the common case.
However, this isn't very important. Regardless of how personally identifiable the data is, it is extremely rude to use it without specific consent.
> What's the significant difference?
They data was provided for dating purposes, not research. Context and intent matter. Maybe someone doesn't want to give data to that research, for any reason. Or maybe they do and would be willing to provide more data to the research if asked.
> prohibit research institutions
The same would apply to anybody using the data for a different purpose. The data was provided under a certain context, for a purpose.
> pulling data if they can in a way that doesn't violate any usage agreements or user expectation.
Why isn't asking permission the first step? Just take the data because nobody has legally prohibited that specific situation? That's how bad regulation happens. Just because something is technically legal doesn't mean it's a good idea. When enough people get pissed off about bad behavior, they tend to pass laws or regulations (which may or may not actually fix the problem).
"Consent" is an agreement by two or more parties on some specific subject, preferably when all parties are properly informed about the subject.
Putting your dating profile on a dating site, with preferences for matches, means explicitly "I want these specific people to look at my dating profile - FOR DATING". That is the obvious purpose of the site and the profile, and the "preferred matches" only reinforce that, not to mention the internal filters OkC allows you to use to block people who don't match a certain %.
There is not any explicit purpose or intent that says "I want this personal information to be used by researchers in a large group study". There was no explicit agreement between the user and these researchers. Hence, no consent.
However. The question then becomes, "Do they need consent?"
The answer is: Check the Terms Of Service on the website. If the website explicitly forbids using the data for research purposes, they can probably be sued by the website for breach of TOS. If the TOS does not explicitly prohibit research use, then no, they don't need consent.
Oh - and if it wasn't already obvious, the users don't own the data, so they have no say in how it is used.
I completely agree with you. This boils down to OKC needing to enforce some kind of, "Our users have this expectation, so let's formalize it in writing somewhere."
Informal systems and agreements are hard to navigate, and I don't think this one falls on the side of "should have known better", which is what the writer of this Wired article implies with his/her tone.
> the users don't own the data, so they have no say in how it is used.
That statement requires proof, preferably in form of recent case law.
In either case, the TOS states: “You further agree that you will not use personal information about other users of this Website for any reason without the express prior consent of the user that has provided such information to you.”
> That statement requires proof, preferably in form of recent case law.
Uh, i'm pretty sure the company collected and possesses the data. It's on their hard drives and they allow you to view it by connecting to their servers using their software. A user, as an outside party, has no claim to someone else's property. (But you're right, IANAL, so maybe there's some freaky justification for being able to tell someone else what they can do with their own data on their own servers?)
Well the TOS seems to spell it out! Unfortunately, as it is [probably] the company's property, it is probably the company that would have to issue any lawsuit. Then it's up to the courts to judge whatever legal argument is made.
This is a great question (and I don't have an answer). I was hoping to see more people talking about this here.
There is a ton of grey area about public not equaling consent, where it seems like usually the argument is about something that's legal, but probably immoral. Most people wouldn't want someone making a billboard that said "look at this guy," with an arrow pointing to their facebook profile picture. People also generally don't like people filming them in public (case in point: https://www.youtube.com/watch?v=jzysxHGZCAU).
It's a really tough question that's been made a lot harder by the internet. I'd love to hear a good explanation about what crosses the line of inappropriate use of public information.
Why? Context (both situational and by social norm) and intended use. People change their behavior based on a lot of factors; they choose what they disclose and modify that choice in realtime as the context changes.
For example, two people talking on the street are clearly in public. However, if they look around and see that there isn't anybody near them, nor are there any recording devices[1], they may choose to speak in confidence. While they are technically "in public", they are de facto private, at least temporarily. Pivacy isn't a Boolean property, and it can change all the time.
Expanding on the same example, if there are three people in the same situation, something said between Alice and Bob is obviously not "private" because Carol can overhear it, but there may be an expectation that it is public within that group, but private with respect to everyone else.
For OkCupid, I would guess that most people have an expectation that the data they share "publicly" will be used in the expected features of the site. Their data won't be public in the general sense, but it will be public to people with OkCupid accounts. Many people also expect that they data will be used[2] as the site presents the data being used. Searches done manually are different than a program that walks the entire database.
Anybody that wants to work with technically public data in a way that is outside the usual user-available features should really be getting informed consent first. This has nothing to do with legal restrictions (which may also exist in some situations); failure to ask first will simply earn you a reputation of being a "peeping tom" that shouldn't be trusted.
[1] see the recent situation in Oakland with the FBI hiding microphones
[2] modulo minor administrative uses done by OkCupid itself
I don't believe expectation should set morality, because it's not clear what expectation is. You're basically relying on an implicit rule, rather than specifically defining that rule, and expecting people to know what you're thinking in your head without expressing those thoughts. Just from a cultural standpoint this will most certainly cause problems, considering how each culture defines morality slightly (or significantly) differently.
I understand that some OKCupid users may have an expectation that their data is used for dating purposes, but if that's not written anywhere, then how am I supposed to know that's what they expect? How is a researcher supposed to know what's in the user's heads when they put that data out there?
It's up to OKCupid to define boundaries. Write down these expectations, formalize them, and then it'll be clear what the boundaries are on this pseudopublic information.
Meta: did something change in Wired's policy? Because I can read the article with an ad blocker turned on. Googling for recent articles about it, I don't see anything.
Edit: Never mind, I can scroll all the way through and I can see the whole article. But if I read from the top and then scroll, it blocks me. So they give me a chance to see "oh it's all there," start reading, and then block it for me. Talking about dark patterns... I mean, I get it from a financial standpoint, and I'm totally going to circumvent this blocking now (private window, inspect element, I don't know what'll work yet), but it's just shitty.
I'm running NoScript, uBlock Origin, and Disconnect. No issues at all. I'd imagine NoScript is to thank for not having the scroll issue that you're coming up against.
In the grand scheme of things this is good news. People need to realise they can't trust random websites with their deepest secrets.
There is no reason to think no one is scraping dating websites, social medias and other "public" personal data for personal profit. For blackmailing, social engineering...
The sooner people will get this chilling feel that "wait, what I post online may actually come back to bite me" the better.
I get that this isn't "socially acceptable" and that it requires an account to access (accounts which can be created by the general public). But every time I think about it I fall back to the conclusion that if they didn't release it it would be fairly easy to collect anyways. So yes, this release made it easier, but at some level I see that as a good thing to make people aware of.
I see why this got so much discussion, it's a very grey area from my point of view.
I really do not understand this argument or belief people have, that they can send out their information into the world, via a network of unknown intermediaries to a private third party in another country, and somehow their data is still "private". That your data is posted for everybody to see on a publicly accessible website, and somehow your data is still "private".
Here's something incredibly simple: if you don't want your data to be public, then don't share it! Don't transmit it! Don't want the other users on OkCupid storing your information? Why did you put it there in the first place!?!? The internet is not now, nor was it ever, a private place.
These guys did nothing wrong as far as I'm concerned, besides maybe breaching OkCupid's TOS. OkCupid can sue if it pleases them, but that's a matter for civil law.
If I'm out chatting with friends about my life and I'm in public then I may have no real expectation of privacy, but that doesn't mean I won't be upset if someone decides to follow me around with a spotlight shouting about everything I'm saying
80 comments
[ 5.0 ms ] story [ 143 ms ] threadThe guy seems completely unrepentant to even the idea that he might be violating people's privacy.
Their paper reveals that initially they designed a bot to scrape profile data, but that this first method was dropped because it was “a decidedly non-random approach to find users to scrape because it selected users that were suggested to the profile the bot was using.” This implies that the researchers created an OkCupid profile from which to access the data and run the scraping bot. Since OkCupid users have the option to restrict the visibility of their profiles to logged-in users only, it is likely the researchers collected—and subsequently released—profiles that were intended to not be publicly viewable.
So, yeah, at the risk of breaking my attempted objectivity, I'd be personally thrilled if the guy got sued.
I mean, sure, academics might get stopped by lawsuits. Russian social engineering hackers won't though.
"You should appreciate that all information submitted on the Website might potentially be publicly accessible. Important and private information should be protected by you. We are not responsible for protecting, nor are we liable for failing to protect, the privacy of electronic mail or other information transferred through the Internet or any other network that you may utilize."
This is of course a kind of "privacy by obscurity," and it is not at all secure. For example, if you want you can probably figure out people's answers to all questions, even the private ones, by having a separate bot for every question. Then the percent match between the bot and a user reveals the user's answer to that one question. (Possibly OkCupid introduces some noise in the matching algorithm to make this harder, but it can almost certainly be circumvented.)
However, the exposure of the data is no more [or less] a violation of privacy than what is typically reserved for operators under the terms and conditions of large websites. Neither is it more [or less] a violation of privacy than what is allowed by right when data is treated as a corporate asset [under US law] when ownership of the asset is transfered via sale or bankruptcy.
To put it another way, it is only to the degree that it is in OkCupid's business interest to limit disclosure of the same data points that OkCupid [insert other any other corporation here] refrains from releasing that data.
The only reason our visceral reactions are different is that we hold biologic people to a different standard of "doing the right thing" than the fictitious persons that are corporations. Legally, a person owned that data. That's why a breach was possible. It's the reification that creates the privacy problem.
Yeah, this is a grad student who fails the maturity test in a big way. I could perhaps kind of understand the position that repackaging publicly available sensitive data was just a lapse in taste (assuming, likely erroneously, that it was truly public and not harvested by posing as a mate-seeker). Now he's equating blowback from this lapse with "social justice warriors"? This person sounds like an absolute peach.
####
Some creepy Danish assholes went ahead and released a full dataset on 70.000 random users of the OkCupid dating service "because data science".
After being confronted about the questionable ethics of this stunt, lead researcher Emil O. W. Kirkegaard refuses interviews, stating that the data was already public. Kirkegaard also implies that opponents of his methods are "social justice warriors", an oftentimes euphemistic term for people interested in things like gender and minority rights issues. Interestingly, this term is repeated and specified as an area explicitly excluded from Kirkegaard's interest in "civil liberties" on his personal website.
In addition to "civil liberties", the personal website of this "26 year old polymath wannabe" (read: fuckwit neckbeard) lists interests such as online privacy and the Pirate Party. That's right, you can't make this shit up: http://emilkirkegaard.dk
These people simply don't care that the "public" information posted on a dating site may cost certain people their jobs, families or even their lives, at any point in the future. Open source intelligence like this may be used to extort people at a later date or lower the threshold for invisible discrimination everywhere from the job market to insurance claims.
Perhaps all this seems irrelevant to Kirkegaard, as his self-defined interest in liberty explicitly excludes those most vulnerable to such structures.
The rest of us could do worse than to remember what is going on and question how informed our consent really is: By default, everything you do on the mainstream internet is recorded. Private browser modes don't really help to protect you and neither do VPNs. Practically everything you typically do leaks information that can be connected back to you. For a demo, see https://panopticlick.eff.org.
And oh, dating sites don't exclude sharing your dating related personal info with interested third parties ( https://www.abine.com/blog/2012/privacy-on-okcupid/ ). But hey, you probably don't live with one foot in the closet concerning any aspect of your life you may have hinted at in a dating profile or its chat service. Right?
This time, professional stalkers in imaginary data science lab coats just happened to unmask a bunch of information. The wilful cluelessness apparent in this case is even worse than in the decade-old case there AOL released a bunch of poorly anonymised data on search habits: https://en.wikipedia.org/wiki/AOL_search_data_leak
Normally, interested parties would have to pay a bunch of money for datasets from data brokers or ad/analytics companies and perform a varying degree of computation to unmask and correlate some of the personally identifiable from different sources. That sounds like work, but it's of course increasingly possible to automate.
So, take a step back and realize that the only thing protecting you from an existence in something way worse than the oversight of Stasi, the KGB or Securitate, is the thin veil of aging and increasingly inefficient legal protections we happen to have in many western democracies.
Parties interested in exploring the utter and complete exploitation of your most intimate information sometimes do so with a holier-than-thou aura of privacy mindedness and selective personal liberty politics. All while personally getting their filthy little hands ever dirtier when the power is at their fingertips.
####
I wouldn't call it euphemistic. It's willful dismissiveness. And I'd posit that the Venn diagram intersection of users of the term and Ayn Rand super fans is large.
> I favor whatever [political position] has the best outcomes no matter which ideology it is in line with
aka he's apparently above the limitations imposed on mere mortals like the inability to see the future. Are we sure this guy isn't just a parody?
nice job completely discrediting yourself as someone with the same (dis)respect for common decency as the person you disagree with.
I find few things as infuriating as people who claim they care about privacy while actively taking measures to spread personal information out of the context it was intended for. This is potentially life-threatening stuff for some of the victims of this stunt.
Good!
It would be contract law based on the click-wrap/T&Cs of the website wouldn't it? Copyright doesn't cover facts, only their arrangement; ergo as long as he didn't copy the way the content had been presented he would apparently be clear of copyright infringement.
In Europe we have database rights law too, is there an equivalent in the USA?
That said, this was an Academic study, presumably funded at least in part by the University, and therefore subject to approval from an Institutional Review Board (IRB) [0]. Granted it was not an American university, so perhaps no IRB exists. And it was a small study by a group of graduate students, which seems unlikely to be subject to as much scrutiny as a study officially funded and endorsed by the university. However, this is no excuse for circumventing research ethics. To quote the wiki article, "a key goal of IRBs is to protect human subjects from physical or psychological harm," which implies that moral arguments should hold at least as much weight as legal arguments when considering the potential impact of a study.
It's entirely possible for a study to be legal, but immoral. Since this study came from a university, any moral argument should be as valid as a legal one. The trouble seems to be that nobody heard any argument, moral or legal, before approving the study.
In this case, the failure seems to lie with the Danish University, who allowed its graduate students to conduct a study without consultation from an IRB or any kind of ethical oversight committee.
Interestingly, the data is "public," in the sense that anyone could replicate this study with some Python and OkCupid accounts. So even if researchers are stopped by an IRB from collecting the data, that doesn't mean another entity can't do the exact same study, free from any procedural impediments. So it makes you wonder about the premise of questioning the study in the first place. Perhaps a better use of this soapbox, instead of lambasting the researchers, would be to raise awareness of the fact that what you put onto the Internet is public.
[1] https://en.wikipedia.org/wiki/Institutional_review_board
Whether or not this is what happens in practice, the purview of an IRB in the US very much is supposed to cover this situation. IRBs have intentionally broad mandates and cover quite a lot of things that most people would not immediately recognize as 'research' or 'experiments'.
> to raise awareness of the fact that what you put onto the Internet is public.
Most technical people consider 'doxxing' to be bad. However, in most cases, 'doxxing' is simply publicizing information that is already part of the public record[0]. There's a difference, based on the barrier to accessing that information.
[0] If I know your name and your city/state of residence, it's trivial for me to obtain a copy of your driver's license or voting registration information FOIA/FOIL requests typically charge a nominal processing fee to cover the costs of processing the requests, but only because it's a largely manual process, and the marginal costs of requesting many records at once is very low.
> IRBs have intentionally broad mandates and cover quite a lot of things that most people would not immediately recognize as 'research' or 'experiments'.
And yet, professors routinely assign their students to conduct informal "studies" for class credit (perhaps a final project) or learning experience. These sort of "studies" are rarely, if ever, sent to any kind of IRB, and yet plenty of undergraduates are capable of creating a python scraper to download data from OkCupid.
> "There's a difference, based on the barrier to accessing that information"
What is "that information" in the case of this OkCupid study, and what is the "barrier," before and after the research was published? If the "information" is, for example, the fact that your spouse is cheating on you, does this research really remove any "barrier" to make it easier to discover than it was before publishing? If I wanted to know if my spouse was cheating on me, I could simply create an OkCupid profile and check the listings in my local town around my spouse's age range. Releasing the data of 60,000 OkCupid accounts, all of which is accessible from simply logging into the website, does not make it any easier for me to find that profile.
Also note that this is different from, say, the Ashley Madison hack, where email addresses were released from an internal, private database. The emails were not "public" information before the data dump, and therefore the data dump lowered the "barrier" to searching for a target individual amongst the thousands of members. In this case, it seems the "data dump" did not introduce any new paths of accessing information. Instead it simply mirrored information that already exists and is readily accessible by effectively anyone with a computer.
To clarify, I'm contesting this statement:
> Perhaps a better use of this soapbox, instead of lambasting the researchers, would be to raise awareness of the fact that what you put onto the Internet is public.
on the grounds that, even if we were talking entirely about information that is already 100% 'public', there are ethical concerns with making already-public information more readily accessible (and therefore easier to use for nefarious purposes). Doxxing is an easy example because most people generally agree that it crosses some sort of ethical line, and there are plenty of clear examples where doxxed information has been used for nefarious purposes (ie, to harass, stalk, and/or abuse the victim).
In other words, I'm not saying that all of the information in this particular case was already public. I'm saying that focusing on that distinction is a distraction from the underlying issue.
The only qualifying scenario I can think of is if someone deleted their profile during the study, and it "reappeared" as a result of the study publishing its data.
The latter means that information that was _inaccessible_ was made accessible (ergo: you couldn't access the information before the event).
The former is less constrained: it just means that whatever state of accessibility the information was in, it is now easier to access.
As an example: digitizing a book that is available for free to anyone who goes to Public Library One in Big City makes it more accessible (because I can access it from the other side of the world while eating soup) even though it wasn't _inaccessible_ before.
By the way. I'm genuinely curious - were there any researches on this sort of statistics? If you know of anything like that, would you mind sharing?
I suspect (without any basis) that if a different groups to be compared, the fraction among the STEM people could be somewhat lower, relative to others.
That aside, IRBs have been very slow to adjust review procedures for online studies. For example, the nonmedical IRB at Cornell determined that the Facebook emotional contagion experiment was outside of its jurisdiction, since Facebook was the data collection agent-- from their perspective the Cornell researchers were working with a pre-existing dataset. So it's not necessarily the case that ethics review is a silver bullet for cases like this.
It's not clear to me that we have a good understanding of what ethical responsibility looks like in this domain, in large part because the organization of research on online behavior (a joint venture between social scientists, software engineers, universities, companies like OKCupid, etc.) is still poorly understood by most of the academic world.
"Research involving the collection or study of existing data, documents, records, pathological specimens, or diagnostic specimens, if these sources are publicly available or if the information is recorded by the investigator in such a manner that subjects cannot be identified, directly or through identifiers linked to the subjects."
[0] http://www.hhs.gov/ohrp/regulations-and-policy/regulations/4...
That is maybe not the best lesson to take from this.
The problem seems to be that people want to create a binary distinction between "public" (meaning public domain, can be used for anything by anyone) and "private" (meaning something known solely to a single individual), with no intermediary steps between them.
But profile data like this is something that lives in the space in between. You're clearly intending to share it with people in a particular category (other similarly-situated users) but not everyone and not forever. It's the sort of data you expect not to be archived; if you delete your account then it should go away.
That is not how the laws of physics work. If you allow the data to be seen by other users and anyone can sign up to be another user then anyone can see the data and anyone can copy it. But that is why we have social norms. That is why finding the online dating profile of everyone who works at the same company as you and then mass mailing it to everyone in the office is not considered friendly behavior.
And probably what companies that run sites like this should be doing is adopting a robots.txt that disallows crawling of user profiles and then rate limiting to some maximum number of profile views (e.g. 10,000/month) that no real user would ever hit but would provide a good hint to data hoovering operations that they aren't wanted here.
Because they (me included) tend to believe that's how it works in reality - at least when the worst-case scenarios kick in. Something's either known or not, and there's a saying that a word spoken is past recalling (or similar idioms in many languages).
Social and legal norms may provide one with a recourse/remedy after the exposure, trying to compensate for the leak, create a chilling effect to prevent others from performing similar actions, and possibly limit the distribution of the leaked information. Nonetheless, chances are, it will already be seen (and copied) by many, thus effectively becoming public. Sure, sometimes data could get lost forever, with no public copies remaining, but sometimes it could rise to extent of Streisand effect as well.
So, well, I tend to believe it's a good idea to raise awareness that the only guaranteed way to not get burnt is to not share the sensitive information, at the very least with the parties you can't trust to handle it. And trusting any party must also include a consideration of the risks involved. This probably sounds harsh, but the idea of awareness is that it must be better be informed about worst-case scenarios and be safe(r) than unaware and sorry.
It's a voluntary mechanism and convention that requests that pages not be crawled, which is somewhat different from what you wrote. (Which isn't to say that it shouldn't be used buy AFAIK it has no legal significance.)
Because so many people misunderstand it, robots.txt is often a list of what you should crawl to find the good stuff.
Also, your rate-limiting idea misses the point. It just adds a few steps to the scraping process without actually changing the game. If you realize you can't hide profiles you need to tell your users that they should write a profile they wouldn't mind having seen at work, not pretend that making the door smaller helps.
> United States v. Lori Drew, 2008. The cyberbullying case involving the suicide of a girl harassed on myspace. Charges were under 18 USC 1030(a)(2)(c) and (b)(2)(c). Judge Wu decided that using 18 U.S.C. § 1030(a)(2)(C) against someone violating a terms of service agreement would make the law overly broad. 259 F.R.D. 449
I think it was a wise decision. This particular case aside, government's ability to prosecute over ToS violations opens up an enormous way for possible abuse (think of visiting a site whose ToS forbid ad-blocking with one active).
[1] https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act#c...
This appears to have been done through OpenPsych which is a project he founded. I'd be willing to bet that there was zero oversight and no ethics committee for this "study".
Please read articles at least a few paragraphs in before commenting.
Making something public comes with the possibility that it might go "viral" or some other form of popularity. That's what "public" means, after all.
This article presupposes the reader considers what happened to be wrong, and does nothing to explain why it's wrong.
I do agree that there are uncontrollable outcomes that need to be understood - your viral example is a great one. But the viral outcome is inherently uncontrollable and fully decentralized. A study done by a select group of person(s) is controllable.
Thoughts?
It boils down to expectation vs. reality, right? It doesn't make sense to me to prohibit research institutions from pulling data if they can in a way that doesn't violate any usage agreements or user expectation. Do people get upset if OKCupid uses their data for their blog posts? What's the significant difference?
To me, the action/lesson here is for OKCupid to implement something in their usage agreement preventing data scraping by end users (the bot the researcher wrote is probably not what OKC wants people doing). Then it becomes an ethical violation, but without it, I'd consider this data fair game.
OkCupid's data has to be identifiable because of the nature of their service. Reddit accounts don't need real data. I doubt they are similarly identifiable in the common case.
However, this isn't very important. Regardless of how personally identifiable the data is, it is extremely rude to use it without specific consent.
> What's the significant difference?
They data was provided for dating purposes, not research. Context and intent matter. Maybe someone doesn't want to give data to that research, for any reason. Or maybe they do and would be willing to provide more data to the research if asked.
> prohibit research institutions
The same would apply to anybody using the data for a different purpose. The data was provided under a certain context, for a purpose.
> pulling data if they can in a way that doesn't violate any usage agreements or user expectation.
Why isn't asking permission the first step? Just take the data because nobody has legally prohibited that specific situation? That's how bad regulation happens. Just because something is technically legal doesn't mean it's a good idea. When enough people get pissed off about bad behavior, they tend to pass laws or regulations (which may or may not actually fix the problem).
TL;DR - "This is why we can't have nice things."
https://en.wikipedia.org/wiki/Right_to_be_forgotten#Current_...
Putting your dating profile on a dating site, with preferences for matches, means explicitly "I want these specific people to look at my dating profile - FOR DATING". That is the obvious purpose of the site and the profile, and the "preferred matches" only reinforce that, not to mention the internal filters OkC allows you to use to block people who don't match a certain %.
There is not any explicit purpose or intent that says "I want this personal information to be used by researchers in a large group study". There was no explicit agreement between the user and these researchers. Hence, no consent.
However. The question then becomes, "Do they need consent?"
The answer is: Check the Terms Of Service on the website. If the website explicitly forbids using the data for research purposes, they can probably be sued by the website for breach of TOS. If the TOS does not explicitly prohibit research use, then no, they don't need consent.
Oh - and if it wasn't already obvious, the users don't own the data, so they have no say in how it is used.
Informal systems and agreements are hard to navigate, and I don't think this one falls on the side of "should have known better", which is what the writer of this Wired article implies with his/her tone.
That statement requires proof, preferably in form of recent case law.
In either case, the TOS states: “You further agree that you will not use personal information about other users of this Website for any reason without the express prior consent of the user that has provided such information to you.”
Uh, i'm pretty sure the company collected and possesses the data. It's on their hard drives and they allow you to view it by connecting to their servers using their software. A user, as an outside party, has no claim to someone else's property. (But you're right, IANAL, so maybe there's some freaky justification for being able to tell someone else what they can do with their own data on their own servers?)
Well the TOS seems to spell it out! Unfortunately, as it is [probably] the company's property, it is probably the company that would have to issue any lawsuit. Then it's up to the courts to judge whatever legal argument is made.
There is a ton of grey area about public not equaling consent, where it seems like usually the argument is about something that's legal, but probably immoral. Most people wouldn't want someone making a billboard that said "look at this guy," with an arrow pointing to their facebook profile picture. People also generally don't like people filming them in public (case in point: https://www.youtube.com/watch?v=jzysxHGZCAU).
It's a really tough question that's been made a lot harder by the internet. I'd love to hear a good explanation about what crosses the line of inappropriate use of public information.
For example, two people talking on the street are clearly in public. However, if they look around and see that there isn't anybody near them, nor are there any recording devices[1], they may choose to speak in confidence. While they are technically "in public", they are de facto private, at least temporarily. Pivacy isn't a Boolean property, and it can change all the time.
Expanding on the same example, if there are three people in the same situation, something said between Alice and Bob is obviously not "private" because Carol can overhear it, but there may be an expectation that it is public within that group, but private with respect to everyone else.
For OkCupid, I would guess that most people have an expectation that the data they share "publicly" will be used in the expected features of the site. Their data won't be public in the general sense, but it will be public to people with OkCupid accounts. Many people also expect that they data will be used[2] as the site presents the data being used. Searches done manually are different than a program that walks the entire database.
Anybody that wants to work with technically public data in a way that is outside the usual user-available features should really be getting informed consent first. This has nothing to do with legal restrictions (which may also exist in some situations); failure to ask first will simply earn you a reputation of being a "peeping tom" that shouldn't be trusted.
[1] see the recent situation in Oakland with the FBI hiding microphones
[2] modulo minor administrative uses done by OkCupid itself
I understand that some OKCupid users may have an expectation that their data is used for dating purposes, but if that's not written anywhere, then how am I supposed to know that's what they expect? How is a researcher supposed to know what's in the user's heads when they put that data out there?
It's up to OKCupid to define boundaries. Write down these expectations, formalize them, and then it'll be clear what the boundaries are on this pseudopublic information.
Edit: Never mind, I can scroll all the way through and I can see the whole article. But if I read from the top and then scroll, it blocks me. So they give me a chance to see "oh it's all there," start reading, and then block it for me. Talking about dark patterns... I mean, I get it from a financial standpoint, and I'm totally going to circumvent this blocking now (private window, inspect element, I don't know what'll work yet), but it's just shitty.
Most sites ban content scraping by users (And good sites have technical countermeasures)
There is no reason to think no one is scraping dating websites, social medias and other "public" personal data for personal profit. For blackmailing, social engineering...
The sooner people will get this chilling feel that "wait, what I post online may actually come back to bite me" the better.
I see why this got so much discussion, it's a very grey area from my point of view.
Here's something incredibly simple: if you don't want your data to be public, then don't share it! Don't transmit it! Don't want the other users on OkCupid storing your information? Why did you put it there in the first place!?!? The internet is not now, nor was it ever, a private place.
These guys did nothing wrong as far as I'm concerned, besides maybe breaching OkCupid's TOS. OkCupid can sue if it pleases them, but that's a matter for civil law.