Plaxo and Privacy — A Storm In A Teacup?

Plaxo, the besieged contact updating service, is pointing readers of its blog to an article that takes issue with the company’s critics.

The article, written by Jim Harper of, takes issue with privacy concerns, especially those aired by Australian academic Roger Clarke which I’ve tried to summarise in an earlier post. Jim’s language is quite robust, apparently a reaction to Roger’s own riposte to an earlier posting by Jim on RFID tags. Still, he makes an interesting point: Why all the fuss about handing over your contact data?

For just a moment, let me go into Clarke’s starting point a little further: the idea that contact information is sensitive. It’s not. In fact, contact information is created precisely for the purpose of sharing. People print contact information on cards and give it out. There are entire books – called “phone books” – designed to broadcast contact information far and wide. People put their contact information on letters and in e-mails. Contact information is about as private as the nose on your face.

So who is right? It’s true that contact information in itself is a more or less public commodity. I can decline to hand over my business card to someone I don’t like the look of, but once the card is handed over to anyone, I can no longer assume that information is secure. But my reading (and hey, I’m no expert) of Roger’s original piece is that there are two main outstanding problems:

  • It’s less about handing over one’s own data than about someone else handing over their data about you. The main objection people have about Plaxo is that, by uploading their address book to Plaxo’s servers, someone else is giving away information about you. As Roger points out: “Under the doctrine of privity, a contract creates rights and responsibilities for the parties to the contract, but for no-one else. Hence there are no rights whatsoever under the contract for the individuals to whom the data relates.”
  • The second issue is about the connections implied in such data — not just whether you’re in someone’s address book, but who else is there alongside you. If someone is arrested for fraud, does the fact that you’re in their address book make you a suspect? Roger writes: “The threat involved in consolidations of address-books therefore has an important social dimension, and if it affects a person’s employability or career advancement, then an economic dimension as well.”

On the surface neither of these concerns may seem all that relevant. If you’re in a criminal’s address book/PDA/cellphone, chances are you’re going to be interviewed by police, whether they got the information from Plaxo or from riffling through his dashboard glove compartment. And, in the first case, what’s the difference between someone storing your contact details in their PDA and storing them online with Plaxo?

First off, I think Jim’s taking too much of an old world view of privacy. He writes that “there isn’t much difference between an online social network and the online or offline lists of club memberships, fraternities, churches, phone systems, magazine subscribers, buyers of goods, sellers of goods, transporters of goods, employees, employers: the list of lists goes on and on.” True, in terms of the nature of such data. But computers and the Internet make handling — and, potentially, mining — such lists much more efficient. In its first seven months Plaxo had more than a million members. Assume each one has a contact list of 100 people. That’s 100 million names (lots of duplication, of course, but my figures are conservative). Plaxo has promised not to do anything with this data, but Roger’s point is a fair one: existing privacy laws don’t really deal with situations where users voluntarily surrender data about other people. So we’re already in new territory.

Internet users are already aware of this; just a year or so ago many of us wouldn’t have baulked at entering personal details into a website in return for access. Not any more. The Internet, once this great repository of information and a community of benign and helpful folk, has turned around and bitten us on the collective behind. Spam is just the most visible aspect of it. We now see our lives visible online, so much so that prospective dates are ‘Googled’ to see whether their background is up to snuff. Privacy nowadays is not so much about keeping yourself to yourself as about trying to reassert some sort of control over which specific data enters the public domain. A blogger is quite happy to spill their most intimate beans online, but that doesn’t mean they’re about to reveal their cellphone number to telemarketers, or become part of some large database that may end up being sold to a few years down the track. Personal contact data are, after medical and financial data, the most sensitive data one has.

Jim’s right to raise questions about the heat that Plaxo has been taking (and I readily confess some of the postings here have perhaps contributed to it, although I’ve tried to synthesize the arguments for and against, along with Plaxo’s responses). But it seems to me that if people feel uncomfortable with their data being held by a company that has not revealed how it is going to make its money (or even if it has) then their right to not have their data stored there must be respected, both in law and in the storers’ privacy policy.