Do you know where your data is?
Over at DataPortability.org, I'm in a conversation about what we want to see in a modern Terms of Service or End User License Agreement. Political geography is a subset of what I want to know.
Five Location Disclosure Questions:
1. In which countries is my data stored?
A lesson from the cloud computing community: When your data leaves your country, the country where your data is stored may define and apply rights and liabilities that don't exist in your own.
For example, libel, privacy, copyright, and free speech laws vary wildly even within the EU, let alone the whole world. You may not want your medical records to be arbitrarily stored outside your own country.
Your activity may be illegal in some countries but not in yours. For example, some countries enforce laws against vices (gambling, sex, alcohol, narcotics) and laws protecting monopolies (criminalization of copyright infringement, VoIP banning), covering activities that may be legal where you live.
2. What options do I have for controlling where my data is stored?
Can I choose to keep my data within my country? Within a specific state/province?
Can I choose among countries or adherents to specific treaties?
Which ones?
3. Are all countries receiving the same terms of service?
If not, which ones are receiving variants and how are their TOS/EULAs different? Some countries don't recognize any right of privacy from the government, e.g. China, Burma, etc. I should be able to shop for the best flavor of TOS/EULA that works for me.
4. Who owns the company?
This reveals potential for bias and conflicts of interest. Share with me whether you are "Privately held", "Subsidiary of", or "Publicly traded".
A hypothetical Skype employee may not want to share certain information with a StumbleUpon site where her web surfing behavior (looking for a new job on company time?) can flow back to eBay (which owns both Skype and StumbleUpon) and her boss.
5. In which country/countries (and states/provinces) is this site's owner incorporated?
This information tells me how much access I have to legal remedies and which laws govern this company. My choice to use a service and how much information I disclose to/through it depends on whether the company is chartered in a war zone, or in a country with stronger privacy laws than my own.
On the path to location informed social data portability
- Does your TOC/EULA disclose this information? Few do. How do we make disclosure valuable to site operators?
- Can you even answer these questions? Are your back-office operations so decentralized, diffuse, virtualized, and outsourced that location metadata is hard to find? How can we make it easier to collect this information and organize it for sharing?
- How can we present answers effectively? Nobody wants another zillion pages of legalese. Designing generic TOC/EULA for rapid understanding and visualization will make disclosure useful and worth the effort.
I'm eager to discuss this at the O'Reilly Where 2.0 Conference in May 2009.
tags: privacy, dataportability, policy, location, geography, jurisdiction, nexus, tos, eula, terms, conditions, agreement, contract, geodata, metadata, proximity, cloudcomputing, disclosure, registration
follow @skypejournal and @Phil Wolff. Ask for an invitation to the Skype Journal private roundtable.
foto: cc-by Shahram Sharif
Labels: business, dataportability, design