Is Klout crossing the line when it comes to privacy?

Updated: If getting beaten up by critics and targeted by angry users is a sign of success, then Klout must be doing pretty well. The San Francisco-based startup — which is trying to compile a kind of “reputation rank” for the social web based on user activity on Twitter, Facebook and other networks — has come under fire recently for changing its algorithms and making many of its users’ rankings fall. But a more serious allegation is not that Klout is invading the privacy of its existing users, but of many who haven’t even joined the service, by compiling “shadow profiles” of them, including children. Is that an infringement of our digital rights, or just the new reality of living our lives online?
In one of the most recent critical posts about this kind of practice, prominent science-fiction author Charles Stross describes Klout as an “evil social network,” and says it does a series of things that are invasions of users’ privacy, including posting updates to its users’ Facebook walls and Twitter accounts to help the service “spread like herpes.” But one of the main criticisms Stross makes is that Klout creates profiles for users without their permission, based on their public activity on networks like Facebook. Stross describes “the ideal social network” as one that is:

[F]ree-to-use, is highly addictive, uses you as bait to trap your friends, tracks you everywhere you go on the internet, sells your personal information to the highest bidder, and is impossible to opt out of.

Stross goes on to say that Klout’s approach is likely illegal in the United Kingdom and possibly in much of the European Union, because it does these things with people’s data without telling them, and without specifically asking for permission (I’ve reached out to Klout for comment and will update this post if and when I get a response). According to Stross, the Information Commissioner’s Office in Britain, which enforces the 1998 Data Protection Act, requires that services get consent for data collection.

If the data is all public, have users consented to its use?

As Stross himself notes, however, “consent” is not defined in the legislation, so it’s not clear what exactly is required of a service like Klout. All the information used to create a profile on the service and generate a ranking comes from the public activity of those users: their Twitter profiles and activity, their Facebook profiles, their status updates, comments on other users’ pages, and so on. Klout explains that it collects this information and that users can prevent it from being collected by changing the privacy settings on the services it harvests data from. And in a move to blunt some of the criticism from those such as Stross, the company recently added the ability to delete a profile.

In addition to the criticisms of these “shadow profiles” in general, others have criticized Klout for creating these profiles even for non-adults, if those children have posted comments on or otherwise interacted with someone’s public Facebook page. While that may get Klout in some hot water with privacy regulators, the practice of creating profiles for users who haven’t even signed up with the service is far from unique: Facebook has also been criticized by a user in Ireland for collecting data on users who don’t have accounts, including their names and email addresses (the network says it does this so it can let users know when their friends join) and other social networks do something similar.
Update: In response to the criticisms about collecting data involving minors to create profiles on the service, Klout CEO Joe Fernandez said via email that the company “has no interest in creating profiles for minors” and that it has “taken steps above and beyond what Facebook does to make sure this doesn’t happen again.”
There’s no question that the issue of how much information services like Klout can collect about a user without their permission is a hot-button topic in many circles, including in Washington and in the European Union, where Google (s goog) and Facebook have both come under fire for the way they collect and store data — and even the way that they take photos of peoples’ houses, in the case of Google Streetview. Legislators in the U.S. have been working on “Do Not Track” legislation, which theoretically could be extended to cover the kind of thing that Klout and other networks and services do.
That said, however, it’s hard to see why Klout should be criticized for collecting information about people based on their public web activity. How is this any different from what Google does when it uses the behavior of users to assign a PageRank to the ads and links it shows in search results? And when I look at Google+ or Facebook, both show me people I might want to add based on my history of interacting with them in a variety of ways, again based on my public activity on the web. They may not be creating a profile for me or assigning me a Klout rank, but it fundamentally amounts to the same thing. (Google also now indexes all public Facebook comments.)
What’s clear is that as Klout grows and tries to extend its idea of “reputation rank” to more and more places online, these kinds of concerns — well-founded or not — are likely to get more common, and more vocal, rather than less.
Update: In his email response, Fernandez said that:

Privacy is a top concern for us. We work really closely with the platforms (twitter/fb/etc) and with our legal counsel to make sure we are on the right side of these issues across all the different laws around the world. It’s tricky because the landscape is developing quickly and this is new territory for everyone. You’ve seen how much Facebook and Google have struggled with these issues so everyone is kind of stumbling through it. Klout is a consumer facing brand that is trying to create a public standard. With that goal in mind it is critical that we are model citizens in this space and we do everything we can to respect the privacy of our users.

Post and thumbnail photos courtesy of Flickr user Josh Hallett