(UPDATE: Greetings to our friends from Hacker News. If you want to join in the discussion and haven't posted here before, please read the moderation policy first. (This is a moderated forum.))



"If you're not paying for the product, you are the product."

In the past I've fulminated about various social networking systems. The basic gist is this: the utility of a social network to any given user is proportional to the number of users it has. So all social networks are designed to tweak that part of the primate brain that gets a dopamine reward from social activity — we are, after all, social animals. But providing a service to millions of customers is expensive, and your typical internet user is a cheapskate who has become accustomed to free services. So most social networks don't charge their users; they are funded indirectly, which means they've got to sell something, and what they've got to sell is data about your internet usage habits, which is of interest to advertisers.

So the ideal social network (from an investor's point of view) is one that presents itself as being free-to-use, is highly addictive, uses you as bait to trap your friends, tracks you everywhere you go on the internet, sells your personal information to the highest bidder, and is impossible to opt out of. Sounds like a cross between your friendly neighbourhood heroin pusher, Amway, and a really creepy stalker, doesn't it?

Meet Klout. (Yes, that's their Wikipedia stub. No, I am not going to link to them.)

[ Klout ] ... provides social media analytics that measures a user's influence across their social network. The analysis is done on data taken from sites such as Twitter and Facebook and measures the size of a person's network, the content created, and how other people interact with that content. Klout recently added LinkedIn, Foursquare, and YouTube data to its algorithm.

Sounds harmless enough, at first read. Unfortunately, it isn't.

Klout operates under American privacy law, or rather, the lack of it. If you created a Klout account in the past, you were unable to delete it short of sending legal letters (until November 1st, when they kindly added an "opt out" mechanism). More to the point, Klout analyse your social graph and create accounts for all your contacts without asking them for prior consent. It also appears to use an unwitting user's Twitter or FB credentials to post updates on their Klout scores, prompting the curious-but-ignorant to click on a link to Klout, whereupon they will be offered a chance to log in with their Facebook or Twitter credentials. So it spreads like herpes and it's just as hard to get rid of. Is that all?

No, that isn't all. Let me fire up a sandboxed browser instance and cut'n'paste a little bit of Klout's terms and conditions:

By accessing the Klout website ("Site") or using the services offered by Klout ("Services") you agree and acknowledge to be bound by these Terms of Service ("Terms"). If you do not agree to these Terms, please do not access the Site or use the Services.

Got that? You don't need to open an account for Klout to assert that they own you; just looking at their T&Cs is enough. Now for the privacy policy:

... we may use your contact information to market to you, and provide you with information about, our products and services, including but not limited to our Service [ note that "not limited to" clause -- cs. ] ... When you visit the Site, our servers automatically record information that your browser sends whenever you visit a website ("Log Data"). This Log Data may include information such as your IP address, browser type or the domain from which you are visiting, the web-pages you visit, the search terms you use, and any advertisements on which you click ... Klout may use both session cookies and persistent cookies to better understand how you interact with the Site and our Service, to monitor aggregate usage by our users and web traffic routing on the Site, and to improve the Site and our services [ services to who? Answer: the folks who pay Klout money ] ... We engage certain trusted third parties to perform functions and provide services to us, including ... direct marketing campaigns. We will share your personally identifiable information with these third parties ... [ there, they said it ] ... The Site is not directed to persons under 18 [ because that's about the only privacy-protected class in US law ].

Now let's look at something else.

Here in the civilized world we have a fundamental right to privacy. Klout, by its viral nature (and particularly by tracking people without their prior consent) is engaging in flat-out illegal practices. Don't believe me? Well, here in the UK activities relating to the processing of personal information are governed by the Data Protection Act (1998), a law enforced by the Information Commissioner's Office.

As we saw earlier, Klout assert that they have the right to collect information about you and conduct direct marketing campaigns if you visit their website. For those of us who are not lawyers, here are the ICO's conditions for processing personal data:

One of the conditions for processing is that the individual has consented to their personal data being collected and used in the manner and for the purposes in question. ... Consent is not defined in the Data Protection Act. However, the European Data Protection Directive (to which the Act gives effect) defines an individual's consent as: "... any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed". The fact that an individual must "signify" their agreement means that there must be some active communication between the parties. An individual may "signify" agreement other than in writing, but organisations should not infer consent if an individual does not respond to a communication — for example, from a customer's failure to return a form or respond to a leaflet. ... Consent obtained under duress or on the basis of misleading information does not adequately satisfy the condition for processing.

Klout are flagrantly in violation of UK data protection law. Their terms and conditions, and their privacy policy, are riddled with loopholes that permit them to resell personal data. They violate Principle 1 of the Act ("the individual who the personal data is about has consented to the processing"). Arguably, they violate Principle 2 of the Act ("be clear from the outset about why you are collecting personal data and what you intend to do with it" — no prior notification to people they hold data on is made). The amount of personal data Klout collects is excessive (see Principle 3), they show no sign of complying with Principle 4 of the Act ("take reasonable steps to ensure the accuracy of any personal data"), and they may well be in breach of Principle 5 (that personal data must be deleted after it is no longer required for the purpose for which it was collected). They violate Principle 6 of the Act ("right to prevent processing for direct marketing; right to object to decisions being taken by automated means"). They violate Principle 8 of the Act (personal data is exported from the EU without due compliance with EU privacy regulations). Shockingly, Klout might actually be in compliance with Principle 7 of the Act governing information security ("you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised") but it's hard to tell.

It kind of puts my objections to Google+ into perspective, doesn't it?

Anyway: if you sign up for Klout you are coming down with the internet equivalent of herpes. Worse, you risk infecting all your friends. Klout's business model is flat-out illegal in the UK (and, I believe, throughout the EU) and if you have an account with them I would strongly advise you to delete it and opt out; if you're in the UK you could do worse than send them a cease-and-desist plus a request to delete all your data, then follow up a month later with a Freedom of Information Act request.