Last week’s CBS News Sunday Morning told the story of Ashley Payne. The Georgia school teacher was pressured to resign after vacation pictures, showing her drinking alcohol, were circulated on Facebook.
The foul cry is that no one but her closest friends should have ever seen those pictures because her Facebook privacy settings were strictly set. As Ms. Payne describes:
“But it sort of feels like the same thing as if I had put the pictures in a shoebox in my house and someone came in and took them and showed one of them to the principal.”
Wrong. No one broke into the sanctity of Ms. Payne’s home and stole her pictures. That would have been a clear privacy violation. The more accurate characterization is that she shared her pictures with a gossipy friend who passed them on.
That said, the real injustice is how the school board used the photos, not that the board had access to them. Unless her employment contract prohibits off-duty drinking, I would argue the board misused her information.
When thinking about privacy, I’ve noticed that we often confuse use with access. It seems that we have good policy around data access violations but not much around data use violations save, of course, the Fair Credit Reporting Act.
I’ve been thinking about how to characterize this confusion and have landed on, aptly, the Confusion Matrix used in supervised machine learning. Basically, the diagonals denote clarity and the anti-diagonals confusion. So, it makes sense to enforce loss of data with breach notification laws.
But, when we confuse data use with data access, we may end up prosecuting Facebook gossips for sharing your data, instead of punishing employers for misusing information when they overstep their authority.