Privacy Fail: Klout Has Gone Too Far.

Everyone has Klout - and now that includes your whole familyKlout — and influence measurement in general — has always been a controversial topic.  How do you define influence?  How do you measure it?  Isn’t it context-specific?  Much has been written and debated on this topic, and there is much more work to be done on this.

There’s another way in which Klout, specifically has been controversial.  “Everyone has Klout” says the Klout home page.  What that means is that Klout will create a profile for you, whether you’ve opted in to be measured or not.  Once they’ve created a profile for you, there is no way to opt out or deactivate your profile.  Even if you don’t want to be measured, profiled, tracked or seen as endorsing their product.

So far, I’ve felt that this was a gray line.  The way that Klout created most of its profiles was based on your Twitter account — and Twitter is, by its nature, a public platform.  Open a Twitter account, and there are many tools and applications that will be able to access your account and all your posts and meta-data associated with them via the Twitter API.  Still, it’s not unreasonable to suggest that a company that sells its data to marketers, as Klout does, offer a way for people to opt out.

But now things have gone too far.

When I logged into my Klout page this morning, I was very surprised to see that Klout now lists my son as one of the people I influence.  Anyone who is a parent of a young adult will know that nothing is more unlikely.  And, knowing that my son is not on Twitter, and has always been very careful about managing his privacy on the Internet, how did Klout get the information to create a profile on my son???

This is where Facebook and its famously obtuse privacy settings comes into the picture.   Facebook recently made a number of changes to its platform, one of which was to allow users to specify whether their posts were visible just to friends or public (or some combination).   Whatever you used for your last post becomes the default for your next post.  As a result, my Facebook posts are set to be visible to the public.  And when my son recently commented on one of my Facebook posts, so was his comment–and Klout used that comment to find him and create a profile on him.

Search Google for his name + Facebook, and you won’t find his page.  You won’t even find him via Facebook search, unless you have more personal information on him to narrow your search down.  But now you can easily find him via a prominent link from the Klout profile of a relatively public person.

I’m not a legal expert, or a privacy expert, so I have no idea whether laws are being broken here.  And yes, any decent headhunter could find his Facebook profile if they were looking for it.

But the idea that, just by virtue of the fact that he commented on my post, I am now exposing him, a link to his Facebook profile, and the information that Klout is pulling on his social graph — all in a far more public and visible manner than he would ever chose to agree to — is extremely disturbing to me.

Danny Brown has already posted on this topic on his blog.  I really hope we hear from Klout on this issue.  To date, the only recourse you have to protect not only your own privacy, but that of your family’s, according to Klout, is to not share any information publicly.  If there were a way to de-activate my account until this was sorted out, I would.

Meanwhile, I have unlinked my Facebook account, and I suggest you do the same.

UPDATE:  Brian Carter has added a post on this at AllFacebook.

UPDATE:  I just heard from another social media professional that she has found a Klout profile for her son, who is 13 years old.  In other words, Klout is creating profiles and assigning scores to minors.

UPDATE 10/28:  Marian Heath, who manages family safety for Facebook, has advised that Facebook is  investigating this issue.

UPDATE 10/29: Lisa Vaas has written a well-researched article on this issue for Naked Security.

UPDATE 10/31:

  • Klout is no longer linking users created via a Facebook scrape to individual profile pages.  However, the users still show up in the “influence networks” of their Facebook friends, and their scores are displayed on Klout and in applications and browser extensions that pull Klout scores.
  • We’ve uncovered that some users now have duplicate Klout profiles with different Klout scores.

UPDATE 11/1:  As of today, Klout allows users to delete their account.

UPDATE 11/8:  Klout is no longer creating profiles and scores for unregistered Facebook users.

UPDATE 11/14: