opting in and opting out

I just got an email from the University of Michigan’s School of Information informing me that they have created an account for me, using my name and email address, in their job placement database, because they noticed that I publicly posted a job ad relevant to their students. And now I can use iTrack to post my job where their students and alumni can see it! And receive communication from their students! And their newsletters, which they helpfully chose to opt me into!

Uh, no.

I responded with an immediate request to be removed from their database and a rejection of their approach. You do NOT create un-asked-for accounts using people’s personal information and then inform them of that action. You can, and possibly should, proactively market your new services, and encourage people to opt in. But this? Crossed a line.

The Creepy Line. The “I like the tshirt you’re wearing in your Facebook photo” and “your hair smells so pretty” and seriously, you’re in the bushes outside my window? Line.

And suddenly I stopped, and thought, “Okay, but we do that for our campus users. They get a SUNYCard and they get a dining hall account, and swipe-card door access, and a library account, and an email account, and a Moodle account, and a Bursar’s account…” But it’s different. Those are people who have already opted into a community. They are already members of a self-selected group, of SUNY Potsdam community members.

I am not a University of Michigan community member. I’m not an alumna, I’m not a donor, I’m not even an acquaintance. Existing on the internet and posting jobs on my blog and on our campus website does not make me an opted-in member of a community. It does not give others rights to do things in my name. It does not authorize unsought paternalistic actions conducted by others on my behalf.

So then I wonder if we should be assuming those rights over our users. How far can we assume the opt-in goes? We talk about LDAP, and how if we get everything linked up the way we want to, we can auto-create ILLiad accounts that authenticate to Campus Computer Accounts the same way our ILS database does. And right now I’m wondering: do we have the right to presume to do so? Where are the boundaries of the institutional relationship? What’s the bell curve of user expectation of that relationship look like, and where does “hell yeah, create accounts for me” fall in comparison to “why do you think you have the right to do that with my data?”

I don’t know the answer. But I know how I felt just now, and I’ll store it away for the next time we start assuming rights to use our good intentions to help our users by doing stuff for them, unasked an uninvited.

Leave a Reply

%d bloggers like this: