10. Duty of Care
User Driven Services look out for their users’ well-being.
If a service is truly acting in our best interests, it will take appropriate measures to protect us from dangers resulting from our use of the service. User Driven Services continually work to minimize user exposure to liability, risk, and potential harm.
Minimal identity information should be acquired, and what is acquired should be retained for a minimal period of time, to help reduce the possibility of inappropriate identity correlation and theft. Services should acquire and maintain a minimum amount of confidential data—identity or otherwise—and where feasible, should store that data in an encrypted form. Services should also endeavor to minimize the possibility that their system becomes a vector for attacks of any kind on users, including phishing, viruses, Trojans, and malware. User Driven Services should also exercise an appropriate duty of care in protecting their systems from hacking and attacks, not simply out of self-interest, but to protect their users’ interests as well.
Google and Firefox help prevent users from unwittingly visiting potentially malicious websites, working with the StopBadware program at the Berkman Center for Internet and Society. The PCI Security Standards Council oversees payment card industry (PCI) data security standards designed to protect credit card data. Classically, doctors adhere to the Hippocratic Oath, with its essential commitment to “Do no harm”. Attorneys and accountants have strict ethical and legal obligations to see to the welfare of their clients.
- Does the service take precautions to prevent potential risks to its users?
- Does the service have adequate security and monitoring in place to effectively identify potential risks and active incursions?
- Does the service manage its data so as to minimize the exposure profile for potential users, both in minimal data acquisition and in timely deletion?