Data protection and social networks

Data: Pew Research Center, Internet and American Life SurveysGraphic: Jenise Uehara Henrikson, Search Engine Journal, 30/8/11

Which data are social networks storing?• In 2011, Austrian law student

Max Schrems received 1,222 pages of data after subject access request to Facebook

• Searches, pages viewed, relationships with friends, events, like button tracking, cookies, conversation tracking…

• Facebook now has data download tool, supplies 39 of 84 data categories held TouchGraph Facebook Browser

Data: CareerBuilder, online, fieldwork 17/11/09-2/12/09, probability sample of 407 UK private sector employers, sample error ±4.41%

Graphic: Jenise Uehara Henrikson, Search Engine Journal, 30/8/11

Reasonable expectations?• Oxford students fined on basis of Facebook photos of exam

celebrations. Whose “fault”?• Students who didn’t take appropriate security measures

using available tools?• Oxford proctors for snooping on a “private place”?• Facebook because it did not provide the right defaults for

a “reasonable expectation of privacy”?• A29WP: “SNS should ensure privacy-friendly and free of

charge default settings are in place restricting access to self-selected contacts”

• Canadian Privacy Commissioner: “Facebook’s default settings in respect of photo albums and search engines do not meet users’ reasonable expectations”

Data shared about third parties

• How far can users control what is “tagged” with their identifier?

• Facial recognition• A29WP: “Users should be advised

by SNS that pictures or information about other individuals, should only be uploaded with the individual’s consent.”

TouchGraph Facebook Browser

Facebook Platform• Over 9m apps and integrated websites as of March 2012• “Social Plugins” are revealing browsing behaviour across the Web to

Facebook and Twitter – used by latter for profiling (10 days of records). Banned in Schleswig-Holstein

• X’s app consent may reveal personal data about Y, and transmit user IDs to ad tracking companies

• Canadian Privacy Commissioner: “Facebook should be doing much more to ensure that meaningful consent is duly obtained from users when developers access their personal information [and] technological safeguards that will not simply forbid, but effectively prevent, developers’ unauthorized access to personal information that they do not need.”

Young people and privacy• Most young people see Internet as private space for talking to

(already-known) friends, and target information to peer group• Lenhart et al. (2007) found stricter access controls on photos/videos

by teens than adults (76% v 58% most of time/sometimes)• Teens showed higher privacy concerns with parental monitoring;

parental discussions increased privacy concerns and reduced disclosure

• Human impulse to connect and share information with friends, but when mediated can easily be replicated and spread to places never intended. Teens less good at managing collapsed contexts (boyd, Marwick)

• Adult users of social media are developing similar behaviours – consequence of mediation, not age (Marwick et al. 2010)

Young adults and privacy• Hoofnagle et al. (2010) found very limited understanding

of privacy laws among young adults – 42% answered all 5 questions incorrectly

• Jones et al. surveyed 7,421 students at 40 US colleges. 75% concerned about passwords, SSNs, credit card numbers but few about SNSes due to insignificant consequences (2009)

Student information disclosure

What kind of personal information do you post online? (first year N=177, final year N=133) Oostveen (2010)

Sampling Facebook Experiences

Mobile phones carried by students Location retrieved with embedded GPS Subjects answer questions (e.g., sharing choices)

Facebook Application Location disclosed to friends

Server Data are collected in our server Questions are sent to participants through SMS

Aims To understand: Why do students share their location How (text, picture) When, to whom they share this location At what locations are they more willing to share

• 40 participants responded to over 2000 questions over 2 weeks• Participants are more willing to share their location when they are in ‘Leisure’ or

‘Academic’ locations than in the ‘Library’ or in ‘Residential’ areas.

Location sharing

Abdesslem, Parris & Henderson (2010)

Privacy is contextual• “Contrary to the assumption … that people have stable, coherent, preferences with respect to privacy, we find that concern about privacy … is highly sensitive to contextual factors”• Privacy salience primes concerns• “People, it seems, feel more comfortable providing

personal information on unprofessional sites that are arguably particularly likely to misuse it.”

• “Covert inquiries … do not trigger concerns about privacy, and hence promote disclosure.”

John, Acquisti and Loewenstein (2011)

Homo economicus vs. sapiens• Bounded rationality• Privacy risks are highly probabilistic, cumulative, and

difficult to calculate• Most individuals bad at deferred gratification, and have

time-inconsistent preferences

Acquisti (2009)

How to further privacy in social networks?• Is the consent given when signing up for Facebook (and apps) good

enough? Informed? “Explicit” for sensitive data? EC: “general principle of transparent processing”, “improving the modalities for the actual exercise of the rights of access, rectification”, “clarifying and strengthening the rules on consent”

• Should current consent expose users to future risks? “The eternal memory of Google” vs. the “right to be forgotten”; “data portability”

• Can T & C which exclude liability for privacy and security breaches be potentially void as unfair consumer terms? EC: “general personal data breach notification”, “extending the power to bring an action before the national courts”, “strengthening the existing provisions on sanctions”

• EC: “further promoting the use of PETs and the possibilities for the concrete implementation of the concept of ‘Privacy by Design’”, “continue to promote the development of high legal and technical standards of data protection in third countries and at international level”

Individuals ≠ data controllers

• How sustainable is Lindqvist?• A29WP: “when access to a profile is

provided to all members within the SNS or the data is indexable by search engines, access goes beyond the personal or household sphere.”

• Better privacy protection by infomediaries?• Defaults/Nudges?• Expedited temporary restrictions on sharing?

References

SNS market penetration

Source: Le Monde, 15/5/08

Is competition regulation required?• OpenSocial and related efforts may reduce switching

costs, • but network effects will still act as a barrier to entry• vertical integration will limit consumer choice

Competition authorities could: • impose ex ante interoperability requirements • upon dominant social utilities • between vertically integrated value chains• to minimise network barriers

Three models

Model 1: Must-carry obligations • on broadcasters and Electronic Programme Guides

Model 2: API disclosure requirements • on Microsoft from DoJ and EC rulings

Model 3: Interconnect requirements • on telcos, especially with SMP• for IM clients, from Time Warner/AOL merger case

Model comparison• API disclosure requirements are necessary but not

sufficient - ability to program platform apps is of little use if they cannot run

• Must-carry obligations enable one platform to “break in” to another (eg Flickr app on Facebook)

• Interconnect requirements most likely to lead to seamless user experience that will create real competition