Data protection and social networks


First presented at Future of Digital Identity, British Library, 7 Jan 2010. Updated for presentation at Privacy and the Law Conference, London, 1 Dec 2010, and for an OxPILS seminar at Balliol College, 23 May 2012.

Published in: Technology, News & Politics

    1. Data protection and social networks
    2. Data: Pew Research Center, Internet and American Life Surveys
       Graphic: Jenise Uehara Henrikson, Search Engine Journal, 30/8/11
    3. Which data are social networks storing?
        • In 2011, Austrian law student Max Schrems received 1,222 pages of data after subject access request to Facebook
        • Searches, pages viewed, relationships with friends, events, like button tracking, cookies, conversation tracking…
        • Facebook now has data download tool, supplies 39 of 84 data categories held
       TouchGraph Facebook Browser
    4. Data: CareerBuilder, online, fieldwork 17/11/09-2/12/09, probability sample of 407 UK private sector employers, sample error ±4.41%
       Graphic: Jenise Uehara Henrikson, Search Engine Journal, 30/8/11
    5. Reasonable expectations?
        • Oxford students fined on basis of Facebook photos of exam celebrations. Whose “fault”?
            • Students who didn’t take appropriate security measures using available tools?
            • Oxford proctors for snooping on a “private place”?
            • Facebook because it did not provide the right defaults for a “reasonable expectation of privacy”?
        • A29WP: “SNS should ensure privacy-friendly and free of charge default settings are in place restricting access to self-selected contacts”
        • Canadian Privacy Commissioner: “Facebook’s default settings in respect of photo albums and search engines do not meet users’ reasonable expectations”
    6. Data shared about third parties
        • How far can users control what is “tagged” with their identifier?
        • Facial recognition
        • A29WP: “Users should be advised by SNS that pictures or information about other individuals, should only be uploaded with the individual’s consent.”
       TouchGraph Facebook Browser
    7. Facebook Platform
        • Over 9m apps and integrated websites as of March 2012
        • “Social Plugins” are revealing browsing behaviour across the Web to Facebook and Twitter – used by latter for profiling (10 days of records). Banned in Schleswig-Holstein
        • X’s app consent may reveal personal data about Y, and transmit user IDs to ad tracking companies
        • Canadian Privacy Commissioner: “Facebook should be doing much more to ensure that meaningful consent is duly obtained from users when developers access their personal information [and] technological safeguards that will not simply forbid, but effectively prevent, developers’ unauthorized access to personal information that they do not need.”
    8. Young people and privacy
        • Most young people see Internet as private space for talking to (already-known) friends, and target information to peer group
        • Lenhart et al. (2007) found stricter access controls on photos/videos by teens than adults (76% v 58% most of time/sometimes)
        • Teens showed higher privacy concerns with parental monitoring; parental discussions increased privacy concerns and reduced disclosure
        • Human impulse to connect and share information with friends, but when mediated can easily be replicated and spread to places never intended. Teens less good at managing collapsed contexts (boyd, Marwick)
        • Adult users of social media are developing similar behaviours – consequence of mediation, not age (Marwick et al. 2010)
    9. Young adults and privacy
        • Hoofnagle et al. (2010) found very limited understanding of privacy laws among young adults – 42% answered all 5 questions incorrectly
        • Jones et al. surveyed 7,421 students at 40 US colleges. 75% concerned about passwords, SSNs, credit card numbers but few about SNSes due to insignificant consequences (2009)
    10. Student information disclosure
        What kind of personal information do you post online? (first year N=177, final year N=133)
        Oostveen (2010)
    11. Sampling Facebook Experiences
        • Facebook Application
            • Location disclosed to friends
        • Server
            • Data are collected in our server
            • Questions are sent to participants through SMS
        • Mobile phones carried by students
            • Location retrieved with embedded GPS
            • Subjects answer questions (e.g., sharing choices)
        • Aims. To understand:
            • Why do students share their location
            • How (text, picture)
            • When, to whom they share this location
            • At what locations are they more willing to share
    12. Location sharing
        • 40 participants responded to over 2000 questions over 2 weeks
        • Participants are more willing to share their location when they are in ‘Leisure’ or ‘Academic’ locations than in the ‘Library’ or in ‘Residential’ areas.
        Abdesslem, Parris & Henderson (2010)
    13. Privacy is contextual
        • “Contrary to the assumption … that people have stable, coherent, preferences with respect to privacy, we find that concern about privacy … is highly sensitive to contextual factors”
        • Privacy salience primes concerns
        • “People, it seems, feel more comfortable providing personal information on unprofessional sites that are arguably particularly likely to misuse it.”
        • “Covert inquiries … do not trigger concerns about privacy, and hence promote disclosure.”
        John, Acquisti and Loewenstein (2011)
    14. Homo economicus vs. sapiens
        • Bounded rationality
        • Privacy risks are highly probabilistic, cumulative, and difficult to calculate
        • Most individuals bad at deferred gratification, and have time-inconsistent preferences
        Acquisti (2009)
    15. How to further privacy in social networks?
        • Is the consent given when signing up for Facebook (and apps) good enough? Informed? “Explicit” for sensitive data? EC: “general principle of transparent processing”, “improving the modalities for the actual exercise of the rights of access, rectification”, “clarifying and strengthening the rules on consent”
        • Should current consent expose users to future risks? “The eternal memory of Google” vs. the “right to be forgotten”; “data portability”
        • Can T & C which exclude liability for privacy and security breaches be potentially void as unfair consumer terms? EC: “general personal data breach notification”, “extending the power to bring an action before the national courts”, “strengthening the existing provisions on sanctions”
        • EC: “further promoting the use of PETs and the possibilities for the concrete implementation of the concept of ‘Privacy by Design’”, “continue to promote the development of high legal and technical standards of data protection in third countries and at international level”
    16. Individuals ≠ data controllers
        • How sustainable is Lindqvist?
        • A29WP: “when access to a profile is provided to all members within the SNS or the data is indexable by search engines, access goes beyond the personal or household sphere.”
        • Better privacy protection by infomediaries?
        • Defaults/Nudges?
        • Expedited temporary restrictions on sharing?
    17. References
    18. SNS market penetration
        Source: Le Monde, 15/5/08
    19. Is competition regulation required?
        • OpenSocial and related efforts may reduce switching costs,
        • but network effects will still act as a barrier to entry
        • vertical integration will limit consumer choice
        Competition authorities could:
        • impose ex ante interoperability requirements
        • upon dominant social utilities
        • between vertically integrated value chains
        • to minimise network barriers
    20. Three models
        Model 1: Must-carry obligations
        • on broadcasters and Electronic Programme Guides
        Model 2: API disclosure requirements
        • on Microsoft from DoJ and EC rulings
        Model 3: Interconnect requirements
        • on telcos, especially with SMP
        • for IM clients, from Time Warner/AOL merger case
    21. Model comparison
        • API disclosure requirements are necessary but not sufficient - ability to program platform apps is of little use if they cannot run
        • Must-carry obligations enable one platform to “break in” to another (eg Flickr app on Facebook)
        • Interconnect requirements most likely to lead to seamless user experience that will create real competition