Privacy and Social Networks


Presentation for Internet Governance Forum on workshop "Governance of Social Media"

Published in: Technology, News & Politics
  • Privacy and Social Networks

    1. Privacy and social networks
        • Ian Brown (Oxford Internet Institute)
        • Lilian Edwards (Sheffield University)
    2. “Sensitive” personal data
        • Do Social Networking Sites contain:
        • “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.” (Article 8 Data Protection Directive)
    3. Tagging
        • Should you have a right to control what is “tagged” with your name or identifier?
        • Facebook lets you control who can find “your” tags
        • A29WP: “Users should be advised by SNS that pictures or information about other individuals, should only be uploaded with the individual’s consent.”
    4. Tag control
        • You can control who sees items tagged as you
        • Not possible in sites that expose tags to search engines
    5. Facebook applications
        • Over 350,000 active apps as of June 2009
        • X’s consent may reveal personal data about Y
        • Canadian Privacy Commissioner: “Facebook should be doing much more to ensure that meaningful consent is duly obtained from users when developers access their personal information [and] technological safeguards that will not simply forbid, but effectively prevent, developers’ unauthorized access to personal information that they do not need.”
    6. Reasonable expectations?
        • Oxford students fined on basis of Facebook photos of exam celebrations. Whose “fault”?
            • Students who didn’t take appropriate security measures using available tools?
            • Oxford for snooping on a “private place”?
            • Facebook because it did not provide the right defaults for a “reasonable expectation of privacy”?
        • A29WP: “SNS should ensure privacy-friendly and free of charge default settings are in place restricting access to self-selected contacts”
        • Canadian Privacy Commissioner: “Facebook’s default settings in respect of photo albums and search engines do not meet users’ reasonable expectations”
    7. User population issues
        • If adults rarely take steps to protect their privacy, should we expect teenagers to? Risk awareness; jam today; culture of disclosure. But when FB users grow up...
        • What would make kids privacy-aware?
        • Wired July 17 2007 report => “It seems the privacy threat is not so much Big Brother as your mother.”
        • Some suggestions of default of no spider-able profiles for under 18s on SNSs.
        • Some sites much more protective – cf Bebo.
    8. Individuals ≠ data controllers
        • How sustainable is Lindqvist?
        • A29WP: “when access to a profile is provided to all members within the SNS or the data is indexable by search engines, access goes beyond the personal or household sphere.”
        • Better privacy protection by infomediaries?
            • Defaults/Nudges?
            • Expedited temporary restrictions on sharing?
    9. How to further privacy on Facebook and SNSs?
        • EU Data Protection law on the whole requires consent to legitimise data collection, processing and transfer
        • Is the consent given when signing up for Facebook (and apps) good enough? Informed? “Explicit” for sensitive data?
        • Should current consent expose users to future risks? “The eternal memory of Google”
        • Can T & C which exclude liability for privacy and security breaches be potentially void as unfair consumer terms?
        • Some ideas:
            • A legal regime requiring that defaults be provided at the most privacy-friendly setting?
            • Automatic expiration of data?
    10. References
        • L. Edwards & I. Brown (2009) Data Control and Social Networking: Irreconcilable Ideas? In A. Matwyshyn (ed.) Harboring Data: Information Security, Law and the Corporation, Stanford University Press, 202-227.
        • Office of the Federal Privacy Commissioner, PIPEDA Case Summary #2009-008: CIPPIC against Facebook
        • Article 29 Working Party Opinion 5/2009 on online social networking