Posts Tagged: privacy

Research / ThoughtsNo Comments
3
Apr 09

CIO Magazine on privacy in social networks

C.G. Lynch of CIO magazine examines the business implications of the shifting nature of privacy in social networks.  He draws on research that Jacob Kramer-Duffield and I ran last fall:

But it turns out some users have fiddled with those privacy settings, after all. In research conducted by the UNC School of Information and Library Science this past fall, more than 70 percent of 495 college students surveyed claimed to have altered their Facebook privacy settings in some way. Around half of the students also said they limited access to their profile to “friends only.”

The research also indicates that their attention to privacy controls increases with their time on the service. During their first six months on Facebook, only 40 percent of students said they modified their privacy settings. After one year, that number jumped to nearly 80 percent.

It is a great article – I’ve spoken with Chris a few times and he’s an astute analyst of social networks.  The article has good quotes from Chris Kelly, Facebook’s smart Chief Privacy Officer.

As I mentioned in a post last week, Jacob and I are currrently writing this study up for publication.  We presented initial results at the ASIST Annual Meeting, but we hope to get this into journal form so we can share the results more broadly.

Noticed / Research5 Comments
9
Mar 09

NY Times Botches SNS Privacy

Via Michael Zimmer, an embarrasing NY Times story from Randall Stross on privacy in social networks.  Stross writes:

As the scope of sharing personal information expands from a few friends to many sundry individuals grouped together under the Facebook label of “friends,” disclosure becomes the norm and privacy becomes a quaint anachronism.

Facebook’s younger members — high school or college students, and recent graduates who came of age as Facebook got its start on campuses — appear comfortable with sharing just about anything. It’s the older members — those who could join only after it opened membership in 2006 to workplace networks, then to anyone — who are adjusting to a new value system that prizes self-expression over reticence.

Stross simply has this one wrong.  Instead of misguided intuition, let’s look at the numbers.  In the Summer/Fall of 2008, Jacob Kramer-Duffield and I ran a survey of undergraduate Facebook users.  We employed a list-based simple random sample, with 494 respondents.  When asked the question Have you changed the default Facebook privacy settings to give yourself enhanced privacy in Facebook?, 72.47% responded “Yes.” To the question Based on your Facebook privacy settings choices, who do you allow to see your Facebook profile?, 50% answered “Only my Facebook friends.” (1)

Stross would also benefit from looking at Lampe et al., 2008, a longitudinal analysis of Facebook use by a cohort of undergraduate students at Michigan State University.  The authors note “In 2006, 64% of users had the default settings for privacy. In 2007, this number dropped to 45% of users who had the default settings, and by users maintained the default privacy settings.” (p. 726)  Williams (2008), employing a SRS at Texas Tech, found that “In regard to public access to their Facebook profile, (50.6%) allowed only their friends to access their page, while (71.0%) stated that the primary target of their communication were friends.” (p. 52)  Williams writes (in her very interesting thesis) “Perhaps this is an indication that Facebook users, in particular at this institution, have greater concerns for invasions of privacy or a greater need to protect their disclosures from the general Facebook audience.”

I could go on.  Strauss, who theoretically has access to a research library, could have skimmed Lewis et al., 2008, Tufekci, 2008 or any of the recent studies put out by the Pew Internet and American Life Project for context.  Since he didn’t, he actually gets the issue backward.  I’ve written about this before, but the basic idea is this: Young people didn’t simply decide to give up privacy.  Rather, the studies show that social network sites, in their early iterations, created a very meaningful sense of close community.  Young people disclosed not because attitudes about privacy instantly and simultaneously changed, but because they felt very comfortable with their audience.  Zimmer continues:

Stross likely doesn’t realize it, but he’s right that sites like Facebook have “[dissolved] the line that separates the private from the public.” In few realms of our lives can we truly identify a strict dichotomy between public and private information. Instead, everything is contextual. And, yes, that’s what makes thinking about privacy difficult, but that doesn’t mean we throw in the towel. Instead, we accept the challenge and work to create policies and build technologies for the sharing of information that properly reflect a contextual notion of privacy, rather than a binary one.

The conclusion that Stross draws – that adults are now going to massively change their disclosure behavior because of young people – is as flawed as his “privacy as anachronism” point.  The real story is that adults are grappling with and establishing norms of privacy in a manner very similar to young people.  This is my summer research topic, so watch this space for more along these lines.  A final point – the 20% statistic.  First, Facebook defaults have changed over the years, so a default now may have been a modification in the past.  Second, Facebook’s audience is increasingly international, so we must remember that norms will vary significantly across nations and cultures.  Third, privacy is not in Facebook’s business interests.  Less privacy = more content, so it may not be in Facebook’s interest to craft a privacy statistic that reflects current norms.

Notes:

(1) This survey was initially presented at the 2008 ASIST Annual Meeting.  We are currently writing it up for publication.

References:

Lampe, C., Ellison, N. B., and Steinfield, C.  (2008).  Changes in use and perception of facebook.  In CSCW ’08: Proceedings of the ACM 2008 conference on Computer supported cooperative work, New York, NY, USA, 2008 (pp. 721-730).  ACM.

Williams, I. M.  (2008).  The Effects of Anticipated Future Interaction and Self Disclosure on Facebook.  Masters thesis, Texas Tech University.

Lewis, K., Kaufman, J., and Christakis, N.  (2008).  The Taste for Privacy: An Analysis of College Student Privacy Settings in an Online Social Network.  Journal of Computer-Mediated Communication, 14(1), 79-100.

Tufekci, Z.  (2008).  Can You See Me Now? Audience and Disclosure Regulation in Online Social Network Sites.  Bulletin of Science Technology and Society, 28(1), 20-36.  http://bst.sagepub.com/cgi/content/abstract/28/1/20

Noticed / Thoughts4 Comments
5
Mar 09

Facebook and the Death of Networks

InsideFacebook reports on the coming “opening up” of Facebook:

After Facebook’s press event yesterday announcing public profiles and the real-time home page “stream,” I briefly chatted with Mark Zuckerberg about the future of sharing on Facebook. Essentially, Mark said things are headed toward a hybrid model in which some information shared by users can be private and some information shared by users can be public, depending on users’ preferences.

This direction means users will need to think in new ways about sharing on Facebook. Historically, sharing on Facebook has been managed through Facebook’s robust privacy settings, with most of the default settings being set relatively strictly (usually limiting access to most information to others in your school or regional networks). Now, Facebook users will also have the option to easily share some information much more openly – even completely publicly for the whole world (and search engines) to see if they so choose.

While Zuckerberg said Facebook is still working on the user interface that would make such sharing settings robust and easy to use, these changes are going to have significant implications for the nature of sharing on Facebook.

Perhaps.  One of the stories that doesn’t get talked about much is the massive shift towards privacy in Facebook in the last few years.  In studies I’ve run, and in data I’ve seen, there is (and has been) a clear migration towards friends-only profiles in Facebook.  In my opinion, this is the result of 1) increased awareness and comprehension of privacy risks 2) context collapse and 3) the aggressive nature by which Facebook manages the community.  As I’ve written previously, Facebook’s users have adapted to this new reality, and accordingly enforce a high level of information control.  We’ve studied online community long enough to know that users won’t change practice simply because the community has new features.  To that extent, we shouldn’t expect Facebook’s move towards openness to radically affect the community.

I see this move as the death of regional networks. Facebook’s initial genius was to segment schools by network.  Schools are unique; they are closed communities full of individuals who interact daily, who share a strong common bond.  Because of this very strong group identification, Facebook users felt comfortable sharing and disclosing to other members of their school network.  When Facebook opened to everyone, they attempted to replicate this success by introducing regional networks.  As one might imagine, regional networks are vastly different from school networks.  There is no verification for entry, the networks are much larger and much less cohesive, and the group effects are meaningless.  Regional networks were simply an arbitrary segmentation so Facebook could keep up the master-plan nature of its community.

Fast-forward to 2009, and a few things have changed.  Primarily, lots of people have Facebook accounts.  Unlike college students who are heavily focused on interacting in their local, university network, older users operate without a focus on location or geography.  You don’t care about what network Bob from First Grade uses, because the nature of interaction isn’t about browsing Bob’s profile – it is about establishing a friend connection.  For older users, Facebook is much more about point-to-point use than browsing interaction (and if anyone wants to lament the “devaluing” of Friendship, they should consider how the system forces people into friendship to accomplish informational goals).  This nature of interaction has largely rendered regional networks and their privacy functions meaningless.

This takes us back to the original question – will all this new openness radically affect Facebook?  No.  Facebook’s contexts collapsed a long time ago.  Facebook is already open.  Users factor this openness into what they say and do, who they friend, and the privacy settings they maintain.  Sure, publicity seekers will like this new openness, but there may be a reverse incentive for other users.  This semi-openness may make users more findable, forcing more awkward friendship negotiations and context collapse, leading to reduced sharing of information (the lifeblood of Facebook).  This shouldn’t be taken as a criticism of Facebook, but just as a reflection of the social realities of a massive online system with real-world implications.  If everyone in the world was on the same listserv we’d behave the same way.

Upsides for Facebook?  This is a great chance to become a huge peer content-distribution network.  Take photo galleries.  If Facebook stepped their game up a little in photo galleries (hosting multiple size photos, offering printing services, etc), it could easily compete into the territory of Flickr, Kodak or Snapfish (Note: Why FB, with their 11 Trillion photos, hasn’t done this meaningfully yet is beyond me).  There are many valuable products that Facebook could provide via the public profile, any number of which are monetizable and provide real value (i.e. not just network value).  This would mark a serious legitimization of Facebook as a business – sort of like an inverse Google.  In the case of Google, you spread yourself over all of their services.  With Facebook, the individual would be the center of the network, and their profile could be a place for search, hosting, file sharing, chat/videochat, photo hosting, blogging, microblogging, and so forth.  As unglamorous as it sounds, there is still a huge market to be people’s webpage.

Noticed / Research / Thoughts10 Comments
18
Feb 09

How Facebook Should Address User Rights

Earlier today, Mark Zuckerberg announced that Facebook would be significantly revising the new Facebook terms of service.  He writes:

Going forward, we’ve decided to take a new approach towards developing our terms. We concluded that returning to our previous terms was the right thing for now. As I said yesterday, we think that a lot of the language in our terms is overly formal and protective so we don’t plan to leave it there for long.

Our next version will be a substantial revision from where we are now. It will reflect the principles I described yesterday around how people share and control their information, and it will be written clearly in language everyone can understand. Since this will be the governing document that we’ll all live by, Facebook users will have a lot of input in crafting these terms.

Of the changes, Michael Zimmer writes:

Consider their declaration that “We won’t use the information you share on Facebook for anything you haven’t asked us to.” Ok, well, I never asked to be opted into an automatic News Feed, nor did I ask to be a part of Beacon, but Facebook used my data for these purposes without my informed consent. Will they do it again? Will a more robust behavioral targeting system be implemented? Will I have asked Facebook to use my proifle data for that purpose?

Zimmer’s comments reveal the fundamental conceit of this discussion – what is “our information” in Facebook and where does it begin and end?  Put another way, it is easy to imagine a photograph we upload as “our information.”  But what about the pokes we send into the ether, or even more abstractly, the deltas between our logins as recorded by Facebook’s servers.  All of this is “our information,” and all of this information would be coveted by marketers.

I would like to argue that the idea of owning one’s information in the context of third-party systems is impossible.  “Our information” is used, reused, extracted, archived, analyzed, recombined, logged and backed up in so many ways by third-parties, the idea of actually owning it (meaning we could “remove” it at our discretion) is an impossibility.  More practically, if we did own our information, we would be able to do just as Zimmer states – opt out of Newsfeeds, control how our information flows through Facebook.  I don’t forsee this happening any time soon.

To Facebook’s credit, I believe the terms update actually reflected this reality of information ownership dilemma.  There are so many derivatives of information, the company couldn’t reasonably promise ownership.  Information almost inherently shape-shifts in technical systems; this information-derivation “problem” affects everyone from Google and Yahoo to the lowliest blog.

How can Facebook address this issue?  First, Facebook needs to move the discussion away from this overarching concept of “information.”  Facebook cannot truthfully promise ownership of all of our information, at least to the extent is passes a “removal” test.  Second, Facebook needs to study user perceptions of information in the site.  For example, HCI literature shows us a number of gaps between “observable” information and systems- or backend-information.

A user may consider her pictures as information, but they may not consider their attention data as information.  By understanding the user’s conception of information, it can more accurately craft a terms of service that reflects user’s needs.  Facebook is ultimately responsible to its users.  While policy wonks may deride a system that does not promise “absolute” control, Facebook should focus primarily on user conceptions of information and start building the policy out from there.

Facebook should also adopt the following practical suggestions.  First, Facebook should place a reasonable lifespan (eighteen to twenty-four months) on information users identify as important.  Facebook should delete my pictures within two years from the time I remove my account.  Simple as that.  Second, Facebook should work with a few policy and ethics organization to create a Facebook code of information ethics.  A few members of this organization would comprise an external board that could review and approve that new features are in-line with the code of ethics.  Finally, Facebook should hire an ombudsman.  The ombudsman should be hired for a contractually-tenured period and be given a blog on a third-party server.

Mark Zuckerberg talks about Facebook as if it was a country.  If Facebook were a country, it would more accurately resemble North Korea or China than the United States.  Facebook must move forward aggressively to institute better corporate and ethical governance.  Facebook is in a very critical phase, where a new audience is flooding in.  Investments made into protecting user rights will be recouped many times over.  However, if Facebook does not act aggressively, or it simply pays lip service to the problem (e.g., just creating a Facebook group), they stand to alienate this increasingly older, more rights-aware audience.

Noticed / ResearchNo Comments
5
Feb 09

Legal Analysis of Social Marketing

Bill McGeveran has posted a draft legal analysis of social marketing, to appear in the University of Illinois Law Review.  Bill writes:

I’ve completed a manuscript for my newest journal article, which began life as some posts (starting here) musing about the legal implications of Facebook’s then-new advertising programs, including Facebook Beacon, which notified users’ friends of their purchases.

The abstract:

“Social marketing” is among the newest advertising trends now emerging on the internet. Using online social networks such as Facebook or MySpace, marketers can send personalized promotional messages featuring an ordinary customer to that customer’s friends. Because they reveal a customer’s browsing and buying patterns, and because they feature implied endorsements, the messages raise significant concerns about disclosure of personal matters, information quality, and individuals’ ability to control the commercial exploitation of their identity. Yet social marketing falls through the cracks between several different legal paradigms that might allow its regulation — spanning from privacy to trademark and unfair competition to consumer protection to the appropriation tort and rights of publicity.

This Article examines potential concerns with social marketing and the various legal responses available. It demonstrates that none of the existing legal paradigms, which all evolved in response to particular problems, addresses the unique new challenges posed by social marketing. Even though policymakers ultimately may choose not to regulate social marketing at all, that decision cannot be made intelligently without first contemplating possible problems and solutions. The Article concludes by suggesting a legal response that draws from existing law and requires only small changes. In doing so, it provides an example for adapting existing law to new technology, and it argues that law should play a more active role in establishing best practices for emerging online trends.

This article along with James Grimmelman’s recent Facebook and the Social Dynamics of Privacy, are must reads for scholars interested in the legal implications of information sharing in online social networks.  Both are wonderful contributions from some very right-headed scholars.

Noticed / Thoughts5 Comments
24
Nov 08

Serious Privacy Issues with Google SearchWiki

David Weinberger highlights a stunning oversight by Google’s SearchWiki team (bold mine):

[T]he results page shows you the nicknames of other users who have voted the page up. So, now the whole world will see that “dweinberger” not only searched for “Angelina Jolie” but thumbs-upped the page of closeups of her tattoos? Guess who just changed his nickname to something less identifiable! This is a feature without value — the list of names isn’t clickable or complete or tell you how many people voted it up — unless you recognize someone’s nickname, in which case it has negative value.

In addition, Google has made a curious decision in requiring all SearchWiki “notes” to be public.  That is, if you want to take advantage of SearchWiki and leave yourself a note, all other SearchWiki members will be able to read it.  This is broken on many levels.  Obviously, there are privacy concerns – you may want to leave a note, but do you really want all other Google users to be able to read it?  And beyond privacy, what about utility.  Let’s say you want to leave yourself a note “To get to the policy page, click on About, and then Policies.”  Since you can only place that note publicly, it will quickly get lost in the sea of other Google users notes.

Considering Google’s zero-day rollout of SearchWiki into their main search property, the lack of HCI and Privacy consideration that went into the product is shocking.  There’s no opt-out.  All comments are forced public.  There’s no way to change your handle.  There’s no way to leave yourself a privacy-enhancing private note. Instead of rolling this feature out fully-baked (opt-in/out, with critical functionality), Google has rolled a half-baked product to all users and forced them through this curious funnel.

Last year Starbucks radically changed its business model by returning the company to its roots.  I don’t know how well that effort has worked, but I liked the concept.  Using the economic downturn as an excuse, perhaps its time for Google to do the same?

Software / Thoughts1 Comment
2
Sep 08

Google Chrome Privacy Information

Via Vowe.net, the Google Chrome Privacy Policy (scroll down, soon to be located here).  It appears that Chrome will follow a pattern similar to the Google Toolbar – that is, all browsing behavior is sent to Google, but an opt-out is provided.  From the Chrome Privacy Policy:

  • When you type URLs or queries in the address bar, the letters you type are sent to Google so the Suggest feature can automatically recommend terms or URLs you may be looking for.
  • If you navigate to a URL that does not exist, Google Chrome may send the URL to Google so we can help you find the URL you were looking for.
  • Your copy of Google Chrome includes one or more unique application numbers. These numbers and information about your installation of the browser (e.g., version number, language) will be sent to Google when you first install and use it and when Google Chrome automatically checks for updates.  If you choose to send usage statistics and crash reports to Google, the browser will send us this information along with a unique application number as well.

The last bullet is particularly interesting – each Google Chrome browser is fingerprinted so it can be uniquely identified.  It should be noted that Google isn’t the first to fingerprint their browsers – Microsoft tags Internet Explorer with a Globally Unique ID.

As I previously noted, Google is allowing users the ability to opt-out of statistical reporting.  I worry that those who opt-out will not be provided the full browsing experience, compelling users to participate in the statistical reporting.  Furthermore, close attention should be paid to “advanced” features that provide additional reporting, above and beyond the standard statistical reports.  Google Toolbar contains a number of these features that report URL’s, typed information and page content.

The best approach is for Google to be extremely open with Chrome and its privacy practices.  Indeed, open sourcing the code is good – but Google should go a few steps further and meaninfully address the issue in a human-readable format.  Google’s argument about a next-generation browser is solid, and I would be willing to give it a shot.  First, however, Google must win my trust.

← Older Entries
Newer Entries →