The Privacy Jungle: On the Market for Data Protection in Social Networks

We have conducted the first thorough analysis of the market for privacy practices and policies in online social networks. From an evaluation of 45 social networking sites using 260 criteria, we find that many popular assumptions regarding privacy and social networking need to be revisited when considering the entire ecosystem instead of only a handful of well-known sites. Contrary to the common perception of an oligopolistic market, we find evidence of vigorous competition for new users. Despite observing many poor security practices, there is evidence that social network providers are making efforts to implement privacy-enhancing technologies, with substantial diversity in the amount of privacy control offered. However, privacy is rarely used as a selling point, and even then only as an auxiliary, non-decisive feature. Sites also failed to promote their existing privacy controls within the site. We similarly found great diversity in the length and content of formal privacy policies, but found an opposite promotional trend: though almost all policies are not accessible to ordinary users due to obfuscating legal jargon, they conspicuously vaunt the sites’ privacy practices. We conclude that the market for privacy in social networks is dysfunctional in that there is significant variation in sites’ privacy controls, data collection requirements, and legal privacy policies, but this is not effectively conveyed to users. Our empirical findings motivate us to introduce the novel model of a privacy communication game, where the economically rational choice for a site operator is to make privacy control available to evade criticism from privacy fundamentalists, while hiding the privacy control interface and privacy policy to maximize sign-up numbers and encourage data sharing from the pragmatic majority of users.
