The Economics of Privacy in Social Networks

June 26th, 2009 at 09:46 UTC by Joseph Bonneau

We often think of social networking to Facebook, MySpace, and the also-rans, but in reality there are there are tons of social networks out there, dozens which have membership in the millions. Around the world it’s quite a competitive market. Sören Preibusch and I decided to study the whole ecosystem to analyse how free-market competition has shaped the privacy practices which I’ve been complaining about. We carefully examined 45 sites, collecting over 250 data points about each sites’ privacy policies, privacy controls, data collection practices, and more. The results were fascinating, as we presented this week at the WEIS conference in London. Our full paper and complete dataset are now available online as well.

We collected a lot of data, and there was a little bit of something for everybody. There was encouraging news for fans of globalisation, as we found the social networking concept popular across many cultures and languages, with the most popular sites being available in over 40 languages. There was an interesting finding from a business perspective that photo-sharing may be the killer application for social networks, as this features was promoted far more often than sharing videos, blogging, or playing games. Unfortunately the news was mostly negative from a privacy standpoint. We found some predictable but still surprising problems. Too much unnecessary data is collected by most sites, 90% requiring a full-name and DOB. Security practices are dreadful: no sites employed phishing countermeasures, and 80% of sites failed to protect password entry using TLS. Privacy policies were obfuscated and confusing, and almost half failed basic accessibility tests. Privacy controls were confusing and overwhelming, and profiles were almost universally left open by default.

The most interesting story we found though was how sites consistently hid any mention of privacy, until we visited the privacy policies where they provided paid privacy seals and strong reassurances about how important privacy is. We developed a novel economic explanation for this: sites appear to craft two different messages for two different populations. Most users care about privacy about privacy but don’t think about it in day-to-day life. Sites take care to avoid mentioning privacy to them, because even mentioning privacy positively will cause them to be more cautious about sharing data. This phenomenon is known as “privacy salience” and it makes sites tread very carefully around privacy, because users must be comfortable sharing data for the site to be fun. Instead of mentioning privacy, new users are shown a huge sample of other users posting fun pictures, which encourages them to  share as well. For privacy fundamentalists who go looking for privacy by reading the privacy policy, though, it is important to drum up privacy re-assurance.

The privacy fundamentalists of the world may be positively influencing privacy on major sites through their pressure. Indeed, the bigger, older, and more popular sites we studied had better privacy practices overall. But the desire to limit privacy salience is also a major problem because it prevents sites from providing clear information about their privacy practices. Most users therefore can’t tell what they’re getting in to, resulting in the predominance of poor-practices in this “privacy jungle.”

Entry filed under: Academic papers, Privacy technology, Security economics, Social networks

7 comments Add your own

  • 1. Francis Davey  |  June 26th, 2009 at 11:09 UTC

    This may seem like a stupid question but what is a “paid privacy seal” and do they get paid in fish, or opportunities to balance balls on their noses?

  • 2. Ajit Jaokar  |  June 26th, 2009 at 17:34 UTC

    Great stuff. Keep up the good work. shall blog/post and also refer in my PhD literature rgds Ajit

  • 3. me  |  June 27th, 2009 at 10:44 UTC

    I wish there was a place to get boiler plate privacy policies for social websites. Anyone know of any??? Or lawyers who draw these up fairly cheaply???

  • 4. Dave Birch  |  June 28th, 2009 at 11:30 UTC

    “Too much unnecessary data is collected by most sites, 90% requiring a full-name and DOB.”

    Aren’t they made to do this by regulators worried about grooming of under age teenagers etc etc? The problem is a much with the ecosystem for social networking as it is with social networks themselves. We need to find ways to communicate the more positive capabilities of new technology (eg, U Prove).

  • 5. Clive Robinson  |  July 4th, 2009 at 07:15 UTC

    @ Dave,

    “Aren’t they made to do this by regulators”

    Yes and that’s one of the underlying problems with all such systems, second to the problem of financing a site.

    It’s the law of “unintended consiquences” that applies to most modern laws brought in as a cure for a problem that politicians (or the rest of us for that matter) don’t understand.

    Likewise history has shown that all tools that are usefull will eventualy become weapons.

    These issues are not new, society in the past had these issues as well, but generaly they where localised and custom and practice resolved the issues as they developed over time. Usually the greater good of the utility of a tool was found to out weigh it’s evil as a weapon.

    Therefor we kind of accept the fact that knives need to have sharp points to be usefull as a tool, but as a consiquence the knife can also be used to maim and kill.

    The compramise is a “mature” response arived at as the issues evolved over considerable time compared to current human expereance via the “grandfather effect” (ie “it was good enough for gand pops so it’s good enough for me”)

    However due to amongst other things “free market” ideals technology has made “local” an irrelavance, your society is not the town you live in anylonger it’s the “globe” and technology has via automation increased the power of an individual to that of an army of “idiot savants” doing a masters bidding unquestioningly.

    The unfortunat side effect is new technologies and methods do not have time to mature and likwise peoples attitudes do not have time to evaluate the “greater good” against the “inherant evil”.

    The problem we now face as a global society is significant. New technology will almost invariably be used for bad as well as good. But bad news travels fast and impacts heavily on the human mind often before the greater good utility has been seen. Especialy when the technology enables a lone individual to effectivly practice evil against millions in time scales to short for individuals let alone societies to react.

    It has turned us into proffesional luddites driven by “sound bite” fear to voice “something must be done to stop this evil” usualy with a “fore the sake of the children”.

    However the traditional luddite response of “putting in the clog” (sabotage) is not what society needs if it is to move forward with technology.

    We have an uneasy relationship with the last great enabaling technology (powered transport available to the masses) and the effects it has had on society even after a hundred years are still not understood by the many.

  • 6. CK  |  July 5th, 2009 at 09:47 UTC

    A very interesting article, compounded by security and privacy issues when you allow one social site to ‘import’ your information from another..

  • 7. Malcolm Scott  |  July 15th, 2009 at 12:26 UTC

    Perhaps awareness of sites’ privacy policies can be encouraged by adding a condensed form of your dataset to the Wikipedia list of social networking sites you link to?

Leave a Comment

Required

Required, hidden

Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Subscribe to the comments via RSS Feed


Calendar

June 2009
M T W T F S S
« May   Jul »
1234567
891011121314
15161718192021
22232425262728
2930