It’s impossible to be online and not encounter social networking, which in recent years has embedded itself in many facets of people’s online lives. Websites such as Facebook, MySpace, Twitter and LinkedIn offer their users huge forums for sharing information, establishing contact with others and maintaining ties to friends and family.
This article examines social networking services from a privacy standpoint, looking at key issues such as access, control, limitations and trust. Websites’ privacy policies and their weaknesses are also examined, using the well-known social networking service Facebook as an example of how these services can compromise users’ security.
The virtual communities of social networking websites have rapidly developed in recent years. For instance, facebook.com ranks second on US Quantcast rankings, with over 130 million visitors per month from the US alone. Other social networking sites, such as MySpace, Twitter and LinkedIn, rank within the top fifty most visited websites in the US.
Upon joining a social networking site, users provide personal information to create a profile, which may include their name or username; birth date; photos and videos; hometown; location; religious beliefs; ethnicity; personal interests and other identifying information. Through their profile, users make links with other people on the site, whether they are existing friends and family, or new acquaintances. While some users create their profiles to communicate with their circle of friends, information on social networking sites can all too easily be accessible to the public, employers, the press, academic staff, law enforcement and more.
Many social networking websites have restrictions for membership, which limit who can have access to users’ information. MySpace requires users to be at least thirteen years old, while Facebook is open to anyone. Sites like LinkedIn require users to be invited to the network, in order to show that they are part of a professional community. Despite these membership restrictions, social networking sites facilitate the sharing of digital information on a large scale. Distribution of information may be done by members within the network, or by the website itself. Sharing member information with third-party advertisers is a common practice for many social networking sites.
Once users put their information online, they relinquish much of their control over it. Information is transmitted much faster through an online social network than through a “real” or offline network. Even though people in the real world do not all have the same access to an individual’s personal information, on a social networking site, every “friend” has access to whatever the user may choose to put online.
There are various reasons for a user to limit the access to their personal information. Since digital information is shared amongst a group of people, it could be collected and stored for an undefined period of time. This may be harmful to the individual if the information is in the possession of someone for whom it was not intended.
Many social networking sites maintain files on users that try to reflect each user’s identity as accurately as possible. Content is contributed by the user along with other members of the website. Users may have problems with how much control they actually have over their own online identity. Some social networking sites also have access to the user’s personal information from other websites.
Most social networking sites are free of charge; however, they depend on third-party affiliates to generate income. Many social networking sites collect and sell user information in the form of marketing profiles. One example of this is the targeted ads used by Facebook. With this program, third-party advertisers use information from a user’s profile to create personalized advertising content. Currently, Facebook does not allow users to opt out of receiving such content.
Limited user control of information could lead to dangerous outcomes. Combined with loose access limitations, it may become difficult to prevent information-based harm. For instance, users of social networking services may unwittingly be putting themselves at risk for identity theft. Studies have shown that it is easier than one might imagine to guess a social security number. With knowledge of one’s address and current employer, a burglar may know when a house is empty. With lax restrictions on information collection, information processing and information dissemination, users of social networking services may be poorly protected from such harmful outcomes.
From a privacy standpoint, trust is a key concept for social networking sites, among other online interactions. Trust is closely linked to information disclosure and social exchange. If users believe that the disclosure of information will be beneficial to them, then they are more likely to enter into a relationship with the social networking service.
However, researchers believe that the level and basis of this trust are not well understood. Despite numerous incidents, millions of users continue to join and participate in social networking sites, adding more and more personal information to their profiles. Unfortunately, the type of privacy expected and provided by social networking services is often undefined or inadequately defined.
Default privacy settings on many social networking sites do not offer a high level of privacy protection. They often allow a large amount of personal information to be accessible to any viewer. This may include blogs, comments, profile photos or videos.
Many social networking sites have privacy policies that appear as disclaimers that a user must accept to continue using the service. Through his/her acceptance of the terms and conditions, the user waives some privacy rights and other privileges over his/her personal information. Critics have pointed out that many of these privacy policies suffer from:
- Inadequate information for users: Users are largely unaware of any changes to the social networking service, or the results that may occur from these changes. Users are also kept in the dark regarding any third-party service providers the site may share information with.
- Lack of independent review: The majority of social networking sites lack an independent monitoring system.
- 2006: User information started to be shared with the public as well as third-party application developers. Facebook users were misled into revealing personal information that had once been protected.
- 2007: Facebook’s Beacon program disclosed users’ personal information without their knowledge or consent. This was a violation of a number of federal and state laws, including the Video Privacy Protection Act; California’s Computer Crime Law; the Electronic Communications Privacy Act; and the Computer Fraud and Abuse Act.
- 2009: Facebook made significant changes to its Terms of Service, declaring that it retained broad and even retroactive rights to users’ information, even after their accounts had been deleted. In the face of public outcry, Facebook was forced to overturn the changes.
- 2009: The Privacy Commissioner’s Office of Canada found Facebook violated the Personal Information Protection and Electronic Documents Act (PIPEDA).
- Currently, publicly available information on Facebook includes: names; profile photos; list of friends; pages that members are fans of; gender; geographic regions; and networks that members belong to.
This article introduces key privacy and security concepts surrounding social networking sites. While such sites have seen incredible popularity in recent years, they are also potentially dangerous tools, as they provide almost unrestricted access to the personal information of hundreds of millions of people worldwide. The article looks at issues of access to such information, how access is limited and how privacy and trust affect users of social networking sites. The article also explores some shortcomings and potential privacy risks, through a brief examination of Facebook’s privacy policies and their changes over time.
In preparation for the Certified Information Privacy Professional/Information Technology exam, a privacy professional should be comfortable with topics related to this post, including:
- Privacy by policy, notice and choice (III.A.a.)
- Social networking services (VI.C.)