It seems like it is not sometimes known what the privacy interests are that one has when using social networking sites. There seems to sometimes be this idea, which has been referred to as the “secrecy paradigm,” that things which are “posted on a public website” cannot be the subject of “privacy.” That’s not really all that there is to privacy. For example, Alan Westin considered it:
Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how and to what extent information about them is communicated to others.
So how does this get expressed in the world of social networking? Two recent publications give a good , though I suspect not exhaustive, overview. The European Network and Information Security Agency (ENISA) prepared a position paper on “Security Issues and Recommendations for Online Social Networks” (pdf). The International Working Group on Data Protection in Telecommunications, composed mainly of European privacy officials, has issued a “Report and Guidance on Privacy in Social Network Services” (pdf) A few examples from these highlight the idea that privacy is more than just secrecy.
ENISA identifies the problem of “Digital Dossier Aggregation.” Data can easily be taken from social networks and placed in a different context — it can be easy to build a profile of a person that is not controlled by that person. Further, social networks collect your browsing information — who you click on, who you interact with — and often don’t discuss what uses they put this information to. These are both common privacy issues: that users may lose control of their data and that data is being collected and put to secondary uses.
ENISA also identifies two risks which I had not considered previously. Facial recognition algorithms will be able to be deployed on social networks, and allow automatic identification of individuals and linking of several profiles. Semi anonymous online dating profiles will be able to be automatically matched with non-anonymous images elsewhere online. Extracting other information from images will allow algorithms to determine what people are doing (such as drinking) and maybe even where.
Lastly, ENISA also identifies the difficulty of account deletion as a privacy risk. Facebook users have complained about how difficult deletion can be. This is another way in which controlling your data is important. ENISA even goes one step further, and proposing that social networks make profiles “portable” so that users can easily move from one network to another — promoting competition and user control, and alleviating the other threats which come from the centralization of data.
The report contains other issues, such as stalking, spam, and even corporate espionage. Read the whole thing.
Working Group on Data Protection in Telecoms
The Working Group notes some of the security concerns that ENISA focuses on, but also mentions other privacy issues. The first is that online data is usually permanent — it is hard to erase. Even once the data subject deletes the data they control, cached copies may exist, or other services may have duplicated the data. Secondly, the intimacy of the relationships online may be illusory — and sometimes exclude key players. One’s “friends” on social networking sites are not necessarily real friends. I’ll add that the social nature of the site, as well as its communications (talking about your friends, your networks, and who can see your data) covers up the fact that the service operates as a Big Brother, watching and collecting all your activity online.
This data collection — of your browsing history and other activity — raises other issues, as this data may be accessible to law enforcement and intelligence services. The data will also be used for marketing and other secondary uses that may not be clearly specified by the social networking service. Further uses may be employers or others interested in researching the reputation of individuals.
Lastly, a new development is the creation of application programming interfaces, or APIs. These allow even more third party access to data, often in a way that is hidden. I’ve previously blogged about the privacy and civil liberties issues with law enforcement created applications. You can read there for the specific problems on the Facebook platform. But the general problem is that third party access is being increased in ways which are not transparent to users.
Guidelines and Recommendations
The discussion above should clarify what people mean when they talk about social networking privacy. It is not just a matter of “keep things secret.” For some steps on how to deal with these issues, I again recommend you check out the two publications.
“Report and Guidance on Privacy in Social Network Services” (pdf).
“Security Issues and Recommendations for Online Social Networks” (pdf).