This document discusses privacy in the context of social networks. It begins by outlining some of the reasons why privacy is important, such as protection from unwanted monitoring, embarrassment, and lack of control over personal information. It then discusses why privacy is difficult to achieve, including technical issues like ease of data collection and inferencing, as well as social and organizational challenges. Specific privacy issues with social networks are also examined, such as managing different personas and risks of social phishing attacks. Potential approaches to designing for privacy are proposed, such as privacy policies, segmentation of users, and raising awareness of information access.

1. The Social Web and Privacy

2. Examples of Privacy in the News

3. Examples of Privacy in the News

4. Why Care about Privacy?
• Your thoughts?
“You have zero
privacy. Get over
it.”
-- Scott McNealy

5. • Protection from spam, identity theft, mugging
• Discomfort over surveillance
– Lack of trust in work environments
– Might affect performance, mental health
– May contribute to feeling of lack of control over life
• Starting over
– Something stupid you did as a kid
• Creativity and freedom to experiment
– Protection from total societies
– Room for each person to develop individually
• Lack of adoption of tech
Why Care About Privacy?
End-User Perspective
Everyday Risks Extreme Risks
Strangers
_________________________________
Stalking
Personal safety
Employers
_________________________________
Over-monitoring
Discrimination
Reputation
Friends, Family
_________________________________
Over-protection
Social obligations
Embarrassment
Government
__________________________
Civil liberties

6. The Fundamental Tension
• More information can be used for good and for bad
• Example: Facebook
– Socializing and keeping in touch with friends
– Finding old family and friends
– Organizing people for action (Arab spring)
– But embarrassing photos or breakups recorded for all time
– But getting fired (or not being hired) for certain usage
– But new vector for spam and attacks
– But behavioral advertising

7. Behavioral Advertising
• “the practice of tracking an individual’s online
activities in order to deliver advertising tailored to the
individual’s interests” - FTC
• Take into account more information for ads
– browsing habits
– search queries
– web site history
– Like’s
– Profile
– Sometimes tracking across multiple sites
• Goal is to increase relevancy and get higher
conversion rate

8. The Fundamental Tension
• Most apps today have this same tension
• Example: Locaccino (People Finder)
– Okayness checking and coordination
– But also stalking, monitoring at work,
embarrassment, revealing home
• Example: Amazon (ecommerce)
– Improved search results,
personalized content, recs
– Price discrimination, selling your info
to others, not keeping your info safe
from hackers

9. • “Privacy” conflates many different issues
– Protection from spam / intrusions (telemarketers)
– Protection from hackers (security)
– Undesired social obligations (with friends and family)
– Embarrassment (friends, family, colleagues)
– Unwarranted monitoring (government, employers)
– Separation of different spheres of life
Why is Privacy Hard?
Definition problem

10. Different Spheres of Life Collapsed

11. Other Examples (based on real examples)
• Bill posts 30 pics from college and tags friends. One
friend is Steve, who is shown drunk and vomiting in
the picture that shows up on Steve's "Photos" page.
Mom, dad and grandma all acquire a new perspective
on the financial help they gave Steve for college.
• Janet, a high school senior, posts a generic comment:
"feeling bla today." Margaret, a friend of Janet's
parents, comments, "what's wrong, honey?" After
that, several of Janet's high school friends post a
series of profane, obscene or objectionable
comments that humorously suggest causes or cures.
Because Margaret commented, all subsequent
comments flow into Margaret's Facebook News Feed.

13. How Well Do You Think Google+ Circles
Solves the Problem?

14. • Expectations and levels of comfort change
with time and/or experience
– Both individual and societal
– Many people objected to having phones in
their homes because it “permitted intrusion…
by solicitors, purveyors of inferior music,
eavesdropping operators, and even
wire-transmitted germs”
Why is Privacy Hard?
Social Perspective

15. Why is Privacy Hard?
Social Perspective
The appearance of Eastman’s cameras was so sudden
and so pervasive that the reaction in some quarters was
fear. A figure called the “camera fiend” began to appear
at beach resorts, prowling the premises until he could
catch female bathers unawares.
One resort felt the trend so heavily that it posted a
notice: “PEOPLE ARE FORBIDDEN TO USE THEIR
KODAKS ON THE BEACH.” Other locations were no
safer. For a time, Kodak cameras were banned from the
Washington Monument. The “Hartford Courant”
sounded the alarm as well, declaring the “the sedate
citizen can’t indulge in any hilariousness without the risk
of being caught in the act and having his photograph
passed around among his Sunday School children.”

16. Example: Facebook News Feed
• News Feed introduced in 2006
– All the information was already on individual profiles
– News feed aggregated it all in one place
• Original reaction to it?

18. Why Did People Have This Reaction?
• And why did Facebook have it on by default?

19. • Easier to capture data
– Video cameras, camera phones, microphones, sensors
– Break “natural” boundaries of physics
• Easier to store and retrieve data
– LifeLog technologies
– Googling a potential date
Why is Privacy Hard?
Technical Perspective

20. • Data getting easier to store and retrieve
– LifeLog technologies
– Googling a potential date
Why is Privacy Hard?
Technical Perspective

21. • Easier to capture data
– Video cameras, camera phones, microphones, sensors
– Break “natural” boundaries of physics
• Easier to store and retrieve data
– LifeLog technologies
– Googling a potential date
• Easier to share data
– Ubiquitous wireless networking
– Blogs, wikis, YouTube, Flickr, FaceBook
• Better ways of inferencing
Why is Privacy Hard?
Technical Perspective

22. Example of Inferencing
• “If we wanted to figure out if a customer is pregnant,
even if she didn’t want us to know, can you do that?”
– Because birth records are usually public, the moment a
couple have a new baby, they are almost instantaneously
barraged with offers and incentives and advertisements from
all sorts of companies… the key is to reach them earlier,
before any other retailers know a baby is on the way.
– [A study in the 1980s] found that when someone marries, he
or she is more likely to start buying a new type of coffee.
When a couple move into a new house, they’re more apt to
purchase a different kind of cereal. When they divorce,
there’s an increased chance they’ll start buying different
brands of beer.

23. Example of Inferencing
– Many shoppers purchase soap and cotton balls, but when
someone suddenly starts buying lots of scent-free soap and
extra-big bags of cotton balls, in addition to hand sanitizers
and washcloths, it signals they could be getting close to their
delivery date.
– [Target] was able to identify about 25 products that, when
analyzed together, allowed him to assign each shopper a
“pregnancy prediction” score.
– [S]ome women react badly…we started mixing in all these
ads for things we knew pregnant women would never buy,
so the baby ads looked random. We’d put an ad for a lawn
mower next to diapers. We’d put a coupon for wineglasses
next to infant clothes. That way, it looked like all the products
were chosen by chance.

24. • Bad data can be hard to fix
– Sen. Ted Kennedy on TSA no-fly list
• Market incentives not aligned well
– More info can market better
– Can sell your info
• Many activities are hidden
– Why does Facebook and Path want your contacts list?
Why is Privacy Hard?
Organizational Perspective
Shares location, gender,
unique phone ID,
phone# with advertisers
Uploads your
contact list
to FB servers

25. What is Privacy?
• No standard definition, many different perspectives
• Different kinds of privacy
– Bodily, Territorial, Communication, Information
• Many different philosophical views on info privacy
– Different views -> different values -> different designs
– Note: next few slides not mutually exclusive

26. Privacy as Solitude / Isolation
• “The right to be let alone”
• People tend to devise strategies “to restrict their own
accessibility to others while simultaneously seeking to
maximize their ability to reach people” (Darrah et al 2001)
– Protection from interruptions and undesired social obligations
• Examples:
– Spam protection
– Do-not call list, not answering mobile phone
– Invisible mode, ignoring an IM
– IPod cocooning on public transit

27. Privacy as Anonymity
• Hidden among a crowd
• Examples:
– Web proxy to hide web traffic
– K-anonymity
• “An asian male in this room who is over 30 and once
broke his right arm” vs “a female”

28. Privacy as Anonymity
• Work by Latanya Sweeney on re-identification of data
– Massachusetts insurance company wanted to release data
of state employees to medical researchers
– Took their database, removed obvious identifiers
• Deleted name, SSN, street address
– “Governor Weld resided in Cambridge, Massachusetts, a
city of 54,000 residents and seven ZIP codes. For twenty
dollars, [Sweeney] purchased the complete voter rolls from
the city of Cambridge, a database containing, among other
things, the name, address, ZIP code, birth date, and sex of
every voter. By combining this data with the GIC records,
Sweeney found Governor Weld with ease. Only six people
in Cambridge shared his birth date, only three of them men,
and of them, only he lived in his ZIP code.”

29. Privacy as Anonymity
• More work by Latanya Sweeney
– Showed that 87% of Americans could be uniquely
identified by ZIP code, birth date, gender
• Netflix linkage attack by Narayanan and Shmatikov
– Netflix offered $1m to the team who could improve their
recommender system by 10%
– Offered an anonymized set of 500k users
• UserID, ratings of movies, date of ratings
– Demonstrated how to (weakly) re-identify some people

30. Privacy as Projecting a Desired Persona
• People see you the way you want them to see you
(impression management)
• Examples:
– Cleaning up your place before visitors
– Putting the right books and CDs out
– Having “desirable” Facebook groups,
hobbies, politics, etc on your profile

31. Privacy as Projecting a Desired Persona
• Facebook and projecting a persona
– Let’s consider what’s involved
– People create a profile with an
expectation to be seen by certain people
• Think friends
– But can be seen by many others
• Think family, employers, parents
– Controls are hard to manage here
– Also asynchronous, don’t get feedback as in real life

33. Online Social Networks vs Real Life

34. Some Incidents
• Prospective Employers
– New York Times article describes how one hiring officer lost
interest in a promising applicant when he discovered through
Web chat that the applicant was interested in “smoking
blunts, shooting people, and obsessive sex.”
• Microsoft commissioned research in Canada,
Germany, Ireland, Spain, and the United States
– 91 percent of people have done something to manage
their online profile
– only 44 percent of adults actively think about the long-term
consequences their activities have on their online reputation.

37. A
A
A
B
B
C

38. Privacy as a Process
• Controlled, rationalistic process
– Bank and web site privacy policies
– Many rules governing how personal
information gathered and used
• Organic and fluid process
– Adjusting window blinds
– Opening or closing my office door
– Choosing what I do or don’t disclose during a conversation

39. Privacy as Protection of Self vs Others
• Protecting Self
• Protecting Others?
– Mandatory privacy, wearing clothes
– Cell phones going off in theaters

40. Overview of Privacy
• Why care?
• Why is it hard?
• Thinking about and Designing for Privacy
– Specific design issues
• Specific Issues with Social Networks

41. Lessig’s Framework
• Lawrence Lessig is a
academic lawyer best
known for copyright
issues
• Presents a framework
for how to influence
behavior, has been
adapted by others for
privacy

42. Exercise
• How to manage
privacy on social
networks?
• Split into 4 teams

43. Privacy Policies
• Evidence strongly suggests people don’t read
privacy policies
– Carlos Jensen et al, CHI 2004
– Also found that far more people say they read privacy
policies than logs indicate
• Problems with privacy policies?

44. Multi-Level Privacy Policies
• http://www.pg.com/privacy/english/privacy_notice.html

45. Multi-Level Privacy Policies
• Idea from EU Working group on privacy
– Short - Few sentences, for mobile phone
– Condensed - Half page summary
– Full - Details

46. Privacy Labels

47. Segmenting Users
• Westin and others have been running surveys over
the past few years looking at individuals wrt orgs
• Responses can be “strongly disagree,” “somewhat
disagree,” “somewhat agree,” “strongly agree.”
• Sample three questions from 2001 study:
1. Consumers have lost all control over how personal
information is collected and used by companies
2. Most businesses handle the personal information they
collect about consumers in a proper and confidential way
3. Existing laws and organizational practices provide a
reasonable level of protection for consumer privacy today

48. Segmenting Users
• Rough order of magnitude results over the years
• Don’t care (~10%)
– I’ve got nothing to hide
– We’ve always adapted
– "You have zero privacy anyway. Get over it."
• Fundamentalist (~25%)
– Don’t understand the tech
– Don’t trust others to do the right thing
• Pragmatist (~65%)
– Clear cost-benefit
– Some research has suggested distinction between
identity-concerned vs profile-concerned (~evenly split)

49. Specific Design Issues with Privacy
• Awareness
• Social Phishing

50. Awareness
• Should social networking sites provide awareness
of who has recently seen your profile?
• Examples of sites that do offer awareness:
– Friendster, LinkedIn (somewhat)
– Orkut, OKCupid (opt-in)
• Sites that do not:
– Facebook, MySpace
• Pros and Cons?

51. Phishing

52. Phishing Attacks
• A form of social engineering
– Estimated $350m-$2b direct losses a year
– Spear-phishing and whaling attacks escalating
– Steal sensitive corporate or military information

54. Phishing Attacks
• A form of social engineering
– Estimated $350m-$2b direct losses a year
– Spear-phishing and whaling attacks escalating
– Steal sensitive corporate or military information
– bankofthevvest.com
• From the CACM article, citing Gartner report:
– 19% surveyed said clicked on link
– 3% gave up personal information
• Other stats:
– Microsoft: ~0.4% of IE beta users entered information
(Florencio and Hurley, WWW2007)

55. Phishing Attacks
• Social networks can be used to facilitate phishing
– Study by Indiana University
– Crawled social networking data for students
– Experimental condition: Get fake email from a friend
• Alice would get fake email from friend “Bob”
– Control condition: Get fake email from stranger at university
– Asked people to log into the university site
• Passwords verified but not stored anywhere

56. Social Phishing Attacks
• Social phishing 4.5x more effective
• Similar results to other studies
– West Point cadets asked to login by fictitious colonel

57. Ethics of this study?
• What were people’s reactions, and why?
• Other ways to do this (or similar) studies?

58. What other kinds of Social Phishing
Scams can you think of?

59. What other kinds of Social Phishing
Scams can you think of?

60. What other kinds of Social Phishing
Scams can you think of?

61. What other kinds of Social Phishing
Scams can you think of?
• Video of the party you were at
– Scammer took person’s own photo, blurred it,
put a play button on top, and linked to malware