This document discusses privacy in the context of social networks. It begins by outlining some of the reasons why privacy is important, such as protection from unwanted monitoring, embarrassment, and lack of control over personal information. It then discusses why privacy is difficult to achieve, including technical issues like ease of data collection and inferencing, as well as social and organizational challenges. Specific privacy issues with social networks are also examined, such as managing different personas and risks of social phishing attacks. Potential approaches to designing for privacy are proposed, such as privacy policies, segmentation of users, and raising awareness of information access.
4. Why Care about Privacy?
• Your thoughts?
• “You have zero privacy. Get over it.” -- Scott McNealy
5. Why Care About Privacy? End-User Perspective
• Protection from spam, identity theft, mugging
• Discomfort over surveillance
– Lack of trust in work environments
– Might affect performance, mental health
– May contribute to feeling of lack of control over life
• Starting over
– Something stupid you did as a kid
• Creativity and freedom to experiment
– Protection from total societies
– Room for each person to develop individually
• Lack of adoption of tech
Risks by party (ranging from everyday risks to extreme risks):
– Strangers: stalking, personal safety
– Employers: over-monitoring, discrimination, reputation
– Friends, family: over-protection, social obligations, embarrassment
– Government: civil liberties
6. The Fundamental Tension
• More information can be used for good and for bad
• Example: Facebook
– Socializing and keeping in touch with friends
– Finding old family and friends
– Organizing people for action (Arab Spring)
– But embarrassing photos or breakups recorded for all time
– But getting fired (or not being hired) for certain usage
– But new vector for spam and attacks
– But behavioral advertising
7. Behavioral Advertising
• “the practice of tracking an individual’s online activities in order to deliver advertising tailored to the individual’s interests” - FTC
• Take into account more information for ads
– browsing habits
– search queries
– web site history
– Likes
– Profile
– Sometimes tracking across multiple sites
• Goal is to increase relevancy and get higher conversion rate
8. The Fundamental Tension
• Most apps today have this same tension
• Example: Locaccino (People Finder)
– Okayness checking and coordination
– But also stalking, monitoring at work, embarrassment, revealing home
• Example: Amazon (ecommerce)
– Improved search results, personalized content, recs
– Price discrimination, selling your info to others, not keeping your info safe from hackers
9. Why is Privacy Hard? Definition problem
• “Privacy” conflates many different issues
– Protection from spam / intrusions (telemarketers)
– Protection from hackers (security)
– Undesired social obligations (with friends and family)
– Embarrassment (friends, family, colleagues)
– Unwarranted monitoring (government, employers)
– Separation of different spheres of life
11. Other Examples (based on real examples)
• Bill posts 30 pics from college and tags friends. One friend is Steve, who is shown drunk and vomiting in the picture that shows up on Steve's "Photos" page. Mom, dad and grandma all acquire a new perspective on the financial help they gave Steve for college.
• Janet, a high school senior, posts a generic comment: "feeling bla today." Margaret, a friend of Janet's parents, comments, "what's wrong, honey?" After that, several of Janet's high school friends post a series of profane, obscene or objectionable comments that humorously suggest causes or cures. Because Margaret commented, all subsequent comments flow into Margaret's Facebook News Feed.
13. How Well Do You Think Google+ Circles Solves the Problem?
14. Why is Privacy Hard? Social Perspective
• Expectations and levels of comfort change with time and/or experience
– Both individual and societal
– Many people objected to having phones in their homes because it “permitted intrusion… by solicitors, purveyors of inferior music, eavesdropping operators, and even wire-transmitted germs”
15. Why is Privacy Hard? Social Perspective
The appearance of Eastman’s cameras was so sudden and so pervasive that the reaction in some quarters was fear. A figure called the “camera fiend” began to appear at beach resorts, prowling the premises until he could catch female bathers unawares.
One resort felt the trend so heavily that it posted a notice: “PEOPLE ARE FORBIDDEN TO USE THEIR KODAKS ON THE BEACH.” Other locations were no safer. For a time, Kodak cameras were banned from the Washington Monument. The “Hartford Courant” sounded the alarm as well, declaring “the sedate citizen can’t indulge in any hilariousness without the risk of being caught in the act and having his photograph passed around among his Sunday School children.”
16. Example: Facebook News Feed
• News Feed introduced in 2006
– All the information was already on individual profiles
– News feed aggregated it all in one place
• Original reaction to it?
18. Why Did People Have This Reaction?
• And why did Facebook have it on by default?
21. Why is Privacy Hard? Technical Perspective
• Easier to capture data
– Video cameras, camera phones, microphones, sensors
– Break “natural” boundaries of physics
• Easier to store and retrieve data
– LifeLog technologies
– Googling a potential date
• Easier to share data
– Ubiquitous wireless networking
– Blogs, wikis, YouTube, Flickr, FaceBook
• Better ways of inferencing
22. Example of Inferencing
• “If we wanted to figure out if a customer is pregnant, even if she didn’t want us to know, can you do that?”
– Because birth records are usually public, the moment a couple have a new baby, they are almost instantaneously barraged with offers and incentives and advertisements from all sorts of companies… the key is to reach them earlier, before any other retailers know a baby is on the way.
– [A study in the 1980s] found that when someone marries, he or she is more likely to start buying a new type of coffee. When a couple move into a new house, they’re more apt to purchase a different kind of cereal. When they divorce, there’s an increased chance they’ll start buying different brands of beer.
23. Example of Inferencing
– Many shoppers purchase soap and cotton balls, but when someone suddenly starts buying lots of scent-free soap and extra-big bags of cotton balls, in addition to hand sanitizers and washcloths, it signals they could be getting close to their delivery date.
– [Target] was able to identify about 25 products that, when analyzed together, allowed him to assign each shopper a “pregnancy prediction” score.
– [S]ome women react badly…we started mixing in all these ads for things we knew pregnant women would never buy, so the baby ads looked random. We’d put an ad for a lawn mower next to diapers. We’d put a coupon for wineglasses next to infant clothes. That way, it looked like all the products were chosen by chance.
24. Why is Privacy Hard? Organizational Perspective
• Bad data can be hard to fix
– Sen. Ted Kennedy on TSA no-fly list
• Market incentives not aligned well
– More info can market better
– Can sell your info
• Many activities are hidden
– Why do Facebook and Path want your contacts list?
[Figure callouts: an app that shares location, gender, unique phone ID and phone number with advertisers; an app that uploads your contact list to FB servers]
25. What is Privacy?
• No standard definition, many different perspectives
• Different kinds of privacy
– Bodily, Territorial, Communication, Information
• Many different philosophical views on info privacy
– Different views -> different values -> different designs
– Note: next few slides not mutually exclusive
26. Privacy as Solitude / Isolation
• “The right to be let alone”
• People tend to devise strategies “to restrict their own accessibility to others while simultaneously seeking to maximize their ability to reach people” (Darrah et al 2001)
– Protection from interruptions and undesired social obligations
• Examples:
– Spam protection
– Do-not-call list, not answering mobile phone
– Invisible mode, ignoring an IM
– iPod cocooning on public transit
27. Privacy as Anonymity
• Hidden among a crowd
• Examples:
– Web proxy to hide web traffic
– K-anonymity
• “An Asian male in this room who is over 30 and once broke his right arm” vs “a female”
28. Privacy as Anonymity
• Work by Latanya Sweeney on re-identification of data
– Massachusetts insurance company wanted to release data of state employees to medical researchers
– Took their database, removed obvious identifiers
• Deleted name, SSN, street address
– “Governor Weld resided in Cambridge, Massachusetts, a city of 54,000 residents and seven ZIP codes. For twenty dollars, [Sweeney] purchased the complete voter rolls from the city of Cambridge, a database containing, among other things, the name, address, ZIP code, birth date, and sex of every voter. By combining this data with the GIC records, Sweeney found Governor Weld with ease. Only six people in Cambridge shared his birth date, only three of them men, and of them, only he lived in his ZIP code.”
29. Privacy as Anonymity
• More work by Latanya Sweeney
– Showed that 87% of Americans could be uniquely identified by ZIP code, birth date, gender
• Netflix linkage attack by Narayanan and Shmatikov
– Netflix offered $1m to the team who could improve their recommender system by 10%
– Offered an anonymized set of 500k users
• UserID, ratings of movies, date of ratings
– Demonstrated how to (weakly) re-identify some people
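The linkage described on the two Sweeney slides (removing name, SSN and address is not enough when ZIP code, birth date and sex remain) and the k-anonymity idea from slide 27 can be made concrete in a few lines. The Python below is an added example, not part of these slides or Sweeney's own code: it measures the k-anonymity of a small de-identified release, joins it against a public list on the quasi-identifiers, and then applies the standard k-anonymity remedy (generalizing ZIP to a 3-digit prefix and birth date to a year), which goes one step beyond the slides by showing the mitigation alongside the attack. Every record, voter-roll entry and name in it is constructed.

```python
"""Re-identification by linkage and the k-anonymity check (added example).

All records below are constructed for illustration; none of this is GIC data.
"""
from collections import Counter

# De-identified "medical" release: name, SSN and street already removed, but
# the quasi-identifiers ZIP, birth date and sex are left intact (constructed).
RECORDS = [
    {"zip": "02138", "dob": "1945-07-31", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02139", "dob": "1945-07-31", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02141", "dob": "1945-02-10", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02141", "dob": "1962-03-14", "sex": "F", "diagnosis": "migraine"},
    {"zip": "02139", "dob": "1962-09-30", "sex": "F", "diagnosis": "migraine"},
    {"zip": "02138", "dob": "1962-11-02", "sex": "F", "diagnosis": "influenza"},
]

# Public voter roll (constructed): same quasi-identifiers, plus a name.
VOTER_ROLL = [
    {"name": "Voter A", "zip": "02138", "dob": "1945-07-31", "sex": "M"},
    {"name": "Voter B", "zip": "02141", "dob": "1962-03-14", "sex": "F"},
]

QUASI_IDENTIFIERS = ("zip", "dob", "sex")


def qi_key(record, qi=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values that a linkage attack joins on."""
    return tuple(record[col] for col in qi)


def k_anonymity(records, qi=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class; k == 1 means someone is unique."""
    counts = Counter(qi_key(r, qi) for r in records)
    return min(counts.values())


def singletons(records, qi=QUASI_IDENTIFIERS):
    """Records whose quasi-identifiers match no other record in the release."""
    counts = Counter(qi_key(r, qi) for r in records)
    return [r for r in records if counts[qi_key(r, qi)] == 1]


def link(voter, records, qi=QUASI_IDENTIFIERS):
    """Sweeney-style join: every released record matching one voter-roll entry."""
    return [r for r in records if qi_key(r, qi) == qi_key(voter, qi)]


def generalize(record):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and birth year only.

    This is the usual k-anonymity generalization step; it has to be applied
    to the release before it is published, not after.
    """
    coarse = dict(record)
    coarse["zip"] = record["zip"][:3] + "**"
    coarse["dob"] = record["dob"][:4]
    return coarse


if __name__ == "__main__":
    print("k before generalization:", k_anonymity(RECORDS))
    print("Voter A links to:", link(VOTER_ROLL[0], RECORDS))
    coarse_release = [generalize(r) for r in RECORDS]
    print("k after generalization:", k_anonymity(coarse_release))
    print("Voter A now links to",
          len(link(generalize(VOTER_ROLL[0]), coarse_release)), "records")
```

On the constructed data every row is unique on (ZIP, birth date, sex), so k is 1 and Voter A's diagnosis falls out of a single join; after generalization each equivalence class has three members and the join returns three candidates. The check is only as good as the choice of quasi-identifiers: any column an adversary can obtain elsewhere (the Netflix ratings and dates on the next slide, for example) belongs in that tuple.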
30. Privacy as Projecting a Desired Persona
• People see you the way you want them to see you (impression management)
• Examples:
– Cleaning up your place before visitors
– Putting the right books and CDs out
– Having “desirable” Facebook groups, hobbies, politics, etc on your profile
31. Privacy as Projecting a Desired Persona
• Facebook and projecting a persona
– Let’s consider what’s involved
– People create a profile with an expectation to be seen by certain people
• Think friends
– But can be seen by many others
• Think family, employers, parents
– Controls are hard to manage here
– Also asynchronous, don’t get feedback as in real life
34. Some Incidents
• Prospective Employers
– New York Times article describes how one hiring officer lost interest in a promising applicant when he discovered through Web chat that the applicant was interested in “smoking blunts, shooting people, and obsessive sex.”
• Microsoft commissioned research in Canada, Germany, Ireland, Spain, and the United States
– 91 percent of people have done something to manage their online profile
– only 44 percent of adults actively think about the long-term consequences their activities have on their online reputation.
38. Privacy as a Process
• Controlled, rationalistic process
– Bank and web site privacy policies
– Many rules governing how personal information is gathered and used
• Organic and fluid process
– Adjusting window blinds
– Opening or closing my office door
– Choosing what I do or don’t disclose during a conversation
39. Privacy as Protection of Self vs Others
• Protecting Self
• Protecting Others?
– Mandatory privacy, wearing clothes
– Cell phones going off in theaters
40. Overview of Privacy
• Why care?
• Why is it hard?
• Thinking about and Designing for Privacy
– Specific design issues
• Specific Issues with Social Networks
41. Lessig’s Framework
• Lawrence Lessig is an academic lawyer best known for copyright issues
• Presents a framework for how to influence behavior; it has been adapted by others for privacy
42. Exercise
• How to manage privacy on social networks?
• Split into 4 teams
43. Privacy Policies
• Evidence strongly suggests people don’t read privacy policies
– Carlos Jensen et al, CHI 2004
– Also found that far more people say they read privacy policies than logs indicate
• Problems with privacy policies?
45. Multi-Level Privacy Policies
• Idea from EU Working group on privacy
– Short - Few sentences, for mobile phone
– Condensed - Half page summary
– Full - Details
47. Segmenting Users
• Westin and others have been running surveys over the past few years looking at individuals with respect to organizations
• Responses can be “strongly disagree,” “somewhat disagree,” “somewhat agree,” “strongly agree.”
• Sample three questions from 2001 study:
1. Consumers have lost all control over how personal information is collected and used by companies
2. Most businesses handle the personal information they collect about consumers in a proper and confidential way
3. Existing laws and organizational practices provide a reasonable level of protection for consumer privacy today
48. Segmenting Users
• Rough order of magnitude results over the years
• Don’t care (~10%)
– I’ve got nothing to hide
– We’ve always adapted
– "You have zero privacy anyway. Get over it."
• Fundamentalist (~25%)
– Don’t understand the tech
– Don’t trust others to do the right thing
• Pragmatist (~65%)
– Clear cost-benefit
– Some research has suggested distinction between identity-concerned vs profile-concerned (~evenly split)
50. Awareness
• Should social networking sites provide awareness of who has recently seen your profile?
• Examples of sites that do offer awareness:
– Friendster, LinkedIn (somewhat)
– Orkut, OKCupid (opt-in)
• Sites that do not:
– Facebook, MySpace
• Pros and Cons?
54. Phishing Attacks
• A form of social engineering
– Estimated $350m-$2b direct losses a year
– Spear-phishing and whaling attacks escalating
– Steal sensitive corporate or military information
– Lookalike domain example: bankofthevvest.com
• From the CACM article, citing Gartner report:
– 19% of those surveyed said they clicked on the link
– 3% gave up personal information
• Other stats:
– Microsoft: ~0.4% of IE beta users entered information (Florencio and Hurley, WWW2007)
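The bankofthevvest.com entry on this slide is a lookalike domain: two "v"s standing in for a "w". The Python below is an added example, not part of these slides, of the defender's triage step for such domains: it folds common visual confusables, reduces a host name to its registrable domain, and flags anything that, after folding, equals or sits one edit away from an allowlisted brand domain. The allowlist, the confusable table and the test host names are constructed; bankofthewest.com is assumed to be the legitimate domain the slide's example imitates.

```python
"""Lookalike-domain detection for phishing triage (added example).

The allowlist and confusable table are constructed for illustration.
"""

# Domains the organisation's users legitimately visit (constructed list).
LEGIT_DOMAINS = ("bankofthewest.com", "paypal.com", "microsoft.com")

# Character sequences that render alike in many fonts, applied in this order.
CONFUSABLES = (("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"))


def fold(label):
    """Lower-case a label and collapse visual confusables so 'vvest' == 'west'."""
    label = label.lower()
    for lookalike, canonical in CONFUSABLES:
        label = label.replace(lookalike, canonical)
    return label.replace("-", "")


def registrable(host):
    """Last two labels of a host name (naive eTLD+1; no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def levenshtein(a, b):
    """Edit distance, so single-character slips are caught as well as confusables."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_of(host, legit=LEGIT_DOMAINS, max_edits=1):
    """Return the allowlisted domain that `host` imitates, or None.

    An exact allowlisted domain (including its subdomains) is not a lookalike.
    Only the second-level label is compared, so a TLD swap is also flagged.
    """
    cand = registrable(host)
    if cand in legit:
        return None
    cand_sld = fold(cand.split(".")[0])
    for real in legit:
        real_sld = fold(real.split(".")[0])
        if cand_sld == real_sld or levenshtein(cand_sld, real_sld) <= max_edits:
            return real
    return None


if __name__ == "__main__":
    for host in ("bankofthevvest.com", "www.bankofthewest.com", "micros0ft.com"):
        print(host, "->", lookalike_of(host))
```

This catches substitution-style lookalikes only. A brand embedded in a longer label (a "secure-brand-login" style name) needs a separate containment check, and a production version would add IDN/homoglyph handling and a public-suffix list in place of the naive two-label registrable() helper.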
55. Phishing Attacks
• Social networks can be used to facilitate phishing
– Study by Indiana University
– Crawled social networking data for students
– Experimental condition: Get fake email from a friend
• Alice would get fake email from friend “Bob”
– Control condition: Get fake email from stranger at university
– Asked people to log into the university site
• Passwords verified but not stored anywhere
56. Social Phishing Attacks
• Social phishing 4.5x more effective
• Similar results to other studies
– West Point cadets asked to log in by fictitious colonel
57. Ethics of this study?
• What were people’s reactions, and why?
• Other ways to do this (or similar) studies?
61. What other kinds of Social Phishing Scams can you think of?
• Video of the party you were at
– Scammer took person’s own photo, blurred it, put a play button on top, and linked to malware
Editor's Notes
Your thoughts?
Interest in controlling public image
Going to get a job, online persona may be at odds with future employers
Bad guys want to take your info / identity theft / credit / reputation
Selling your personal information
Identity fraud
Teenagers privacy / friend list / tension with parents
Political dissidents / Civil liberties
Misuse of personal information
Advertisers / spam
What your friends think of you / see you
Future effects / Bill Clinton
http://www.wired.com/threatlevel/2010/10/fbi-tracking-device/
http://www.wired.com/threatlevel/2009/12/gps-data/
Possibly selling your information (and you’re not making any money off of it)
Don’t know where it’s going to end up
Spam
Job security
Personal responsibility, protect others
Paris Hilton
Embarrassment
Facebook’s frictionless sharing
Future expectations of privacy for today’s teens
Control, different parts of your life made public
Personal security
Federal Trade Commission. Self-regulatory principles for online behavioral advertising, 2009.
Burglars went to airports to collect license plates
Credit info used by kidnappers in South America
People felt things that were private / perceptions of privacy were changed
Something being public vs publicized
No choice, pushed on people
Facebook’s motivations
Probably share more
More likely to spend time on site (more ads served)
Feel less lonely, tell your story
If off by default, critical mass problem
Market incentives too
How Companies Learn Your Secrets
http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html
Example: Facebook
Data protection issues?
Advertisers, what kinds of info shared with them
Database security
Credit card security
Applications / security / what info is shared / etc
No crawling
Personal privacy issues?
What your friends share about you
List of friends shown on your page
Pictures
What non-friends can see vs friends
All of these examples have elements of both data protection and personal privacy
Presence, who you choose to talk to,idle time, screening, invisible, ignore
IM company, what info do they collect
Friends, hobbies, what your friends can see, what your friends write about you, photos
How long is information kept? Plug-ins for facebook, info to 3rd parties, can’t get info off facebook, advertisers
Re-identification
Also limited use for HCI (since you often already know who the other party is)
http://arstechnica.com/tech-policy/news/2009/09/your-secrets-live-online-in-databases-of-ruin.ars
Here’s an example from Paul Adams, how it’s hard to have a static web page that is appropriate for multiple spheres of your life
Again, we have this challenge of a blob of friends vs the way we think of and manage our relationships in the real world
http://www.articlesbase.com/college-and-university-articles/caution-college-admissions-peeking-at-facebook-profiles-668232.html
A Kaplan survey this fall indicated that college admissions officers are beginning to visit the social networking websites of applicants for admission. Kaplan surveyed 320 admissions officers and reported that 1 in 10 had looked at applicants' social networking sites. Twenty-five percent of the officers stated the information on the students' profiles had a positive effect on the applicants' admissions process, while 38% of the admissions officers stated that students' profiles had a negative effect.
Many of you will go through this process as you near graduation.
Also see this regarding college admissions:
http://www.insidehighered.com/quicktakes/2012/10/05/facebook-posts-and-lost-chances-admission
Loud stereo
Camera phones
Speeding cars
Too hard to read
Privacy policy changed, can I challenge?
This policy can change at any time, come back often
Cover your @$$
No market or perhaps legal interest
Tedious to read, get in the way
General consensus: designed to protect service providers rather than inform consumers
Too long and too legal
Written in small font, get out of the way
Vague
Easy to not read
Block our process
Reserves the right to change at any time
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.61.9960
We were able to differentiate the remaining participants by the focus of their privacy concerns: Identity concerned users are more concerned about revealing information like their name, email or mailing address, while profiling averse users are more concerned about disclosing such information as their interests, hobbies, and health status.
Privacy, but also business issues for Facebook too
Voyeurism leads to more time spent viewing others, stickiness of site
Biz week http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm
The e-mail message addressed to a Booz Allen Hamilton executive was mundane—a shopping list sent over by the Pentagon of weaponry India wanted to buy. But the missive turned out to be a brilliant fake. Lurking beneath the description of aircraft, engines, and radar equipment was an insidious piece of computer code known as "Poison Ivy" designed to suck sensitive data out of the $4 billion consulting firm's computer network.
The Pentagon hadn't sent the e-mail at all. Its origin is unknown, but the message traveled through Korea on its way to Booz Allen. Its authors knew enough about the "sender" and "recipient" to craft a message unlikely to arouse suspicion. Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address cybersyndrome.3322.org, which is registered through an obscure company headquartered on the banks of China's Yangtze River.
http://www2007.org/program/paper.php?id=620
unethical, inappropriate, illegal, unprofessional, fraudulent, self-serving, and/or useless
They called for the researchers conducting the study to be fired, prosecuted, expelled, or otherwise reprimanded.
Note the URL, been up for at least 3 weeks, still up Oct 23 2008