Privacy Polices & Social Networking Services

1. Privacy Polices & Social Networking Services COMS E6125 Web-enHancedInformation Management (WHIM) Joyce Chen [cjc2179] March 29, 2011

2. We like being stay connected to friends, but we also like our privacy… Census is government’s job! Online Privacy Bill of Rights Facebook is doing FBI and CIA’s jobs!

3. Why don’t we read privacy policies before joining a website? …b/c they are too long?

4. Goals of the Study • What are the main characteristics, similarities and differences of major SNS providers’ privacy policies? • What kind of information do major SNS providers require users to provide in order to use their services? • Do major SNS providers take the initiative to inform their users on potential risks involved with sharing information and privacy rights in general? • Do major SNS providers offer adequate overall privacy protection to their users?

5. Five Websites as Case Studies

6. Methodology 1: Accessibility and User-Friendliness11 Criteria Used • number of words • comparison to average privacy policy (based on the top 1,000 websites’ average length of privacy policies, which is 2,462 words) • amount of time it takes one to read (when is based on the assumption that an average person would read approximately 244 words/minute) • availability of direct link to its actual privacy policy from the index page • availability in languages other than English • availability of detailed explanation of privacy control/protection • availability of trust E-verification • availability of links to U.S. Department of Commerce’s “Safe Harbor Privacy Principles” • availability of contact information in case of questions • coverage of kids privacy • containing the clause that the SNS provider reserves the right to change the privacy policy at anytime

7. Methodology 2: Evaluation and Comparison of Content 5 Criteria Used • allowance of an opt-out option • allowance of third party access to users’ information • discussion of the usage of cookie or tracking tools • explicit statement of what type of information they share with third-parties • sharing of users’ location data

8. Methodology 3: Comparison of Account Creation Process  3 Criteria Used • number of fields required during the initial account creation (i.e. on the index page) • details that are required for a user to create an account on the index page • availability of explanation on required information

9. Methodology 1: Results

10. Methodology 2: Results

11. Methodology 3: Results

12. Conclusions • While these five SNS providers do allow opt-out options for their services, many of them are preset to expose users’ information • Some of these SNS providers may allow third-party developers to access personal information, including location data, (though some are not personally identifiable) if users did not take proactive actions to disallow such proceedings. • SNS providers claim that such allowance enhances the online social networking experience because as one shares more, he/she may discover others who share the similar interests, personalities, background and locations etc. To SNS providers’ own benefit, such sharing of information with third parties may increase their business revenue (improving ads clicking by showing ads that people are more likely to click). • All five SNS providers utilize cookies and similar tracking tools to both enhance users’ experience with the websites as well as to record and store such information for the websites’ business benefits. Nevertheless, these five SNS providers do explain to their users explicitly the kind of information they share with third party developers, make certain that kids under 13 (for LinkedIn it is 18) are not allowed to use their services or have to use the services under parental watch and allow users to change the default settings. • Almost all of them, except for Google Buzz, do state at the end of the policies that they reserve the right to change the policies at any time.

13. A Few More Findings… • Most of the privacy policies are offered in more than one language to cater to different populations. • Except for Google Buzz, contact information is provided in privacy policies in case of questions. • Most policies do adhere to U.S. Department of Commerce’s “Safe Harbor Privacy Principles” and a couple of them are TrustE-verified. • In terms of account creation processes, most of them require users to input the same information in order to create accounts. Foursquare, among the five, asks the most information, including location and phone since it is a mobile-based SNS. • It is interesting to note that three out of five SNS providers’ privacy policies’ length (number of words) are below average when the average is considered to be 2,462 words long. This means that most of them can be read under 10 minutes. While Facebook and LinkedIn’s privacy policies’ length are above average, they can be read around 20 minutes as well. Based on this, it is perhaps rather surprising that many SNS users do not make the effort to read them before signing up.

14. More Conclusions… • Since this is only a five SNS provider case study, it is difficult to make general statements about all SNS providers. However, it seems there is no connection between website popularity and privacy policies’ length. Facebook, among the five, probably has the most number of registered and/or active users. At the same time, it also has the longest privacy policy statement among the five and offers the most interactions / activities / functions / APIs. Perhaps one can make a general conclusion that when a SNS provider provides more functions / interactions on their websites, the longer their privacy policies become since they may need to set more guidelines in regards how they collect and share data and the default settings a user may adjust to protect his/her privacy rights. • All in all, these five SNS providers do announce to their users in their privacy policies that they collect and store data and may share with third party developers. What is not clearly stated is exactly what information is collected and shared. • Furthermore, while the SNS providers do inform users how to adjust their privacy settings in their accounts if he/she does not wish to share his/her information, the default settings are set to expose users’ information. These five privacy policies are informative but the adequacy of protecting a user’s rights to his/her privacy is debatable.

15. Limitations of the Study • This study is only based on five websites while there are many other SNS providers. Therefore, any conclusions and generalizations made are limited. • The criteria used to evaluate the websites privacy policies are limited and they can certainly be expanded to acquire a deeper understanding. • The criteria used to conduct the evaluation may not be completely fair since no two sites are identical. • Some criteria used to examine the privacy policies and the account creation process is vague, difficult to be defined and subject to bias. For example, criteria such as the “detailed explanation of Privacy Control” or “explicit statement of what type of information a SNS provider shares with third-party developers” are rather difficult to be determined. How detailed is comprehensive and how explicit is clear enough? Something that seems clear to one may appear to be ambiguous to another. • Some websites’ privacy policies will indicate that they may update the terms at anytime and may even take effect immediately. Therefore, this study may cover only one version of the privacy policy.

16. References [1] Facebook Privacy Policy, < http://www.facebook.com/policy.php > [2] Freni, Dario, Carmen Ruiz Vicente, Sergio Mascetti, Claudio Bettini and Christian S. Jensen. “Preserving Location and Absence Privacy in Geo-Social Networks.” October 2010. ACM 978-1-4503-0099-5/10/10. [3] Foursquare Privacy Policy. http://foursquare.com/legal/privacy [4] Gross, Ralph and Alessandro Acquisti. “Information Revelation and Privacy in Online Social Networks (The Facebook case).” 2005. ACM Workshop on Privacy in the Electronic Society (WPES). [5] “Google Buzz Privacy Policy.” Oct. 15, 2010. <http://www.google.com/buzz/help/intl/en/privacy.html> [6] Korolova, Aleksandra, Rajeev Motwani, Shubha U. Nabar and Ying Xu. “Link Privacy in Social Networks.” October 2008. ACM 978-1-59593-991-3/08/10. [7] LinkedIn Privacy Policy. < http://www.linkedin.com/static?key=privacy_policy> [8] O’Dell, Jolie. Mashable. “The Real Reason No One Reads Privacy Policies.” Jan. 27, 2011. < http://mashable.com/2011/01/27/the-real-reason-no-one-reads-privacy-policies-infographic/> [9] NPR. “Protecting Your Privacy On Social Networking Sites.” May 21, 2010. < http://www.npr.org/templates/story/story.php?storyId=127037413> [10] Privacy Rights Clearinghouse. “Fact Sheet 35: Social Networking Privacy: How to be Safe, Secure, and Social.” June 2010. < http://www.privacyrights.org/social-networking-privacy> [11] ReadWriteWeb. “Privacy, Facebook and the Future of the Internet.” <http://www.readwriteweb.com/archives/privacy_facebook_and_the_future_of_the_internet.php > [12] Twitter Privacy Policy. < http://twitter.com/privacy> [13] Zhou, Bin, Jian Pei and WoShunLuk. “A brief survey on anonymization techniques for privacy preserving publishing of social network data.” December 2008. SIGKDD Explorations Newsletter , Volume 10 Issue 2 . [14] Yuan, Mingxuan, Lei Chen, Philip S. Yu. “Personalized privacy protection in social networks.” November 2010. Proceedings of the VLDB Endowment , Volume 4 Issue 2.