Privacy Jungle: Data Protection in Social Networks

Dear all,

We are pleased to announce the largest and most comprehensive field study in the academic literature so far of data protection on social networking sites. Our analyses include the sites' functionality, privacy controls, written privacy policies, P3P policies, and metadata for each site. The dataset and our interpretations are freely available online and will be presented at WEIS 2009 in London in two weeks time:

    Joseph Bonneau, Sören Preibusch:
    The Privacy Jungle: On the Market for Data Protection in Social Networks
    in: The Eighth Workshop on the Economics of Information Security (WEIS 2009)
    http://preibusch.de/publ/privacy_jungle

Abstract:
We have conducted the first thorough analysis of the market for privacy practices and policies in online social networks. From an evaluation of 45 social networking sites using 260 criteria we find that many popular assumptions regarding privacy and social networking need to be revisited when considering the entire ecosystem instead of only a handful of well-known sites. Contrary to the common perception of an oligopolistic market, we find evidence of vigorous competition for new users. Despite observing many poor security practices, there is evidence that social network providers are making efforts to implement privacy enhancing technologies with substantial diversity in the amount of privacy control offered. However, privacy is rarely used as a selling point, even then only as auxiliary, non-decisive feature. Sites also failed to promote their existing privacy controls within the site. We similarly found great diversity in the length and content of formal privacy policies, but found an opposite promotional trend: though almost all policies are not accessible to ordinary users due to obfuscating legal jargon, they conspicuously vaunt the sites' privacy practices. We conclude that the market for privacy in social networks is dysfunctional in that there is significant variation in sites' privacy controls, data collection requirements, and legal privacy policies, but this is not effectively conveyed to users. Our empirical findings motivate us to introduce the novel model of a privacy communication game, where the economically rational choice for a site operator is to make privacy control available to evade criticism from privacy fundamentalists, while hiding the privacy control interface and privacy policy to maximise sign-up numbers and encourage data sharing from the pragmatic majority of users. 

Regards,
Sören

Received on Friday, 12 June 2009 14:42:43 UTC