PRIVACY POLICIES & SOCIAL NETWORKING SERVICES COMS E6125 Web-enHanced Information Management (WHIM) Joyce Chen [cjc2179] March 29, 2011


We like staying connected to friends, but we also like our privacy…

Online Privacy Bill of Rights

Census is government’s job!

Facebook is doing FBI and CIA’s jobs!

Why don’t we read privacy policies before joining a website?

…b/c they are too long?

Goals of the Study

• What are the main characteristics, similarities and differences of major SNS providers’ privacy policies?

• What kind of information do major SNS providers require users to provide in order to use their services?

• Do major SNS providers take the initiative to inform their users on potential risks involved with sharing information and privacy rights in general?

• Do major SNS providers offer adequate overall privacy protection to their users?

Five Websites as Case Studies

Methodology 1: Accessibility and User-Friendliness

11 Criteria Used

1. number of words

2. comparison to average privacy policy (based on the top 1,000 websites’ average length of privacy policies, which is 2,462 words)

3. amount of time it takes one to read (which is based on the assumption that an average person would read approximately 244 words/minute)

4. availability of direct link to its actual privacy policy from the index page

5. availability in languages other than English

6. availability of detailed explanation of privacy control/protection

7. availability of trust E-verification

8. availability of links to U.S. Department of Commerce’s “Safe Harbor Privacy Principles”

9. availability of contact information in case of questions

10. coverage of kids privacy

11. containing the clause that the SNS provider reserves the right to change the privacy policy at any time

Methodology 2: Evaluation and Comparison of Content

5 Criteria Used

1. allowance of an opt-out option

2. allowance of third party access to users’ information

3. discussion of the usage of cookie or tracking tools

4. explicit statement of what type of information they share with third-parties

5. sharing of users’ location data

Methodology 3: Comparison of Account Creation Process

3 Criteria Used

1. number of fields required during the initial account creation (i.e. on the index page)

2. details that are required for a user to create an account on the index page

3. availability of explanation on required information

Methodology 1: Results

Evaluation and Comparison of Privacy Policies - Accessibility/User-Friendliness

| Criterion | Facebook | Foursquare | Google Buzz | LinkedIn | Twitter |
|---|---|---|---|---|---|
| Number of words | 5,860 words | 2,436 words | 1,094 words | 5,650 words | 1,287 words |
| Comparison to average privacy policy (based on 2,462 words) | Above average | Below average (but very close to the average) | Below average | Above average | Below average |
| Amount of time it takes one to read (based on an average reading speed of 244 words/minute) | Approx. 24 minutes | Approx. 10 minutes | Approx. 5 minutes | Approx. 23 minutes | Approx. 5 minutes |
| Direct link to its actual privacy policy from the index page | No | Yes | Yes | Yes | Yes |
| Availability in languages other than English | Yes | Yes | Yes | Yes | Yes |
| Detailed explanation of privacy control/protection | Yes | Yes | Yes | No | No |
| Trust E-Verified | Yes | No | No | Yes | No |
| Linking to and/or mentioning U.S. Dept. of Commerce “Safe Harbor Privacy Principles” | Yes | No | Yes | Yes | No |
| Availability of contact information in case of questions | Yes | Yes | No | Yes | Yes |
| Coverage of kids privacy | Yes | Yes | No | Yes | Yes |
| Containing the clause that it reserves the right to change the privacy policy at any time | Yes, but users will be notified | Yes, but users will be notified | No | Yes, but users will be notified of material changes | Yes, but users will be notified of material changes |

Methodology 2: Results

Evaluation and Comparison of Privacy Policies – “Content”

| Criterion | Facebook | Foursquare | Google Buzz | LinkedIn | Twitter |
|---|---|---|---|---|---|
| Allowance of an opt-out option | Yes | Yes | Yes | Yes | Yes |
| Allowance of third-party access to users’ information | Yes/No, depending on a user’s sharing setting and the information shared | Yes | Yes | Yes | Yes |
| Discussion of the usage of cookie or tracking tools | Yes | Yes | Not specified; but Google states that it records users’ use of their products | Yes | Yes |
| Explicit statement of what type of information they share with third-parties | Yes | Yes | Yes | Yes | Yes |
| Sharing of users’ location data | Yes | Yes | Yes | Unclear; not mentioned in the Privacy Policy | Yes |

Methodology 3: Results

Evaluation and Comparison of Account Creation Process

| Criterion | Facebook | Foursquare | Google Buzz | LinkedIn | Twitter |
|---|---|---|---|---|---|
| Number of fields required during the initial account creation | 9 | 10 | Zero if you have a Gmail account | 4 | 6 |
| Details that are required for a user to create an account | First name, last name, email, password, gender, birthday | First name, last name, password, email, phone, location, gender, birthday, photo | None if you have a Gmail account | First name, last name, email, password | First name, username, password, email, “let others find me by my email,” “I want the inside scoop” |
| Availability of explanation on required information | Yes | Yes | Information on how Google Buzz works is available | No | Yes, actually includes the entire Terms of Service in a Text area box |

Conclusions

• While these five SNS providers do allow opt-out options for their services, many of them are preset to expose users’ information.

• Some of these SNS providers may allow third-party developers to access personal information, including location data (though some of it is not personally identifiable), if users do not take proactive action to disallow such access.

• SNS providers claim that such allowance enhances the online social networking experience because as one shares more, he/she may discover others who share similar interests, personalities, backgrounds, locations, etc. To SNS providers’ own benefit, such sharing of information with third parties may increase their business revenue (improving ad click rates by showing ads that people are more likely to click).

• All five SNS providers utilize cookies and similar tracking tools to both enhance users’ experience with the websites as well as to record and store such information for the websites’ business benefits. Nevertheless, these five SNS providers do explain to their users explicitly the kind of information they share with third party developers, make certain that kids under 13 (for LinkedIn it is 18) are not allowed to use their services or have to use the services under parental watch and allow users to change the default settings.

• Almost all of them, except for Google Buzz, do state at the end of the policies that they reserve the right to change the policies at any time.

A Few More Findings…

• Most of the privacy policies are offered in more than one language to cater to different populations.

• Except for Google Buzz, contact information is provided in privacy policies in case of questions.

• Most policies do adhere to U.S. Department of Commerce’s “Safe Harbor Privacy Principles” and a couple of them are TrustE-verified.

• In terms of account creation processes, most of them require users to input the same information in order to create accounts. Foursquare, among the five, asks for the most information, including location and phone, since it is a mobile-based SNS.

• It is interesting to note that three out of five SNS providers’ privacy policies are below average in length (number of words) when the average is considered to be 2,462 words. This means that most of them can be read in under 10 minutes. While Facebook’s and LinkedIn’s privacy policies are above average in length, they can be read in around 20 minutes as well. Based on this, it is perhaps rather surprising that many SNS users do not make the effort to read them before signing up.

More Conclusions…

• Since this is only a five SNS provider case study, it is difficult to make general statements about all SNS providers. However, it seems there is no connection between website popularity and privacy policies’ length. Facebook, among the five, probably has the largest number of registered and/or active users. At the same time, it also has the longest privacy policy statement among the five and offers the most interactions / activities / functions / APIs. Perhaps one can make a general conclusion that the more functions / interactions an SNS provider offers on its website, the longer its privacy policy becomes, since it may need to set more guidelines regarding how it collects and shares data and the default settings a user may adjust to protect his/her privacy rights.

• All in all, these five SNS providers do announce to their users in their privacy policies that they collect and store data and may share with third party developers. What is not clearly stated is exactly what information is collected and shared.

• Furthermore, while the SNS providers do inform users how to adjust their privacy settings in their accounts if he/she does not wish to share his/her information, the default settings are set to expose users’ information. These five privacy policies are informative but the adequacy of protecting a user’s rights to his/her privacy is debatable.

Limitations of the Study

• This study is only based on five websites while there are many other SNS providers. Therefore, any conclusions and generalizations made are limited.

• The criteria used to evaluate the websites privacy policies are limited and they can certainly be expanded to acquire a deeper understanding.

• The criteria used to conduct the evaluation may not be completely fair since no two sites are identical.

• Some criteria used to examine the privacy policies and the account creation process are vague, difficult to define and subject to bias. For example, criteria such as the “detailed explanation of Privacy Control” or “explicit statement of what type of information a SNS provider shares with third-party developers” are rather difficult to determine. How detailed is comprehensive and how explicit is clear enough? Something that seems clear to one may appear to be ambiguous to another.

• Some websites’ privacy policies will indicate that they may update the terms at any time and that changes may even take effect immediately. Therefore, this study may cover only one version of the privacy policy.
