Social Networking Privacy: Understanding the Disconnect from Policy to Controls


Computer, June 2013, pp. 60–67. Published by the IEEE Computer Society. 0018-9162/13/$31.00 © 2013 IEEE

Research Feature

Pauline Anthonysamy, Phil Greenwood, and Awais Rashid, Lancaster University, UK

A proposed method for mapping privacy policy statements to privacy controls can help providers improve data management transparency, thereby increasing user trust.

Although social networking sites (SNSs) continue to attract millions of diverse users worldwide, they remain plagued by privacy compromises that breed user dissatisfaction and lack of trust.

Governments are taking steps to address these concerns through efforts such as the EU’s Data Protection Directive [1] and the US Federal Trade Commission’s mandate [2], but despite these attempts and the willingness of sites to continually tweak their privacy policies and controls (www.fearlessweb.trendmicro.com/2012/tips-and-tricks/facebook-privacy-controls-get-a-facelift), most SNS users still know little about how the site manages their personal information [3] or how privacy controls work [4].

To demonstrate that they have taken protective measures, SNS providers need to confirm that privacy controls reflect their established privacy policy. But is it even possible to establish a traceable mapping between the two?

To answer this question, we looked at observable relationships between policy content and the control functions of 16 prominent SNSs. For our study, “privacy policies” are actions that the SNS performs on user-supplied information, and “privacy controls” are the operations presented to users to manage their personal information.

“Observable relationship” is the user’s perspective of interacting with a social network—how the user sees interaction realized through the SNS’s privacy controls and how those controls relate to the site’s privacy policy.

Unlike researchers who extract software requirements directly from privacy policies [5,6] or legal documents [7], we explored whether the runtime functionality that privacy controls provide is traceable to the statements in the privacy policies and do so in the highly volatile domain of an SNS. Our goal was to establish a clear traceability relationship that could better guide users on how the site and third parties handle their information and to give the SNS a better understanding of how to increase user trust through proven compliance.

This study expands our previous work [8] to explore privacy policies using a systematic traceability method based on an SNS taxonomy and a detailed mapping between privacy policy statements and privacy controls. Our analysis answers three questions:

• What common information themes do SNS policies address?

• What privacy controls are available to SNS users?

• To what degree is it possible to trace a relationship between the SNS’s policy information and its privacy controls?

After applying our method to analyze the 16 sites, we found a significant disconnect between policy statements and privacy controls. A more formal description of our method, in which we assess the degree of traceability between statements in SNS privacy policies and privacy controls, illustrates its applicability in other domains centered on user-generated content [9].

DATA COLLECTION

The 16 SNSs we analyzed provide typical functionalities, such as conversing with other members, creating profiles, and sharing photos and videos (http://en.wikipedia.org/wiki/List_of_social_networking_websites). Collectively, the sites have at least 10 million active global users, make privacy policies available online, and provide a variety of privacy controls—all criteria for our analysis.

We began by taking a snapshot of each site’s privacy policy as the SNS would present it to a nonmember. We then created four test accounts on each site: two for adults (18 years and older) and two for minors (13 to 17 years) to reflect the distinct regulatory codes that govern the access of minors on an SNS. With these four accounts, we could make each profile visible from another and identify any differences between adult and minor accounts. We made each account “friends” (or equivalent status) with the others.

During account creation, we recorded all requested information, providing the same profile data for each site (www.comp.lancs.ac.uk/~anthonys/dataset.html) and included both mandatory and optional information to enable comparisons across sites and to determine the information’s default visibility. When using SNS search features and external search engines to access user profiles, we noted the difference between publicly viewable profile information and what friend accounts could see. Finally, we recorded all available privacy controls and their default settings, which we maintained throughout data collection.

The privacy controls included in the mapping are restricted to the operations in the SNS’s settings page; we did not include operations that appear as hyperlinks in the sites’ privacy policies.

One person carried out the data collection and analysis procedure, which a second person independently reviewed and verified. We relied on our mapping method [9] to resolve any data-checking conflicts.

TRACEABILITY MODELING AND EVALUATION

To establish traceability, we identified common reference points that would let us establish a mapping between SNS privacy policies and privacy controls [8]. We then scaled the mappings to determine the degree of traceability.

Mapping procedure

In an SNS model, users submit data and can choose (or are required) to make that data visible to others. Thus, the common reference points that enable a policy-to-control mapping are data and visibility. That is, we modeled policy statements as actions over data and visibility and privacy controls as operations over data and visibility. Where possible, we established clear mappings from each policy action statement to a corresponding control operation.

We used content analysis [10] to categorize qualitative data into meaningful themes, and then decomposed privacy policy statements and examined each statement to identify the actions (expressed as verbs or verb phrases in natural language) that an SNS performs in terms of user-supplied data and its visibility. We applied this process to each SNS as part of refining a set of common categories and themes [11]. Finally, where possible, we mapped the decomposed statements to privacy controls by applying three steps to each statement in each category:

• attempt to identify a corresponding operation that maps to that statement’s action by matching terminology (identifying terms that have the same meaning in describing action and operation),

• verify that the data that a control operation manipulates matches that in the statement, and

• verify that the data’s default visibility indicated by the operation is consistent with what the policy statement specifies.

In the excerpt of Facebook’s privacy policy in Figure 1, for example, a statement contains the verb phrase “serve social ads.” After terminology matching, this statement maps to the corresponding advertising operation, “Edit social adverts setting” because “social ads” has the same semantic definition as “social adverts.”

Occasionally, it is difficult to verify that the data manipulated by privacy controls matches that in the privacy policy statement. If a statement used ambiguous or generic catch-all terms like “personally identifiable information,” we had to search for definitions of that term by extrapolating data from the SNS’s description. We then verified the default visibility value of the matched operation to the visibility specified in the policy statement. In Figure 1, “friend” represents the visibility reference point.


Mapping scale

To qualitatively evaluate the mappings between privacy policies and controls (operations), we developed a mapping scale to assess the degree to which each operation fulfills the actions described. As Table 1 shows, the possible mappings are complete, partial, or broken.
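The mapping procedure and the mapping scale can be made concrete as a small checker. The following is an added example, not the authors' tool or data: it models policy statements as actions over data and visibility, controls as operations over data and default visibility, applies the three matching steps, and grades each statement complete, partial, or broken; the synonym table, catch-all list, noise-word list, rating rules, and sample statements and controls are all constructed assumptions.

```python
# Added example: policy-to-control traceability checker modelled on the three
# mapping steps and the complete/partial/broken scale. All data is constructed.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed synonym table: phrases the mapping treats as semantically equal
# (the Facebook example pairs "social ads" with "social adverts").
SYNONYMS = {"social ads": "social adverts", "cancel account": "delete account"}

# Constructed catch-all terms: naming data this way is "ambiguous" (Table 1),
# so a statement that uses one can rate at most partial.
CATCH_ALL = {"personal information", "personally identifiable information",
             "other content", "other third parties"}

# Words that carry no mapping meaning and are ignored when matching terms.
NOISE = {"edit", "setting", "settings", "your", "the", "a", "an", "of", "to"}


@dataclass(frozen=True)
class Statement:
    """A privacy-policy statement: an action over data and visibility."""
    site: str
    category: str
    action: str
    data: FrozenSet[str]
    visibility: Optional[str] = None   # visibility the policy promises, if any


@dataclass(frozen=True)
class Control:
    """A privacy control: an operation over data and default visibility."""
    site: str
    operation: str
    data: FrozenSet[str]
    default_visibility: Optional[str] = None
    indirect: bool = False             # reachable only via a link in the policy text


def content_words(phrase: str) -> set:
    """Lower-case the phrase, apply synonyms, drop noise words."""
    p = phrase.lower()
    for key, value in SYNONYMS.items():
        p = p.replace(key, value)
    return set(p.split()) - NOISE


def overlap(action: str, operation: str) -> int:
    """Step 1 (terminology match): meaningful words shared by the policy
    action and the operation name after synonym normalisation."""
    return len(content_words(action) & content_words(operation))


def rate(stmt: Statement, controls: List[Control]) -> Tuple[str, Optional[Control], List[str]]:
    """Apply steps 1-3 to one statement; return (degree, matched control, reasons)."""
    scored = [(overlap(stmt.action, c.operation), c)
              for c in controls if c.site == stmt.site]
    scored = [(n, c) for n, c in scored if n > 0]
    if not scored:                     # Table 1: broken = no operation matches
        return "broken", None, ["no operation matches the statement's action"]
    ctrl = max(scored, key=lambda nc: nc[0])[1]   # best terminology match wins
    reasons = []
    # Step 2: the data the control manipulates must match the statement's data.
    ambiguous = stmt.data & CATCH_ALL
    if ambiguous:
        reasons.append("ambiguous: catch-all term(s) " + ", ".join(sorted(ambiguous)))
    uncovered = (stmt.data - CATCH_ALL) - ctrl.data
    if uncovered:
        reasons.append("imprecise: control does not cover " + ", ".join(sorted(uncovered)))
    # Step 3: the control's default visibility must agree with the policy.
    if stmt.visibility and ctrl.default_visibility != stmt.visibility:
        reasons.append(f"imprecise: default visibility is {ctrl.default_visibility}, "
                       f"policy says {stmt.visibility}")
    if ctrl.indirect:
        reasons.append("imprecise: operation reachable only through the policy text")
    return ("partial" if reasons else "complete"), ctrl, reasons


def summarise(statements: List[Statement], controls: List[Control]) -> dict:
    """Share of statements at each degree, like the percentages in the text."""
    counts = {"complete": 0, "partial": 0, "broken": 0}
    for s in statements:
        counts[rate(s, controls)[0]] += 1
    total = len(statements) or 1
    return {k: round(v / total, 2) for k, v in counts.items()}


# Constructed sample data echoing the paper's examples (not real site data).
STATEMENTS = [
    Statement("Facebook", "Advertising", "serve social ads", frozenset({"name"}), "friends"),
    Statement("Orkut", "Optional information", "create a profile",
              frozenset({"gender", "age", "occupation", "other content"})),
    Statement("Nexopia", "Information gathered passively",
              "log non-personally identifiable information", frozenset({"ip address"})),
    Statement("Facebook", "Information removal", "delete account", frozenset({"account"})),
]
CONTROLS = [
    Control("Facebook", "Edit social adverts setting", frozenset({"name"}), "friends"),
    Control("Orkut", "Edit profile", frozenset({"gender", "age", "occupation", "photos"})),
    Control("Facebook", "Deactivate account", frozenset({"account"})),
    Control("Facebook", "Delete account", frozenset({"account"}), indirect=True),
]

if __name__ == "__main__":
    for s in STATEMENTS:
        degree, ctrl, why = rate(s, CONTROLS)
        print(f"{s.site:9} {s.category:32} {degree:8} {ctrl.operation if ctrl else '-'} {why}")
    print(summarise(STATEMENTS, CONTROLS))
```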

TRACEABILITY RESULTS

Table 2 summarizes our survey results. The left column is our final taxonomy of action categories, which we refined as we identified common characteristics among the privacy policies for the 16 sites.

Each table cell contains a symbol that denotes the mapping of each privacy policy’s statements (actions) in that category to the corresponding privacy controls (operations). A category that contains three statements, for example, has three corresponding markings. “Not applicable” means that mapping did not apply to that category or the site did not specify the required information.

Together, the table cells reveal a significant disconnect between policy statements and privacy controls. Two-thirds of the categories had at least one broken traceability rating—on average, 43 percent of statements were marked as broken across the 16 sites.

Results for each degree of traceability—complete, partial, and broken—revealed key insights. Although we provide a brief example of complete traceability, our focus is on partial and broken traceability, since these findings are likely to be of more interest to users.

In the examples, boldface type denotes data, underlining denotes action, and screened text denotes visibility.

Complete traceability

Policies for all 16 sites we assessed clearly communicate the user age requirement in accordance with the US Federal Trade Commission [2] or the EU directive [1], and we identified complete mappings between age restrictions in the policy statements and sign-up operations.

Table 1. Mapping scale and evaluation criteria.

Complete (mapping is consistent and unambiguous)
Characteristics: Consistent: terms with the same semantic meaning describe both actions and operations. Unambiguous: information can be interpreted only one way and actions easily relate to operations.
Example: Policy states that a user can opt in or out of all communications or promotional emails except essential site notifications, with corresponding operations to do so.

Partial (mapping is imprecise and ambiguous)
Characteristics: Imprecise: information is missing or indirect (is there for compliance but not intended for a user to notice). Ambiguous: terms can be interpreted various ways.
Examples: Policy addresses account deletions but the operation to do so is buried within the site’s policy text. Policy uses generic terms like “personal information” without having a clear definition for it.

Broken (mapping is disjointed)
Characteristics: Statements (actions) specified in a privacy policy do not match any operations.
Example: Policy states that SNS providers share users’ information with third parties such as advertisers but no corresponding operations are present to restrict this action.

Figure 1. Mapping terms in Facebook’s privacy statement to privacy controls. Matching terminology such as “social ads” and “social adverts” enables mapping between policy statements (top) and controls (bottom), such as “Edit social adverts setting,” as well as between data (name—Denny Daoust) and visibility (Friend—Only [Denny’s] friends).

For example, Tagged’s privacy policy states,

Tagged is a general audience web site that complies with the Children’s Online Privacy Protection Act (COPPA). Our registration process is designed to restrict children under the age of 13 from becoming members of Tagged and using our site.

On the basis of “restrict” (action), we classified this statement in the age restriction subcategory and identified “age” as the relevant data. We then mapped this statement to a Tagged sign-up operation. We deemed the mapping complete when registration failed if we tried to sign up using a birth date that violated the site’s age requirement.

We established complete mappings on 12 sites that had statements describing age restrictions for sign-up in their privacy policies. However, in three of these sites, we found that simply entering a different birth date let users circumvent the site’s age restrictions during sign-up. The remaining nine sites required that the user clear the browser cookies before performing the operation.

Four sites did not state any age restrictions in their privacy policies, but we encountered restrictions when we tried to sign up, so we classified them as not applicable (-).

Partial traceability

We rated statements in two categories—“Optional information” and “Information sharing by a member with other users”—as generally having partial traceability across the 16 sites. The rating was either because the SNS was vague about what data it collects or because the SNS did not adequately communicate default visibility settings.

Vague data definition. Precise data definitions are vital to understanding information significance, particularly in ascertaining what data can enable user identification when shared with third parties. Most of the policies we examined have imprecise and ambiguous descriptions of the data types collected.

For example, Orkut’s privacy policy states,

As an Orkut member, you can create a profile or Orkut community that includes personal information, such as your gender, age, occupation, hobbies and interests plus other content, such as photos.

We could directly map only a few items specified in the policy to items the site actually collected [12]. Using catch-all phrases such as “other content” without defining them (as in the Orkut statement) was cause for a partial rating in the optional information category. Only six sites had precise definitions for all statements (and therefore a complete rating) describing the registration information collected; only four had complete mappings for the optional information.

Table 2. Degree of traceability from the mapping process. [The cell symbols did not survive extraction; only the table’s structure is recoverable.] Rows (privacy policy categories): Information collection: direct collection (personal information/registration information; optional information), indirect collection (information gathered passively); Information use: internal usage, communication, advertising, aggregation, personalization; Information sharing: sharing by a member (with other users; with third parties), sharing by the SNS provider (with third parties; with law enforcement); Information management: review/change personal information, information removal, information monitoring (by SNS provider; by third parties); Information protection (for specific groups): age restrictions. Columns (the 16 sites): Facebook, MySpace, Bebo, Hyves, LinkedIn, Orkut, Live Space, LiveJournal, Friendster, Tagged, Netlog, Badoo, Nexopia, PerfSpot, Twitter, Hi5. Legend: Complete, Partial, Broken, Not applicable.


Failure to communicate default visibility. In most of the surveyed sites, users manage personal information through role-based access-control mechanisms [6]. Fourteen sites included statements explaining what information a user can share and with whom, and we could map these statements to the corresponding operations. However, 10 of the 14 sites failed to communicate the default configurations (mostly public) that come with a new profile. Only Orkut and Live Space made Friend grouping the default configuration.

Ten sites implemented a restricted-sharing mechanism for minors. Facebook, Orkut, Tagged, and MySpace (among others) defaulted to private/restricted for the visibility of minors’ user profiles. MySpace and Facebook have an operation that disallows minor profiles from being searchable by default. Although the sites provide a distinct privacy configuration for minors, the default settings switch automatically to an adult user configuration (more public) when the user turns 18. The sites do not make users aware of this change.

Broken traceability

Broken mapping occurred mainly in the “Information gathered passively,” “Internal usage,” “Aggregation,” and “Information sharing by the SNS provider” categories. We attributed broken mapping to lack of user control over indirect data collection, users’ inability to opt in or out of an SNS’s internal processing activities, and lack of user control in preventing information sharing with third parties.

Control of indirect data collection. All 16 sites except Orkut state that site providers might share information with third parties but provide no controls for the user to prevent such sharing.

For example, Nexopia’s privacy policy states,

Nexopia.com also logs non-personally identifiable information of members and visitors to the site, including IP address, aggregate user data, and browser type. This information may be shared with 3rd parties ...

but we found no operations for a user to opt in or out of this collection activity, nor did we find a specific list of data subject to collection.

Orkut is an exception because it has two different policies (its own and a Google policy). Although the Google policy discusses indirect collection, Orkut’s own policy does not, so we rated it as “Not applicable” in this category.

Inability to opt in or out of internal processing. Of the 16 SNSs, 12 state that they aggregate users’ information but none allow the user to control this action. For example, Badoo’s privacy policy states,

We internally use personal information of our users to statistically analyse site usage, to comply with applicable law, to improve our content and product offerings ...

which fails to explicitly specify the data that will be used and to whom it might be accessible. Additionally, we could not identify or match any operations with this usage activity. All sites had similar statements in their privacy policies for an internal usage category, but again none had a corresponding control.

Control of third-party data sharing. In 15 sites, we found that users have no way to restrict SNS providers from sharing their information with third parties. For example, Bebo’s privacy policy states,

Bebo may transfer information about you and your use of Bebo, such as your IP address, information stored via cookies, and other demographic information about you, to our advertising affiliates (such as Advertising.com), partners (including Yahoo! and its affiliates) and other third parties.

The statement makes it clear that IP address and the other identified data items will be visible to advertising affiliates, partners, and other third parties, but catch-all terms like “other third parties” are more illustrative than exhaustive, and we found no corresponding operations to restrict this action.

Multifarious traceability

Several taxonomy categories had a varied degree of traceability across the surveyed sites. Reasons include lack of support in understanding third-party privacy policies, difficulty in removing personal information, and poorly defined policies about passive data monitoring.

Adding third-party applications. Most sites state that data might be shared with third parties if the user adds an application, follows links to other sites, or clicks on advertisements, but no site provides traceable details on the specific data items that are shared and with which third parties. Orkut’s privacy policy states,

You may choose to use an application by adding it to your profile. If you add an application to your profile, the application may collect information from your profile or other information about your activities on Orkut and share that information with others.

As in Bebo’s statement, this statement contains catch-all terms that the policy does not define, and we also found no operations that let users control this sharing. We therefore gave Orkut a broken rating in the “Sharing by a member with third parties” category.

Conversely, Facebook and LinkedIn explicitly specify the data that might become visible when the user adds an application, and we found operations to control some of the data to be shared. These sites received a complete (LinkedIn) or complete and partial (Facebook) rating in the same category.

A few sites post a link to the third party’s privacy policy when the user tries to connect to an application. It is up to the user to find these privacy policies, discover which terms apply to the application’s use, and understand how such use affects user privacy. Of the 10 sites that had statements indicating that data might be shared directly with third parties, five had broken mappings.

Removing personal information. Twelve sites addressed account removal in their privacy policies, but mappings of the corresponding statements were inconsistent. For example, Hi5’s privacy policy states,

If you would like to delete your account, log into Hi5, go to your account settings page by clicking the account link in the top right hand corner. On that page, right below the email address field you will see a link to cancel your account.

Although we found the matching operation on the settings page, the operation deactivated, not deleted, the account. Similarly, Facebook’s privacy policy specifies that users can either deactivate their account or remove it. However, we found only a deactivation link on the settings page; the deletion link was accessible only through the privacy policy (indirect mapping), which earned the site one partial rating in the information removal category.

Myspace, Hyves, and Friendster did not include any information on data removal in their privacy policies, but we found deletion and cancellation operations. We therefore marked these sites as “Not applicable” in accordance with our mapping method (site did not specify the information required for evaluation). For example, on its settings page, Hyves indicates that removing an account will permanently delete all profile information. Although we verified that this action did indeed remove the account, the removal operation was buried in other settings, making removal complicated and unclear.

Hyves’s omission of explicit instructions on account removal places the burden on users to discover how to delete their accounts. Perhaps of greater concern is PerfSpot’s omission of information on data removal. Its privacy policy neither included information on account deletion nor provided any operations to do so.

Passive data monitoring. Automatic observation of user behavior reveals the applications used, webpages visited, music listened to, and so on. For example, PerfSpot’s privacy policy states,

PerfSpot may use session cookies and persistent cookies for the purpose of tracking various important data. ... While we recommend that you allow these cookies ..., you may adjust your computer’s settings to restrict or refuse them.

and,

PerfSpot uses clear .GIFs and log file data to … monitor the impact. … marketing efforts … monitor aggregate metrics providing detailed data on user activities while on the Website.

In accordance with the first statement, we could block cookies by configuring the browser settings (operation), but the task was not trivial, particularly for a nontechnical user (indirect mapping). We therefore gave this statement a partial rating in the “Information monitoring by SNS provider” category. For the second statement, we could not identify any corresponding operations relating to this action, so it received a broken rating in the same category.

Privacy policies also include statements about third-party data monitoring. Six sites provided links to the SNS’s advertising initiatives opt-out program, where users can opt in or out of having third-party cookies placed on their computer. However, the user must read privacy policies rigorously to be informed about this link (requiring additional effort and reasoning). For that reason, we gave these sites at least one partial rating in the “Information monitoring by third parties” category. We found no corresponding opt-in or -out operation in the other 10 sites, which received broken ratings.

EVALUATION OF KEY FINDINGS

Previous work on SNS privacy concerns focused on ensuring software requirements compliance with governing legal texts and privacy policies [5,7] or on measuring the correctness and usability of privacy controls [4,12]. Our evaluation environment was far more dynamic, in that we attempted to determine if the SNS’s privacy controls’ runtime functionality is traceable to the network’s privacy policy statements.


We used the privacy policies and controls available during our data collection period from January to May 2011, and some have since changed. Although these updates might somewhat affect our categories and analysis, we stand by our assertions that privacy policies and controls are largely disconnected. Our analysis reveals an overall lack of traceability and transparency and an indeterminable information flow.

Lack of traceability

We found a widespread lack of traceability between privacy policies and the runtime implementation of privacy controls: only 23 percent of all statements across the surveyed sites had a complete mapping to controls. The underlying causes are attributable to the SNS business model. Unlike users who are site consumers or customers of conventional service providers such as Amazon or eBay, SNS users and their personal information are the products. Consequently, SNSs generate revenue from sharing users’ information with third parties.

The SNS business model leads to an interesting dichotomy between the users’ privacy needs and the SNS’s sustainability: if everything were private, the site would have no data on which to capitalize. Our study aimed to establish a balance between SNS and user needs by emphasizing the need for externally observable relationships between privacy policies and policy controls so that both users and SNS providers can have confidence that the privacy controls are consistent with policy statements.

The open challenge for traceability and requirements engineering research is how to provide such traceability in open online social settings in which privacy and business needs often conflict.

Lack of transparency

We found that 43 percent of policy statements could not be mapped in any way to the available privacy controls, particularly when those statements related to actions over which the user had no control, such as indirect data collection or monitoring or the aggregation of user activities. Unless a user clearly understands the privacy policy, there is little awareness of how the site or third parties are using personal data, which can foster user mistrust.

Although the SNS might not view lack of transparency as broken, from a user perspective, it is traceable to a privacy policy’s systemic failure. We see a need for effective privacy-awareness mechanisms that give users a sense of how the site and third parties are monitoring their actions and using their data, but the mechanisms cannot compromise the usability of SNS features. Evolving such a mechanism requires some tangible online experience to create and hone the sense of when privacy is being compromised.

Indeterminable information flow

Indeterminable information flow is the user’s inability to visualize and track personal information through the SNS. We arrived at this idea while analyzing the content of privacy policies. As we developed the subcategories in Table 2, we realized that the kinds of data and visibility under first-order categories such as information collection, usage, and sharing tended to be disconnected. For example, Hi5’s privacy policy on data collection states,

If you send SMS, MMS, or text messages to the Services, we will collect the telephone number ...

To easily track the flow of this information through the use and sharing stages, corresponding references to this data should be included under the policy’s appropriate use and sharing sections, but they are not.

Privacy policies need more effective structures that make more explicit the information flow through the SNS from collection to use and sharing. Exploration from a software design perspective might reveal a way to incorporate information flow into privacy controls design, hence making such information flow visible during the users’ interactions with these controls.

Our study of 16 popular SNSs reveals that two-thirds of the principles addressed in privacy policies are not reflected in the runtime implementation of privacy controls. This finding underlines the seriously deficient state of privacy management in a world connected by innovative online social media.

Researchers, social networking providers, privacy groups, and users must come together to address several key challenges. The first is how to balance the often conflicting economic and privacy goals of diverse stakeholders in an SNS. This challenge requires developing new economic and business models that embrace privacy as a feature rather than an obstacle.

Another issue is how to make SNS users more privacy-aware in their day-to-day interactions. This would require offering new modes of user experience that do not detract from the SNS services but still provide a sense of the user’s exposure during interactions on an SNS.

The final challenge is how to make information flow more transparent, which requires new forms of privacy controls that will let users understand what happens to their information when they select particular settings. The ultimate goal is to transparently embody privacy policies within privacy controls.

We have taken a step toward defining and understanding these challenges. Establishing a clear traceability relationship will benefit users by providing clearer guidance on how their information is handled and aid SNSs by validating compliance and increasing users’ trust.

Acknowledgments

This research is funded by a Lancaster University 40th Anniversary Research Studentship, EPSRC grant EP/I016546/1 and EP/I016546/1. We thank Barry Porter for his valuable feedback on this article.

References

1. “Protection of Personal Data—European Commission Data Directive 95/46/EC,” 2011; www.eur-lex.europa.eu/lexuriserv/lexuriserv.do?uri=celex:31995l0046:en:not.

2. “Federal Trade Commission Privacy Online: Fair Information Practices in the Electronic Marketplace,” 2000; www.ftc.gov/reports/privacy3.

3. R. Singh, M. Sumeeth, and J. Miller, “A User-Centric Evaluation of the Readability of Privacy Policies in Popular Web Sites,” Information Systems Frontiers, Feb. 2010, pp. 1-14.

4. M. Majeski, M. Johnson, and S.M. Bellovin, The Failure of Online Social Network Privacy Settings, tech. report CUCS-010-11, Columbia Univ., 2011.

5. J. Young, “Commitment Analysis to Operationalize Software Requirements from Privacy Policies,” Requirements Eng., vol. 16, no. 1, 2011, pp. 33-46.

6. J. Young and A. Antón, “A Method for Identifying Software Requirements Based on Policy Commitments,” Proc. 18th Int’l Conf. Requirements Eng. (RE 10), IEEE CS, 2010, pp. 47-56.

7. T. Breaux and A. Antón, “Analyzing Regulatory Rules for Privacy and Security Requirements,” IEEE Trans. Software Eng., Jan. 2008, pp. 5-20.

8. P. Anthonysamy, A. Rashid, and P. Greenwood, “Do the Privacy Policies Reflect the Privacy Controls on Social Networks?” Proc. Int’l Conf. Privacy, Security, Risk and Trust (PASSAT 11), IEEE CS, 2011, pp. 1155-1158.

9. P. Anthonysamy, P. Greenwood, and A. Rashid, “A Method for Analysing Traceability Between Privacy Policies and Privacy Controls of Online Social Networks,” Proc. Ann. Privacy Forum: Closing the Loop from Research to Policy, Lancaster Univ.; www.comp.lancs.ac.uk/~anthonys/publication.html.

10. B. Glaser and A. Strauss, The Discovery of Grounded Theory: Strategies for Qualitative Research, Aldine Transaction, 1967.

11. A.I. Antón and J.B. Earp, “A Requirements Taxonomy for Reducing Web Site Privacy Vulnerabilities,” Requirements Eng., vol. 9, 2004, pp. 169-195.

12. J. Bonneau and S. Preibusch, “The Privacy Jungle: On the Market for Data Protection in Social Networks,” Economics of Information Security and Privacy, Springer, 2010, pp. 121-167.

Pauline Anthonysamy is a PhD student in the School of Computing and Communications and a member of the Cyber Security Research Centre at Lancaster University, UK. Her research interests include developing computational approaches for privacy policy compliance and traceability to a system’s runtime functionality and the modeling and analysis of privacy in online social networks. Anthonysamy received an MS in computer science from the University of Ottawa, Canada. She is a member of ACM. Contact her at [email protected].

Phil Greenwood is a senior research associate in the School of Computing and Communications and a member of the Cyber Security Research Centre at Lancaster University, UK. His research interests include the development of novel software engineering tools and techniques to address current and future cybersecurity risks while reconciling the associated sociotechnical challenges. Greenwood received a PhD in computer science from Lancaster University. Contact him at [email protected].

Awais Rashid is a professor in the School of Computing and Communications and director of the cross-disciplinary Security-Lancaster Research Centre at Lancaster University, UK. He also heads the EPSRC-GCHQ Academic Centre of Excellence in Cyber Security Research at Lancaster University. His research interests include engineering trusted and trustworthy systems, sociotechnical approaches to cybersecurity, privacy management, and ethics. Rashid received a PhD in computer science from Lancaster University. He is a member of IEEE and the IEEE Computer Society. Contact him at [email protected].
