Privacy and social networks

Ian Brown (Oxford Internet Institute)Lilian Edwards (Sheffield University)

“Sensitive” personal data

Do Social Networking Sites contain: “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.” (Article 8 Data Protection Directive)

Tagging

Should you have a right to control what is “tagged” with your name or identifier?

Facebook lets you control who can find “your” tags

A29WP: “Users should be advised by SNS that pictures or information about other individuals, should only be uploaded with the individual’s consent.”

Tag control

You can control who sees items tagged as you

Not possible in sites that expose tags to search engines

Facebook applications Over 350,000 active apps as of June 2009 X’s consent may reveal personal data about Y

Canadian Privacy Commissioner: “Facebook should be doing much more to ensure that meaningful consent is duly obtained from users when developers access their personal information [and] technological safeguards that will not simply forbid, but effectively prevent, developers’ unauthorized access to personal information that they do not need.”

Reasonable expectations? Oxford students fined on basis of Facebook photos

of exam celebrations. Whose “fault”? Students who didn’t take appropriate security measures using available tools?

Oxford for snooping on a “private place”? Facebook because it did not provide the right defaults for a “reasonable expectation of privacy”?

A29WP: “SNS should ensure privacy-friendly and free of charge default settings are in place restricting access to self-selected contacts”

Canadian Privacy Commissioner: “Facebook’s default settings in respect of photo albums and search engines do not meet users’ reasonable expectations”

User population issues If adults rarely take steps to protect their privacy, should we expect teenagers to? Risk awareness; jam today; culture of disclosure. But when FB users grow up..

What would make kids privacy-aware? Wired July 17 2007 report => “It seems the privacy threat is not so much Big Brother as your mother.”

Some suggestions of default of no spider-able profiles for under 18s on SNSs.

Some sites much more protective – cf Bebo.

Individuals ≠ data controllers

How sustainable is Lindqvist?

A29WP: “when access to a profile is provided to all members within the SNS or the data is indexable by search engines, access goes beyond the personal or household sphere.”

Better privacy protection by infomediaries? Defaults/Nudges? Expedited temporary restrictions on sharing?

How to further privacy on Facebook and SNSs?

EU Data Protection law on the whole requires consent to legitimise data collection, processing and transfer

Is the consent given when signing up for Facebook (and apps) good enough? Informed? “Explicit” for sensitive data?

Should current consent expose users to future risks? “The eternal memory of Google”

Can T & C which exclude liability for privacy and security breaches be potentially void as unfair consumer terms?

Some ideas: A legal regime requiring that defaults be provided at

the most privacy-friendly setting? Automatic expiration of data?

References L. Edwards & I. Brown (2009) Data Control and Social Networking: Irreconcilable Ideas? In A. Matwyshyn (ed.) Harboring Data: Information Security, Law and the Corporation, Stanford University Press, 202-227.

Office of the Federal Privacy Commissioner, PIPEDA Case Summary #2009-008: CIPPIC against Facebook

Article 29 Working Party Opinion 5/2009 on online social networking