IE Business School, MDMK2013

Are Social Networks a Threat to Privacy or is the Notion of Privacy Changing?

Nowadays, more than 2 billions people worldwide are spending more the 16 hours (32 hours in the US) a month online, and social networking accounts for 22% of that time1. This is particularly true for the younger generation, the so called digital natives, but the phenomenon is taking over older users too and they are growing faster than ever 2 . Google and Facebook are the most visited web sites on the internet with hundred millions of unique users daily 3! If Facebook were a country it would be the third largest in the world4. Pretty impressive gures. This gives a good idea of what we are talking about here. It no longer is a marginal activity done by a few students: it is a worldwide event touching billions of people daily. Aside the fabulous opportunities it offers, it also bears a growing concern about privacy and data protection. The rising of the Web 2.0 and its sharing tools - Facebook, YouTube, Twitter, Wordpress, LinkedIn, and Pinterest to name a few - enables people to create content and not just consume it. Internet users are becoming active players in the web of participation creating and uploading content from pictures to movies and creating proles on various social networks sharing personal data. With these new circumstances, a growing concern in terms of privacy and data protection arose. In this document we are going to look at this phenomenon and try to answer the question if social networks are a threat to privacy or if we, the users, do no longer care about it in order to socialize. To come to this answer we will try to dene privacy and how we can protect it but we will also clarify the specic threats associated to social networks and what we should do as users to protect our private sphere. We will not dive in the depth of all legal writings and laws, but will try to understand the underlying principles. It is important to know the legal framework upon which privacy can be protected.

What Is Privacy and How Do we Protect It?

There is a wealth of information and documents about privacy on the internet, but somehow it is hard to nd one single denition of it. Albeit the various descriptions lead to similar denitions, they come across as a broader concept with multiple understandings, depending on factors like the moment in time it was stated or the country and the cultural
1 2

http://www.mediabistro.com/alltwitter/online-time_b22186 http://www.pewinternet.org/Reports/2010/Older-Adults-and-Social-Media/Report.aspx 3 http://www.mediabistro.com/alltwitter/online-time_b22186 4 http://www.forbes.com/sites/kashmirhill/2012/02/22/facebooks-top-cop-joe-sullivan/

2012 | Marc Lounis - www.lounis.ch | Virtual Companies Legal Environment !

IE Business School, MDMK2013

background of the author. We also noticed that the concept of privacy has evolved throughout history to match the rising worries following the technological evolution. Today, with the democratization of internet and social medias we are probably standing at a the corner stone of a new denition of privacy. To begin, we have selected tree denitions of privacy and we will try to extract and understand the underlying characteristics of this notion. The aim here is to get a sense for what privacy is and the scope it covers. The rst one is dated 1967 and is given by Alan F. Westin a law Scholar and pioneer in the eld of privacy and data protection in the USA. Privacy may be dened as the claim of individuals, groups or institutions to determine when, how and to what extent information about them is communicated to others5. What we learn here is that privacy is considered as the claim to determine or in other words, the request to decide what information is disclosed. We are talking about a proactive action from the individuals, groups or institutions regarding their private information. Now let us look at what Wikipedia says about privacy. Privacy is the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively.6 This is a contemporary denition of the subject referring to the ability to seclude oneself or facts about oneself. The distinction to Westins statement is in the way we treat information disclosure, we do not only want to control it, but to clearly keep it partially away from other people. In our opinion this shows a shift in perception on privacy. Now let us look at a last one to see if we can learn something more on the topic. Privacy International, the leading NGO in the eld of privacy and data protection, denes it more directly as: Privacy is the right to control who knows what about you, and under what conditions....7 What should grab our attention here is the notion of context - under what conditions. Besides the right for information control, the conditions under which they are disclosed are highlighted. Interpreting this, we could say that the context in which information is disclosed has a relevance and this is an addition to the earlier denitions. Without going further into denition analysis, we should now be able to grasp the dominant notions behind privacy - selective and contextual information disclosure hence personal and private data. So far, one question has not been answered: is privacy a right? In fact there is not a right to privacy in the legal sense of the word 8, but it is a human value that can be protected through specic laws such as the law of data protection for example. Going a little deeper
5 6

Westin AF, Privacy and Freedom New York: Atheneum, 1967, page 7 http://en.wikipedia.org/wiki/Privacy 7 https://www.privacyinternational.org/ 8 http://www.privacilla.org/fundamentals/privacyright.html

2012 | Marc Lounis - www.lounis.ch | Virtual Companies Legal Environment !

IE Business School, MDMK2013

here, we should mention that the UN Declaration of Human Rights9 grants every human the right to privacy protection yet its recognition by law may vary between countries. For example, in the United States, the Supreme Court has legally recognized the right to privacy as a fundamental right despite the fact it is not explicitly stated in the Constitution. In Switzerland on the other hand, the right to privacy is stated in the Constitution under article 1310.

... and What About Data Protection Law?

As mentioned before one of the way privacy can be safeguarded is through the law of data protection. On a european level, EU Commission has released Directive 95/46/EC about the processing of personal data by automated means in order to protect the rights and the freedom of citizens11. We would like to excerpt one point which we believe will help understand the issues with social networks. The point in question special categories of data processing says the following: it is forbidden to process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life. This provision comes with certain qualications concerning, for example, cases where processing is necessary to protect the vital interests of the data subject or for the purposes of preventive medicine and medical diagnosis...12 Is that not exactly the kind of information social networks are gathering about us? To a certain extent, it is. However, the information is actively shared by the users themselves. By now we should probably start to understand that with the rise of social medias, data protection law faces new challenges. Initially the law was designed to prevent all unauthorized or un-proportional use of private data by companies or the State, but nowadays, people themselves are sharing these details on their social network proles, thus making it accessible to a broader public. In Switzerland data protection law goes in the same direction and also denes sensitive personal data 13 . Moreover, the law states that all information gathering should be done in a lawful manner and that we have the right of information, meaning we can ask data controller about what is happening with our data. Additionally the law clearly mentions that we must always consent to the use of our personal information and in most cases we do by accepting terms and conditions.

The Universal Declaration of Human Rights - Article 12 Federal Constitution of the Swiss Confederation - http://www.admin.ch/ch/e/rs/1/101.en.pdf 11 http://europa.eu/legislation_summaries/information_society/data_protection/l14012_en.htm 12 http://europa.eu/legislation_summaries/information_society/data_protection/l14012_en.htm 13 http://www.dataprotection.eu/pmwiki/pmwiki.php?n=Main.CH
10

2012 | Marc Lounis - www.lounis.ch | Virtual Companies Legal Environment !

IE Business School, MDMK2013

But do you read them? An english study nd out that only 7%14 of online shoppers read terms and conditions. Another UK poll states that while most users are aware of terms and conditions and privacy statements on websites, one in four (24 per cent) say they never actually read them, with the same proportion saying they read them thoroughly15. Fundamental rights and applicable laws should protect us from unwanted information disclosure and gathering but with technological evolution new behavior have emerged and laws must catch up. People not necessarily share more information than before but the aggregation and spreading of information on social networks are changing the game and people are not always aware of what they are up to when clicking I Accept.

What Are the Privacy Issues Specic to Social Networks?

In the previous pages we saw that privacy is all about control of information disclosure and data protection, as well as collection and misuse of it. On social networking sites this becomes a central aspect because the user is in fact actively and deliberately sharing most of his personal details, hence giving up his privacy. The amount of information and content shared on social networks is growing steadily 16 and often users are not totally aware of the consequences this could bear. Social networks have allowed to gather an enormous amount of private data about ourselves, and part of it may be sensitive. We are not just talking about our names and addresses! We freely disclose details about our religious or political opinions, friends and family members, we share pictures and movies, we check-in every time we go somewhere, etc. These are exactly the topics the law of data protection is meant to protect. All these pieces of information taken separately are less revealing about us, but combining them together and put in a certain context gives a pretty accurate image of our lives and social behaviors indeed. The reality is that we usually explicitly give permission to social media sites to compile this information and use it, but we are not always aware of what that means. According to a PEW Internet research, users do not fully understand how their data is stored and used 17. Facebook for example uses this information to offer targeted adds. Google also offers targeted adds but they also use aggregated information to offer more relevant search results. For some, this collection and usage of information represents and ethical problem. We believe that as long as data is secure and not transmitted to third parties without our consent, it is acceptable in exchange for the benets we get from using social networking sites.

14 15

http://www.guardian.co.uk/money/2011/may/11/terms-conditions-small-print-big-problems http://media.ofcom.org.uk/2012/03/29/uk-adults-less-concerned-over-internet-despite-privacy-risks/ 16 And with mobile devices this is growing even faster - http://gopopcorn.ca/blog/wp-content/uploads/oneminuteinfographic.jpg 17 Pew Internet, Privacy Management on social media sites, p. 4

2012 | Marc Lounis - www.lounis.ch | Virtual Companies Legal Environment !

IE Business School, MDMK2013

So, what happens when information is handled over to third parties? In March last year Facebook created quite a stir in the US when they announced they would share details like addresses and phone numbers to third parties18 . The controversy was so big that they revised their decision. Nevertheless, we should know that in reality, they could have done it because they were in their right since, again, we have accepted it in the terms and conditions!

Are We Giving Up Privacy?

Although the majority of users dont read the terms and conditions we should also mention that in contradiction most social network users are concerned about privacy. 58% of people polled in the PEW Internet Research study say their prole is set to private. 19% have their prole set to partially private settings meaning friends of their friends can see it and only 20% have set their prole on public19 . The majority of people are denitely concerned about privacy. In general women are much more conservative in terms of privacy settings on Facebook. We might presume that younger users are less concerned about it, but this is not the case either. According the PEW: users of all ages are equally likely to choose a private, semi-private or public setting for their prole. There are no signicant variations across age groups users of all ages are20 . So why is this such a big issue? It seems everybody on social networking sites is aware of privacy and make the effort to protect it. The fact is that half of the social network user say they have faced difculties in managing their privacy settings21 and by default proles are public which requires an effort to make it private. In real life the opposite is trough. If you are having a conversation with a friend it is private by default until one of you decide to spread the information 22 . Still people do not entirely understand how data is stored and processed. It is important to highlight some of the issues that could arise due to social media usage. The International Working Group on Data Protection in Telecommunications released the so called Rome Memorandum a report and a guidance on privacy in social network23 . This document states the biggest concerns with regards to social networking sites, and offers clear recommendations to authorities, service providers and users. We took out some of the key elements bellow. Data may linger: Once data is published on the internet it may stay there forever even if the user deletes it from the original site.

18 19

http://techland.time.com/2011/03/01/once-again-facebook-will-share-personal-data-with-third-parties/ Pew Internet, Privacy Management on social media sites, p. 5 20 Pew Internet, Privacy Management on social media sites, p. 6 21 Pew Internet, Privacy Management on social media sites, p. 8 22 Jeff Jarvis, Public Parts, Simon & Schuster 2011 23 International Working Group on Data Protection in Telecommunications, Report and Guidance on Privacy in Social Network Services, Rome Memorandum, 43rd meeting, 3-4 March 2008, Rome (Italy)

2012 | Marc Lounis - www.lounis.ch | Virtual Companies Legal Environment !

IE Business School, MDMK2013

Notion of community: Online, friends are not necessarily the same as ofine, and users are not always aware as to which extend their personal data is shared. We feel secure because of the notion of community, but it is seldom the case. Free services: We must remember that if the service is free of charge, it is probably because we are the product that social networks sell to third parties like advertisers. Trafc data collection: Technically social networks are able to record every move we make and gather information like IP addresses, allowing them to locate users, or time and duration of the connection. Excessive and misuse of personal data: Thanks to face recognition software, pictures may become biometric identiers and depending on the privacy settings these can be accessible by unwanted sources due to a lack of protection against copying and saving of such kind of content. Remember that this information can also be accessible by recruiters. Identity thefts: This is a big concern according to the Working Group due to wide availability of personal information. This is one point we should be more concerned about. With informations like name, address, birth date, phone number or mothers maiden name it becomes easy to steal your identity 24. This is an non exhaustive list and social media users must be aware that there are other aspects like cyberstalking, cyberbullying, prole squatting and phishing to name a few, that represent a real danger online. These issues are the same in most countries. In Switzerland the FDPIC 25 issued an recommendation in regards to social networks, mentioning identical threats for social media users26 as in the Rome Memorandum.

So, What Should We Do to Protect Ourselves?

So far we learned what the different aspects that come in play when we talk about privacy on social medias are. Despite the fact that people are generally concerned by the protection of their personal data, it is not always clear how to protect it. Granted that social networks are not making it easier for us by constantly changing their settings and terms and conditions. Coming back to the report of the International Working Group on Data Protection and Telecommunication, regulators, service provides, and users must all take action in order to provide more privacy and security on social networks. We will summarize the key elements of the Recommendation. Regulators should re-think the legal framework to protect citizens and force social networks sites to notify all data breaches and to be completely transparent with the use of users data. The introduction of right to use pseudonyms should also be part of a regulatory frameworks according to the authors.
24 25

http://www.hufngtonpost.com/robert-siciliano/identity-theft-commited-u_b_243305.html The Federal Data Protection and Information Commissioner 26 http://www.edoeb.admin.ch/themen/00794/01124/01254/index.html?lang=fr

2012 | Marc Lounis - www.lounis.ch | Virtual Companies Legal Environment !

IE Business School, MDMK2013

Social networks should become more transparent toward users and have clear privacy policies. We believe that they should even question the validity of their terms and conditions in order to guarantee a better user experience. In addition social networking sites should be more transparent about how users can access, modify or delete personal data and even be transparent about their business model, hence creating a relationship based on trust. Privacy-friendly settings should be the norm and an improved control over data sharing means must be implemented through opt-out mechanisms. Last but not least, the users must be more careful when publishing personal data and bear in mind that what they publish could be seen by recruiters, identity thefts or stalkers. Taking the time to inform oneself about the social media service provider, privacy settings or the way personal data is treated becomes more important than ever. The use of different username and password also enhances the security. For more tips on how to tune up privacy settings on Facebook start with Facebooks Help Center and if you need more, Google it. There are dozens of top 10s and tips on how to do it.

What Is the Conclusion?

As asked in the beginning, are social networks a threat to privacy or is the notion of privacy changing we would answer that based on the learning from this document we cannot clearly say that social networks are a threat to privacy. The sharing and accumulation of personal data is made easier by these sites but to a certain extend privacy settings can prevent unwanted disclosure. However, concerning data transmission to third parties, the situation is blurred and social networks probably play with it. Remember we are the product they sell to marketers and they have an interest in knowing as much as possible about us to offer better targeted advertising. Has the notion of privacy changed? Certainly! The concept of privacy evolved over time and there is no reason why this would not happen now. Nevertheless, we can say that today users are aware of the privacy issues related to social networks. We could probably even say that users are more aware of privacy today than in the past but new means for gathering and spreading information have emerged, making it challenging again. Social networks are a great tool and offer amazing possibilities. If we take a moment to set up privacy settings and think twice before posting something we should be able to enjoy its benets and reduce the risks. Law will always be behind technological evolution and it is up to us, the users, to take care of our own privacy.

2012 | Marc Lounis - www.lounis.ch | Virtual Companies Legal Environment !