Presentation_Joyce_Chen

PRIVACY POLICIES & SOCIAL NETWORKING SERVICES
COMS E6125 Web-enHanced Information Management (WHIM)
Joyce Chen
[cjc2179]
March 29, 2011
We like staying connected to friends,
but we also like our privacy…
Census is government’s job!
Facebook is doing FBI and CIA’s jobs!
Online Privacy Bill of Rights
Why don’t we read privacy policies before joining a website?
…b/c they are too long?
Goals of the Study
• What are the main characteristics, similarities and
differences of major SNS providers’ privacy policies?
• What kind of information do major SNS providers
require users to provide in order to use their
services?
• Do major SNS providers take the initiative to inform
their users on potential risks involved with sharing
information and privacy rights in general?
• Do major SNS providers offer adequate overall
privacy protection to their users?
Five Websites as Case Studies
Methodology 1:
Accessibility and User-Friendliness (11 Criteria Used)
1. number of words
2. comparison to average privacy policy (based on the top 1,000 websites’ average length of privacy policies, which is 2,462 words)
3. amount of time it takes one to read (based on the assumption that an average person would read approximately 244 words/minute)
4. availability of direct link to its actual privacy policy from the index page
5. availability in languages other than English
6. availability of detailed explanation of privacy control/protection
7. availability of trust E-verification
8. availability of links to U.S. Department of Commerce’s “Safe Harbor Privacy Principles”
9. availability of contact information in case of questions
10. coverage of kids privacy
11. containing the clause that the SNS provider reserves the right to change the privacy policy at any time
Methodology 2:
Evaluation and Comparison of Content (5 Criteria Used)
1. allowance of an opt-out option
2. allowance of third party access to users’ information
3. discussion of the usage of cookie or tracking tools
4. explicit statement of what type of information they share
with third-parties
5. sharing of users’ location data
Methodology 3:
Comparison of Account Creation Process (3 Criteria Used)
1. number of fields required during the initial account
creation (i.e. on the index page)
2. details that are required for a user to create an account
on the index page
3. availability of explanation on required information
Methodology 1: Results
Evaluation and Comparison of Privacy Policies – Accessibility/User-Friendliness

| Criterion | Facebook | Foursquare | Google Buzz | LinkedIn | Twitter |
|---|---|---|---|---|---|
| Number of words | 5,860 words | 2,436 words | 1,094 words | 5,650 words | 1,287 words |
| Comparison to average privacy policy (based on 2,462 words) | Above average | Below average (but very close to the average) | Below average | Above average | Below average |
| Amount of time it takes one to read (based on an average person’s reading speed of 244 words/minute) | Approx. 24 minutes | Approx. 10 minutes | Approx. 5 minutes | Approx. 23 minutes | Approx. 5 minutes |
| Direct link to its actual privacy policy from the index page | No | Yes | Yes | Yes | Yes |
| Availability in languages other than English | Yes | Yes | Yes | Yes | Yes |
| Detailed explanation of privacy control/protection | Yes | Yes | Yes | No | No |
| Trust E-Verified | Yes | Yes | No | No | No |
| Linking to and/or mentioning U.S. Dept. of Commerce “Safe Harbor Privacy Principles” | Yes | Yes | Yes | No | No |
| Availability of contact information in case of questions | Yes | Yes | No | Yes | Yes |
| Coverage of kids privacy | Yes | Yes | No | Yes | Yes |
| Containing the clause that it reserves the right to change the privacy policy at any time | Yes, but users will be notified | Yes, but users will be notified | No | Yes, but users will be notified of material changes | Yes, but users will be notified of material changes |
Methodology 2: Results
Evaluation and Comparison of Privacy Policies – “Content”

| Criterion | Facebook | Foursquare | Google Buzz | LinkedIn | Twitter |
|---|---|---|---|---|---|
| Allowance of an opt-out option | Yes | Yes | Yes | Yes | Yes |
| Allowance of third-party access to users’ information | Yes/No, depending on a user’s sharing setting and the information shared | Yes | Yes | Yes | Yes |
| Discussion of the usage of cookie or tracking tools | Yes | Yes | Not specified; but Google states that it records users’ use of their products | Yes | Yes |
| Explicit statement of what type of information they share with third-parties | Yes | Yes | Yes | Yes | Yes |
| Sharing of users’ location data | Yes | Yes | Yes | Unclear; not mentioned in the Privacy Policy | Yes |
Methodology 3: Results
Evaluation and Comparison of Account Creation Process

| Criterion | Facebook | Foursquare | Google Buzz | LinkedIn | Twitter |
|---|---|---|---|---|---|
| Number of fields required during the initial account creation | 9 | 10 | Zero if you have a Gmail account | 4 | 6 |
| Details that are required for a user to create an account | First name, last name, email, password, gender, birthday | First name, last name, password, email, phone, location, gender, birthday, photo | None if you have a Gmail account | First name, last name, email, password | First name, username, password, email, “let others find me by my email,” “I want the inside scoop” |
| Availability of explanation on required information | Yes | Yes | Information on how Google Buzz works is available | No | Yes, actually includes the entire Terms of Service in a Text area box |
Conclusions
• While these five SNS providers do allow opt-out options for their services, many of them are preset to expose users’ information.
• Some of these SNS providers may allow third-party developers to access personal information, including location data (though some of it is not personally identifiable), if users do not take proactive action to disallow such access.
• SNS providers claim that such allowance enhances the online social networking experience because, as one shares more, he/she may discover others who share similar interests, personalities, backgrounds, locations, etc. To SNS providers’ own benefit, such sharing of information with third parties may increase their business revenue (improving ad clicks by showing ads that people are more likely to click).
• All five SNS providers utilize cookies and similar tracking tools both to enhance users’ experience with the websites and to record and store such information for the websites’ business benefit. Nevertheless, these five SNS providers do explain to their users explicitly the kind of information they share with third-party developers, make certain that kids under 13 (for LinkedIn it is 18) are not allowed to use their services or have to use the services under parental watch, and allow users to change the default settings.
• Almost all of them, except for Google Buzz, do state at the end of the policies that they reserve the right to change the policies at any time.
A Few More Findings…
• Most of the privacy policies are offered in more than one language to cater to different populations.
• Except for Google Buzz, contact information is provided in privacy policies in case of questions.
• Most policies do adhere to U.S. Department of Commerce’s “Safe Harbor Privacy Principles” and a couple of them are TrustE-verified.
• In terms of account creation processes, most of them require users to input the same information in order to create accounts. Foursquare, among the five, asks for the most information, including location and phone, since it is a mobile-based SNS.
• It is interesting to note that three out of five SNS providers’ privacy policies are below average in length (number of words) when the average is considered to be 2,462 words. This means that most of them can be read in under 10 minutes. While Facebook’s and LinkedIn’s privacy policies are above average in length, they can be read in around 20 minutes as well. Based on this, it is perhaps rather surprising that many SNS users do not make the effort to read them before signing up.
More Conclusions…
• Since this is only a five SNS provider case study, it is difficult to make general
statements about all SNS providers. However, it seems there is no connection
between website popularity and privacy policies’ length. Facebook, among the
five, probably has the largest number of registered and/or active users. At the
same time, it also has the longest privacy policy statement among the five and
offers the most interactions / activities / functions / APIs. Perhaps one can
make a general conclusion that the more functions / interactions a SNS provider
offers on its website, the longer its privacy policy becomes, since
it may need to set more guidelines regarding how it collects and shares
data and the default settings a user may adjust to protect his/her privacy rights.
• All in all, these five SNS providers do announce to their users in their privacy
policies that they collect and store data and may share with third party
developers. What is not clearly stated is exactly what information is collected
and shared.
• Furthermore, while the SNS providers do inform users how to adjust their
privacy settings in their accounts if he/she does not wish to share his/her
information, the default settings are set to expose users’ information. These
five privacy policies are informative but the adequacy of protecting a user’s
rights to his/her privacy is debatable.
Limitations of the Study
• This study is only based on five websites while there are many other SNS providers. Therefore, any conclusions and generalizations made are limited.
• The criteria used to evaluate the websites’ privacy policies are limited and they can certainly be expanded to acquire a deeper understanding.
• The criteria used to conduct the evaluation may not be completely fair since no two sites are identical.
• Some criteria used to examine the privacy policies and the account creation process are vague, difficult to define and subject to bias. For example, criteria such as the “detailed explanation of Privacy Control” or “explicit statement of what type of information a SNS provider shares with third-party developers” are rather difficult to determine. How detailed is comprehensive and how explicit is clear enough? Something that seems clear to one may appear to be ambiguous to another.
• Some websites’ privacy policies indicate that they may update the terms at any time and that changes may even take effect immediately. Therefore, this study may cover only one version of the privacy policy.