THE IMPACT OF SOCIAL NETWORKS ON USER PRIVACY

What Social Networks Really Learn about their Users!

Steffen Ortmann and Peter Langend¨orfer

IHP, Im Technologiepark 25, D-15236 Frankfurt (Oder), Germany

Keywords:

Social networks, Privacy, Web 2.0.

Abstract:

Millions of users voluntarily release private and business data at community platforms without considering po-

tential impacts on their real lives that may come along with that. Being used for personalized advertisement or

proﬁling, user data are of utmost importance for economic success of the platform. Hence, platform providers

exploit all promising options to gather data while privacy seems partially to be a pain for them. Beside data

voluntarily released by the user, there are techniques and methods to secretly gather more user data, e.g., by

proper fusion of miscellaneous information such as analysis of websites visited or social games played. In

this article we investigate obvious as well as concealed data gathering options of platform providers. By that

we uncover the true detailedness of user data collected by social networks to document our key message, i.e.,

social networks know EVERYTHING about their users. Finally, we discuss why existing privacy protecting

solutions cannot stand up with the threats and risks resulting from easygoing use of social networks.

1 INTRODUCTION

Not only since Facebook

, online social network-

ing is an ever-growing market where the big play-

ers already earn several million dollars per year. On-

line networks are part of the so-called “Web 2.0” pro-

viding ease of use for online information-, identity-

and relation-management (Schmidt, 2006). Instead

of pure information retrieval, the users generate and

administrate online content on a platform provided.

The platform mainly handles the necessary techni-

cal and organisational challenges. Social networks

are a special type of those platforms supporting peo-

ple with features for online interaction. Therefore the

user establishes a mostly self-designed proﬁle reﬂect-

ing her/his online identity. Based on that, the user

connects to other user proﬁles. Finally, the social net-

work builds a graph, usually called “social graph”,

where user proﬁles represent the nodes and links rep-

resent the edges respectively (Wasserman and Faust,

1994). The main functionalities of social networks

are based on this graph, e.g., search engine and mes-

sage services. According to a representative online

survey, 63% of Internet users in Germany are already

members of at least one social community (Rother,

2010). Within the group of 18 to 29 years old peo-

ple, more than 90% are members of social commu-

nities. Nearly half of the users with proﬁles in Face-

book, which in total maintains more than 500 million

active proﬁles, login to the community almost every

day. Anyway, communities still register an increasing

number of users and community logins.

Private user data are of important value for com-

munity owners since they can be used (or sold re-

spectively) for advertisement or even for better and

highly proﬁtable, personalised advertisement. The

latter seems to provide market sizes of several bil-

lion dollars per year and hence, is of enormous in-

terest for platform providers. Only a huge number of

users and a maximum of personal user data assure at-

tractiveness and economical success of the platform.

Consequently, priority objective of platform providers

is collecting as much user data as possible. There-

fore platform providers exploit all promising options

to gather data while privacy seems partially to be a

pain for them.

Due to the rise of social networks large parts of

human life and social interactions migrated into the

Internet. Promoted by network providers and missing

awareness for Internet-media, especially young users

tend to reveal nearly their complete real life in a vir-

tual community. Hence, a vast amount of private and

business data has been put into and stored in these

networks. Millions of users voluntarily release pri-

Ortmann S. and Langendörfer P..

THE IMPACT OF SOCIAL NETWORKS ON USER PRIVACY - What Social Networks Really Learn about their Users!.

DOI: 10.5220/0003402200210026

In Proceedings of the 7th International Conference on Web Information Systems and Technologies (WEBIST-2011), pages 21-26

ISBN: 978-989-8425-51-5

 2011 SCITEPRESS (Science and Technology Publications, Lda.)

vate and business data without considering potential

impacts on their real life that may come along with

that. Platforms of course get aware of private data

and social contacts explicitly given by the user. How-

ever, most users cannot even imagine how much pri-

vate, social and technical data they produce by mere

usage. Besides data explicitly given by the user, plat-

forms are able to gather information that is not explic-

itly given but can be inferred from user behaviour or

context. Even worse is the fact, that adverse infor-

mation may also be published and linked by commu-

nity contacts. There exist practical methods to kindly

“force” users into betrayal of other community mem-

bers they know. Thereby privacy of community mem-

bers may be breached without being noticed by the

affected user. However, we consider such behaviour

contradicting to laws or privacy ethics at least.

Beside own experimental results, we have anal-

ysed the state-of-the-art and media reports concerning

privacy issues, general terms and conditions as well

as the ofﬁcial privacy policies of the big players in the

market, e.g., of Facebook (Facebook, 2010a; Face-

book, 2010b). In this article we list in detail the user

data that are accessible by mere platform usage. We

further focus on discovering methods secretly gath-

ering more information about community members

than those to which users explicitly acknowledged to

be collected. By that we show the detailedness of user

proﬁles, very often reﬂecting real life data, captured

by the social network. Based on that we present ex-

isting privacy protecting technologies and discuss the

reasons why these cannot bear up the privacy threats

posed by social networks. Finally we conclude with

identifying important aspects for further research and

discuss potential provisions for privacy aware usage

of social communities.

2 NO ROOM FOR PRIVACY?

Within the context of data gathering, people worried

about privacy often are confronted with the slogan

“I’ve got nothing to hide” (Solove, 2007). Even if this

is true considering laws, it does not mean private data

may be public in any case. Since privacy is your right

(Warren and Brandeis, 1890) to self-determine when,

how and to what extent information about yourself

is communicated to others (Kuhlen, 1999; Westin,

1967), you should be in almost full control of your

information. As in real life, private data must also

be protected in online communities! Unfortunately,

privacy protection mechanisms provided by the so-

cial networks feature signiﬁcant drawbacks. These ei-

ther provide too little options for securing any private

data or are too complex with respect to usability or do

not allow for ﬁne-grained privacy settings. Pseudony-

mous usage of communities is also unpopular or not

permitted by platform providers.

But privacyismore than just control of data. Good

privacy practise starts with fair information about

kind and purpose of data collected. The latter is the

crux of the matter. While general terms and condi-

tions provide more or less full descriptions of what

data is collected, the purpose usually is not given.

Likewise, informative value of data collected as well

as inferences of those is difﬁcult to understand for the

standard user. Most users do not even approximately

know the mass of information they provide. In the fol-

lowing we uncover the true detailedness of user data

collected by social networks. Beside obviously gath-

ered data voluntarily released by the user we thereby

focus on the data gathered alongside usage as well as

“methods” of concealed data acquisition. By that we

document our simple (and scary) key message, i.e.,

social networks know everything about their users.

2.1 Who is the User?

Usually creating a user proﬁle in a social commu-

nity starts with giving basic data, such as name, birth-

date, gender, language, address and photo. This is not

much information but of course, this is enough data to

determine where you live, to guess your social state

because of your residential area, to search for your

number in public telephone registers and to look at

your house using free online street maps for example.

Also uploading a user photo, which is highly recom-

mended by all communities, allows to use face recog-

nition systems, e.g., as freely available in Google’s

Picasa

, to search for other available data about the

person depicted. If such technique is combined with

mobile devices, everybody may obtain detailed data,

in our case the user proﬁle, about any unknown per-

son just by taking a picture in public.

Data given by the user allows also getting a more

individualised idea about the person behind the user

proﬁle. Hence, that data is even more valuable in

view of advertising. Usually, the user may disclose

status of relationship, political interests, hobbies and

favourites. Of great value are user interests, hobbies

and memberships in clubs. Marketing and selling

companies invest lots of money to acquire knowledge

about people’s favourites in music, movies and books.

The social network provider gets this information al-

most for free. Since such information is not always

given within the user proﬁle, there also exist commu-

nity games asking for personal favourites to ﬁnd other

users in the community with same or similar interests.

WEBIST 2011 - 7th International Conference on Web Information Systems and Technologies

Likewise community applications may ask to evalu-

ate certain product or fashion. By that, the user is

unconsciously quizzed about interests, opinions and

personal taste.

2.2 Who does the User Know?

Data voluntarily released by the user is just the be-

ginning of invasion of privacy. Contacts within the

network best reﬂect a user. First, contacts are people

that a user probably knows. Second, the platform ex-

actly registers the contacts visited, the photos watched

and messages sent to contacts. Here, exactly means to

determine in detail how many messages a user writes

to whom at what time. Even if usually prohibited by

law, it is technically possible to access the content of

the message, too.

Further, the platform registers how often and how

long some activity has been carried out, e.g., how of-

ten a user visits which contact or how much time the

user spends in reading articles or watching photos of

certain user. Finally, the usage of “poke” options, a

kind of digital greeting in Facebook, may reveal close

relation- or partnership between users. By that, dif-

ferentiating contacts between friends, family and ac-

quaintances becomes possible. Obviously, there are

simpler opportunities to gather this information be-

cause platforms also allow users to sort contacts into

certain lists holding all friends, family members, etc.

2.3 What does the User Do?

Inference of comprehensive personalised proﬁles

from data explicitly given by the user is less than

the half of all data gathered. All platforms automat-

ically generate very detailed usage analysis data by

maintaining log ﬁles for each user. Log ﬁles contain

product information about the browser used, IP ad-

dress, date and time of access, amount of data trans-

ferred as well as referrer and target URLs. In other

words, the platform registers how often and how long

certain user accesses the platform. Determining re-

ferrer and target URLs enables also collection of in-

formation about external websites and services used.

Logging of IP addresses and browser information al-

lows identifying the accessing device or user. Since

cookies are used to locally store encrypted creden-

tials, it can be further determined, whether other users

known to the platform frequently enter the network

from the same device, too. Such pair or group of

persons may be family members or live in any rela-

tionship to each other. Moreover, recorded data can

be analysed and give semantics beyond pure techni-

cal information. Platforms exactly know what their

users are doing online. They are also aware of how

long and how often a user plays social games or uses

certain offers. Sometimes the platforms cannot regis-

ter what users are doing in third party offers. For that

case, third parties usually have to conﬁrm delivery of

usage analyses at least. Platforms recognise the time

a user is online, no matter whether it is in the morn-

ing, in the evening or at night. In general, everything

the users do online is recognised by the platforms just

as if somebody is directly observing the users. It does

not matter who, where or when - the platforms always

track what their users are doing.

2.4 Where is the User?

When a mobile device is used to access the network,

the platforms are also permitted to identify the mobile

device, the mobile service provider and yet actual po-

sition data, e.g., derived from an internal GPS mod-

ule. This enables to track the user anywhere at any-

time. Since it is a signiﬁcant intrusion into privacy,

automatic determination and publication of location

data when using mobile devices is disputable. In ad-

dition, Facebook offers a relatively new service called

Facebook Places. Facebook Places enables users to

publish in real time where they actually are and hence,

Facebook also gets to know the location data of users.

This is of less concern if publication of location data

is in the hand of the user. Unfortunately, this service

allows publishing location data of other users, too.

However, meanwhile Facebook has learnt about their

user privacy requirements and allows prohibiting pub-

lication of location data by other users. Certainly, the

user has to explicitly restrict such publications in the

privacy settings, because these allow friends to pub-

lish location data by default.

2.5 What does the User Think?

Finally, social networks even know what their users

think! They know results from polls and votes, log

user-written comments and store twitter messages and

blogs as well. They register the content and the kind

of advertisements a user responds to. Last but not

least, the platform providers get to know how con-

cerned users are about their privacy. Providers learn

whether a user apparently reads the general terms

and conditions or just clicked the accept button. Of

course, the platform provider exactly knows the pri-

vacy settings of a user as well as how often and for

which purpose the user changes the settings. Thereby

the provider learns consumer acceptance in detail and

hence, can well estimate acceptance of platform en-

hancements or new data gathering methods.

THE IMPACT OF SOCIAL NETWORKS ON USER PRIVACY - What Social Networks Really Learn about their Users!

2.6 What do other Users Think about

the User?

During our research we found an interesting and like-

wise scary approach to gather more “user data”. So-

cial networks usually providethird party offers, which

predominantly are games or fun applications, called

apps. Every user should be aware of the fact that apps

are provided for no other reason than to make money

or gather user data or both. Apps basically are free

but allow collecting side data produced by their usage

as well. Beside others, apps of mainly two types put

a user’s privacy at risk, i.e., apps sharing personal in-

terests between users as already mentioned and apps

asking for data and opinions about other users. Es-

pecially the latter type of apps partially signiﬁcantly

invades into user privacy by snifﬁng out other users.

As an example, we found the app “My friends 1.0” in

the German social network StudiVZ

. This app asks

users for personal opinions about contacts. While

testing this app, we were asked questions such as “Do

you believe Henry has enough sex?” or “Do you think

Henry had been in jail anytime?” about a user named

Henry (name substituted).

These are simple questions but obviously nobody

would like respective answers be publicly available.

The really treacherous issue with this app is that users

are tricked into providing information about others by

gaining a certain amount of chips when entering this

data. This virtual currency can be used to buy an-

swers their “friends” have provided about the user in

the same app. So there is a kind of interest in getting

chips to learn what others think about you. Unfortu-

nately the app allows answering these questions even

if the other person is mostly unknown. This was the

case for Henry, who was a bogus person, but already

made new friends and for those Henry already could

answer those questions. Unfortunately, to the best of

our knowledge there exists no approach that may pro-

tect users from being sniffed out in such a way.

2.7 What does the User do Outside the

Network?

Despite the vast amount of user data collected within

a social network already, the world’s number one so-

cial network Facebook opens up methods to gather

user data from outside the network, too. Therefore

Facebook established the Like Button. It enables In-

ternet users to “like“ and thereby share web content

by just clicking a button. Consequently, the inhibition

threshold to share information that way is extremely

low. However, the idea behind the Like Button is as

great as scary. Integrating the Like Button, which is

hosted at Facebook, into some website Facebook re-

ceives information about every entity accessing the

website. This information contains the IP address, the

previously visited website (referrer-URL), timestamp,

browser id, etc. If the accessing person is logged onto

Facebook at the same time, the Like Button displays

other users who also liked this website and Facebook

gets the identity of the accessing user, too. Anyway,

Facebook receives all information mentioned whether

or not the accessing entity is a Facebook user. Hence,

there are still privacy risks since the accessing entity

may be identiﬁed by existing cookies, the IP address

or the browser used. In addition, the Facebook shar-

ing analyse tool, which can be used for free by every-

body, determines the number of likes of any website

implementing the Like Button.

Obviously, Internet users could also share infor-

mation and comments by email like they have done

before Facebook, but using the Like Buttons is much

easier and faster. The only difference is, that Face-

book now also knows, which Internet content some-

body consumed and what Internet users think about

a website or any other content inside and outside the

social network. With more than 500 million active

users and roughly two million websites said to im-

plement the Like Button, Facebook slowly but surely

registers a large part of the worldwide Internet usage.

As all roads lead to Rome in the real world, it ob-

viously seems possible that all clicks in the Internet

shall lead to Facebook in the future.

2.8 Collecting Data of Unregistered

Persons

Meanwhile social networks have started collecting

any data possible, even of persons who are not reg-

istered at the platform. Beside using the Like Buttons

for such purposes, contact importer tools offered by

the social networks are of prominent use. These tools

access contact data available in Microsoft Outlook, on

the iPhone or in MySpace to autonomously search

for platform users with respective data. By that,

these tools transfer any contact data like addresses and

phone numbers to the platforms even though affected

people are not registered users. Moreover, affected

people are neither informed about usage of their con-

tact information nor asked for permission to do so.

Here the respect for someone’s privacy is completely

at the responsibility of the user granting access to con-

tact data. It further is at least questionable whether

such application already contradicts the law. Even if

this approach is yet hard to understand, the user par-

tially has to provide the password required for access-

ing the email account. It seems almost incredible that

WEBIST 2011 - 7th International Conference on Web Information Systems and Technologies

people not even realise they are offering access to all

emails stored in the account, too.

3 NO TECHNICAL PRIVACY

PROTECTION AVAILABLE?

The phenomenon of social networks clearly indi-

cates that privacy enhancing technologies for Internet

use as researched in the past are becoming useless.

Encrypting data when communicating, or restricting

user data revealed when using Internet services does

not help if the data is voluntarily provided and ac-

cessible in social networks. Also techniques (Maaser

et al., 2008; Cranor et al., 2006) based on P3P and

APPEL, which allow to restrict information to be re-

vealed to service providers or at least to inform ser-

vice users about what data is collected and for which

purpose, are not the correct means to deal with the

privacy risks stemming from social networks. Even

though fair informationabout kind and amount of data

gathered would be a step into the right direction, our

experiences clearly show that as long as social net-

works have no additional gain or legal restriction, they

will restrict usage of privacy protecting technology to

a very minimum.

Since this is work in progress we currently evalu-

ate available as well as novel technical approaches for

privacy aware usage of social networks. Technolo-

gies which might enhance privacy protection within

social networks are distributed proﬁle management

as well as different strategies and tools enabling sys-

tems to conﬁgure several privacy proﬁles automati-

cally. Distributed proﬁle management as presented in

(Langend¨orfer et al., 2004) may get rid of the neces-

sity to have all user data centrally handled and stored

in the social network. Instead, the communicating de-

vice used to access the network may negotiate fair in-

formation exchangewith the platform. Likewise auto-

matic assurance of individual privacy proﬁles of sev-

eral users at the same time, as supposed for applica-

tion in pervasive environments(Ortmann et al., 2008),

may be a potential research domain. Obviously the

most difﬁcult part is to deal with the mass of users

a social networks usually have. As a start, grouping

users with similar privacy requirements may offer a

chance to restrict exchange of data between different

user groups as well as between groups and the social

network according to the privacy regulations set for

each group.

Of course, we are aware of the fact that even ad-

vanced privacy preserving technologies cannot pre-

vent from disclosure of private data by other Internet

users. In addition to researching novel technical so-

lutions, here we clearly consider the social network

provider and legislative organs to accept the respon-

sibility of protecting privacy of Internet users. There-

fore regulations forcing social network providers to

adhere to privacy ethics and rules, e.g., as deﬁned in

(International Working Group on Data Protection in

Telecommunications, 2008), must be declared. How-

ever, we strongly believe such privacy regulations to

be achievable by means of law only.

4 CONCLUSIONS

In current ongoing work we have investigated the

terms and conditions, the default privacy settings, as

well as the type of offered apps and the data ex-

change more or less enforced by social networking

platforms. Our research clearly shows that users of

social networks are left alone when it comes to pro-

tecting their privacy. To provide evidence of our key

message saying that social networks know everything

about their users, we have presented the true detailed-

ness of data gathered inside and outside of state of

the art social networks. Currently available privacy

protecting technologies, if applicable to social net-

works at all, clearly favour the platform providers, so

the users are more or less tied to the rules dictated

by providers. This is really unfair given the technical

skills and awareness of the standard Internet user and

the platform providers. However, what worries most

are three facts:

First, the big players in the social network mar-

ket, ﬁrst of all Facebook, have started several ap-

proaches to gather data of unregistered Internet

users as well, e.g., by hosting Like Buttons and

providing contact importer tools.

Second, social platform providers do not clearly

state privacy risks, especially about threats com-

ing from additional means to collect and infer in-

formation from data voluntarily provided by the

users.

Third, the amount of information, platform

providers can access directly and indirectly, can

only be guessed. Even though, we do not know

for sure for which purpose the platform providers

are using the user data.

The ultimate advice we can actually provide is,

think twice before revealing data, when in doubt do

not provide it. When asked for more data become

suspicious and even more careful, and never ever re-

veal data of friends, relatives, etc. Given our research

results we are sure that protecting privacy cannot be

solely achieved by technical solutions. We consider

THE IMPACT OF SOCIAL NETWORKS ON USER PRIVACY - What Social Networks Really Learn about their Users!

future privacy protection a multi disciplinary task. It

requires expertise in social sciences, jurisdiction and

computer science. We sketch what these disciplines

can contribute to better privacy.

Social Sciences. The attitude towards privacy is cur-

rently changing. People are less concerned about

providing their own data. Here social sciences can

contribute by again rising awareness of what people

might lose when providing data to others. To achieve

this goal, potential and real consequences of sloppy

privacy treatment need to be collected, summarised

and reported.

Jurisdiction. The legal setting of terms and condi-

tions should be analysed and new guidelines should

be generated, which indicate a stricter handling of

user data and are backing up the users’ rights. In ad-

dition clear deﬁnitions are required on how sessions

have to be protected. Finally, instead of mere guide-

lines for fair information practises, uniﬁed, standard-

ised legal conditions and privacy rules need to be es-

tablished across country borders.

Computer Science. Here two research directions

seem to be very promising with respect to better pri-

vacy. First it would be a signiﬁcant improvement if

users become aware of what information can be in-

ferred alongside usage or when revealing additional

data. A tool which goes in that direction has been

researched in (Ortmann et al., 2007). To generate the

required information data mining tools can be adapted

to provide the basic information. Then a tool for data

deduction out of the provided and retrieved data needs

to be developed. An open point here is whether plat-

form users will be able or allowed to access all data

required to do proper data retrieval and on top of that

to deduce of potentially revealed data when provid-

ing additional data. Second decentralising social net-

work platforms, as announced in the Diaspora project,

would for sure reduce privacy risks since no single

entity is in possession of all the user data. Conse-

quently, information inference from user data is much

more difﬁcult. For such purpose, we have patented an

approach enabling fair bilateral information exchange

that does not favour certain entity. Privacy of users

of Peer-2-Peer based services, as decentralised plat-

forms would provide, can signiﬁcantly gain from such

an approach. The open technical question is whether

or not such a distributed social network can provide

the service, platform users expect. The other ques-

tion is rather political or just business related. Would

existing platforms allow such a new system to grow?

REFERENCES

Cranor, L. F., Guduru, P., and Arjula, M. (2006). User inter-

faces for privacy agents. ACM Trans. Comput.-Hum.

Interact., 13:135178.

Facebook (Retrieved September 30, 2010a). Facebook Pri-

vacy Policy.

Facebook (Retrieved September 30, 2010b). Facebook

Terms and Conditions.

International Working Group on Data Protection in

Telecommunications (2008). Bericht und empfehlung

zum datenschutz in sozialen netzwerkdiensten - rom

memorandum. Technical report, Berliner Beauftragter

f¨ur Datenschutz und Informationsfreiheit.

Kuhlen, R. (1999). Die Konsequenzen von Informationsas-

sistenten. Suhrkamp.

Langend¨orfer, P., Maass, H., and Falck, T. (2004). Plas-

mads: Smart mobiles meet intelligent environments.

In Proc. 4th Workshop on Applications and Services

in Wireless Networks. IEEE Press.

Maaser, M., Ortmann, S., and Langend¨orfer, P. (2008). The

Privacy Advocate: Assertion of Privacy by Person-

alised Contracts. Books of selected papers from WE-

BIST conferences. LNBIP Springer.

Ortmann, S., Langend¨orfer, P., and Maaser, M. (2007). En-

hancing privacy by applying information ﬂow mod-

elling in pervasive systems. In OTM Workshops,

Vilamoura, Algarve, Portugal. International Work-

shop on Privacy in Pervasive Environments (PiPE07),

Springer LNCS.

Ortmann, S., Langend¨orfer, P., and Maaser, M. (2008).

Adapting pervasive systems to multi-user privacy re-

quirements. International Journal of Ad Hoc and

Ubiquitous Computing, Vol. 3(No. 1):8597.

Rother, P. (2010). Web 2.0 Communities:

Gesch¨aftsmodellanalyse und Erfolgsfaktoren.

BoDBooks on Demand.

Schmidt, J. (2006). Social Software. Onlinegest¨utztes

Informations-, Identit¨ats-und Beziehungsmanage-

ment. Forschungsjournal Neue Soziale Bewegungen,

19(2):3747.

Solove, D. J. (2007). Ive Got Nothing to Hide and Other

Misunderstandings of Privacy. San Diego Law Re-

view, 44:745.

Warren, S. and Brandeis, L. (1890). The right to privacy.

Harvard Law Review, pages 193220.

Wasserman, S. and Faust, K. (1994). Social network analy-

sis: Methods and applications. Cambridge University

Press.

Westin, A. F. (1967). Privacy and freedom. Atheneum, New

York.

WEBIST 2011 - 7th International Conference on Web Information Systems and Technologies