Sunday, August 02, 2009

The Economics of Privacy on Social Networks

Pangloss is pleased to see that Joseph Bonneau of the Cambridge Computer lab has now blogged the terrific work his team have done examining the uptake, marketing and impact of privacy tools provided by social networking sites.

Bonneau's team examined 45 sites, collecting over 250 data points about each sites’ privacy policies, privacy controls, data collection practices, and more. The results were fascinating, as presented at the WEIS conference in London. The full paper and complete dataset are available online as well.

For anyone who's ever wondered why the Facebook privacy tools are greyed out on the front page compared to the other menu items, there are revelations:

"The most interesting story we found though was how sites consistently hid any mention of privacy, until we visited the privacy policies where they provided paid privacy seals and strong reassurances about how important privacy is. We developed a novel economic explanation for this: sites appear to craft two different messages for two different populations. Most users care about privacy but don’t think about it in day-to-day life. Sites take care to avoid mentioning privacy to them, because even mentioning privacy positively will cause them to be more cautious about sharing data. This phenomenon is known as “privacy salience” and it makes sites tread very carefully around privacy, because users must be comfortable sharing data for the site to be fun. Instead of mentioning privacy, new users are shown a huge sample of other users posting fun pictures, which encourages them to share as well. For privacy fundamentalists who go looking for privacy by reading the privacy policy, though, it is important to drum up privacy re-assurance."


In other words, as long suspected, privacy is the enemy of the SNS business model and the sites are very well aware of this, despite being having to be seen to pay lip service to increasing numbers of well meaning codes of practice. Indeed the full paper found that SNS which actively marketed themselves as privacy-protective and hence attracted "privacy fundamentalists", tended simply not to do very well (assessed by longevity and growth of audience in the market). What incentive then to make privacy tools easy to see and use for consumers?

This study adds to the weight of evidence that self regulation and consumer education are not ultimately anything like a real solution to the current problems of voluntary and involuntary data disclosure on SNSs. Good to see real empirical evidence like this :)

Also worth noting for security scholars: the papers are in the main now available from Security and Human Behaviour 2009, the "new" conference (following on from the succes of WEIS) on security and how it is affected by psychological and social factors. Hoping to have time to digest these in thenext few weeks, especially as I've been asked to speak myself at the Cyber Conflict Law and Policy Conference at the Cooperative Cyber Defence Centre of Excellence (CCD COE) in Estonia in September. Should be fascinating :-)