Hiding in Plain Site. An Ethical Analysis of Social Media Privacy Policies in Theory and in Practice

Table of Contents

Abstract

Introduction

Users vs Users

Data and Profit

Open Secrets

We Work For You

An Engine of Manipulation

An Open Model

Case Study: ‘Timothy Pilgrim vs The World’

Conclusion and Solutions

Abstract:

“Social Media has grown rapidly in both its proliferation and in its potential application. In the 1990s, chat sites like AOL and HTML blogs were the stars. Now, sites like Facebook, Twitter, Reddit, and Linkedin play an everyday part in billions of lives. The roles and functions of these sites often overlap in ways where many wouldn't find a difference, yet in the fine print and boardrooms motivations between companies can contrast like day and night. This paper aims to compare differing approaches to the handling of private individual’s data by some of the social media giants.”

Introduction

Humans are a social species with an innate need for community (Gray, 2015). The internet - and social media in particular - provides a seemingly perfect means of instantly broadcasting any opinion or piece of information with the world. In the beginning, social media was merely the sharing of personal stories, jokes and opinions on politics and entertainment but now users share such mundanities as “commute times and coffee temperatures” (Claypoole, 2015). This leads many to feel a sense of empowerment (Pierson, 2012). This empowerment escalates to social justice movements, up to the terrifying online lynch-mobs described in books such as Jon Ronson’s “So You’ve Been Publicly Shamed” (Ronson, 2015).

Online communication has grown rapidly in both its proliferation and in its potential application. In the 1990s, chat sites like AOL and HTML blogs were the stars. Now, sites like Facebook, Twitter, Reddit, and LinkedIn play an everyday part in billions of lives. The roles and functions of these sites often overlap in ways where many wouldn't find a difference, yet in the fine print and boardrooms motivations between companies can contrast like day and night. This paper aims to compare differing approaches to the handling of private individual’s data by some of the social media giants͘

Users vs Users

Social media can provide unethical individuals and groups a way of shaming or ‘doxing’ (the collecting and broadcasting of another’s private information, The Economist, 2014) those with whom they disagree͘ Beyond these issues, classmates can frequently ‘cyber-bully’ one another, burglars and identity-thieves can collect valuable info about their victim’s vacation schedule, health-records, income- level or loot potential (Claypoole, 2015) and careers may even change course due to employers finding disreputable content on their employee’s profiles͘ There are many cases where social media transgressions have inspired terminations of employees with perfect work records (Clark, 2010). In the U.S. this problem alone has led to over twenty states writing legislation to prevent employers from requesting disclosure of their employee’s private social media accounts and passwords (Steeves, 2015). In these ways and more, a person’s post history, photos or personal details can be used against them as direct ammunition.

Social media empires have the ability to raise ethical puzzles in a more indirect fashion, but with far more data and resources at their disposal. Sites can be quite helpful in recommending options when other users are abusive (Humanrightscommission.vic.gov.au, 2014), working closely with law enforcement and offering detailed reporting and flagging options. When the site itself is the problem however, options don’t extend far beyond complaining directly to the offending site or lodging a complaint with government departments such as the Office of the Australian Information Commissioner (Hogben, 2014).

Data and Profit

By using social media, individuals run the risk of being “portrayed as cattle generating money for platform owners” (Heyman et al., 2014). Craig Spiezle, the executive director of advocacy group Online Trust Alliance admits that the primary goal of social media corporations is to sell advertising (Acohido, 2011). The graph below shows recent and forecasted advertising revenue of the top earners, with Facebook taking ~65% of the market and a whopping $21.43 billion expected in the current financial year͘ Twitter’s awarded a distant second place by comparison͘(Source: eMarketer, 2015)

Open Secrets

What users say, when they say it, and to whom they say it is only the tiniest fraction of data held by sites like Facebook and Twitter͘ Twitter’s privacy policy (2015) makes is quite clear that any tweet a user pens is instantly shared with the world; “You are what you tweet.”. Twitter, like Facebook also record transaction and behavioural data including user likes, favourites, follows, public posts, public photos, what you buy, who from, when you bought it, and whether you clicked on a competitor's advertisement before the purchase or not. Facebook goes further, recording attributes -:

“...such as the operating system, hardware version, device settings, file and software names and types, battery and signal strength, and device identifiers (including specific geographic locations, ͙, the name of your mobile operator or ISP, browser type,..., mobile phone number and IP address)” (Facebook.com, 2015).

At what point does this data-mining go too far? When should Facebook’s sale of such swathes of information be considered simple greed? Is $23+ billion necessary to make “it possible to operate our companies and provide free services to people around the world” (Facebook.com, 2015)?

Oddly, this doesn’t seem to concern most users, as hinted by Facebook’s escalating usage and profits. Perhaps this is due to their apparent generosity in relation to the release of private information to third-parties and advertisers͘ Facebook does “not share information that personally identifies you.” (Facebook.com, 2011). While they proudly make such (government-mandated) statements, there have been multiple U.S. Federal Trade Commission cases charging breach of these policies (Claypoole, 2015). Even if Facebook were able to properly protect identifiable details like the names and emails of their users, the mosaic-like portrait building that becomes possible when all the other aforementioned data sources are combined can paint an even clearer picture of a user’s identity. A quick read of any social media privacy policy should persuade the average user that any benefits gained fail to outweigh their freedom lost (Rundhovde,2013).

In defence of these sites though, nothing is really ‘hidden’͘ It is all in there and publicly available͘ The policies aren’t too long or packed with jargon either͘ Facebook’s privacy policy is only about the length of a New York Times article (The Whip, 2013). This openness about data reach in a privacy policy might signify no ethical boundary being touched, but policies can be artfully written, with true intentions softened. If this is ever the case, the line has been crossed.

We Work For You

In the privacy policies of Twitter and Facebook there are several points of what could be construed as vague placation, and perhaps deliberate obfuscation. Leaving aside the billions of dollars in profits mentioned above, they seem determined to show that their main alliance isn’t with advertisers, but with their users. This is demonstrated in phrases like -:

“We want our advertising to be as relevant and interesting as the other information you find on our Services.”

“When we have location information, we use it to tailor our Services for you and others...” “We also use information we have to provide shortcuts and suggestions to you.” “We are passionate about creating engaging and customized experiences for people.”

Similarly, Twitter writes -:

“Our Services are primarily designed to help you share information with the world”.

“We collect and use your information below to provide our Services and to measure and improve them over time.”

Twitter’s privacy policy does at least clearly state “you should think carefully about what you are making public”. Facebook, while collecting far more user data than Twitter, omits any similar mention to the gravity of their harvest.

An Engine of Manipulation

Technological literacy is also a factor in questioning the ethics of social media corporations.

Several studies have looked at how a user’s computer literacy might impact their likeliness to go along with default privacy settings. One such study by Vrije Universiteit Brussel researchers asked a key question “what type of privacy is offered most and what kind of behaviour is encouraged by default settings?” (Heyman et al, 2014)͘ telling clue to a site’s transparency with regards to privacy settings is in the ease in which the privacy policy and settings can be located by an average user, what settings/options are offered - and what are omitted - particularly in default mode.

Social media sites, like casinos “built without sunlight or clocks so as to encourage your further play” (Claypoole, 2015) play an integral part in the data mining industry. Their architecture can be structured in such tantalizing and emotionally compelling ways as to be able to extract the highest possible amount of user input. This input is then sold to, and potentially abused by advertisers.

If a user is unaware of a privacy policy, or incapable of finding, understanding, or configuring overly-complicated privacy settings then they are far more likely to be exploited “...despite a desire to behave cautiously and responsibly online...” (Rundhovde, 2013).

An Open Model

Not all social media sites have such invasive and potentially misleading policies as Twitter and Facebook͘ Take these quotes from Reddit’s privacy policy (Reddit͘com, 2015) for example:

“We take protecting your privacy seriously.”

“Your Private Information Is Never for Sale.”

“Our goal in developing our privacy practices is to allow your participation to remain as anonymous as you choose.”

“Reddit Will Not Disclose Your Information Unless Required by Law.”

“We do not sell or otherwise give access to any information collected about our users to any third party.”

“...we will only share your personal data with your consent.”

Reddit’s open-source nature is not without its downsides...

“We do not have control over third parties that may collect and store data independently from reddit without our permission and without following our rules.”

A Case Study: ‘Timothy Pilgrim vs The World’

In 2012, Australian Privacy Commissioner Timothy Pilgrim was granted new powers to enforce data breaches by social media organisations (McDonald, 2012). In a Computerworld interview he stressed that social media sites have -:

“an obligation for organisations to be much clearer about how they are collecting information and what they are going to do about it...Often when we’re dealing with social media sites we do find that individuals don’t necessarily have the strongest privacy settings in place.”

In his 2011/2012 Official Annual Report Message Commissioner Pilgrim explained that-:

“I believe that peoples' sensitivities about the handling of their personal information are being heightened as they transact more online͙ it is also incumbent upon them to actively take on board, wherever possible, the issues raised by their customers and, in situations where they decide not to, to explain why.”

The legislative change does not solely target social media corporations. The commissioner mentions the United Kingdom’s News of the World scandal as another breach example (Pilgrim, 2012).

Privacy complaints rose by 11% in that year compared to 2011 before it. The commissioner wrote that the true figure is likely higher. Security specialists had led him to believe that there were many more breaches occurring than what had been reported to the OAIC (Office of the Australian Information Commissioner).

Changes made to the Privacy Act 1988 allow the OAIC to act without a complaint having been made, and provide the power to enforce penalties of “up to $340,000 for individuals or $1.7 million for companies” (Sendall, 2014). To a company like Facebook, how concerning is a fine which at its maximum is less than 1% of that year’s advertising income?

The OAIC is clearly acknowledging a need for individuals and companies to be more wary of the risks associated with data sharing online. The changes to legislation seem to be a step in the right direction, but only time will tell whether the penalties are severe enough to deter slippery data-miners and corporate giants.

Conclusion and Solutions

With an increasing prevalence of social media applications and user numbers, there will be an increased, parallel incentive for social media outlets. Despite many nations and organisations keeping a watchful eye on these sites, they are still letting them record anything they want about their users so long as they say so in their - mostly-unread - privacy policies (Morrison, 2015). If a legal protection doesn’t yet exist, individuals need to fight back, and precedents must be set.

Lawmakers have had to evolve their thinking to protect the privacy and rights of individual social media users and advocates must continue to raise public awareness of the encroachments of big data miners. Individuals also need to take some personal responsibility. This begins with being able to stay aware of the options available (how to delete accounts/posts, configure privacy/security/advertising settings, etc.); this ends with being able to say enough is enough, and - where the evidence is overwhelming - calling out greed for what it is.

Bibliography

ABC News,. (2010). Facebook admits privacy breach. Retrieved 12 November 2015, from http://www.abc.net.au/news/2010-10-19/facebook-admits-privacy-breach/2303858

Del Riego, A., Abril, P., & Levin, A. (2012). Your password or your paycheck? A job applicant's murky right to social media privacy. Journal Of Internet Law, Vol.16(3), p.1(10). Retrieved from http://web.b.ebscohost.com.ezproxy.lib.rmit.edu.au/ehost/pdfviewer/pdfviewer?sid=30438ee8-6221- 4c23-a52c-2f29b660f4ec%40sessionmgr113&vid=1&hid=109

Gallasch, R. (2011). Social media blurs lines of ethics and privacy. The Examiner. Retrieved 2 November 2015, from http://www.examiner.com.au/story/432725/social-media-blurs-lines-of-ethics-and-privacy/

Holdman, J. (2013). Lawmakers divided over social media privacy legislation. The Bismarck Tribune.

Retrieved 9 November 2015, from http://bismarcktribune.com/business/local/lawmakers-divided-over- social-media-privacy-legislation/article_0b6d0158-6a71-11e2-a724-0019bb2963f4.html

Hollinshead, L. (2013). Social-Media Privacy and Protection Laws. Empl. Rel. Today, 40(3), 73-82.http://dx.doi.org/10.1002/ert.21424

Lawstuff.org.au,. (2015). Lawstuff Australia - Know Your Rights - - Topics - Bullying - Cyber Bullying. Retrieved 10 November 2015, from http://www.lawstuff.org.au/qld_law/topics/bullying/cyber- bullying#wcy

Norman, D. (1988). The Psychology of Everyday Things. New York: Basic Books.

Otalliance.org,. (2015). About Us | Online Trust Alliance. Retrieved 4 November 2015, from https://otalliance.org/about-us

Yuan, E͘, Feng, M͘, & Danowski, J͘ (2013)͘ “Privacy” in Semantic Networks on Chinese Social Media: The Case of Sina Weibo. J Commun, 63(6), 1011-1031. http://dx.doi.org/10.1111/jcom.12058

References

Acohido, B. (2015). Social-media apps raise privacy concerns - USATODAY.com. USATODAY.COM.

Retrieved 1 November 2015, from http://usatoday30.usatoday.com/MONEY/usaedition/2011-07-06- social-media-tools_ST_U.htm

Clark, J. (2010). Social Media and Privacy. Air Medical Journal, 29(3), 104-107.http://dx.doi.org/10.1016/j.amj.2010.02.005

Claypoole, T. (2015). Privacy and Social Media | Business Law Section. Retrieved 9 November 2015, from http://www.americanbar.org/publications/blt/2014/01/03a_claypoole.html

Collins, A. (2015). Facebook sued over 'stolen' DC designs; PayPal to pay $10m for sanction violations; Optus reviewed after privacy breaches :: Articles :: Technology Decisions. Technologydecisions.com.au. Retrieved 12 November 2015, from http://www.technologydecisions.com.au/content/it- management/article/facebook-sued-over-39-stolen-39-dc-designs-paypal-to-pay-1-m-for-sanction- violations-optus-reviewed-after-privacy-breaches-1157883573

Emarketer.com,. (2015). Social Network Ad Revenues Accelerate Worldwide - eMarketer. Retrieved 1 November 2015, from http://www.emarketer.com/Article/Social-Network-Ad-Revenues-Accelerate- Worldwide/1013015

Facebook.com,. (2015). Data Policy. Retrieved 9 November 2015, from https://www.facebook.com/policy.php

Facebook.com,. (2015). Details on Social Reporting. Retrieved 6 November 2015, from https://www.facebook.com/notes/facebook-safety/details-on-social-reporting/196124227075034

Gray, P. (2015). Humans are Social Animals - Anthropology and Product Management. Aipmm.com.

Retrieved 8 November 2015, from http://www.aipmm.com/anthropology/2010/05/humans-are-social- animals-1.php

Heyman, R., De Wolf, R., & Pierson, J. (2014). Evaluating social media privacy settings for personal and advertising purposes. Info, 16(4), 18-32. http://dx.doi.org/10.1108/info-01-2014-0004

Hogben, U. (2014). Privacy Breaches: What are your rights? Does the law need reform? - Startup Daily. Startup Daily. Retrieved 9 November 2015, from http://www.startupdaily.net/2014/09/privacy- breaches-rights-law-need-reform/

Humanrightscommission.vic.gov.au,. (2014). Facebook joins Victoria’s fight against cyberbullying - Victorian Equal Opportunity and Human Rights Commission. Retrieved 5 November 2015, from http://www.humanrightscommission.vic.gov.au/index.php/news-and-events/commission- news/item/992-facebook-joins-victoria%E2%80%99s-fight-against-cyberbullying

McDonald, S. (2012). Social media sites could face court for Privacy Act breaches. Computerworld. Retrieved 8 November 2015, from http://www.computerworld.com.au/article/423350/social_media_sites_could_face_court_privacy_act_ breaches/

Morrison, K. (2015). Survey: Many Users Never Read Social Networking Terms of Service Agreements. Adweek.com. Retrieved 13 November 2015, from http://www.adweek.com/socialtimes/survey-many- users-never-read-social-networking-terms-of-service-agreements/620843

Pierson, J. (2012). Online privacy in social media: A conceptual exploration of empowerment and vulnerability. Communications & Strategies, (88), 99-120. Retrieved from http://search.proquest.com/docview/1239436784?accountid=13552

Pilgrim, T. (2012). Message from the Privacy Commissioner, Timothy Pilgrim| Office of the Australian Information Commissioner - OAIC. Oaic.gov.au. Retrieved 12 November 2015, from https://www.oaic.gov.au/about-us/corporate-information/annual-reports/oaic-annual-report- 201112/message-from-the-privacy-commissioner-timothy-pilgrim

Reddit.com,. (2015). reddit.com: privacy policy. Retrieved 9 November 2015, from https://www.reddit.com/help/privacypolicy

Ronson, J. (2015). So you've been publicly shamed. Riverhead Books.

Rundhovde, H. (2013). I am not that interesting. Social media, privacy literacy, and the interplay between knowledge and experience. The University Of Bergen. Retrieved from https://bora.uib.no/handle/1956/8582

Sendall, C. (2014). Australia's new privacy laws take effect: the OAIC releases draft privacy regulatory action policy - Data Protection - Australia. Mondaq.com. Retrieved 5 November 2015, from http://www.mondaq.com/australia/x/302106/Data+Protection+Privacy/Australias+new+privacy+laws+t ake+effect+the+OAIC+releases+draft+privacy+regulatory+action+policy

Steeves, R. (2015). Privacy and ethics in social media investigations. Inside Counsel.Breaking News, Retrieved from http://search.proquest.com/docview/1728237681?accountid=13552

The Economist,. (2014). What doxxing is, and why it matters. Retrieved 1 November 2015, from http://www.economist.com/blogs/economist-explains/2014/03/economist-explains-9

Twitter.com,. (2015). Privacy Policy | Twitter. Retrieved 9 November 2015, from https://twitter.com/privacy?lang=en

The Whip,. (2013). What's The Average Word Count of Viral Stories?. Retrieved 6 November 2015, from http://blog.newswhip.com/index.php/2013/12/article-length