The Privacy Jungle:On the Market for Data Protection in Social Networks

Conference paper


We have conducted the first thorough analysis of the market for privacy practices and policies in online social networks. From an evaluation of 45 social networking sites using 260 criteria we find that many popular assumptions regarding privacy and social networking need to be revisited when considering the entire ecosystem instead of only a handful of well-known sites. Contrary to the common perception of an oligopolistic market, we find evidence of vigorous competition for new users. Despite observing many poor security practices, there is evidence that social network providers are making efforts to implement privacy enhancing technologies with substantial diversity in the amount of privacy control offered. However, privacy is rarely used as a selling point, even then only as auxiliary, nondecisive feature. Sites also failed to promote their existing privacy controls within the site. We similarly found great diversity in the length and content of formal privacy policies, but found an opposite promotional trend: though almost all policies are not accessible to ordinary users due to obfuscating legal jargon, they conspicuously vaunt the sites’ privacy practices. We conclude that the market for privacy in social networks is dysfunctional in that there is significant variation in sites’ privacy controls, data collection requirements, and legal privacy policies, but this is not effectively conveyed to users. Our empirical findings motivate us to introduce the novel model of a privacy communication game, where the economically rational choice for a site operator is to make privacy control available to evade criticism from privacy fundamentalists, while hiding the privacy control interface and privacy policy to maximize sign-up numbers and encourage data sharing from the pragmatic majority of users.


Social Network Privacy Policy Privacy Practice Data Protection Social Networking Site 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Alexa: The Web Information Company (2009)Google Scholar
  2. 2.
    OnGuard Online. (2009)Google Scholar
  3. 3.
    OpenSocial Project. (2009)Google Scholar
  4. 4.
    Platform for Privacy Preferences (P3P) Project. (2009)Google Scholar
  5. 5.
    Ackerman, M.S.: Privacy in pervasive environments: next generation labeling protocols. Personal Ubiquitous Comput. 8(6), 430–439 (2004). DOI s00779-004-0305-8Google Scholar
  6. 6.
    Ackerman, M.S., Cranor, L.F., Reagle, J.: Privacy in e-commerce: examining user scenarios and privacy preferences. In: EC ’99: Proceedings of the 1st ACM conference on Electronic commerce, pp. 1–8. ACM, New York, NY, USA (1999). DOI 336992.336995Google Scholar
  7. 7.
    Acquisti, A.: Privacy in electronic commerce and the economics of immediate gratification. In: EC ’04: Proceedings of the 5th ACM conference on Electronic commerce, pp. 21–29. ACM, New York, NY, USA (2004). DOI Scholar
  8. 8.
    Acquisti, A., Gross, R.: Imagined Communities: Awareness, Information Sharing, and Privacy on the Facebook. In: Privacy Enhancing Technologies – LNCS 4258, pp. 36–58. Springer Berlin / Heildelberg (2006). DOI {10.1007/11957454_3}Google Scholar
  9. 9.
    Acquisti, A., Grossklags, J.: Privacy and rationality in individual decision making. IEEE Security and Privacy 3(1), 26–33 (2005). DOI Google Scholar
  10. 10.
    Anderson, J., Diaz, C., Bonneau, J., Stajano, F.: Privacy preserving social networking over untrusted networks. Second ACM SIGCOMM Workshop on Online Social Networks (2009)Google Scholar
  11. 11.
    Antón, A.I., Bertino, E., Li, N., Yu, T.: A roadmap for comprehensive online privacy policy management. Commun. ACM 50(7), 109–116 (2007). DOI 1272516.1272522Google Scholar
  12. 12.
    Arrington, M.: Elaborate Facebook Worm Spreading. TechCrunch (2008)Google Scholar
  13. 13.
    Arrington, M.: Phishing For Facebook. TechCrunch (2008)Google Scholar
  14. 14.
    Arrington, M.: Facebook Defends Its Turf, Sues TechCrunch (2009). eMarketerGoogle Scholar
  15. 15.
    Backstrom, L., Dwork, C., Kleinberg, J.: Wherefore Art Thou R3579x?: Anonymized Social networks, Hidden Patterns, and Structural Steganography. In: WWW ’07: Proceedings of the 16th international conference on World Wide Web, pp. 181–190. ACM, New York, NY, USA (2007). DOI Scholar
  16. 16.
    Bansal, G., Zahedi, F., Gefen, D.: The moderating influence of privacy concern on the efficacy of privacy assurance mechanisms fo building trust: A multiple context investigation. In: ICIS 2008: International Conference on Information Systems (2008)Google Scholar
  17. 17.
    Barroso, D., Barle, R., Chazerand, P., de Zwart, M., Doumen, J., Gorniak, S., Ka´zmierczak, M., Kaskenmaa, M., López, D.B., Martin, A., Naumann, I., Reynolds, R., Richardson, J., Rossow, C., Rywczyoska, A., Thumann, M.: Security and Privacy in Massively-Multiplayer Online Games and Social and Corporate Virtual Worlds. Tech. rep., ENISA - European Network and Information Security Agency (2008)Google Scholar
  18. 18.
    Belanger, F., Hiller, J.S., Smith, W.J.: Trustworthiness in electronic commerce: the role of privacy, security, and site attributes. The Journal of Strategic Information Systems 11(3-4), 245 – 270 (2002). DOI DOI:10.1016/S0963-8687(02)00018-5. URL 2/1b644a64d596b015dfdbcb4e32b881ceGoogle Scholar
  19. 19.
    Bennett, R.: Plea to ban employers trawling Facebook. The Times (2008). The TimesGoogle Scholar
  20. 20.
    Bonneau, Joseph: New Facebook Photo Hacks (2009). URL http://www. Scholar
  21. 21.
    Bonneau, Joseph and Anderson, Jonathan and Danezis, George: Prying data out of a social network. In: ASONAM 2009 : Advances in Social Networks Analysis and Mining (2009)Google Scholar
  22. 22.
    Bonneau, Joseph and Anderson, Jonathan and Stajano, Frank and Anderson, Ross: Eight Friends Are Enough: Social Graph Approximation via Public Listings. In: SNS ’09: Proceeding of the 2nd ACM Workshop on Social Network Systems (2009)Google Scholar
  23. 23.
    danah boyd: Why Youth (Heart) Social Network Sites: The Role of Networked Publics in Teenage Social Life. Youth, Identity, and Digital Media pp. 119–142 (2008)Google Scholar
  24. 24.
    Buchegger, S., Datta, A.: A case for P2P infrastructure for social networks - opportunities and challenges. In: Proceedings of WONS 2009, The Sixth International Conference on Wireless On-demand Network Systems and Services. Snowbird, Utah, USA (2009)Google Scholar
  25. 25.
    Chau, D.H., Pandit, S.,Wang, S., Faloutsos, C.: Parallel Crawling for Online Social Networks. In: WWW ’07: Proceedings of the 16th international conference on World Wide Web, pp. 1283–1284 (2007)Google Scholar
  26. 26.
    Cranor, Lorrie F., Joseph Reagle, andMark S. Ackerman: Beyond concern: Understanding net users’ attitudes about online privacy. Tech. Rep. TR 99.4.3, AT&T Labs (1999)Google Scholar
  27. 27.
    danah boyd and Nicole Ellison: Social Network Sites: Definition, History, and Scholarship. Journal of Computer-Mediated Communication (2007)Google Scholar
  28. 28.
    Danezis, G., Wittneben, B.: The Economics of Mass Surveillance and the Questionable Value of Anonymous Communications. WEIS:Workshop on the Economics of Information Security (2006)Google Scholar
  29. 29.
    Donath, J. and boyd, d.: Public displays of connection. BT Technology Journal 22(4), 71–82 (2004). DOI Scholar
  30. 30.
    Dwyer, C.: Digital relationships in the "myspace" generation: Results from a qualitative study. In: HICSS ’07: Proceedings of the 40th Annual Hawaii International Conference on System Sciences, p. 19. IEEE Computer Society, Washington, DC, USA (2007). DOI http://dx.doi. org/10.1109/HICSS.2007.176Google Scholar
  31. 31.
    Dwyer, C., Hiltz, S.R., Passerini, K.: Trust and privacy concern within social networking sites: A comparison of Facebook and MySpace. In: Proceedings of the Thirteenth Americas Conference on Information Systems (2007)Google Scholar
  32. 32.
    Edelman, B.: Adverse Selection in Online "Trust" Certifications. WEIS: Workshop on the Economics of Information Security (2006)Google Scholar
  33. 33.
    Egelman, S., Tsai, J., Cranor, L.F., Acquisti, A.: Timing is everything?: the effects of timing and placement of online privacy indicators. In: CHI ’09: Proceedings of the 27th international conference on Human factors in computing systems, pp. 319–328. ACM, New York, NY, USA (2009). DOI Scholar
  34. 34.
    Felt, A.: Defacing Facebook: A Security Case Study. (2007) Google Scholar
  35. 35.
    Felt, A., Evans, D.: Privacy Protection for Social Networking Platforms. Workshop on Web 2.0 Security and Privacy (2008)Google Scholar
  36. 36.
    Felt, A., Hooimeijer, P., Evans, D., Weimer, W.: Talking to strangers without taking their candy: isolating proxied content. In: SocialNets ’08: Proceedings of the 1st workshop on Social network systems, pp. 25–30. ACM, New York, NY, USA (2008). DOI http://doi.acm. org/10.1145/1435497.1435502Google Scholar
  37. 37.
    Finder, A.: For Some, Online Persona Undermines a Resume. The New York Times (2006)Google Scholar
  38. 38.
    Frankowski, Dan and Cosley, Dan and Sen, Shilad and Terveen, Loren and Riedl, John: You are what you say: privacy risks of public mentions. In: SIGIR ’06: Proceedings of the 29th annual international ACM SIGIR conference on Research and development in information retrieval, pp. 565–572. ACM, New York, NY, USA (2006). DOI 1148170.1148267Google Scholar
  39. 39.
    Frommer, D.: What a Nigerian Facebook Scam Looks Like. The Business Insider (2009). URL nigerian-scammers-still-roosting-on-facebookGoogle Scholar
  40. 40.
    Gideon, J., Cranor, L., Egelman, S., Acquisti, A.: Power strips, prophylactics, and privacy, oh my! In: SOUPS ’06: Proceedings of the second symposium on Usable privacy and security, pp. 133–144. ACM, New York, NY, USA (2006). DOI 1143137Google Scholar
  41. 41.
    Gjoka, M., Sirivianos, M., Markopoulou, A., Yang, X.: Poking facebook: characterization of osn applications. In:WOSP ’08: Proceedings of the first workshop on Online social networks, pp. 31–36. ACM, New York, NY, USA (2008). DOI 1397743Google Scholar
  42. 42.
    Govani, T., Pashley, H.: Student awareness of the privacy implications when using facebook (2005). URL Scholar
  43. 43.
    Guha, S., Tang, K., Francis, P.: NOYB: Privacy in Online Social Networks. In: Workshop on Online Social Networks – WOSN 2008, pp. 49 – 54 (2008)Google Scholar
  44. 44.
    Gürses, S., Rizk, R., Günther, O.: Privacy design in online social networks: Learning from privacy breaches and community feedback. In: ICIS 2008: Proceedings Twenty Ninth International Conference on Information Systems. ACM (2008)Google Scholar
  45. 45.
    Il-Horn Hann and Kai-Lung Hui and Tom S. Lee and I. P. L. Png: Online Information Privacy: Measuring the Cost-Benefit Trade-off. 23rd International Conference on Information Systems (2002)Google Scholar
  46. 46.
    Jagatic, T., Johnson, N., Jakobsoon, M., Menczer, F.: Social Phishing. Communications of the ACM 50(10), 94 (2007). DOI {10.1145/1290958.1290968}Google Scholar
  47. 47.
    Jessi Hempel: Is Facebook Losing Its Glow? Fortune Magazine (2009)Google Scholar
  48. 48.
    Jones, H., Soltren, J.H.: Facebook: Threats to privacy. (2005)Google Scholar
  49. 49.
    Jones, K.: Facebook Admits Sexual Assault Suspect Used Site. Information Week (2009)Google Scholar
  50. 50.
    Kelley, P.G., Bresee, J., Cranor, L.F., , Reeder, R.W.: A “nutrition label” for privacy. Symposium On Usable Privacy and Security (SOUPS) 2009 (2009)Google Scholar
  51. 51.
    Kincaid, Jason: Wakeup Call: Facebook Isn’t a Safe Haven. TechCrunch (2009)Google Scholar
  52. 52.
    Kolek, E., Saunders, D.: Online disclosure: An empirical examination of undergraduate facebook profiles. National Association of Student Personnel Administrators journal (2008)Google Scholar
  53. 53.
    Korolova, A., Motwani, R., Nabar, S.U., Xu, Y.: Link Privacy in Social Networks. In: CIKM ’08: Proceeding of the 17th ACMconference on Information and knowledge management, pp. 289–298 (2008)Google Scholar
  54. 54.
    Krishnamurthy, B.,Wills, C.E.: Characterizing Privacy in Online Social Networks. In:WOSN: Workshop on Online Social Networks, pp. 37 – 42 (2008)Google Scholar
  55. 55.
    Lampe, C.A., Ellison, N., Steinfield, C.: A familiar face(book): profile elements as signals in an online social network. In: CHI ’07: Proceedings of the SIGCHI conference on Human factors in computing systems, pp. 435–444. ACM, New York, NY, USA (2007). DOI http: // Scholar
  56. 56.
    Lindamood, J., Kantarcioglu, M.: Inferring Private Information Using Social Network Data. WOSN: Workshop on Online Social Networks (2008)Google Scholar
  57. 57.
    Lipford, H.R., Besmer, A., Watson, J.: Understanding Privacy Settings in Facebook with an Audience View. In: 1st Conference on Usability, Psychology, and Security. USENIX Association (2008)Google Scholar
  58. 58.
    Loewenstein, G.: Keynote Speech: Searching for Privacy in all theWrong Places: A behavioral economics perspective on individual concern for privacy. WEIS 07: The Seventh Workshop on the Economics of Information Security (2007)Google Scholar
  59. 59.
    Lookabaugha, T., Sicker, D.: Security and Lock-in. WEIS ’03: Proceedings of the Third Workshop on the Economics of Information Security (2003)Google Scholar
  60. 60.
    Lucas, M.M., Borisov, N.: FlyByNight: Mitigating the Privacy Risks of Social Networking. In: WPES 08 - Workshop on Privacy in the Electronic Society, p. 1 (2008). DOI {10.1145/ 1456403.1456405}Google Scholar
  61. 61.
    McCombs, M., Shaw, D.: The Agenda-Setting Function Of Mass Media. Public Opinion Quarterly 36(2), 176–187 (1972)Google Scholar
  62. 62.
    Milne, G., Culnan, M.: Information privacy: measuring individuals’ concerns about organizational practices. Journal of Interactive Marketing 18(3) (2004)Google Scholar
  63. 63.
    Mislove, A., Marcon, M., Gummadi, K.P., Druschel, P., Bhattacharjee, B.: Measurement and Analysis of Online Social Networks. In: IMC ’07: Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, pp. 29–42 (2007)Google Scholar
  64. 64.
    Nagaraja, S.: The economics of covert community detection and hiding. WEIS: Workshop on the Economics of Information Security (2008)Google Scholar
  65. 65.
    Narayanan, A., Shmatikov, V.: De-anonymizing social networks. 30th IEEE Symposium on Security & Privacy (2009)Google Scholar
  66. 66.
    O’Neill, N.: 10 Privacy Settings Every Facebook User Should Know. (2009)Google Scholar
  67. 67.
    Onwuasoanya, A., Skornyakov, M., Post, J.: Enhancing privacy on social networks by segregating different social spheres. Rutgers Governor’s School of Engineering and TechnologyResearch journal (2008)Google Scholar
  68. 68.
    Pilkington, E.: Blackmail claim stirs fears over Facebook. The Guardian (2007). The GuardianGoogle Scholar
  69. 69.
    Poindexter, J.C., Earp, J.B., Baumer, D.L.: An experimental economics approach toward quantifying online privacy choices. Information Systems Frontiers 8(5), 363–374 (2006). DOI Scholar
  70. 70.
    Preibusch, S.: Implementing privacy negotiations in e-commerce. Lecture Notes in Computer Science 3841, 604–615 (2006)Google Scholar
  71. 71.
    Preibusch, S., Beresford, A.R.: Privacy-preserving friendship relations for mobile social networking. W3C Workshop on the Future of Social Networking (2009). URL Privacy-Preserving-Friendship-Relations.pdfGoogle Scholar
  72. 72.
    Randall, D., Richards, V.: Facebook can ruin your life. And so can MySpace, Bebo... The Independent (2008). The IndependentGoogle Scholar
  73. 73.
    Reagle, J., Cranor, L.F.: The platform for privacy preferences. Commun. ACM 42(2), 48–55 (1999). DOI Scholar
  74. 74.
    Rosenblum, D.: What Anyone Can Know: The Privacy Risks of Social Networking Sites. IEEE Security & Privacy Magazine 5(3), 40 (2007). DOI {10.1109/MSP.2007.75}Google Scholar
  75. 75.
    Schmidt, T.S.: Inside the Backlash Against Facebook. Time Magazine (2006)Google Scholar
  76. 76.
    Shepherd, J., Shariatmadari, D.: Would-be students checked on Facebook. The Guardian (2008). The GuardianGoogle Scholar
  77. 77.
    Simpson, A.: On the need for user-defined fine-grained access control policies for social networking applications. In: SOSOC ’08: Proceedings of the workshop on Security in Opportunistic and SOCial networks, pp. 1–8. ACM, New York, NY, USA (2008). DOI 10. Scholar
  78. 78.
    Smith, H.J., Milberg, S.J.: Information privacy: measuring individuals’ concerns about organizational practices. MIS Q. 20(2), 167–196 (1996). DOI Scholar
  79. 79.
    Spiekermann, S., Grossklags, J., Berendt, B.: E-privacy in 2nd generation e-commerce: privacy preferences versus actual behavior. In: EC ’01: Proceedings of the 3rd ACM conference on Electronic Commerce, pp. 38–47. ACM, New York, NY, USA (2001). DOI Scholar
  80. 80.
    Story, L., Stone, B.: Facebook Retreats on Online Tracking. The New York Times (2007)Google Scholar
  81. 81.
    Swan, H.: Social networking across devices: opportunity and risk for the disabled and older community. W3C Workshop on the Future of Social Networking (2009)Google Scholar
  82. 82.
    Varian, H.R.: Economic aspects of personal privacy. Topics in Regulatory Economics and Policy (2002)Google Scholar
  83. 83.
    Vila, T., Greenstadt, R., Molnar, D.: Why We Can’t Be Bothered to Read Privacy Policies: Models of Privacy Economics as a Lemons Market. In: ICEC ’03: Proceedings of the 5th International Conference on Electronic commerce, pp. 403–407. ACM, New York, NY, USA (2003). DOI Scholar
  84. 84.
    W3C, Mobile Web Best Practices Working Group, Checker Task Force: W3C mobileOK Checker (2009). URL Scholar
  85. 85.
    Westlake, E.: Friend me if you facebook: Generation y and performative surveillance. TDR: The Drama Review 52(4), 21–40 (2008). DOI 10.1162/dram.2008.52.4.21. URL http: // Scholar
  86. 86.
    Wham, T.: Transcript of the FTC Workshop on Information Privacy: Measuring Individuals’ Concerns about Organizational Practices. infomktplace/transcript.htm (2001)Google Scholar
  87. 87.
    Whitten, A., Tygar, J.D.: Why Johnny can’t encrypt: A usability evaluation of PGP 5.0. In: 8th USENIX Security Symposium (1999)Google Scholar
  88. 88.
    Williamson, D.A.: Social Networking Ad Spending. eMarketer (2008). eMarketerGoogle Scholar
  89. 89.
    XING AG: Press release: XING AG increases revenues by 80 percent and continues to grow profitably (2009). URL press/press-releases/details/article/pm-de/7/3f79db5dea/?tx_ ttnews[pointer]=2Google Scholar
  90. 90.
    Xu, W., Zhou, X., Li, L.: Inferring Privacy Information via Social Relations. International Conference on Data Engineering (2008)Google Scholar
  91. 91.
    Zheleva, E., Getoor, L.: To Join or Not to Join: The Illusion of Privacy in Social Networks with Mixed Public and Private User Profiles. WWW: The International World Wide Web Conference (2009)Google Scholar
  92. 92.
    Zuckerberg, M., Schmidt, H.: Facebook CEO Mark Zuckerberg: Our focus is growth, not revenue. Frankfurter Allgemeine Zeitung / FAZ.NET (2008)Google Scholar

Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  1. 1.Computer LaboratoryUniversity of Cambridge  

Personalised recommendations