5th Internet, Law and Politics Conference (III). Data protection and Social Networking Sites

Notes from the 5th Internet, Law and Politics Conference: The Pros and Cons of Social Networking Sites, organized by the Open University of Catalonia, School of Law and Political Science, and held in Barcelona, Spain, on July 6th and 7th, 2009. More notes on this event: idp2009.

Data protection and Social Networking Sites
Chaired by Mònica Vilassau

Spain has circa 8,000,000 SNS users that usually set by default the lowest levels of data protection. It’s difficult to find out who’s the owner of data and who’s reliable of data protection. And it’s usual to find use of third parties’ data not only without their consent but without their knowledge.

Esther Mitjans, Director, Catalan Data Protection Agency

Embedded video at http://ictlogy.net/?p=2399

There’s an urgent need to raise awareness about the privacy risks of using social networking sites and being on the Net.

Parents letting their kids freely browse SNS is like letting them go outside and play on the street unsupervised and unaware of some basic issues.

On the other hand, be have also to build confidence in the digital environment, and Law should have a role in trying to bring back (or build) confidence on the system.

There are shared risks where one’s actions have impact on third parties. What happens when data usage goes beyond the household or domestic arena? It’s known that increasingly SNS users use data for commercial purposes or, to say the least, not for strictly personal reasons.

But who’s liable for data protection infringement in SNS? If there’s been a data mining process for commercial uses, liability is easy to track back. But if the origin is a misuse coming from a particular individual, liability becomes not that easy to stablish.

SNS management is an approach to risk management. We should minimize risks for those acting legally, while prosecuting those who act illegally.

Pablo Pérez San-José, Gerente del Observatorio de la Seguridad de la Información Instituto Nacional de Tecnologías de la Comunicación (INTECO)

Embedded video at http://ictlogy.net/?p=2399

The Observatorio de la Seguridad de la Información [Observatory for the Information Security] is aimed towards monitoring and promoting policies for the security of data and information.

Hugh success of SNS at the kids and youngsters level. 43% kids using Tuenti, 80% using YouTube. Attractive because of the online-offline combination.

Three main key points concerning security hazards in SNSs:

  • Creation of profile: terms of service not clear. TOS should be written in plain English. Quite often, users are asked to fill in lots of data that are legally very sensible. Even if these data are not compulsory, they appear on the sign up form and people normally fill them in. User age verification should be more effective (in Spain, you need parental consent to share data if you’re under 14 y.o.). Default privacy settings are very low, allowing maximum visibility.
  • Participation in the SNS: excessive personal information made public on your profile. Non-authorized indexation by search engines. Installation and generic usage of cookies without the user’s knowledge. Reception of hipercontextualized advertising. Giving away intellectual property rights. Malware, phishing, pharming, etc. that use the information available on SNSs to customize to a higher degree attacks to other users. Spam based on false profiles. Sensitive and inappropriate content for minors. Cyberbulling, grooming.
  • Signing off: impossibility to completely and definitely erase your profile. Information that remains on third parties’ profiles.


  • Be proactive following the law
  • Better age verification
  • Appropriate content (depending on environment and target) and well tagged
  • Awareness raising
  • Fostering secure environments, good practices, and a harmonized international law, while enabling the enforcement of law

Facebook and risks to de-contextualization of personal information
Franck Dumortier, Researcher, Centre de recherches informatique et droit (FUNDP-CRID)

Embedded video at http://ictlogy.net/?p=2399

Facebook’s model is based on the presentation of the users’ profiles, the visualization of the network of relation to others, and, most important, use real-world identification signs, including real names and real places.

When is there de-contextualization?

  • Behaviours and information used in another context from that for which they were intended
  • Violation of contextual norms of appropriateness or distribution

While on the real world anyone more distant than the friend of a friend is a stranger, on Facebook anyone you don’t actively hate is a friend. This enables wider dissemination of sensitive and decontextualized content. The driver being the presence of a visible network, tagging, pressure to join the network, etc.

Privacy is a human right, and is normally treated as a data-subject. But he is also a contextual-human, so privacy should also be seen as a right to contextual integrity, and as a right to self-emancipation from one’s own context.

Facebook as a Foucault’s heterotopia: a place that includes all other places, including its relationships.

In this sense, dealing with the “data subject” (identifying someone by reference to one or more factors specific to one aspect of his identity) is a partial approach, and the right to protect data is the right provided to “dividuals” (as divided individuals, parts of individuals).

A prime effect of Facebook, as an heterotopical environment, is to artificially recompose individuals.

De-contextualization threatens data protection rights.


  • Define higher data-privacy compliant default settings
  • Raise awareness
  • Increasing liability of SNS operators is useless

Data protection in Google
Bárbara Navarro, European director of Institutional Relations of Google in Spain and Portugal.

Embedded video at http://ictlogy.net/?p=2399

Businesses are increasingly aware that data protection and privacy are important issues that need being addressed. There is a general claim that demands privacity on demand: I want to upload everything and then be able to manage my own privacy — and the SNS provider respect and protect it.

Some questions on Google and privacy: excessive data retention; Google Street View and Google Earth and their photos; contextual advertising: is it good or bad; cloud computing and jurisdiction; health records; etc.

In most cases, the user can opt-out (temporal or permanent) on specific aspects: ask the deletion of a photo, stop receiving contextualized advertising, etc. Google’s commitment is that the user is the owner of its own information and the things Google does with it.

Three axes of action:

  • Education
  • Collaboration
  • Regulation


Q: Should the government rank and publish what SNS is more data privacy compliant? A: The government should enforce the law but, as it happens with any kind of crime, most information cannot be made public.

James Grimmelmann: If we prohibit sites like Facebook, is there a threat from behaving as more integrated individuals? If it is our will not to be “dividuals”, is there a threat against us if we ban heterotopies like Facebook? Franck Dumortier: Constituting a unique space is wrong because contexts might not fit, because different dimensions of the self might not be overlapping.

Q: How is it that there’s that much content on YouTube from TV channels? Bárbara Navarro: normally it’s individuals who upload videos on YouTube and TV Channels the ones that have to ask for this content to be retired. On the other hand, Google has created a scanning device that can identify protected content and not permit it being uploaded. It is also true, nevertheless, that most channels have their own YouTube channel and they normally allow protected content to be uploaded by individuals as it provides publicity.

Q: Imagine a user that joins a SNS focusing on a specific disease or illness, he then recovers and wants to quit the network and erase all data. How to? Esther Mitjans: The user made an cost-benefit analysis before joining and decided that it was worth joining the network, we should not forget about this. Notwithstanding, they should be following the requisites of the SNS to delete all their traces.

More Information


5th Internet, Law and Politics Conference (2009)

e-STAS 2009 (IV). Round Table: Luis Millán Vázquez, Bárbara Navarro, Fernando Bothelo & Martin Alee Konzett

Notes from Simposium de las Tecnologías para la Acción Social (e-STAS: Symposium on Technologies for Social Action) held in Málaga, Spain, on March 26-27th, 2009. More notes on this event: estas2009. More notes on this series of events: e-stas.

Round Table, conducted by Idelfonso Mayorgas

Martín Alee Konzett, ICT4D.at

ICT4D are enablers of empowerment and, most important, enablers of self-empowerment. We have to work towards a decentralized empowerment.

Bárbara Navarro, Google.es

ICTs have brought us (a) lots of information and (b) a voice to communicate.

Luis Millán Vázquez, FUNDECYT and expert at UN-GAID

We need to develop tools for the imagination, the Imagination Society. Most times, the problem is not doing things, but imagining them, thinking they are possible.

Fernando Bothelo, Literacy Bridge

We have to enable decentralization and taking ownership of the devices of control.

Q & A

Mayorgas: how to deal with control? Navarro: through open standards. Open standards provide confidence and make it possible improvement by third parties. Botelho: open standards have to apply to the whole process of information and communication, and think about it as an ecosystem.

Mayorgas: is cloud computing a solution to access ICTs? Konzett: a good thing about the “cloud” is that anyone can build their own “cloud”, with no need of being maintained or taken care of.

Mayorgas: IT for the people, or people for ITs? Vázquez: IT for the people, but not as a collective, but for the individual persons. We have to empower the individual beyond empowering communities. And universities have to bridge the knowledge divide.

Mayorgas: do we have to empower too the employees at firms (e.g. Google’s employees dedicating 20% of their times to their own projects)? Navarro: many interesting projects come from providing people with tools to enhance creativity. Botelho: Indeed, the processes are as important as the final results. The way things are done do matter and do determine the final results. And the methodology free software is being created and distributed is most valuable.

Luis Millán Vázquez: the Imagination Society — or the Information Revolution — links us through ideas, while the Industrial Revolution liked us through our common needs.

Marta Pastor: how do we actually bridge the digital divide? Fernando Botelho: when we take human rights seriously, everything else (i.e. access to ICTs) will be taken for granted. Luis Millán Vázquez: networks, technological literacy and ability to choose. Navarro: access to networks, open standards, declaration of access to technology and information as a universal service. Konzett: accessibility will most probably be not an issue, thus we should focus on education and open standards that enable decentralized innovation.


e-Stas 2009, Symposium on Technologies for Social Action (2009)