Notes from the 5th Internet, Law and Politics Conference: The Pros and Cons of Social Networking Sites, organized by the Open University of Catalonia, School of Law and Political Science, and held in Barcelona, Spain, on July 6th and 7th, 2009. More notes on this event: idp2009.
Data protection and Social Networking Sites
Chaired by Mònica Vilassau
Spain has circa 8,000,000 SNS users that usually set by default the lowest levels of data protection. It’s difficult to find out who’s the owner of data and who’s reliable of data protection. And it’s usual to find use of third parties’ data not only without their consent but without their knowledge.
Esther Mitjans, Director, Catalan Data Protection Agency
There’s an urgent need to raise awareness about the privacy risks of using social networking sites and being on the Net.
Parents letting their kids freely browse SNS is like letting them go outside and play on the street unsupervised and unaware of some basic issues.
On the other hand, be have also to build confidence in the digital environment, and Law should have a role in trying to bring back (or build) confidence on the system.
There are shared risks where one’s actions have impact on third parties. What happens when data usage goes beyond the household or domestic arena? It’s known that increasingly SNS users use data for commercial purposes or, to say the least, not for strictly personal reasons.
But who’s liable for data protection infringement in SNS? If there’s been a data mining process for commercial uses, liability is easy to track back. But if the origin is a misuse coming from a particular individual, liability becomes not that easy to stablish.
SNS management is an approach to risk management. We should minimize risks for those acting legally, while prosecuting those who act illegally.
Pablo Pérez San-José, Gerente del Observatorio de la Seguridad de la Información Instituto Nacional de Tecnologías de la Comunicación (INTECO)
The Observatorio de la Seguridad de la Información [Observatory for the Information Security] is aimed towards monitoring and promoting policies for the security of data and information.
Hugh success of SNS at the kids and youngsters level. 43% kids using Tuenti, 80% using YouTube. Attractive because of the online-offline combination.
Three main key points concerning security hazards in SNSs:
- Creation of profile: terms of service not clear. TOS should be written in plain English. Quite often, users are asked to fill in lots of data that are legally very sensible. Even if these data are not compulsory, they appear on the sign up form and people normally fill them in. User age verification should be more effective (in Spain, you need parental consent to share data if you’re under 14 y.o.). Default privacy settings are very low, allowing maximum visibility.
- Participation in the SNS: excessive personal information made public on your profile. Non-authorized indexation by search engines. Installation and generic usage of cookies without the user’s knowledge. Reception of hipercontextualized advertising. Giving away intellectual property rights. Malware, phishing, pharming, etc. that use the information available on SNSs to customize to a higher degree attacks to other users. Spam based on false profiles. Sensitive and inappropriate content for minors. Cyberbulling, grooming.
- Signing off: impossibility to completely and definitely erase your profile. Information that remains on third parties’ profiles.
- Be proactive following the law
- Better age verification
- Appropriate content (depending on environment and target) and well tagged
- Awareness raising
- Fostering secure environments, good practices, and a harmonized international law, while enabling the enforcement of law
Facebook and risks to de-contextualization of personal information
Franck Dumortier, Researcher, Centre de recherches informatique et droit (FUNDP-CRID)
Facebook’s model is based on the presentation of the users’ profiles, the visualization of the network of relation to others, and, most important, use real-world identification signs, including real names and real places.
When is there de-contextualization?
- Behaviours and information used in another context from that for which they were intended
- Violation of contextual norms of appropriateness or distribution
While on the real world anyone more distant than the friend of a friend is a stranger, on Facebook anyone you don’t actively hate is a friend. This enables wider dissemination of sensitive and decontextualized content. The driver being the presence of a visible network, tagging, pressure to join the network, etc.
Privacy is a human right, and is normally treated as a data-subject. But he is also a contextual-human, so privacy should also be seen as
a right to contextual integrity, and as a right to self-emancipation from one’s own context.
Facebook as a Foucault’s heterotopia: a place that includes all other places, including its relationships.
In this sense, dealing with the “data subject” (identifying someone by reference to one or more factors specific to one aspect of his identity) is a partial approach, and the right to protect data is the right provided to “dividuals” (as divided individuals, parts of individuals).
A prime effect of Facebook, as an heterotopical environment, is to artificially recompose individuals.
De-contextualization threatens data protection rights.
- Define higher data-privacy compliant default settings
- Raise awareness
- Increasing liability of SNS operators is useless
Data protection in Google
Bárbara Navarro, European director of Institutional Relations of Google in Spain and Portugal.
Businesses are increasingly aware that data protection and privacy are important issues that need being addressed. There is a general claim that demands privacity on demand: I want to upload everything and then be able to manage my own privacy — and the SNS provider respect and protect it.
Some questions on Google and privacy: excessive data retention; Google Street View and Google Earth and their photos; contextual advertising: is it good or bad; cloud computing and jurisdiction; health records; etc.
In most cases, the user can opt-out (temporal or permanent) on specific aspects: ask the deletion of a photo, stop receiving contextualized advertising, etc. Google’s commitment is that the user is the owner of its own information and the things Google does with it.
Three axes of action:
Q: Should the government rank and publish what SNS is more data privacy compliant? A: The government should enforce the law but, as it happens with any kind of crime, most information cannot be made public.
James Grimmelmann: If we prohibit sites like Facebook, is there a threat from behaving as more integrated individuals? If it is our will not to be “dividuals”, is there a threat against us if we ban heterotopies like Facebook? Franck Dumortier: Constituting a unique space is wrong because contexts might not fit, because different dimensions of the self might not be overlapping.
Q: How is it that there’s that much content on YouTube from TV channels? Bárbara Navarro: normally it’s individuals who upload videos on YouTube and TV Channels the ones that have to ask for this content to be retired. On the other hand, Google has created a scanning device that can identify protected content and not permit it being uploaded. It is also true, nevertheless, that most channels have their own YouTube channel and they normally allow protected content to be uploaded by individuals as it provides publicity.
Q: Imagine a user that joins a SNS focusing on a specific disease or illness, he then recovers and wants to quit the network and erase all data. How to? Esther Mitjans: The user made an cost-benefit analysis before joining and decided that it was worth joining the network, we should not forget about this. Notwithstanding, they should be following the requisites of the SNS to delete all their traces.
- Study on safe habits in the use of ICT by children and adolescents and e-trust of their parents ( 3,6 MB)
- Use Case 12 – Risk Management for Social Media
- IDP2009: Data Protection, by Daithí Mac Sithigh.
- #IDP_UOC: V Congrés Internet, Dret i Política: Protecció de dades i xarxes socials, by Ricard Espelt