Information Revelation and Privacy

in Online Social Networks

Ralph Gross and Alessandro Acquisti

[email protected] [email protected]

Heinz Seminars, October 3 rd, 2005

 Information revelation and privacy
in online social networks
• Online social networks (OSN): sites that facilitate
interaction between members through their self-
published personal profiles
• How much do users of OSN reveal about
themselves online?
– A lot
• To whom?
– Friends and strangers
• Why?
 Why?
• Rationality hypothesis: signaling
• Low privacy sensitivity
• Herding behavior
• Peer pressure
• Myopic discounting
• Incomplete information
• …
Privacy, economics, and rationality
1. Incomplete information
2. Bounded rationality
3. Affective processes, psychological/behavioral
deviations from pure rationality model
 Our study
• Starts research on privacy implications of OSN
• Provides first quantification of observed behavior
• Studies actual usage data
• Discusses trade-offs and incentives and advances
behavioral hypotheses
– Yet, still preliminary

 Implications extend beyond OSN domain

 Agenda
1. Online social networks
– The Facebook
2. CMU students and the Facebook
i. Usage data
– Patterns of information revelation
– Inferred privacy preferences
 Risks and trade-offs
ii. User survey (pilot)
– Users’ knowledge and expectations
 Drivers and incentives

3. Next step
– Experiments
Online Social Networks
 What are online social networks?
• Sites that facilitate interaction between members through their self-published
personal profiles
• Common core:
– Through the site, individuals offer representations of their sel[ves] to others to peruse,
with the intention of contacting or being contacted by others, to meet new friends or dates,
find new jobs, receive or provide recommendations, …
• Progressive diversification and sophistication of purposes and usage patterns
– Social Software Weblog groups hundreds of social networking sites in nine categories
(business, common interests, dating, facetoface facilitation, friends, pets, photos, …)

 Classifieds <> OSN <> blogs

 A history of online
social networks
• 1960s: Plato (University of Illinois)
• 1997: SixDegrees.com
• After 2002: commercial explosion
– Friendster, Orkut, LinkedIn, …,
– Viral growth with participation expanding at rates topping 20% a month
– 7 million Friendster users; 2 millions MySpace users; 16 million registered on
Tickle to take personality test (Leonard 2004)
– Revenues: advertising, data trading, subscriptions
– Media attention: Salon, NYT, Wired, …
 Research on online
social networks
• boyd (2003): trust and intimacy on OSN
• Donath and boyd (2004): representation of self on OSN
• Liu and Maes (2005): harvesting OSN for recommender
systems

• (some additional research uses OSN data for other

purposes)
 From (social) network theory
to online networks
• Milgram (1967): the small world problem
– Watts (2003): six degrees
• Granovetter (1973, 1983): weak and strong ties
• Milgram (1977): the familiar stranger

 What about the “unknown buddy”?

 Social network theory and privacy
• Strahilevitz (2005):

Discourse about privacy should be based “on what the parties should
have expected to follow the initial disclosure of information by
someone other than the defendant”

– Consideration of expected information flows within/outside somebody’s social

network should inform that person’s expectations for privacy
• However, application to online social network reveals challenges
 Online vs offline social networks
1. Offline: extremely diverse ties. Online: simplistic binary
relations (boyd 2004)
2. Number of strong ties not significantly increased, but
number of weak ties can increase substantially (Donath
and boyd 2004)
– From a dozen of intimate ties plus 1000 to 1700 “acquaintances,”
to hundreds of direct “friends” and hundreds of thousands of
relations
 Hence:
• Online social networks are vaster and have more weaker ties than
offline social networks
 An imagined community?
• Anderson (1991)
• Intimacy and trust
– Sharing same personal information with a large and potential unknown number of
friends and strangers
• Intimate with everybody? (Gerstein 1984)
 Ability to meaningfully interact with others is mildly augmented, while ability of
others to access the person is significantly enlarged
 Online social networks and
personal information
1. Pretense of identifiability changes across different types of
sites

Anonymous <> Pseudonymous <> Fully identified

2. Type of information revealed or elicited often orbits around

hobbies and interests, but can stride from there in different
directions
– From classified to journals

3. Visibility of information is highly variable

– Members only
– Everybody
 Online social networks and privacy
• Privacy implications of OSN depend on the level of identifiability of the
information provided, its possible recipients, and its possible uses
– Re-identification
• Two directions: known>additional information; unknown>known
– To whom may identifiable information be made available?
• Site, third-parties (hackers, government), users (little control on social network and its
expansion)
– Risks
• From identity theft to online and physical stalking; from embarrassment and blackmailing to
spam and price discrimination
 Online social networks and privacy
• And yet:
– OSN can also offer tools to address online privacy problems
– “Social networking has the potential to create an intelligent order
in the current chaos by letting you manage how public you make
yourself and why and who can contact you.” Tribe.net CEO
Mark Pincus

 Is that true?
The Facebook
 The Facebook
• www.facebook.com
• Started February 2004
– Attracted Silicon Valley funding
• Has spread to 2000 schools and 4.2 million users
• Typically attracts 80 percent of a school’s undergraduate population
– Also gets graduate students, faculty members, staff, and alumni
• Now targeting high schools
• Growing media attention
 Facebook‘s privacy policy
• …is lax, but straightforwardly so:

“Facebook also collects information about you from other sources, such as newspapers and instant
messaging services. This information is gathered regardless of your use of the Web Site.”
…
“We use the information about you that we have collected from other sources to supplement your
profile unless you specify in your privacy settings that you do not want this to be done.”
…
“In connection with these offerings and business operations, our service providers may have access
to your personal information for use in connection with these business activities.”
 Facebook and
unique privacy issues
• Unique data
– Includes home location, current location (from IP address), etc.
• Uniquely identified
– College email account
– Contact information
• Ostensibly bounded community
– “Shared real space”

 …or imagined community?

CMU students and the Facebook: usage data
 Studies
• Gross and Acquisti, Proceedings of WPES 2005
• Acquisti and Gross, Proceedings of PET 2006
 Data gathering
• In June 2005, we created Facebook profiles with different
characteristics
– E.g., degree of connectedness, geographical location, …
• We searched for CMU Facebook members’ profiles using
advanced search feature and extracted profile IDs
– Downloaded profiles
– Inferred additional information not immediately visible from profiles
Demographics
Demographics
Demographics
Information revelation
 Information revelation

• Male users 63% more likely to leave phone

number than female users
• Single male users tend to report their phone
numbers in even higher frequencies
Data verifiability
Data verifiability
 Privacy risks
• Stalking
• Re-identification
• Digital dossier
 Privacy risks: Stalking
• Real-World Stalking
– College life centers around class attendance
– Facebook users put home address and class list on their
profiles; whereabouts are known for large portions of the day

• Online stalking
– Facebook profiles list AIM screennames
– AIM lets users add “buddies” without notification
– Unless AIM privacy settings have been changed, adversary can
track when user is online
 Privacy risks: Re-identification
• Demographics re-identification
• 87% of US population is uniquely identified by {gender, ZIP,
date of birth} (Sweeney, 2001)
• Facebook users that put this information up on their profile
could link them up to outside, de-identified data sources
• Face re-identification
• Facebook profiles often show high quality facial images
• Images can be linked to de-identified profiles on e.g.
Match.com or Friendster.com using face recognition
• Social Security Number re-identification
• Anatomy of a social security number: xxx yy zzzz
• Based on hometown and date of birth xxx and yy can be
narrowed down substantially
 Privacy risks: Digital Dossier
• Users reveal sensitive information (e.g. current partners,
political views) in profiles

• Simple script programs allow adversaries to

continuously retrieve and save all profile information

• Cheap hard drives enable essentially indefinite storage

Privacy risks
Data accessibility
Data accessibility
 Data accessibility
• Profile Searchability
– We measured the percentage of users that changed search
default setting away from being searchable to everyone on the
Facebook to only being searchable to CMU users
– 1.2% of users (18 female, 45 male) made use of this privacy
setting
• Profile Visibility
– We evaluated the number of CMU users that changed profile
visibility by restricting access from unconnected users
– Only 3 profiles (0.06%) in total fall into this category

• Caveat: We would not detect users who had made themselves both
unsearchable and invisible within CMU network (safe to assume their
number is very low)
Data accessibility
 Actual data accessibility:
An imagined community?
• Extensive, uncontrolled social networks
• Fragile protection:
– Fake email addresses
– Manipulating users
– Geographical location
– Advanced search features
• Using advanced search features various profile information can be
searched for, e.g. relationship status, phone number, sexual preferences,
political views and (college) residence
• By keeping track of the profile IDs returned in the different searches a
significant portion of the previously inaccessible information can be
reconstructed
– AIM
 Facebook profiles are, effectively, public data
 Actual data accessibility:
An imagined community
• “What a great illustration of how things you might
not mind being public in one context can cause
all sorts of problems when they wind up globally
public.”
– CMU student
 Initial hypotheses
• Default settings (Mackay 1991)/ Myopic discounting?
– Less than 2% make their profiles less searchable
– Less than 1% make their profiles less visible
• Peer pressure
• Incomplete information and biased perspectives
– An imagined community

• Or simply:
– Low privacy concerns
– Signaling
• Single males list phone number with highly significant more
frequency than females
User survey (pilot)
 (Pilot) Survey
• Goals
– Understand CMU Facebook’s users degree of awareness about
the site and its information revelation patterns; understand their
privacy attitudes and expectations
• Thirty-six online questions
• Anonymous, paid
• Pilot
– 50 subjects
– Focused on Facebook users

• Survey link
CAVEAT:
The following results are based on our pilot test (50 subjects).
Hence they must only be considered suggestive trends rather
than robust evidence. We are now exploring the same
questions in the full survey – please contact us for the most
recent results: [email protected].
 Generic concerns
(7-point Likert scale)

.3
.4
.3

.2
Density
Density
.2

.1
.1

0
0

0 2 4 6 8
0 2 4 6 8 Threats to personal privacy
State of the economy

.3
.25
.2

.2
.15

Density
Density
.1

.1
.05

0
0

0 2 4 6 8
0 2 4 6 8 Global warming
Threats of terrorism
 Specific concerns
(7-point Likert scale)

.4
.8

.3

.3
.6

.2

Density
Density

Density

.2
.4

.1

.1
.2

0
0

0 2 4 6 8 0 2 4 6 8 0 2 4 6 8
Same-sex marriage Permeable borders US vetoes global warming regulations

.5
.3

.4

.4
.3
.2

.3
Density

Density
Density
.2

.2
.1

.1

.1
0

0
0 2 4 6 8 0 2 4 6 8
Friend of friend knew contact information Stranger knows address
0 2 4 6 8
Partners info
 Attitudes vs. behavior
• Share of users with high sensitivity (Likert >5) to
partner/sexual orientation information who provide
it on Facebook: ~70%
• Share of users with high sensitivity (Likert >5) to
home location and class schedule information who
provide it on Facebook: ~32%
• Share of users with high sensitivity (Likert >5) to
contact information who provide it on Facebook:
~42%
 Awareness:
visibility and searchability
• 21% incorrectly believe only CMU users can
search their profiles
• 71% do not realize that everybody at UPitt can
search their profiles
• 40% do not realize that anybody on Facebook
can search their profiles
• 31% do not realize that everybody at CMU can
read their profiles
• On the other side, 23% incorrectly believe that
everybody on Facebook can read their profiles
 Facebook‘s privacy policy,
revisited
“Facebook also collects information about you from other sources, such as
newspapers and instant messaging services. This information is gathered
regardless of your use of the Web Site.”
• 85% believe that is not the case

“We use the information about you that we have collected from other sources to
supplement your profile unless you specify in your privacy settings that you
do not want this to be done.”
• 87% believe that is not the case

“In connection with these offerings and business operations, our service
providers may have access to your personal information for use in
connection with these business activities.”
• 60% believe that is not the case

• Control: perusal of privacy policy does not improve awareness

 Privacy concerns
• 69% believe that the information other
Facebook users reveal may create privacy
risks for those users
• But:
.4
.3
Density
.2
.1
0

0 2 4 6 8
Are you concerned about your personal privacy on the Facebook?
 Information revelation
• Reasons to provide more personal information
(in order of importance):
1. No factor in particular, it's just fun
2. No factor in particular, but the amount of information I reveal
is necessary to me and other users to benefit from the
FaceBook
3. No factor in particular, rather I am following the norms and
habits common on the site
4. Quite simply, expressing myself and defining my online
persona
5. Showing more information about me to "advertise" myself
…..
– Getting more potential dates
 Other privacy concerns
• Reasons for low privacy concerns (in order of
importance):
1. Control on information
2. Control on access
3. CMU environment
4. Student environment
…
 Other privacy concerns
• Does your Facebook profile contain
information that you might not mind being
"public" within the your Facebook or CMU
network, but that would indeed bother you if
other people could access (e.g., family,
interviewers, etc.)?
– 50% answer yes
 Is it possible/likely?

0 1 0 1
.6

.4
.4
Density

Density
.2
.2
0

0 2 4 6 8 0 2 4 6 8 0 2 4 6 8 0 2 4 6 8
Possible Likely
Graphs by q31 Graphs by q31
Next steps
 Next steps
• Full survey
– Users and non-users: different privacy sensitivities?
• Experiments
– Control for initial privacy settings
– Control for perception of other users’ information patterns
– Control for perception of other users’ information revelation
• Other scripts
– Study evolution of a new network
– Study dynamics of information revelation
 Conclusions
• OSN offer exciting ground for privacy research
– Plenty of information revelation
– Alternative explanations
– Actual usage data
• The unknown buddy?
• An imagined community?
 Conclusions
• Facebook users claim, in general, to be concerned
about their privacy but
– Publish plenty of personal information
– Do not use privacy enhancing features
• However, they are both
– …uninformed about specific information revelation patterns
– … aware of generic possibilities
• Suggestive evidence pointing towards:
– Signaling, but also
– Myopic discounting
– Incomplete information