Social-networking sites lead a double life. On one hand, they encourage users to share as much personal information as possible, making it easy to post photos, videos, notes, and links. But at the same time, these sites have to safeguard that information and limit how it is shared between users and beyond their own walls. Users are often dismayed when their information reaches unintended recipients, such as bosses, relatives, or other companies.

This situation encourages social networks to bury the privacy settings that they build, according to research that will be presented later this month at the Eighth Workshop on the Economics of Information Security, in London, U.K. Social networks are under pressure from privacy-rights groups and activists to build in ways for users to control their information, the researchers say, but it's also in their interest to keep those settings off users' minds.

"To the social network, your value increases the more data you share on the site," says Joseph Bonneau, one of two University of Cambridge researchers who worked on the project. More user data means better targeted advertising, and more of a feeling of community, he says. "Their goal is to create a very free-flowing environment where everybody is constantly sharing everything and seeing all this data on other people," he says. "The best way to achieve that is to not bring up the concept of privacy."

To arrive at their conclusions, the researchers evaluated 45 social-networking sites from all over the world, looking at more than 200 criteria related to privacy policies and privacy controls. Although social-networking sites have often been criticized as a group for their privacy practices, the researchers say that they found a lot of variation in quality. Using criteria such as the amount of data collected during sign-up, the default privacy settings, and whether information is routinely shared with third parties, the researchers judged Bebo, LinkedIn, and GaiaOnline to have the best privacy practices of all, and Badoo, CouchSurfing, and MyLife to have the weakest. Ironically, sites that made privacy a selling point tended to have lower-quality privacy controls. Facebook and MySpace ranked toward the middle, but the researchers note that these sites also offer users more features, making privacy harder to maintain.

In general, more popular social-networking sites did better with privacy, which the researchers put down to these sites having more resources to devote to the problem, as well as to being under more pressure to protect user data.

Bonneau believes that revealing the privacy practices of all sites could help put pressure on major sites to add further protections for users. For example, the researchers found one site, the business network Xing, that encrypts all interactions to protect personal information against eavesdroppers. This shows what kinds of features are possible, Bonneau says.
 

Sören Preibusch, another researcher who worked on the project, says that establishing industry standards for privacy settings might help users understand and control what's happening to their information. Murky policies, confusing settings, and incentives to share all their information tend to distract users from the realities of what will happen to their data, he says. "Even though consumers report they are concerned about privacy, they forget their concerns when offered some rewards," Preibusch says. "Even small rewards such as chocolate bars or pennies will convince users to reveal personal information."

Vitaly Shmatikov, a professor of computer science at the University of Texas at Austin, who studies privacy in social networks, says that the implications of the new study will become increasingly important as sites develop better ways to make money from users' data. "I expect that there will be a significant tension between monetization and privacy," he says.

Incidents such as Facebook's Beacon fiasco--the site's controversial attempt to broadcast a user's offline shopping activities through Facebook--highlight the potential for conflict, Shmatikov says. However, he thinks that worse will come when social networks begin focusing less on attracting new users and more on making money from the ones they have.

By their very nature, social-networking sites are designed to "promote the open flow of personal information," says Michael Zimmer, an assistant professor at the School of Information Studies at the University of Wisconsin-Milwaukee. As a result, he says, they're "reluctant to heavily promote their privacy settings," adding, "Facebook has some of the most robust privacy settings out there but offers little to no help on how to use them."

One way to remedy this situation is by finding ways to assist users in navigating privacy settings, Zimmer says. He has, for example, posted a cheat sheet on his site that walks users through the process of configuring the privacy settings on Facebook.

Preibusch says that social-networking sites often leave user profiles almost 100 percent public by default. "Users should be aware that they still have the possibility of taking action by setting their privacy settings inside the network, and not sticking with the permissive defaults," he says.

"The safe way to use the network is to assume that everything you post will eventually be public," adds Bonneau.

Copyright Technology Review 2009.