ABSTRACT

In the Social Web, the Internet and Web are coming into their own, offering an infrastructure for self-expression, information and communication to everyone regardless of their technical expertise. The Social Web comprises many facets: wikis, blogs, photo/video sharing, portals, tagging systems, etc. Most of these have functionalities that allow “social networks” of people with shared interests or other forms of interdependency to grow and become manifest through links such as blogrolls, comments, etc. One group of applications and portals has made this network building into its core purpose: social network sites (SNS). SNS are web-based services that allow individuals to (1) construct a public or semi-public profile within a bounded system, (2) articulate a list of users with whom they share a connection, and (3) view and traverse their list of connections and those made by others within the system [11]. SNS are not only popular, but also highly effective at turning otherwise often passive users into active contributors: in 2008, more than 30% of Internet users were members of at least one SNS, and more than 80% of SNS users became active network members [18]. The publishing of personal information in a network, and the ease with which such information travels through different sites and beyond, allows providers and users to profile each other based on personally and relationally revealed data. Thus, on the one hand SNS exemplify functionality that permeates the whole Social Web; on the other hand they are prime examples of profiling functionality.

More recently, privacy has shifted into the focus of social-network researchers and practitioners. A common view is that SNS play an active role in the (general) “privacy nightmare” of the Internet. Empirical analyses of SNS support this view, showing that vast amounts of data are collected, often without a clearly defined purpose, that privacy settings are cumbersome and their use poorly communicated, and that privacy setting defaults reveal a lot of information (see [8] for a detailed analysis of 45 major SNS). Interestingly, millions of users appear to think otherwise, delighting in the new possibilities for self-expression, finding new friends online and sharing resources. Nevertheless, a number of those users also complain about unexpected revelations of their personal information and related privacy concerns. How can these views, which at first sight appear to be opposed, be considered together in order to help users, companies, and society at large to reach common understandings and working implementations of privacy protection in a world in which information sharing is a desirable daily practice? We argue that a solution to this problem lies in studying different approaches to privacy. The dominant approach to privacy in computer science is to define privacy as data confidentiality — hiding data in an environment in which SNS act as drivers of the privacy nightmare, seducing users to disclose personal information. In this view, solutions consist of formal approaches to ensuring confidentiality through access control methods, data perturbation and other modifications of data to counter unwanted information inferences and leakages. We show later that this approach is not sufficient to address users’ privacy concerns in social networks, is often inappropriate in collaborative sharing environments, and is solely preemptive — most confidentiality and anonymity models do not engage with the information that has already been revealed or leaked. Hence, in this chapter we categorize complementary approaches to privacy and show how these approaches can be used to address the different types of concerns.

Once we have sketched out the different approaches, we explore one of them in depth in the context of social networks, an approach we call privacy as practice. In order to do so, we step out of the privacy-nightmare discourse and assume that SNS are an interesting space on the Internet for engaging in privacy [2], and that therefore a detailed study of user behavior and concerns in them will yield a more accurate description of the privacy concepts that are relevant. Further, we presume that privacy is not something concrete, agreed upon by consensus and in constant danger. Rather, we conceive privacy as a set of practices to negotiate what should remain public or private in social contexts. Legal and other regulatory frameworks and various social mechanisms exist to ensure that individuals can practice their privacy. We hence argue that we also need approaches to defining and developing technology that target the same.

Further, SNS provide a prime example for studying the privacy and related concerns manifest on the (Social) Web: by virtue of being public and popular, SNS make evident privacy problems that also exist elsewhere on the Internet, such as in email, discussion forums, chats, or e-Commerce. At the same time, in no other web applications are the user communities so actively involved in privacy debates, although similar concerns apply.

The chapter is organized as follows. In Section 16.2, we review some dominant approaches to privacy and emphasize the importance of methods other than confidentiality and anonymity for privacy practices. There we also show how the present chapter and Chapters 15 and 18 of this book, which give detailed overviews of mechanisms for protecting profile privacy and methods for private analysis of networks, complement one another. We also briefly contextualize the three approaches by analyzing privacy concerns articulated by users and other stakeholders of social networks. Based on those concerns, in Section 16.3 we categorize the types of conflicts that arise among users as a result of two characteristic features of SNS: relational information and transitive access control. We then introduce the initial concepts for a method to detect these conflicts. In Section 16.4, we construct a formal model of the conflicts and describe our conflict discovery method. We then apply our method to four cases which are typical in SNS and discuss their differences. In Section 16.5, we suggest that in order to negotiate the conflicts identified using our method, data-mining and feedback techniques as well as access control alternatives can be used. The method hence not only serves to assemble requirements and study interactions between those requirements; further, by showing outcomes and possible conflicts, it suggests how data mining can be the core of awareness tools that help users better oversee the consequences of their actions. An outlook is given in Section 16.6.

In the work presented here, the role of data mining changes. Today data mining is often seen as a technology that is at the core of privacy concerns and at the same time is the starting point of a group of methods (“privacy-preserving data mining”) that help avoid these. In this chapter, we show how data mining methods and technologies may also inform individuals and groups about the (possible) consequences of various privacy-related behaviors.

Finally, it is not the objective of this chapter to propose new access control models that limit how information can travel according to some specification. Rather, we develop a method to investigate the consequences and conflict potential of information travel resulting from common SNS designs. These detected conflicts can be used to elicit requirements for solutions — these requirements may in turn be useful in designing access control models.