Dataveillance and privacy in social computing:conceptual exploration and analysis of corporate profiling techniques

Jo Pierson & Rob HeymanEMSOC IBBT-SMIT Vrije Universiteit Brussel

Anonymous no moreThe internet: It is becoming ever more difficult to browse the internet without leaving behind digital footprints that reveal your identity

Mar 10th 2011 | from the print edition

Overview

1. Mass self-communication2. User (dis)empowerment and privacy3. Corporate dataveillance4. Contextual integrity5. Cookies6. Conclusion and recommendations

Mass self-communication

• Forms of communication– Mass communication– Interpersonal communication

• Mass self-communicationMass communication+ Self-communication

– Self-selected in reception– Self-directed in emission – Self-generated in content

• By many who communicate with many• Coexist – interact – complement each other

Mass self-communication

Facebook Factlook, Muhammad Saleem, 2010

Mass self-communication• Networked

individualism & person as the portal (Wellman)

• Increased freedom, but also increased responsibility(vulnerability?)

⇒ User empowerment?

darmano.typepad.com/logic_emotion

User (dis)empowerment• Empowerment / disempowerment paradox

– Techniques and instruments for user empowerment proliferating and reinforcing idea of true user empowerment

– Whereas:• Empirical evidence about what user

empowerment really consists of is too large extent missing

• Risk of denial of disempowerment:• Pressure on ‘always on creativity’• Participation as an obligation rather than as

a choice (e.g. non-inclusion is not an option, especially youngsters)

• Loss of privacy => Vulnerability?

– Castells (2009)– To what extent unprecedented autonomy of creative users shaped,

controlled, curtailed by global multimedia business

Corporate dataveillance and PII

PII

Profile

SNS

Eyeballs

Users/Friends

Contextual integrity: PII exchange fair deal?

Context = Who + sends what + to whom?Contextual integrity = (PII) norms of appropriateness + (to whom) norms of distribution

Implicit

Perceived context

Perceived context

Implicit

Complete context

Complete context

Explicit

Explicit Implicit

Digital privacy:corporate dataveillance

1. Explicit disclosure– Digital footprint/fingerprint– Online identity (EU 54%)– ...

2. Implicit disclosure– Clickstream analysis– Cookies– Profiling– Online behavioural

advertising/targeting– Data mining (cf. Big data)– Deep packet inspection

(DPI)– Recommendation systems– …

Cookies

Cookie affordances1° party http

3° party http

3° p. pixelbug

Flash / LSO Zombie / Respawn

Duration Session/ short-term

Long-term(0-32 years)

Long-term (0-32 years)

Long-term(noexpiration)

Eternity

Reach Ownwebsite

Multiple websites

Multiple websites

Multiple websites

Multiple websites

Default acceptance

Yes* Yes* Yes* Yes** Yes*

Action req No Yes No No No

Removability Easy Easy Easy Hard Hard

Amount of information

4kB 4kB 4kB 100kB 100kB + 4kB

* In Internet Explorer and Mozilla Firefox** Flash player 6 or higher needs to be installed

Relevance cookies• Automatic machine-to-machine, being robust and cross-platform• Giving websites memory: states

– Increasing importance for optimal and convenient functioning internet’s social layer

– ‘Certainly with the much richer and faster environment we are in, this environment will make us end up with more ways of tracking as well.’ (Langheinrich, 2011)

• Evolution– Amount of websites with cookies rises

• Media Matrix Top 500: 81% in 2000 -> 95% in 2007 (98% in 2009)– Amount of cookies per websites increases

• 2.45 cookies in 2000 (1 to 12) -> 8.71 cookies in 2007 – The more popular website, the more cookies

• Consumer tracking technology– Spending of $23 billion (2009) in online advertising economy – On 1,000 popular sites: 40% (2005) -> 80% (2009)

Conclusion

• Cookies are to a large extent missing from users’ perceived context

• Cookie robustness and ubiquitous usage in the social layer of the web make them indispensable– This enables cookie function creep for third

parties• Contextual integrity applied to online user

perception is able to point out key privacy awareness issues and user (dis)empowerment

Recommendations• Increase the perceived context

– Technology: privacy enhancing technologies (PET)?– Users: notification and awareness?

• Awareness - practices - skills - attitudes– Policy: (self)regulation or enforcement?

• Avoiding privacy divide• Future research

1. Mapping and analysis of corporate profiling techniques, beyond cookies

2. Analysis of business practices in profiling 3. Analysis of everyday user practices in relation to privacy4. Linking user practices with affordances of profiling

technologies and business activities ⇒ Policy recommendations on local, national and European

level

Q & A

Vrije Universiteit Brussel (VUB)Interdisciplinary institute for BroadBand Technology (IBBT)

Studies on Media, Information & Telecommunication (SMIT)Pleinlaan 2, B-1050 Brussels - Belgium

http://smit.vub.ac.be

prof. dr. Jo PiersonRob Heyman

T: +32 2 6292412E: jo.pierson@vub.ac.be

<http://www.nytimes.com/interactive/2010/05/12/business/facebook-privacy.html?ref=personaltech>

Evolution in data protection norms

• Generational Development of Data Protection in Europe– Not ‘data’ in need of protection, but the individual

to whom data relates (Mayer-Schönberger)• 4 generations of data protection norms

throughout multiple Data Protection Authorities (DPA)

• Europe shifts responsibility towards its citizens

12/11/09 23 eTHOS

Evolution EU data protection• 1st generation: megaDB vs the state

– 1970: the first databases• Created mistrust among citizens• Only the big ones were regulated

– Regulation was focused on technical aspects of safety– Problem:

• A new actor emerged: the minicomputer, which created multiple databases• The law was unable to control privacy due to the sheer number of new databases

• 2nd generation: the minicomputer– Civilians become the new prosecutors

• DPA becomes ombudsman and regulator– Privacy: ‘the right to be let alone’ (Westin)– All or nothing policy

• Disclosure of personal information more often than not is a precondition to individual participation

• Is it acceptable that such data protection can be exercised only by ‘hermits’?

12/11/09 24 eTHOS

Evolution EU data protection• 3rd generation: right to informational self determination

– Privacy returns in discourse– All or nothing policy is awkward and difficult

• The civilian should have more specific control– He or she should be aware of every use of his or her personal information

• Even more initiative and responsibility shifted towards citizens– Procedures are slow and hard to control and so is the right to privacy

• 4th generation: holistic and sectoral– Civilians are not capable to ensure compliance

• Fortify this position through no fault compensation• The government takes responsibility (Belgian Law 8-12-92 art. 6, 7 and

8) for personal data (health, law and etnicity)• Every sector (e.g. health) has its own specific needs

– Every sector has its own sectoral rules (self-regulation)

12/11/09 25 eTHOS

Implications• Consumer oriented interdisciplinary research on privacy

– Implicit disclosure: analysis of technological affordances and industry developments and user perspectives

– Explicit disclosure: everyday user practices and privacy enhancing solutions

– Points of attention• Awareness: What do people know? (e.g. Facebook Inc.)• Practices: What do people do? (e.g. privacy paradox)• Skills: What are people able to do? (e.g. right not to be identified)• Attitudes: What do users want? (e.g. mediating techno-privacy)

– Interdisciplinary perspective (user, legal, educational, HCI,...)– Link with empowerment (i.e. also inclusion and digital literacy)

• Actions needed for enlarging ‘perceived context’– Interaction with civil society, industry and government on local, national

and European level?– Systematic monitoring?– Educational and training tools?– Awareness campaigns?

Exchange PII between users and digital services: fair deal?

• Contextual integrity (Nissenbaum)– An alternative benchmark for ethics and privacy,

to capture the nature of challenges posed by mass self-communication

– Informational norms• Norm of appropriateness• Norm of information flow

– Link with• Sense of vulnerability• Subjective privacy

– E.g. Google Buzz

Everybody knows you’re a dog...