Here is my First Law of Social Networking: social networking sites are incentivized to promote the open and unfettered flow of mountains of personal information.
Social networks’ ability to make money through contextual and/or behavioral-targeted advertising is dependent on users sharing information about themselves, their lives, and their interests. Facebook’s Mark Zuckerberg confirms this point when he notes that “as long as the stream of information is constantly increasing, and as long as we’re doing our job… of pushing that forward, I think that’s….the best strategy for [Facebook]“. In short, the best strategy for social networks is to increase personal information flows online, or, again in Zuckerberg’s words, to get “people through this really big hurdle of getting people to want to put up their full name, a real picture, mobile phone number…and connections to real people” online.
Consequently, creating and promoting robust, easy-to-use privacy settings to allow users to control and possibly restrict the information they share would generally be counter to a social networking service’s strategic interest. This is my Second Law of Social Networking. Again, consider Zuckerberg’s response to an interviewer’s suggestion that Facebook’s privacy controls are unknown or mis-used by uses: Zuckerberg seemingly laughs it off by simply replying “well, the privacy controls are there.” As if just having them there is good enough….
This apparent contradiction is studied in an important new paper titled “The Privacy Jungle: On the Market for Data Protection in Social Networks” by Joseph Bonneau and Sören Preibusch.The University of Cambridge researchers conducted a thorough analysis of the privacy practices and policies in online social networks, revealing some interesting results regarding how social networking sites differentiate (or not) themselves in the “privacy marketplace.” (Technology Review has a good summary of the research, and some of its implications, including quotes from myself).
They summarize their results as follows (emphasis added):
Our contribution is threefold. First, we report the results of a thorough analysis of the privacy supply in the social networking market (Section 4). Our data supports some common assumptions, such as a generally low quality of privacy policies, usability problems, and poor security practices. It also provides some surprises such as promotion of photo-sharing being far more common than game-playing, and a huge diversity of privacy controls available in different networks which is not effectively conveyed to users.
Second, we aggregate our data into overall privacy and functionality scores for each site, and use these to find which general factors may influence a site’s privacy practices (Section 5). Again, we find interesting results, such as niche sites offering significantly less sophisticated privacy controls than general-purpose sites, positive correlations between privacy and the age, size, and popularity of a site. Privacy and functionality aren’t strong correlated, but sites that promote on privacy are often found having less favourable privacy practices. We also find evidence that sites with better privacy are growing ahead of the market, while those that mention their privacy are falling behind.
Finally, we propose a novel economic model to explain the observed under-supply and under-promotion of privacy as a rational choice by the competing social networking providers. Our model assumes the existence of consumers with varying degrees of privacy concern. We conjecture that websites seek to maximise their desirability to both populations by not raising privacy concerns for the majority of users, while minimising criticism from the privacy-sensitive.
Their final point is worth special consideration: According to the authors, social networking sites might build robust privacy settings to appease privacy advocates, but they don’t promote them and/or make them difficult to use so the majority of users don’t bother to change their default settings, thereby keeping the open flows of personal information undisturbed.
This is my Third Law of Social Networking: Provide privacy, but make it hard. Social networking providers will never admit to this, but the evidence is there: default settings are generally set to share all of your information with all of your friends; there are few (if any) help pages to assist users in managing their privacy (compare to what Google has been doing to try to educate users); maintain the philosophy that, no matter what, information wants to be shared among everyone; and build systems that share everything, and only make privacy changes when the pressure mounts (i.e., News Feed, Beacon, etc).
Thus, we have identified three Laws of Social Networking:
- Promoting the open flow of personal information allows maximum profitability
- Allowing user control over their information flows is counter to profit maximization
- Provide some privacy controls, but make it hard
I’ll need to think more about this, but welcome any feedback.