Privacy
Discussion:
Danah Boyd on why privacy is different in online spaces
In physical spaces, different audiences don't mix and we can perform differently. However, in the context of Networked Sociality, this changes, argues Danah Boyd
From Danah Boyd in the IDC mailing list, February 2007:
"In unmediated spaces, there are walls that allow us to separately contextualize different situations without dealing with the ramifications of those collisions. Online, no such walls. This is a new architecture. So, people have two choices: go into hyper paranoid mode and constantly try to think about what it means to be seen by all people across all time OR live your life in the context you think it should be and hope that you can convince others of this later. (This can be called the ostrich solution.) The problem is that living your life in a pristine manner imagining yourself on the path to presidency (or at least a good behavior patch) is no fun. It's especially no fun for teenagers who are trapped at home and want to hang out with their peers and their only hang out place is online.
There are two populations that complicate the lives of teens: those who hold power over them (parents, teachers, future employers) and those who want to prey on them (primarily marketers). How do you teach people how to behave with such mixed audiences?"
Identity Management may be a danger to Privacy
Brad Templeton on the paradox of digital identity management [1]:
"On the surface, privacy-conscious identity management puts control over who gets identity information in the hands of the user. You decide who to give identity info to, and when. Ideally, you can even revoke access, and push for minimal disclosure. Kim Cameron summarized a set of laws of identity outlining many of these principles.
In spite of these laws one of the goals of most identity management systems has been ease of use. And who, on the surface, can argue with ease of use? Managing individual accounts at a thousand web sites is hard. Creating new accounts for every new web site is hard. We want something easier.
However, here is the contradiction. If you make something easy to do, it will be done more often. It’s hard to see how this can’t be true. The easier it is to give somebody ID information, the more often it will be done. And the easier it is to give ID information, the more palatable it is to ask for, or demand it.
Consider the magstripe found on most driver’s licences. This seems like personal identity management. That card is physically under your control, in your wallet. Nobody, except a police officer who suspects you of something, can demand you produce it. You control whether they can just look at it or can scan it.
Yet the very existence of the stripe makes it easy to read all the data on the card. Sure, they could also look in the card and slowly type it all in, or photograph it, but as you know this is rare. If somebody is demanding this card for ID, it’s faster for them and for you to have them swipe it rather than type in the number and/or your other information. As a result it seems more “reasonable” for them to ask to swipe it, even if they don’t demand it. And thus far more data is collected. (So much that there are legal efforts to limit such scanning.)
This applies even to “ideal” digital identity management systems which let you tweak what information they provide to a web site. In such a system, you can control whether your system offers up a pseudonym or your full name and address. You want that, because if you’re buying a book you want to easily tell them where to send it.
However, at the same time this easy ability to offer your address makes it easy to ask. Today, a site that wants to ask for extra information it doesn’t really need has a disincentive — it has to push you to a form where you have to type it in manually. This makes it far more likely they will ask for this only if they really need it. It makes it really unlikely that they will demand it unless they truly need it. It still happens (I routinely see sites asking for phone numbers they don’t need) but it happens less often than if providing this information required merely a click.
That’s because once you make it trivial to hand over your information, you quickly get to the state where only the privacy zealots put up a fight. And thanks to the fundamental theorem of privacy advocacy — most people don’t care about their privacy until after it’s invaded — this means most people will hand over far more information than needed, and in many cases the few who complain are few enough that companies can safely decide to refuse to deal with them if they won’t hand over the information that’s so easy to hand over.
It’s against our intuition to think of ease of use as a bug, rather than a feature, but sometimes this can be the case.
In addition, single sign-on systems tend to make correlation of user data easier, in spite of their many efforts to try to address this problem. If you use the same ID to sign on at many web sites, it’s hard to stop them from correlating that fact if they get together. Of course, most people use the same login on many sites today, but this is less reliable. (When a site demands an E-mail from me I give a different E-mail to each site, which among other things allows me to see if they pass the E-mail address to any 3rd party.) One of the common identity attributes that will be requested with OpenID is an E-mail address, and this becomes harder to vary if you’re getting the benefit of the single sign-on.
Identity management also encourages the creation of “accounts” when they are not strictly needed at all. Should OpenID become a success, every site will want to use it. Sites that would not have troubled users to create an account to use them will now find it trivial to do so. Their current easy alternative — cookies — are stored on the user’s machine and much more under user control, and much harder to correlate with other sites.
Fully implemented, I predict we’ll see “one click account creation” and “one click login” through the user of browser add-ons. This will result in sites that were perfectly usable without an account suddenly demanding them. Why not, after all? Sites with commercial interest are keenly interested in accounts in order to learn about their users and present information to advertisers or investors.
It is also important to consider how the identity management technology we build will be used in places like China, Saudi Arabia or North Korea. Whatever global standards we adopt, especially with open source or free software, will be readily available for use in these countries.
Unfortunately, these countries will not follow the same principles of user control and consent on identity collection that we do. However, we will save them the time and trouble of building their own ID and surveillance infrastructure. They can readily adapt ours.
We may have to ask ourselves what ethical duty we have to the people of those countries. How would we design our systems if we lived in those places? What software would we give away to those governments? Is our own convenience and ease of use worth so much to us that we want to give these technologies to China where they will help restrict the activities of a billion people? This is not an easy question. The real villains are the oppressors, not the authors of the technology, but that doesn’t stop us from considering how what we build will be used. No solution?
There may be no solution to this paradox. Identity disclosure is, in a sense, the opposite of privacy. Any system that assists in identity disclosure is unlikely to help protect privacy. There are technologies, such as secure pseudonyms and anonymity, and non-correlatable identifiers, which can help, but they are tricky." (http://ideas.4brad.com/paradox-identity-management)
Case Studies
Summary [2] of a presentation by Alessandro Acquisti [3]:
"Alessandro Acquisti , Carnegie Mellon University, delighted us with great insights about “Imagined communities: awareness, information sharing and privacy: the Facebook case” . His research is in the economics of privacy and he revealed interesting facts about Facebook, for example, 89% of Facebook users reveale their real name. And 87% of CMU Facebook profiles reveale birthday, 51% reveale the address, 40% reveale their phone number (40%!). 61% of the posted images are suited for direct identification. Remember that this information will never disappear, it will stored forever in many computers (facebook servers, google servers, archive.org servers and … as the following discussion easily revealed, governments servers, secret agencies servers and probably many companies who can just afford to save everything and decide in future what to do with this information). There is an evident privacy risk of re-identification: 87% of US population is uniquely identified by {gender, ZIP, date of birth} (Sweeney, 2001), Facebook users that put this information up on their profile could link them up to outside, de-identified data sources Facebook profiles often show high quality facial images, Images can be linked to de-identified profiles using face recognition. Some findings on Facebook: Non members rate privacy (concerns, worries, importance) statistically significantly (although only slightly) higher than members. Members deny they use Facebook for dating, however they state they think other members use it for dating. Majority agrees that the information other Facebook members reveal may create a privacy risk for them (mean Likert 4.92). They are significantly less concerned about their own privacy (mean Likert 3.60). Respondents trust the Facebook… more than they trust unconnected Facebook users. The survey about how much users know about Facebook’s privacy policy is interesting as well: “Facebook also collects information about you from other sources, such as newspapers and instant messaging services. This information is gathered regardless of your use of the Web Site.” 67% believe that is not the case. “We use the information about you that we have collected from other sources to supplement your profile unless you specify in your privacy settings that you do not want this to be done.” 70% believe that is not the case." (http://www.gnuband.org/2007/06/26/report_of_conference_on_e-identity_social_issues_in_social_networking_trust_and_reputation/)
More Information
See our entry on Open Privacy standards.