Privacy concernsWidespread privacy failings in online social networks

Published 22 July 2009

A Cambridge University study finds serious privacy weaknesses in the way social networking sites are run; those who join such site are often unaware of these weaknesses

Competition among social networking sites is compromising the protection of users’ data, a Cambridge University study has concluded. The survey covered 45 global social networks, ranging from popular sites such as MySpace and Facebook through to lesser-known foreign networks. Its authors report “serious concerns” about the extent to which these sites fail to keep users’ personal information private.

It is the first detailed analysis to examine the security provisions of a large number of social networks. The report, by researchers in the University’s Computer Laboratory, is being made freely available online.

The problems the report identifies — such as misleading privacy policies and inaccessible privacy guidelines — have long been suspected, but the report provides new numerical data to confirm their scope.

  • Some 90 percent of sites, for example, needlessly required a full name or date of birth for permission to join
  • 80 percent failed to use standard encryption protocols to protect sensitive user data from hackers
  • 71 percent reserved the right to share user data with third parties in their privacy policies

The study also argues that privacy is being compromised by rigorous competition for users. Researchers argue that open discussion of privacy on social networking sites puts off the average user, which discourages the owners from producing explicit or accessible privacy guidelines.

Sites want users to be relaxed and having fun, but when privacy is mentioned users feel less comfortable sharing data,” co-researcher Joseph Bonneau said. “Even sites with good privacy feel that they can’t promote it, so users have no idea of what they’re getting.”

The researchers only covered sites which are available in English, signing up to each using a Yahoo! Email account and the pseudonym “Upton Sinclair.” In each case, Bonneau and his fellow researcher, Sören Preibusch, recorded the amount of personal information that they had to hand over in order to sign up to the site and how much they were told about its privacy policy and settings in the process. They also analyzed how much they could see about the site’s existing members before they joined.

Once they were signed up, the researchers tested each site’s privacy controls against 260 criteria, examining features such as log-in arrangements and the site’s privacy policy and configuration controls.

They found what the report calls “pervasive problems,” including poor Web security practices, confusing user-interfaces, and misleading privacy policies.

All but three of the general purpose sites they examined left new profiles completely visible to at least all the other members of the site by default. As previous studies have suggested that between 80 percent and 99 percent of users never alter their privacy settings, this means that in most cases their profiles will remain visible.

The researchers also produced privacy scores for each of the networks assessed. Bebo and LinkedIn were ranked the highest for their privacy settings, while the British site Badoo earned the wooden spoon. Facebook and MySpace, frequently the targets of privacy critics, finished slightly above average. In general, the researchers found that the larger, more popular, and older sites maintained better privacy practices and adopted higher privacy standards.

The popular sites are just the tip of the iceberg,” Preibusch said. “Niche sites implement significantly less favorable privacy practices and offer fewer controls to their users to configure the sharing of personal information.”

Overall, the report also found that sites which promoted their privacy controls as a selling point tended to be those with fewer users joining the site. It suggests that this may be because the vast majority of people, while they may claim to be concerned about privacy, tend to forget about or ignore the possibility that this may be jeopardized when offered an attractive social networking service.

Since the sites depend on acquiring as many users as possible, the researchers argue that most social networks opt to set up long and complicated privacy measures which, in most cases, it is difficult to access or even find. At the same time, they show off how many users they have and how easy it is to make friends, or share photos, videos and music — all features which it would be harder to sell with stricter privacy controls.

The privacy policies remain in place, the researchers suggest, to placate a vocal minority of “privacy fundamentalists,” who might otherwise expose the lack of policy to the wider majority, prompting a discussion which, through its very existence alone, might dissuade prospective new members from joining.

The report calls for an “opt-out” approach to privacy, in which users’ details are kept private until otherwise stated. It also calls for stronger across-the-board regulation, and suggests that sites could offer “premium” membership schemes which allow users to handle their privacy settings in greater detail if they so wish, a scheme known as “privacy negotiations.”

The full report along with the original dataset can be downloaded here.