On Thursday last week I spoke at the SCL Policy Forum during the “Social Data” session – my talk was about privacy, social media, young people, social norms, regulation and all that kind of thing. Below is a rough transcript of what I said (including links to references etc):
The reference in the title of this presentation to “Getting over it” comes from a now infamous quote by the then CEO of Sun Microsystems, Scott McNealy, who’s reported to have said in an interview in 1999: “You have zero privacy. Get over it!”. When McNealy said that, I was 19 years old. Mark Zuckerberg was only 15 years old and 5 years away from launching Facebook in 2004.
11 years after that McNealy interview, Mark Zuckerberg was interviewed himself in 2010 and he said the following:
“People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people… that social norm is just something that has evolved over time.”
That quote of his has also become quite famous and led to a flurry of media attention about Facebook’s attitude to privacy. In that same interview, Mark Zuckerberg went on to say:
“We [Facebook] view it as our role in the system to constantly be innovating and updating what our system is to reflect what the current social norms are”.
It’s this last sentence of his that I think is particularly interesting because it raises various questions about whether it’s social media which drives the development of social norms relating to privacy, or whether the opposite’s the case, and it’s social norms which drive the direction of social media. In reality, we see a symbiotic relationship whereby they influence and are influenced by each other as well as various other factors which I’ll come onto.
By “social norms”, I’m talking about group-held beliefs or societal conventions which specify how individuals should behave in a given context. As a result they create certain expectations regarding that behaviour. Those expectations become significant from a policy or a regulatory perspective when they get used as the basis for legal tests. A relevant one in this case being the “reasonable expectation of privacy” which the English courts have used as a test in the various Article 8 cases around the “misuse of private information”.
Privacy, however, is a nebulous concept. It’s very difficult to pin down an accepted definition. In the late 19th century, the US lawyers Warren and Brandeis came up with their often quoted description of privacy as the “right to be let alone”. In Europe, Article 8 of the ECHR talks about privacy in terms of a right to respect for private and family life, home and correspondence.
So there are various aspects to privacy and they’re protected in different ways. There’s privacy relating to your property, relating to you physically, relating to your communications, and finally there’s “informational” privacy regarding information which relates to you. In this case I’m broadly focusing on informational privacy and its relationship with social media. Of course one of the ways that relationship is regulated is through data protection law which, as we all know, provides rights to data subjects and imposes obligations on data controllers in the context of the automated processing of personal data.
So what’s so special about social media? One of the things people use social media for is to fulfil the same role as a physical social space. So in the same way as people use a cafe to meet up, socialise and communicate, social media acts as an online social space where users socialise and interact. However, whilst these online social spaces may be used for the same purpose as physical social spaces, there are various fundamental differences which affect certain social norms relating to privacy and create certain risks. These are well documented so I won’t go into much detail.
For example, we all know that when you say something in a physical social space, your words remain only in the memory of the person you spoke to. In online social spaces your words stay there. That continuity becomes problematic from a privacy perspective if you say something you might regret later. Particularly if it’s discovered by, say, a university you’re applying to or an employer you’re interviewing with.
That risk is exacerbated by the fact that anything you say can be so easily copied, altered and re-published on a global scale. The potential exposure increases further because online social spaces allow us to be indexed and easily found.
There’s also the issue of audiences. In physical spaces, you can generally see who’s within earshot and so who can hear what you’re saying. In online social spaces, the potential audience for your communications is invisible and potentially vast, and includes the proprietor of the online social space who’s business model is likely to be predicated on you sharing information publicly.
Whilst users of social media may attempt to control this audience with, for example, a selected “friend list” on Facebook, this can create what’s been referred to as the “illusion of intimacy” because the notion of “friends” in an online social space may differ significantly from friendship in a physical social space.
Differing social pressures can also lead to an audience in an online social space taking a different form to that of a physical social space. For example, there aren’t yet well established social conventions regarding the acceptability of rejecting or accepting friend requests on Facebook – so the pressure a user may feel to accept a friend request could lead to a broader audience and the sharing of information with people who aren’t in fact your friends.
A key issue here is that in physical social spaces there are various well established physical social conventions people use as a tool to indicate the degree of privacy or publicity they expect to apply to a particular communication. The volume or tone of my voice for example, or my facial expression, or my body language. The difference with an online social space is that none of these physical social conventions are possible and as a result, in the absence of substitute tools to indicate the user’s intention, communications can end up being more “public” than the user wants or expects.
One of the things the regulatory regime seems to have been trying to do, with varying degrees of success, is place an obligation on the proprietor of an online social space to build functionality which provides equivalent tools to users as a substitute for those missing physical social conventions.
However, there’s an inherent tension in the ease with which that can be done for various reasons. Not only because the service provider’s business model is likely to prefer the public sharing of information, but also because, firstly it puts the onus on the consumer to learn, understand and use those tools, and secondly physical social conventions are nuanced and complex and the effectiveness with which they can be simulated online in a natural way is very difficult.
Before I look at some of these issues further, I want to look at it from a user perspective. It’s particularly interesting when you look at younger social media users. That’s because through the use of social media, I’d suggest that young people understand and value their privacy in a different way to when their parents were young (and social media didn’t exist). There’s evidence of this when you look at young people’s motivations for using social media.
A recurrent theme in relation to privacy is “control”. Some interesting studies conducted by the US Researcher danah boyd [sic] have found that whilst adults think of their “home” as private, it’s a different experience for young people who live at home because they don’t exercise the same control over their personal space as their parents do. Young people may not feel they can control who comes into their house or their room for example. As a result online social spaces, where the young person feels he/she has more control, can feel more “private” than their home. So the increased sharing of information online by young people doesn’t necessarily indicate a disinterest in privacy but rather a search for privacy elsewhere.
A particularly well known piece of ongoing research into young people’s use of social media and their attitudes towards privacy is the research by the Pew and Berkman Centers at Harvard University. In May this year, they published a report in which they found that whilst young people are certainly sharing more personal information on their profiles than in the past, they’re still mindful of their privacy.
Interestingly, the focus groups in that study showed that many of the teens had waning enthusiasm for Facebook because they disliked the increasing adult presence and the excessive sharing by other users but they keep using it because it’s such an important part of their social life – so again it’s not that they don’t care about their privacy, it’s that they feel they need to stay on Facebook in order not to miss out, so the perceived social cost of not being on Facebook outweighs their desire for privacy.
Using Facebook as an example, 60% of teens in the study kept their profiles private. What they refer to as “friend curation” was also an important part of the interviewed teens’ perceived privacy management. For example 74% of them had deleted people from their network or friends list.
A particularly interesting aspect of the study was that it showed that many teen social media users acknowledged that their communications on social media were public and as a result exchanged coded messages that only certain of their friends would understand as a way of creating a different sort of privacy.
It’s easy to keep the focus on Facebook because of its dominance and talks about social media often group all the different services together under the heading “social media”. However it’s important to take other sites and services into consideration and the different meanings that privacy has in relation to them because of their perception, functionality and models.
For example, in the Harvard study (referred to above), while those teens with Facebook profiles most often choose private settings, Twitter users, by contrast, were much more likely to have a public account. The fact that people use Twitter to broadcast their tweets to as many followers as possible means that different expectations relating to privacy may arise compared to, say, updates on Facebook which users may anticipate only sharing with their “friends”.
Different social media services provide people with the opportunity to present different personas or to share different aspects of their identities. What someone chooses to share on Facebook, may be different to what they share on Twitter and different still to what they share on LinkedIn. There’s also the issue of different devices and how social media usage varies on PCs, tablets and of course mobiles – but that’s a whole other talk in itself.
So whilst we have all these different conventions evolving on social media, what role can, should or does regulation play in all of this? I said earlier that one of the things the regulatory regime seems to have been trying to do is place an obligation on service providers to build functionality as a substitute for certain missing physical social conventions. I think the Irish Data Protection Commissioner’s audit of Facebook at the end of 2011 was a good example of this. As part of that audit Facebook’s privacy settings and functionality were examined in great detail and various recommendations were made.
However, as I also said earlier, physical social conventions are nuanced and complex and aside from the fact that a service provider’s business model will prefer the public sharing of information, it’s a massive challenge for an online service to try to emulate the sophistication and nuances of our physical social conventions in a way that consumers will understand and be inclined to use.
As a result, a tension’s created whereby Facebook’s privacy settings got increasingly more complex as they were pressurised to provide more options to users to mirror the granularity with which people understand the privacy of their communications in the physical world. Of course, the more complex the privacy settings get, the more the object’s defeated because the less users understand their options – so the privacy settings then have to become simpler. But of course, when you start to simplify the privacy settings, you then lose the sophisticated and granular way in which people attach different levels of privacy to each of their communications depending on the audience and the context etc.
I think that technology can make progress in resolving that tension, whereby the increasing sophistication of technology allows all the complexities and nuances of physical social conventions to be more naturally and intuitively mapped to social media. However, I think that leads to some important questions that I’d like to leave you with.
Firstly, what should the goal of regulating social media be? Do we actually need regulation to oblige service providers to try to map offline social conventions to the online world or should we just accept that they are fundamentally different?
Also, in this context, who should we actually be trying to regulate? Is it the platform or the users? If it’s the users, do we actually need more regulation? What’s the risk here? Perhaps there may already be sufficient protection from existing laws such as defamation, confidentiality or intellectual property?