A generation is growing up with social networking web sites such as Facebook and MySpace, casually posting accounts of their lives for their friends — and the world — to see. Few of these users realize that the information they post, when combined with new technologies for gathering and compiling data, can create a fingerprint-like pattern of behavior. The information provides opportunities not only for legitimate business purposes, but also for the nefarious aims of identity thieves and other predators, according to faculty at Wharton and elsewhere.
“The way privacy has traditionally been defined is being challenged,” according to Wharton legal studies professor Andrea Matwyshyn, who earlier this year organized the Information Security Best Practices Conference at Wharton. Among other topics, the conference addressed security and safety issues raised by the social networks.
Research on online social networking and how it may alter privacy norms is just beginning, according to technology observers. “Our kids today will give everything [in terms of personal information] away, but it’s not at all clear how this will shake out in the long run,” says Wharton marketing professor Peter S. Fader. “Privacy is a moving target.”
Researchers say that privacy thresholds vary by individual and that those boundaries are being tested by social networking. It is hard, they say, to pinpoint the exact impact of social networking on the web. However, it is clear that individuals are increasingly using these sites to keep in touch with friends, find jobs and enhance their careers. Social networking sites drew 139.8 million visitors in April, a 12% increase from 124.4 million in March, according to comScore, a service that measures web traffic. The April survey found that MySpace led the category with 71 million visitors, while Facebook attracted 67.5 million, and Twitter drew 17 million — an 83% increase.
Mining the Data
Lance Hoffman, a George Washington University computer science professor who spoke at the Wharton conference, noted that by giving up such information as their name, birth date, and a list of their network of friends, users are revealing far more than they know. Third-party applications, he argued, can take that data outside of the friendly confines of a social networking site and combine it with data from other sources to piece together enough information to steal a person’s identity. Just a person’s name and birth date — routinely found on a Facebook profile — can be a useful lever for an identity thief, said Hoffman.
“I’ve had students who used third-party applications that took friends of friends and used facial recognition to identify them,” explains Hoffman. “They didn’t know what to do with the information, but someone else might. What happens when the collecting of this information is automated?”
At the conference, Hoffman illustrated how social connections are made online and the ease with which a stranger can become part of a network. He noted that he is regularly added to mailing lists and invited to become a friend — or “friended” in the social network parlance — of businesses that use the sites as a marketing tool. Indeed, pages used by businesses on Facebook were recently redesigned to look more like those of individuals.
In addition, the line between professional networking on a site such as LinkedIn, and social networking on sites such as Facebook, “has become very thin,” said Hoffman. Many Facebook users might create a more casual persona for themselves on that site than they would on LinkedIn, where they would include nothing but professional information. But both sites can be seen by potential employers and clients — and complications can ensue. One such complication: When a business contact from the LinkedIn world wants to become your friend on Facebook, do you accept the invitation, giving them access to the photos on your Facebook profile from last summer’s rowdy beach party?
And what about the person you don’t really know who wants to be your friend because you have some friends in common? According to Hoffman, that new friend may just be mining your social circle for information. As networks grow and more friends of friends (and their friends) are accepted by users, it’s unclear who can be trusted.
Ultimately, social networking security rests with each user of the service (those friend invitations can always be declined). Hoffman recommended that social network denizens know the privacy policies — governing, among other things, how the information you provide can be used — of the sites they frequent.
At the same time, Hoffman said, web site operators need to make privacy policies easier to understand. “Privacy policies differ in theory and practice. In theory, consumers know about a site’s privacy policy and trust the network. The reality is that no one reads the policies. I don’t read them myself.” Hoffman cited Facebook’s privacy policy — which promises that users have control over their data and what information is shared — as typically murky. (The most recent version is more than 3,700 words — more than twice as long as this article.) Hoffman advocates new formats for privacy policies that act as simplified “nutrition labels,” like those on food products.
Private Here, Not There
Research conducted by Alessandro Acquisti, a Carnegie Mellon University professor of public policy and management who also spoke at the conference, has found that individuals’ notions of privacy are malleable depending on the context of an interaction. According to Acquisti, people are more likely to divulge key personal information — their photo, birthday, hometown, address and phone number — on social networking sites than they would on other web sites. His 2005 study highlighted privacy concerns such as online and physical stalking.
“People [say] privacy [is] important to them, yet they engage in behaviors that indicate a remarkable lack of concern,” Acquisti told the conference participants. “Privacy decision making and valuations are malleable,” but it’s unclear what factors lead to more disclosure. One of those factors might be a “herding effect,” he said. In one study, Acquisti found that that people will divulge information when they see others doing so. That tendency, he believes, may explain why so many people are willing to dish out personal information on the networks.
Information gleaned from such sites is useful not only to identity thieves, but to marketers and other legitimate business interests. Sometimes, the information can be used to find thieves, according to research co-authored by Shawndra Hill, a Wharton professor of operations and information management, and AT&T researchers Deepak K. Agarwal, Robert Bell and Chris Volinsky. Hill says a person’s pattern of behavior on various networks can reveal tell-tale signatures, similar to fingerprints — or perhaps “friendprints” — that can be used to solve a wide range of business challenges, from targeted marketing and advertising to fraud detection.
The study, titled “Building an Effective Representation for Dynamic Networks,” originated as an approach to fraud in the telecommunications industry. The authors were interested in the problem of identifying phone service subscribers who repeatedly default on their bills by signing up for service under an alias. The problem is not new. However, the focus of the paper was to show how to clearly identify a customer’s social network signature and match it to signatures created by customers who had previously defaulted. “Repetitive defaulters may be identified despite their aliases over time by their ‘social network signature,'” according to the paper.
“In other words, consumers are who they call, e-mail or IM,” says Hill. “Though it is not difficult to sign up under an alias, it is extraordinarily difficult to change one’s friends and family.” Large telecommunications firms, Internet providers and social networking sites such as MySpace and Facebook may have rich sets of data in which social network signatures can be identified. Hill says the technique is still being perfected; its accuracy rate is currently about 95%.
Still, the security and privacy questions pose tricky issues for marketers, who have been looking for successful social network advertising models. According to research firm eMarketer, spending on such advertising will be about $1.29 billion this year, up from a projected $1.17 billion in 2008. MySpace garners half of the revenue pie. Social network advertising is only a small slice of the projected $25.7 billion that will be spent on online ads in 2009, according to eMarketer.
Wharton marketing professor Eric T. Bradlow says the Holy Grail for marketers is to track consumers and their friends — and what they say about a product — via social networks. “People are more willing to divulge information for social purposes, and the lead users are 18 to 25 years old,” Bradlow notes. “The social norms around privacy aren’t going to be what they were before.”
But just as Acquisti noted, acceptable social norms will be subject to context. “Let’s imagine that a credit card company had the information you put on Facebook,” Bradlow says. “You’d be appalled. It’s context. People want to say when and where data is shared.”