Privacyin online social networks:

Software agents and beyond

Bettina BerendtDept. Computer Science

KU Leuvenhttp://people.cs.kuleuven.be/~bettina.berendt/

Who am I ?

Privacy,Discrimination

You can sell your privacy, but you can”t buy it back.

?

Meet Kris (1)

• Kris weighs 120 kilos.

• Kris wants to lead a “normal online life”.

Meet Kris (2)Does Kris want others to know about his/her weight?a)In an online dating site?1.Kris wants to buy a pair of trousers.•Does Kris want the salesperson to know about his/her weight?•(analogously: diet plan / doctor)2.The shop/doctor wants to sell patients information to health insurance companies.•Does Kris want this?a)The insurance company asks a premium for risk factors.b)The insurance company cannot act on weight information.

Privacy is about ...Confidentiality.Context.

Confidentiality? Information – value!

Confidentiality? Purpose specification, notification … control!

Knowledge? Consequences!

Meet Kris (2)Does Kris want others to know about his/her weight?a)In an online dating site?1.Kris wants to buy a pair of trousers.•Does Kris want the salesperson to know about his/her weight?•(analogously: diet plan / doctor)2.The shop/doctor wants to sell patients information to health insurance companies.•Does Kris want this?a)The insurance company asks a premium for risk factors.b)The insurance company cannot act on weight information.

Privacy is about ...Confidentiality.Context.

Confidentiality? Information – value!

Confidentiality? Purpose specification, notification … control!

Knowledge? Consequences!

Meet Kris (2)Does Kris want others to know about his/her weight?a)In an online dating site?1.Kris wants to buy a pair of trousers.•Does Kris want the salesperson to know about his/her weight?•(analogously: diet plan / doctor)2.The shop/doctor wants to sell patients information to health insurance companies.•Does Kris want this?a)The insurance company asks a premium for risk factors.b)The insurance company cannot act on weight information.

Privacy is about ...Confidentiality.Context.

Confidentiality? Information – value!

Confidentiality? Purpose specification, notification … control!

Knowledge? Consequences!

Meet Kris (2)Does Kris want others to know about his/her weight?a)In an online dating site?1.Kris wants to buy a pair of trousers.•Does Kris want the salesperson to know about his/her weight?•(analogously: diet plan / doctor)2.The shop/doctor wants to sell patients information to health insurance companies.•Does Kris want this?a)The insurance company asks a premium for risk factors.b)The insurance company cannot act on weight information.

Privacy is about ...Confidentiality.Context.

Confidentiality? Information – value!

Confidentiality? Purpose specification, notification … control!

Knowledge? Consequences!

Meet Kris (2)Does Kris want others to know about his/her weight?a)In an online dating site?1.Kris wants to buy a pair of trousers.•Does Kris want the salesperson to know about his/her weight?•(analogously: diet plan / doctor)2.The shop/doctor wants to sell patients information to health insurance companies.•Does Kris want this?a)The insurance company asks a premium for risk factors.b)The insurance company cannot act on weight information.

Privacy is about ...Confidentiality.Context.

Confidentiality? Information – value!

Confidentiality? Purpose specification, notification … control!

Knowledge? Consequences!

Meet Kris (2)Does Kris want others to know about his/her weight?a)In an online dating site?1.Kris wants to buy a pair of trousers.•Does Kris want the salesperson to know about his/her weight?•(analogously: diet plan / doctor)2.The shop/doctor wants to sell patients information to health insurance companies.•Does Kris want this?a)The insurance company asks a premium for risk factors.b)The insurance company cannot act on weight information.

Privacy is about ...Confidentiality.Context.

Confidentiality? Information – value!

Confidentiality? Purpose specification, notification … control!

Knowledge? Consequences!

Meet Kris (2)Does Kris want others to know about his/her weight?a)In an online dating site?1.Kris wants to buy a pair of trousers.•Does Kris want the salesperson to know about his/her weight?•(analogously: diet plan / doctor)2.The shop/doctor wants to sell patients information to health insurance companies.•Does Kris want this?a)The insurance company asks a premium for risk factors.b)The insurance company cannot act on weight information.

Privacy is about ...Confidentiality.Context.

Confidentiality? Information – value!

Confidentiality? Purpose specification, notification … control!

Knowledge? Consequences!

Meet Kris (2)Does Kris want others to know about his/her weight?a)In an online dating site?1.Kris wants to buy a pair of trousers.•Does Kris want the salesperson to know about his/her weight?•(analogously: diet plan / doctor)2.The shop/doctor wants to sell patients information to health insurance companies.•Does Kris want this?a)The insurance company asks a premium for risk factors.b)The insurance company cannot act on weight information.

Privacy is about ...Confidentiality.Context.

Confidentiality? Information – value!

Confidentiality? Purpose specification, notification … control!

Knowledge? Consequences!

Meet Kris (2)Does Kris want others to know about his/her weight?a)In an online dating site?1.Kris wants to buy a pair of trousers.•Does Kris want the salesperson to know about his/her weight?•(analogously: diet plan / doctor)2.The shop/doctor wants to sell patients information to health insurance companies.•Does Kris want this?a)The insurance company asks a premium for risk factors.b)The insurance company cannot act on weight information.

Privacy is about ...Confidentiality.Context.

Confidentiality? Information – value!

Confidentiality? Purpose specification, notification … control!

Knowledge? Consequences!

Meet Kris (2)Does Kris want others to know about his/her weight?a)In an online dating site?1.Kris wants to buy a pair of trousers.•Does Kris want the salesperson to know about his/her weight?•(analogously: diet plan / doctor)2.The shop/doctor wants to sell patients information to health insurance companies.•Does Kris want this?a)The insurance company asks a premium for risk factors.b)The insurance company cannot act on weight information.

Privacy is about ...Confidentiality.Context.

Confidentiality? Information – value!

Confidentiality? Purpose specification, notification … control!

Knowledge? Consequences!

Meet Kris (2)Does Kris want others to know about his/her weight?a)In an online dating site?1.Kris wants to buy a pair of trousers.•Does Kris want the salesperson to know about his/her weight?•(analogously: diet plan / doctor)2.The shop/doctor wants to sell patients information to health insurance companies.•Does Kris want this?a)The insurance company asks a premium for risk factors.b)The insurance company cannot act on weight information.

Privacy is about ...Confidentiality.Context.

Confidentiality? Information – value!

Confidentiality? Purpose specification, notification … control!

Knowledge? Consequences!

Meet Kris (2)Does Kris want others to know about his/her weight?a)In an online dating site?1.Kris wants to buy a pair of trousers.•Does Kris want the salesperson to know about his/her weight?•(analogously: diet plan / doctor)2.The shop/doctor wants to sell patients information to health insurance companies.•Does Kris want this?a)The insurance company asks a premium for risk factors.b)The insurance company cannot act on weight information.

Privacy is about ...Confidentiality.Context.

Confidentiality? Information – value!

Confidentiality? Purpose specification, notification … control!

Knowledge? Consequences!

Meet Kris (2)Does Kris want others to know about his/her weight?a)In an online dating site?1.Kris wants to buy a pair of trousers.•Does Kris want the salesperson to know about his/her weight?•(analogously: diet plan / doctor)2.The shop/doctor wants to sell patients information to health insurance companies.•Does Kris want this?a)The insurance company asks a premium for risk factors.b)The insurance company cannot act on weight information.

Privacy is about ...Confidentiality.Context.

Confidentiality? Information – value!

Confidentiality? Purpose specification, notification … control!

Knowledge? Consequences!

Meet Kris (2)Does Kris want others to know about his/her weight?a)In an online dating site?1.Kris wants to buy a pair of trousers.•Does Kris want the salesperson to know about his/her weight?•(analogously: diet plan / doctor)2.The shop/doctor wants to sell patients information to health insurance companies.•Does Kris want this?a)The insurance company asks a premium for risk factors.b)The insurance company cannot act on weight information.

Privacy is about ...Confidentiality.Context.

Confidentiality? Information – value!

Confidentiality? Purpose specification, notification … control!

Knowledge? Consequences!

Meet Kris (2)Does Kris want others to know about his/her weight?a)In an online dating site?1.Kris wants to buy a pair of trousers.•Does Kris want the salesperson to know about his/her weight?•(analogously: diet plan / doctor)2.The shop/doctor wants to sell patients information to health insurance companies.•Does Kris want this?a)The insurance company asks a premium for risk factors.b)The insurance company cannot act on weight information.

Privacy is about ...Confidentiality.Context.

Confidentiality? Information – value!

Confidentiality? Purpose specification, notification … control!

Knowledge? Consequences!

…

Meet Kris (3)3. Kris has a traffic accident and is

unconscious. Normally, the paramedics come with a stretcher that can carry up to 100 kilos. Time loss could be deadly.

• Would Kris want the doctor to inform the paramedics of his/her weight?

4. Kris wants to join / open a group on the SNS, the HeavyweightDaters.

• Does Kris want others to know about his/her weight?

5. Kris” teenage child Kim is (a) also overweight and (b) on Facebook.

• What advice does Kris give to Kim?

Privacy is about … (contd.)

Control? Trust! (and Consequences)

Hiding? Identity-building, which includes strategic revelations!

…

Meet Kris (3)3. Kris has a traffic accident and is

unconscious. Normally, the paramedics come with a stretcher that can carry up to 100 kilos. Time loss could be deadly.

• Would Kris want the doctor to inform the paramedics of his/her weight?

4. Kris wants to join / open a group on the SNS, the HeavyweightDaters.

• Does Kris want others to know about his/her weight?

5. Kris” teenage child Kim is (a) also overweight and (b) on Facebook.

• What advice does Kris give to Kim?

Privacy is about … (contd.)

Control? Trust! (and Consequences)

Hiding? Identity-building, which includes strategic revelations!

…

Meet Kris (3)3. Kris has a traffic accident and is

unconscious. Normally, the paramedics come with a stretcher that can carry up to 100 kilos. Time loss could be deadly.

• Would Kris want the doctor to inform the paramedics of his/her weight?

4. Kris wants to join / open a group on the SNS, the HeavyweightDaters.

• Does Kris want others to know about his/her weight?

5. Kris” teenage child Kim is (a) also overweight and (b) on Facebook.

• What advice does Kris give to Kim?

Privacy is about … (contd.)

Control? Trust! (and Consequences)

Hiding? Identity-building, which includes strategic revelations!

…

Meet Kris (3)3. Kris has a traffic accident and is

unconscious. Normally, the paramedics come with a stretcher that can carry up to 100 kilos. Time loss could be deadly.

• Would Kris want the doctor to inform the paramedics of his/her weight?

4. Kris wants to join / open a group on the SNS, the HeavyweightDaters.

• Does Kris want others to know about his/her weight?

5. Kris” teenage child Kim is (a) also overweight and (b) on Facebook.

• What advice does Kris give to Kim?

Privacy is about … (contd.)

Control? Trust! (and Consequences)

Hiding? Identity-building, which includes strategic revelations!

…

Meet Kris (3)3. Kris has a traffic accident and is

unconscious. Normally, the paramedics come with a stretcher that can carry up to 100 kilos. Time loss could be deadly.

• Would Kris want the doctor to inform the paramedics of his/her weight?

4. Kris wants to join / open a group on the SNS, the HeavyweightDaters.

• Does Kris want others to know about his/her weight?

5. Kris” teenage child Kim is (a) also overweight and (b) on Facebook.

• What advice does Kris give to Kim?

Privacy is about … (contd.)

Control? Trust! (and Consequences)

Hiding? Identity-building, which includes strategic revelations!

…

Meet Kris (3)3. Kris has a traffic accident and is

unconscious. Normally, the paramedics come with a stretcher that can carry up to 100 kilos. Time loss could be deadly.

• Would Kris want the doctor to inform the paramedics of his/her weight?

4. Kris wants to join / open a group on the SNS, the HeavyweightDaters.

• Does Kris want others to know about his/her weight?

5. Kris” teenage child Kim is (a) also overweight and (b) on Facebook.

• What advice does Kris give to Kim?

Privacy is about … (contd.)

Control? Trust! (and Consequences)

Hiding? Identity-building, which includes strategic revelations!

…

Meet Kris (3)3. Kris has a traffic accident and is

unconscious. Normally, the paramedics come with a stretcher that can carry up to 100 kilos. Time loss could be deadly.

• Would Kris want the doctor to inform the paramedics of his/her weight?

4. Kris wants to join / open a group on the SNS, the HeavyweightDaters.

• Does Kris want others to know about his/her weight?

5. Kris” teenage child Kim is (a) also overweight and (b) on Facebook.

• What advice does Kris give to Kim?

Privacy is about … (contd.)

Control? Trust! (and Consequences)

Hiding? Identity-building, which includes strategic revelations!

…

Meet Kris (3)3. Kris has a traffic accident and is

unconscious. Normally, the paramedics come with a stretcher that can carry up to 100 kilos. Time loss could be deadly.

• Would Kris want the doctor to inform the paramedics of his/her weight?

4. Kris wants to join / open a group on the SNS, the HeavyweightDaters.

• Does Kris want others to know about his/her weight?

5. Kris” teenage child Kim is (a) also overweight and (b) on Facebook.

• What advice does Kris give to Kim?

Privacy is about … (contd.)

Control? Trust! (and Consequences)

Hiding? Identity-building, which includes strategic revelations!

…

Meet Kris (3)3. Kris has a traffic accident and is

unconscious. Normally, the paramedics come with a stretcher that can carry up to 100 kilos. Time loss could be deadly.

• Would Kris want the doctor to inform the paramedics of his/her weight?

4. Kris wants to join / open a group on the SNS, the HeavyweightDaters.

• Does Kris want others to know about his/her weight?

5. Kris” teenage child Kim is (a) also overweight and (b) on Facebook.

• What advice does Kris give to Kim?

Privacy is about … (contd.)

Control? Trust! (and Consequences)

Hiding? Identity-building, which includes strategic revelations!

…

Meet Kris (3)3. Kris has a traffic accident and is

unconscious. Normally, the paramedics come with a stretcher that can carry up to 100 kilos. Time loss could be deadly.

• Would Kris want the doctor to inform the paramedics of his/her weight?

4. Kris wants to join / open a group on the SNS, the HeavyweightDaters.

• Does Kris want others to know about his/her weight?

5. Kris” teenage child Kim is (a) also overweight and (b) on Facebook.

• What advice does Kris give to Kim?

Privacy is about … (contd.)

Control? Trust! (and Consequences)

Hiding? Identity-building, which includes strategic revelations!

…

Meet Kris (3)3. Kris has a traffic accident and is

unconscious. Normally, the paramedics come with a stretcher that can carry up to 100 kilos. Time loss could be deadly.

• Would Kris want the doctor to inform the paramedics of his/her weight?

4. Kris wants to join / open a group on the SNS, the HeavyweightDaters.

• Does Kris want others to know about his/her weight?

5. Kris” teenage child Kim is (a) also overweight and (b) on Facebook.

• What advice does Kris give to Kim?

Privacy is about … (contd.)

Control? Trust! (and Consequences)

Hiding? Identity-building, which includes strategic revelations!

…

Kris and metadata

Would Kris be relieved to hear that the <insert your favourite secret service name> saves only metadata?

“They know that you called the suicide help line from the Golden Gate Bridge, but they don”t know what was said.”

A multi-faceted approach

Lawallow, forbid, require, ...

A multi-faceted approach

Technologyencryption, access control,

...

Lawallow, forbid, require, ...

A multi-faceted approach

Technologyencryption, access control,

...

Lawallow, forbid, require, ...

Awarenessof problems, solutions,„what“s going on“, ...

A multi-faceted approach

Technologyencryption, access control,

...

Lawallow, forbid, require, ...

Awarenessof problems, solutions,„what“s going on“, ...

A multi-faceted approach

Technologyencryption, access control,

...

Lawallow, forbid, require, ...

Awarenessof problems, solutions,„what“s going on“, ...

Meet SPION

Tammy SchellensMartin Valcke

Ellen Vanderhoven

Ero Balsa Seda GürsesClaudia Diaz Bart Preneel

Alessandro AcquistiFred Stutzman

Jos DumortierEva Lievens

Brendan Van Alsenoy

Bettina BerendtBo GaoThomas Peetz

Dave ClarkeFrank Piessens

Rula SayafBram Lievens

Jo PiersonRalf

De Wolf

PET approaches (in SPION and elsewhere)

Feedback & awareness

PET approaches (in SPION and elsewhere)

Feedback & awareness

PET approaches (in SPION and elsewhere)

Access control

Feedback & awareness

PET approaches (in SPION and elsewhere)

Access control

Feedback & awareness

PET approaches (in SPION and elsewhere)

Access control

Crypto-graphy

Feedback & awareness

PET approaches (in SPION and elsewhere)

Access control

Crypto-graphy

PET approaches (in SPION and elsewhere)

Access control

Crypto-graphy

Feedback & awareness

SPION PETs

• Access control: Facebook and beyond• Access control and information flow: FlowFox• Cryptography: Scramble• Feedback & awareness: FreeBu

Feedback & awareness:a systems view

Bettina BerendtDept. Computer Science

KU Leuvenhttp://people.cs.kuleuven.be/~bettina.berendt/

Established wisdoms …

“Overdisclosure“ privacy problems

Tools (technological and otherwise) privacy solutions

Evaluation validation of tools

Tool types à la SPION

• Confidentiality• Control• Awareness of ...

– „I am being tracked.“– „which audiences do I have (whom I could

give access)?“ e.g., FreeBu – „when I am thinking too small about this“

A bigger picture

Environment- technology, society

Mental schema- privacy, p. problems

Behaviour- disclosure, evaluation

A bigger picture

Environment- technology, society

Mental schema- privacy, p. problems

Behaviour- disclosure, evaluation

Society, technology interpersonal boundaries disclosure

E

BS

Disclosure disclosure (over)evaluation

E

B

BUT:Evaluating something/someone along different dimensionscan lead to worse judgementsand less satisfying decisions

S

Evaluation disclosure E

BS

Evaluation privacy definitionsE

BS

[Moreno et al., 2009]

Def. of “appropriate”; Privacy is

social privacyand some chilled overdisclosure(as opposed to

instrumental privacy)

& technology

Evaluation privacy definitionsE

BS

Slashdot article on[Jentzsch, Preibusch & Harasser, 2012]

Privacy is an individually owned and

tradeable good(as opposed to

a fundamental right or a social good)

Please argue with me about• Let us not divide and conquer ourselves:

– The standard (scientific ?!) distribution of work can be a dangerous self-blinding and continued delegation of responsibility when it comes to problems like privacy.

– (Being forced to) being responsible is not only bad, but also part and parcel of being a human & a citizen.

• We need awareness (tools), but we also need to build– true private spaces– true public spaces

• “Privacy is not only about clicking Facebook.“

This talk was inspired by many …Intro quote (“I asked the audience not to tweet or blog while I was talking. Not

out of respect for me, but out of respect for themselves.“): • Lanier, J. (2010). You are Not a Gadget. A Manifesto. New York: Knopf.

http://www.jaronlanier.com/gadgetwebresources.html P.9: • Turkle, S. (2010). Alone Together. Why we Expect More from Technology

and Less from Each Other. Basic Books. http://alonetogetherbook.com/ • Altman, I. (1976). Privacy: A conceptual analysis. Environment and

Behaviour, 8(1), 7-29. P. 10: • Illouz, E. (2012). Why Love Hurts. Cambridge: Polity Press. – especially her

reading of • Wilson, T.D. & Schooler, J.W. (1991). Thinking too much: Introspection can

reduce the quality of preferences and decisions. Journal of Personality and Social Psychology, 60(2), 181-192.

• Ofir, C. & Simonson, I (2001). In search of negative customer feedback: The effect of expecting to evaluate on satisfaction and evaluation. Journal of Marketing Research, 38(2), 170-182.

Specific cited sources(these are examples of wider research areas)

P. 12:• Moreno MA, Vanderstoep A, Parks MR, Zimmerman FJ, Kurth A,

and Christakis DA. Reducing at-risk adolescents' display of risk behavior on a social networking web site: a randomized controlled pilot intervention trial. Arch Pediatr Adolesc Med, 163(1): 35-41, 2009.

P. 13:• Nicola Jentzsch, Sören Preibusch, Andreas Harasser. Study on

monetising privacy. An economic model for pricing personal information. European Network and information Security Agency (ENISA). Deliverable, February 2012. http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/monetising-privacy