EINS - D5.1.1: Overview of Online Privacy, Reputation, Trust, and Identity Mechanisms

This deliverable provides an overview of the many issues and concerns pertaining to the privacy of users' online personal information, online identity formation, and online trust and reputation mechanisms. The deliverable examines privacy issues as they affect many different internet applications, but particular attention is given to Online Social Networks (OSNs), one the most popular and fastest growing technologies. This deliverable provides insights and lessons not only for understanding online privacy, trust, reputation, and identity issues but also for the development of a holistic Internet science view of privacy. The security and privacy of users' personal information online are affected by the following factors: ? technical, including privacy standards and security settings for different devices and platforms; ? social, including how people use online spaces to create and experiment with their identity formation, and who they perceive to be their audience; ? policy regulations regarding privacy,data sharing, and the availability of government data and for research purposes. Online services are increasingly gaining importance within the everyday lives of people all over the world. Many people, including children and young people, interact with these technologies intensively, and over a prolonged period of time. Moreover, social media and networking platforms allow developers to create particular applications for these platforms. Such large-scale and continuous interactions across online services and applications produce vast quantities of online data that can be combined to produce ever more detailed profiles. These developments have great potential for market research and service innovation, but also raise a host of privacy issues, including: user profiling, third-party data abuse, development and widespread adoption of privacy-invasive social discovery mobile apps, potential privacy threats to minors, and the collapse of a clear distinction between public and private contexts while sharing information online, particularly on mobile devices using location-based features. This deliverable is divided into three sections: privacy and design (technological issues), privacy and behavior/conduct (social behavior issues), and privacy and policy (policy and regulation issues). Section 2, privacy and design, provides an overview of existing privacy, security and encryption methods. Two important conclusions emerge from this section: First, it is difficult for many users to understand the intricacies of data collection, storage, processing, and deletion in the devices and applications they use. These are explicated within the Terms & Conditions and privacy policies of online services, but are often lengthy and ridden with technical and legal jargon. As a means to gather user consent, these are ineffective and thus illegitimate. Moreover, data sharing agreements between online and offline companies raise further privacy concerns owing to the merging of online and offline data into granular user profiles. These agreements are hardly visible to users, as options for opting-out of such data collaborations are not even presented on parent sites of online services. Second, the use of specific location-based services in conjunction with data from other OSNs, in the 21/01/2013 FP7-288021 - ©The EINS Consortium Page 5 of 102 ? Overview of Online Privacy, Reputation, Trust, and Identity Mechanisms ?form of social discovery mobile apps, can lead to privacy-invasive applications of social media, OSN, and mobile data. The combination of personal sensitive mobile information, OSN data, and geolocation tagging on such devices can raise significant user privacy issues and concerns. When users consent to sharing information on two separate online platforms, they do not explicitly consent to these discrete pieces of information being combined. Thus we find that although a number of industry standards and technologies provide users with the means to monitor, regulate, and restrict the flow of their online personal information, much work still needs to be done in order to address and minimize online user privacy issues and concerns. Further investigation into online data gathering, retention, and processing mechanisms as well as into potential uses of location-based data can provide further clarity regarding online user privacy. Privacy and behavior/conduct are the focus of section 3. Each person interacts with and uses online services and applications differently. Some users use online social media and networking services in order to develop and maintain a particular online identity, others use them simply as tools for communicating with colleagues, friends and family online. Users vary in the extent to which they are aware both of privacy-threatening uses of social media and the means available to them to prevent privacy breaches. This also raises challenges for the industry, as can be seen in its inability to accurately translate social, behavioral and privacy norms and conduct into technological options and features. Section 3 also pays attention to the specific needs and problems faced by children and young people when using social media and networking services. The widespread belief that young users do not care about their own online privacy is incorrect. Research has shown that young users are as concerned about their online privacy as adult users are. Nonetheless, young users often find it difficult to comprehend the online privacy policies and regulations (sometimes ignoring such policies altogether), making them vulnerable to online privacy breaches. Section 4, privacy and policy, examines the ways in which governments are responding to the challenges raised by the creation and sharing of data online. Government agencies have to audit and regulate industry standards, mechanisms, and technological tools that are used for collecting, storing, and processing online user information. Policy makers face many technological and managerial challenges, ranging from the difficulty of incorporating privacy by design across web services and applications to managing independent/unregulated technology development processes. Countries and regions deal with user privacy issues and concerns differently. EU member states follow a detailed and comprehensive data use and privacy policy, largely shaped by the 1995 EU Directive on the protection and movement of user data, whereas the USA has a much more fragmented approach towards user privacy. However, data on the internet is not bound by political boundaries, making its regulation even more difficult. Furthermore, some sharing of data is legitimate for law enforcement and commerce. Balancing these legitimate needs with those of individual privacy remains a technical and policy challenge. Section 5 summarizes the main conclusions and provides the following suggestions for future research about privacy in relation to design, behavior/conduct, and policy.