For a moderate amount of time, I had been a “friend” with someone on Facebook, and we appeared to have full visibility of each others activities. Then, recently, I noticed that this person no longer appeared in my feeds or list of friends. I searched for this person on Facebook to no avail (zero results), and attempted to load this person’s Facebook profile using the custom URL, but was met with the standard error “The page you requested was not found”. This prompted me to assume that this person either (a) deactivated her/his page and left Facebook, or (b) un-friended me and tweaked the privacy settings to be essentially invisible to non friends. This didn’t bother me much, and I didn’t really think of it again.

Today, however, I noticed an update in my Ticker noting this person made a comment on some other Facebook user’s (not a friend of mine) page.  This particular action also was reported in my main News Feed. I found it quite odd that suddenly I was seeing updates from this ex-friend. I proceeded to search my friends list, and s/he wasn’t there. I searched for this person’s name, and still received no results. I tried to load this peron’s URL, and got the same error message.

However, when I clicked the user name (this person’s real name) in the status update, I was taken to her/his Facebook profile page, only it now was a different URL with a different username.** But it was my former Facebook friend: same photo, same basic info, etc. I searched the friend list, and I wasn’t there (as expected).  As far as I can tell, this person reactivated or recreated a new Facebook account, and simply decided not to friend me (fine). Yet, I’m not seeing activity from this person — this non Facebook friend — in my News Feed.

Has anyone else experienced this? Or have a possible explanation?  My only guess is that perhaps the user is using the same email address for the new account, and some code within Facebook recognizes that I used to be friends with someone using that email, therefore it is making activity visible to me. This is troublesome, of course, since people unfriend for various reasons, all with the presumption that Facebook activity will no longer be made visible to former friends.

UPDATE: I’ve now realized that this former Facebook friend and I do share one friend in common. So it is possible that her/his privacy settings allow visibility of actions to “Friends of friends”. I will investigate further….

** I should point out that the new custom username for this former Facebook friend is not, as far as I know, this person’s name. Nor does it appear to be any other version of her/his name. To compare, it would be as if I created a new Facebook account with the custom URL of /george.kerplanski. This new username — perhaps created to help obfuscate this user’s new account — appears to violate Facebook’s guidelines, which states “Your username should be as close as possible to your true name”.  I might be wrong about this, of course…

The department’s motivation was largely to ensure professionalism in how its student teachers were acting on social media: not complaining about students on Facebook, Tweeting out funny things a kid said in class, or ranting about a co-worker in a blog post.

I haven’t tried to write such a policy previously, and wanted to carefully balance these important professionalization concerns with a student’s freedom of expression. To guide me, I looked over a variety of existing policies, and came up with the following as an initial draft.

Thoughts?  (I’m particularly concerned about my initial suggestion that students not create blogs to provide commentary on their experiences)

Professionalism, Student Teaching, and Social Media

This document presents social media use guidelines and recommendations suggested for all UWM student teachers. For the purposes of this document, social media means any facility for online publication and commentary, including without limitation blogs, wiki’s, discussion forums, and social networking sites such as Facebook, LinkedIn, Twitter, Tumblr, Google+, Flickr, and YouTube. These guidelines complement – but do not replace – any existing policies regarding the use of technology, computers, e-mail and the Internet in place at UW-Milwaukee or the location of your student teaching placement.

As a student teacher, participation in social media and commenting in online media stories carries with it certain professional obligations. In your role as a student teacher, you represent UW-M with your placement institution. More importantly, you are an educator – a role model – for the students in your classroom. Your actions online should respect these professional obligations.

While all student teachers are welcome to participate in social media, we expect everyone who participates in online commentary to understand and to follow these simple but important guidelines. The goal of these guidelines is simple: to allow you to participate online in a respectful, relevant way that protects your reputation, the reputation of UW-M, respects the relationship between teachers and students, and of course follows the letter and spirit of the law.

Setting up Social Media

Social media identities, logon ID’s and user names should not reference your position as a student teacher or the school in which you are working. You should also not create blogs or social media sites for the specific purpose to provide commentary on your student teaching experience.

Don’t Tell Secrets

It’s perfectly acceptable to talk about your work and have a dialog with the community, but it’s not okay to publish confidential or sensitive information that might jeopardize the privacy of students or the overall educational environment. This includes information such as unpublished details about internal issues within a school or department, examples of student work or performance assessments, conversations had with students, conversations overheard within school, etc.

Respect your audience, your school, and your students

The public in general, and your school’s community and students, reflect a diverse set of people, values and points of view. Don’t be afraid to be yourself, but do so respectfully. This includes not only the obvious (no ethnic slurs, offensive comments, defamatory comments, personal insults, obscenity, etc.) but also proper consideration of privacy and of topics that may be considered objectionable or inflammatory – such as politics and religion. Use your best judgment and be sure to make it clear that the views and opinions expressed are yours alone and do not represent the official views of UW-M or your school.

Student Contact

It is best to not contact or interact with any students from your school through social media, such as Facebook posts/messages, Twitter, or instant messages. Official communication, when appropriate, could take place through official email. Student teachers should also refrain from “friending” or “following” any students from your school on social media.

 

It is a well-written article, quite balanced, and features myself, the T3 principle researcher Jason Kaufman, and fellow Internet research experts Alex Halavais, Fred Stutzman, and Elizabeth Buchanan (I am friends with the latter three, for disclosure). The Chronicle also tracked down a Harvard student presumably within the dataset.

For those looking, my initial blog posts (from 2008) regarding the T3 dataset are here and here, and my full treatment of the dataset release was published here:

• Zimmer, M. (2010). “‘But the data is already public’: on the ethics of research in Facebook,” Ethics & Information Technology, 12(4), 313-325

I don’t want to rehash the entire article or episode, but would like to provide a few annotations:

The article does a nice job pointing out the dual challenges of “Researchers [who] must navigate the shifting privacy standards of social networks and their users”, as well as the “the committees set up to protect research subjects—institutional review boards, or IRB’s—[who] lack experience with Web-based research.”

These are critical revelations that we cannot take lightly. There is much work to be done to ensure researchers of all disciplines and levels recognize and respond to the complexities of engaging in this kind of research online, and that IRBs are sufficiently trained to recognize issues related to Internet research ethics.

To these ends, the Association of Internet Researchers (AoIR) has published an ethics guide (now undergoing revisions) as “as at least a starting point for their inquiries and reflection”, and we’ve held various workshops on the subject. Elizabeth Buchanan and Charles Ess have spearheaded important research on the IRBs’ awareness of Internet-related concerns, and have launched the Internet Research Ethics Digital Library, Resource Center and Commons website as a valuable resource.

And, specific to the article’s mention that I have “pointed to the Harvard case in urging the federal government to do more to educate IRB’s about Web research”, I was privileged to present before the Secretary’s Advisory Committee on Human Research Protections (SACHRP), part of the Office for Human Research Protections in the United States Department of Health and Human Services (HHS). Joined by Elizabeth Buchanan, Montana Miller, and John Palfrey (of Harvard’s Berkman Center, by the way), we discussed emerging ethical issues with Internet-based research and urged the committee to take steps to ensure IRBs and researchers were suitably trained to recognize and address these important ethical issues.

In the context of this entire debate (and some of the original comments left on my blog posts), this passage from the article is quite telling:

But Mr. Kaufman talks openly about another controversial piece of his data gathering: Students were not informed of it. He discussed this with the institutional review board. Alerting students risked “frightening people unnecessarily,” he says.

“We all agreed that it was not necessary, either legally or ethically,” Mr. Kaufman says.

Frankly, I’m troubled by this statement. I will leave it to legal experts to determine if the research violated the consent requirements of the Federal Regulations for the Protection of Human Subjects (45 CFR 46), but from an ethical standpoint, I argue the researchers did have an obligation to respect the intentions of those students who might have restricted their Facebook profiles to only be visible to members of the Harvard community. The researcher’s own codebook acknowledged that the assistants used to access the profile data might have had preferential access to a profile, and that “a given student’s information should not be considered objectively ‘public’ or ‘private’”. This realization should have triggered an ethical concern over whether each students truly intended to have their profile data publicly visible and accessible for downloading.

This is the crux of the issue, and my earlier attempts to learn if and how this apparent waiver of the consent requirement was deliberated by Harvard’s IRB were unsuccessful. Perhaps now we can gain a bit more understanding of why it was deemed that consent wasn’t necessary (and I hope it was a more nuanced decision than simply avoiding “frightening people unnecessarily”).

I agree with the article’s conclusion that the “biggest victim” in this episode is academic scholarship.

The uniqueness of this dataset is of obvious value for sociologists and Internet researchers, and it wasn’t my goal to shut down this research project. It is unfortunate the researchers haven’t been able to find a suitable means of re-releasing the data, but just like the AOL search data release forced us to rethink methods of anonymization before again releasing large datasets of transaction logs, I’m hopeful that this episode can prompt meaningful consideration and debate of our understandings of privacy, anonymity/identifiability, consent, and harm when it comes to Internet-based research.

Finally, I wanted to provide a brief response to the implicit accusation made in the article that I’m a part of some kind of “academic paparazzi”.

I’m not even sure what this means. Perhaps someone thinks I spend my time trolling through other people’s research hoping to find a place where they slip up so I can have a “gotcha” moment? Hardly. I had never written on research ethics until I came across this particular case. I saw a passing mention of the data release on another scholar’s blog, and the ensuing discussion there about how the presumed anonymity of the dataset should be questioned due to its unique data variables. So I started to explore, and my discoveries followed. I’m not out to get anyone, but rather have taken quite a number of proactive steps to help researchers (both the T3 team and more broadly) address these complexities.

The complexities of research ethics and methodology in today’s Internet-based environment is complex, and I’m just starting to scratch the surface. But I don’t take this lightly; I’m a scholar, not a paparazzo.

As I conclude in my full article:

The purpose of this critical analysis of the T3 project is not to place blame or single out these researchers for condemnation, but to use it as a case study to help expose the emerging challenges of engaging in research within online social network settings. …The T3 research project might very well be ushering in ‘‘a new way of doing social science’’, but it is our responsibility scholars to ensure our research methods and processes remain rooted in long- standing ethical practices. Concerns over consent, privacy and anonymity do not disappear simply because subjects participate in online social networks; rather, they become even more important.

I hope that’s the takeaway from all this.

Richard Metzger, whose Wall the photos was removed from, has shared additional details about the incident over at BoingBoing, which illuminated possible reasons for the images removal:

On Friday afternoon, one of my fellow bloggers at Dangerous Minds, Niall O’Conghaile did a quickie cut-n-paste blog post about a “kiss-in” protest scheduled for that night in London at a pub where two young men had been asked to leave earlier in the week because they were kissing. You can read Niall’s post here. He decided to use the above photo because he felt that it was inoffensive (Some outlets have reported that this photo came from the London “kiss-in” page on Facebook, but this is not true, it was Niall’s choice and he found it on Google Images).

I posted this to my own Facebook wall as a matter of course. I put up all of the Dangerous Minds content on my wall. Sometime mid-day is when this would have gone up.

I didn’t really pay that much attention to the matter, but before we went to sleep that night, my wife Tara McGinley, who also blogs at Dangerous Minds, mentioned that this heavy metal kinda guy “Jerry” had written a bunch of childish and homophobic things about this picture on my Facebook wall, saying that he found it “disgusting.” Predictably, a bunch of people jumped all over him and right around 10:30pm Tara noticed that “Jerry” had deleted all of his comments and vamoosed.

The next morning I woke up around 6am to find a note from Facebook waiting for me with the ominous subject “Facebook Warning” informing me that I had posted “abusive material” which they had removed.

Metzger presumes that “Jerry” reported the image/post as sexually explicit, and that set into motion some internal processes at Facebook that led to its eventual removal. (We’ll come back to this in a moment.)

Meanwhile, buried on the 6th page of comments from Metzger’s original post complaining of the photo’s removal is a comment left by “Facebook Communication, providing the following sterile message (screenshot):

Comment from Facebook: The photo in question does not violate our Statement of Rights and Responsibilities and was removed in error. We apologize for the inconvenience.

While this comment from Facebook has been lauded as a grand apology (and I, too, mistakenly thought that The Advocate had actually received an official statement from Facebook), Metzger doesn’t let them off the hook that easily:

The so-called “apology” touted by the likes of Perez Hilton, Pink News, The Advocate and even mainstream news sources like AOL, Huffington Post and Gawker, as if some kind of “victory” had been won by the LGBT community was nothing more than generic “Oopsie! We goofed” text left by a low level Facebook employee six pages in on the comments to the original Dangerous Minds post. …This supposed “apology” was nothing more than a “comment.”

…Furthermore, it’s not saying anything specifically about a gay kiss. This generic text could also refer, for example, to a photo of a breastfeeding woman that someone reported as “abusive” (their word not mine) to Facebook’s censors. Don’t break out the champagne so fast, folks.

I similarly bemoaned in my original post on the lack of any official comment, blog post, press release, or broader explanation by Facebook on how such an “error” happened, what kind of content review processes are in place, or any promise to take better care. I have heard from private, unofficial Facebook sources that “This was all a misunderstanding. None of the content was against our TOS”, but nothing else has been publicly stated on the matter.

So, where does this leave us? Even if we accept Facebook’s generic explanation as both accurate and sufficient in this instance, many unanswered questions remain. Critical questions, indeed, considering the cruel dichotomy of Facebook’s mission to “[Give] people the power to share and make the world more open and connected” and its unquestioned power to control the platform, and thus the conditions under which people are allowed to share.

Below I provide set a open questions related this incident, and I look forward to a public dialogue with Facebook to help address these issues and hopefully resolve some of these concerns.

1. What exactly happened? I think the first issue that needs resolution is an explanation of what exactly happened here. While we can’t expect Facebook to provide details of every case of content removal, this particular situation has caused significant concern — and misinformation — that it deserves specific attention. Facebook should let us know if the image was reported as offensive, and whether an employee then decided to remove it. I suspect a suitable, public explanation can be provided that won’t divulge any private or proprietary information.

2. What was the process? Assuming that the image was indeed removed by an employee (and not just some automated process), we deserve an explanation as to how that process works. Earlier versions of a help page noted that a “A Facebook administrator looks into each report thoroughly in order to decide the appropriate course of action”. The same page now indicates that “we remove reported content that violates our Statement of Rights and Responsibilities”. What internal processes exist to make these decisions? Who is authorized? What kinds of definitions and guidelines are provided to determine if something is offensive? Is it a single person who can decide, or must multiple people concur?

3. Has the help page changed? As previously noted, the screenshot of the relevant help page notes the URL string as “/help/?faq=17292″. If you visit this page now, the description has changed. Now there is no mention of a Facebook administrator, and the answer merely states “No, we remove content reported that violates our Statement of Rights and Responsibilities“. Either I’m not able to find the correct help page (and I’ve been trying), or Facebook recently changed the text. We deserve an explanation as to whether this language has been changed, and why. What is originally incorrect (that no administrator actually looks into each report), or has the process now been changed that makes that language obsolete?

4. Have any other processes changed? In general, has this incident prompted any other changes to internal processes within Facebook for dealing with reported content. What kinds of discussions have emerged in the wake of this controversy?

I hope to hear from Facebook, and will share whatever I can.

I few days ago, Facebook removed a photo of two men kissing from a user’s Wall due to an apparent violation of the site’s terms of service. Here’s the message the original poster received from Facebook:

Hello,

Content that you shared on Facebook has been removed because it violated Facebook’s Statement of Rights and Responsibilities. Shares that contain nudity, or any kind of graphic or sexually suggestive content, are not permitted on Facebook.

This message serves as a warning. Additional violations may result in the termination of your account. Please read the Statement of Rights and Responsibilities carefully and refrain from posting abusive material in the future. Thanks in advance for your understanding and cooperation.

The Facebook Team

This act of censorship has received considerable attention (some worthwhile discussions here, here, here, and here). Certainly, it is within Facebook’s right to try to control the type of content shared on its platform, and there are some social good to be gained through content filtering and censorship (i.e., you might want to censor child porn, or links to malware sites, etc).

But there are some fundamental concerns with this case, that point to a growing censorship problem within Facebook.

First, the message sent to the user indicated that “Shares that contain nudity, or any kind of graphic or sexually suggestive content, are not permitted on Facebook.” However, if you review the site’s much lauded Statement of Rights and Responsibilities, that particular language is not present. The Statement does include the directive “You will not post content that: is hateful, threatening, or pornographic; incites violence; or contains nudity or graphic or gratuitous violence” (3.7). Again, this is probably a reasonable restriction (although not completely without controversy). That said, no where in the Rights statement does it prohibit, or suggest a prohibition, on “sexually suggestive” content. It merely restricts pornography and nudity. Therefore, not only does Facebook misquote its own Statement of Rights and Responsibilities to the user when justifying the removal of content, it misapplies said Statement.

Elsewhere, in the site’s Community Standards page (and I’m not sure how Facebook has resolved the attitudes and preferences of a “community” of 600 million users into a single shared set of standards), it notes that “We have a strict “no nudity or pornography” policy. Any content that is inappropriately sexual will be removed”. Again, the photo includes neither nudity nor pornography. How it violates the community standards remains baffling.

Second, let’s assume for a moment that the Statement does include mention of “sexually suggestive” content as mentioned in the warning to the user. Does the photo in question fit that description? Two fully-clothed adult men kissing in public? (FWIW, the two men are actors, as the photos is a promotional image from a popular British soap opera.) While the image does convey emotions and affection, and perhaps might elicit arousal for some, the image is really no different from the thousands (millions?) of similar images of male-female kisses that exist on Facebook. Why this is considered “sexually suggestive” to such an extent that it mandates removal is beyond me.

Third, it appears that this removal was done by a (at least one) human being, and not by some automated process or algorithm. The original contributor provides a screencap of a description in Facebook’s help page answering the question “Does Facebook remove everything that gets reported?”. The answer provided indicates that “No. A Facebook administrator looks into each report thoroughly in order to decide the appropriate course of action…” Based on this, it appears that a human took a look at that photo, and decided it was indeed sexually suggestive or pornographic, and then removed it. I think I’d almost rather it had been an algorithm, as it is quite troubling that a Facebook admin, wielding such power, would arrive at this conclusion.

Now, interestingly, the screenshot provided of this help page notes the URL string as “/help/?faq=17292″. If you visit this page now, the description has changed. Now there is no mention of a Facebook administrator, and the answer merely states “No, we remove content reported that violates our Statement of Rights and Responsibilities“. Did Facebook just change this language in reaction to this event? I’ll try to find out.

Fourth, if we assume that a human is indeed deciding what is “sexually suggestive” and removing photos based on his/her judgement, who is this person (or team of people), and what standards are being used? I’ve already done pretty simple searches on Facebook and found plenty of images much more sexually suggestive than this one (including nudity) — and these all remain. What does “sexually suggestive” even mean? Just suggesting the existence of human sexuality in general? Does a hug with a contemporary sex symbol count? Seriously, though, while the desire to restrict nudity and pornography is reasonable, a standard of “sexually suggestive” is almost impossible to define, and apply evenly across 600 million users, each with their own sexual predilections.

Now, there are reports that Facebook has apologized and restored the image. A statement from Facebook is provided in the Advocate: “The photo in question does not violate our Statement of Rights and Responsibilities and was removed in error…We apologize for the inconvenience.” That’s it. No blog posts, press releases, or broader explanation by Facebook on how such an “error” happened, what kind of content review processes are in place, or any promise to take better care. This lack of proper communication and contrition is very disappointing, but not really surprising.

What makes this entire situation even more troubling, however, is the news that Facebook is reportedly in discussions with the Chinese government in an attempt to bring the social network to the China. And, like Google, Facebook will have to play by China’s rules to get this done. This means Facebook will need to implement a much more robust and aggressive content filtering and censorship policy to abide by China’s wishes to limit it’s citizens’ access to information (and I’m sure the Chinese government would love to have access to Facebook’s logs of user profile and usage data, especially related to dissidents, etc). Such a move would hardly be honoring Facebook’s mission to “[Give] people the power to share and make the world more open and connected”. In fact, Facebook has already noted that it is “allowing too much…free speech in countries that haven’t experienced it before”. For a company dedicated to the open flow of information, expressing concern about too much free speech is counter-intuitive and problematic.

Google has struggled with its decision to engage in censorship within China, and ultimately left (although not really in a stand against censorship). Frankly, I’m not left with heaps of confidence that Facebook will be taking the proper path when it comes to global expansion into markets where censorship is the norm. If the way they treated a simple gay kiss is any indication, this could get messy.

UPDATE: I’ve reached out to a few contacts at Facebook with the message below, specifically seeking comment on whether the FAQ page has changed in lieu of these events. I’m awaiting a reply.

Dear Facebook:

While investigating [1] the recent controversy surrounding the apparent removal of a photo of two gay men kissing, I uncovered a possible change to the content within a relevant FAQ/help page, and wanted to seek confirmation and comment.

Note in this original blog post (4-16-2011) about the controversy [2], the user posts a screenshot [3] of a help page describing how reported content gets reviewed. The answer provided indicates that “No. A Facebook administrator looks into each report thoroughly in order to decide the appropriate course of action…”, and in includes the URL string of the help page: “/help/?faq=17292″

However, if I visit that page today (4-21-2011), the text is different [4]: “No, we remove content reported that violates our Statement of Rights and Responsibilities. If a violation has occurred, then you may receive a warning or become disabled, depending on the severity of the violation.”   There is no longer any mention of a Facebook administrator looking thoroughly at each page.

This prompts a few questions:

(a) Can you confirm that there has been a change to the text in this page in recent weeks.
(b) If so, can you describe the internal discussion and process that led to this change.
(c) And finally, have any other pages, or internal processes, been changed in recent weeks due to these events.

Thank you,
Michael Zimmer

[1] http://michaelzimmer.org/2011/04/21/facebooks-censorship-problem/
[2] http://www.dangerousminds.net/comments/hey_facebook_whats_so_wrong_about_a_pic_of_two_men_kissing/
[3] http://www.dangerousminds.net/images/uploads/facebookscreenshot.jpg
[4] https://www.facebook.com/help/?faq=17292

–
Michael Zimmer, PhD
Assistant Professor, School of Information Studies
Co-Director, Center for Information Policy Research
University of Wisconsin-Milwaukee
e: zimmerm@uwm.edu
w: www.michaelzimmer.org

• Angela Maycock, assistant director, ALA Office for Intellectual Freedom
• Deborah Caldwell-Stone, deputy director, ALA Office for Intellectual Freedom
• Michael Zimmer, PhD, assistant professor, School of Information Studies at the University of Wisconsin-Milwaukee and co-director of the Center for Information Policy Research
• Ginger McCall, assistant director, Electronic Privacy Information Center’s (EPIC) Open Government Project

The webinar was recorded, and is available here.

My particular slides can be viewed below, and here are some of the resources I mentioned in my presentation:

• Pew Internet & American Life Project – Teen studies
• Youth, Privacy and Reputation (Literature Review)
• How Different are Young Adults from Older Adults When it Comes to Information Privacy Attitudes and Policies?
• Publications & presentations by danah boyd (Microsoft Research)

Twitter fought the subpoena’s accompanying gag order, and has earned a partial victory that allowed Twitter to make the order public. [Some surmise that the wording of the order -- asking for size of "data files" -- suggests the same order was made to other ISPs or online providers, but there is no evidence that anyone other than Twitter has objected.] Upon learning of her inclusion in the subpoena, Birgitta Jonsdottir, a member of Iceland’s parliament, sought the help of the EFF and  filed a motion challenging the government’s attempt to obtain the records, asking the court to vacate the order. The motion argued the government’s demand for the records violated First Amendment speech rights and Fourth Amendment privacy rights of the Twitter-account holders.

In March 2011, Judge Theresa Buchanan, in the Eastern District of Virginia, ruled against that motion, arguing that because the government was not seeking the content of the Twitter accounts in question (.pdf), the subjects did not have standing to challenge the government’s request for the records. She further argued that “because petitioners voluntarily conveyed their IP addresses to Twitter as a condition of use, they have no legitimate Fourth Amendment privacy interest.” The judge was unpersuaded by the petitioners initial suggestion that they did not read or understand Twitter’s Privacy Policy, and that any conveyance of IP addresses to Twitter was involuntary. In a footnote of the motion, she wrote quite plainly: “Internet users are bound by the terms of click-through agreements made online.”

Christopher Soghoian has posted a critical analysis of this portion of the judge’s ruling, noting that while the judge states in her order that “[b]efore creating a Twitter account, readers are notified that IP addresses are among the kinds of ‘Log Data’ that Twitter collects, transfers and manipulates,” that isn’t entirely true. Soghoian comments:

It would be far more accurate to say that before creating a Twitter account, users are presented a link to a privacy policy, which includes a statement six paragraphs down about IP address collection. Users are further told that by clicking on a button to create the account, that they acknowledge that they read the linked privacy policy, although Twitter does not actually take any steps to make sure that users clicked on the link or scrolled through the content on that page.

Of course, it wouldn’t really matter if Twitter forced people to click on the privacy policy, or scroll through the page, because everyone knows that consumers won’t actually read through the text.

This final point is critical: “everyone knows that consumers won’t actually read through the text.” Soghoian’s post includes numerous studies that show users rarely read terms of service or privacy policies, as well as quotes from both FTC officials and US Supreme Court Chief Justice Roberts acknowledging the fact that these policies are difficult to read and understand.

Building from his original post, Soghoian has penned an amici brief (pdf) to the court, which presents the following argument:

Amici urge the court to not dismiss petitioners’ Fourth Amendment privacy interests based on their mouse clicks. Research has shown that consumers rarely read and even more rarely understand privacy policies. In fact, the mere presence of a privacy policy is often misunderstood by consumers to mean their privacy is protected. While “clickwrap” acceptance of terms may constitute a contract under certain circumstances, this legal construct for private obligations has limited bearing on whether a user’s expectation of privacy against government intrusion is objectively reasonable and protected by the Fourth Amendment.

I’m among the signers* of this brief, and would like to thank Chris for his continued efforts on protecting privacy online.

• Dr. Kelly Caine, Principal Research Scientist in the Center for Law, Ethics and Applied Research in Health Information and the School of Informatics and Computing, Indiana University
• Danielle Keats Citron, Professor of Law, University of Maryland School of Law
• Dr. Serge Egelman
• Jerry Kang, Professor of Law, UCLA School of Law
• Dr. Aleecia M. McDonald
• Frank A. Pasquale, Schering-Plough Professor in Health Care Regulation and Enforcement, Seton Hall Law School, Visiting Fellow, Princeton University Center for Information Technology Policy
• Len Sassaman, Researcher, Katholieke Universiteit Leuven (Belgium)
• Jason M. Schultz, Assistant Clinical Professor of Law, Director, Samuelson Law, Technology & Public Policy Clinic, UC Berkeley School of Law
• Wendy Seltzer, Associate Research Scholar, Center for Information Technology Policy, Princeton University
• Christopher Soghoian, Graduate Fellow, Center for Applied Cybersecurity Research, Indiana University
• Dr. Michael Zimmer, Assistant Professor, School of Information Studies, Co-Director, Center for Information Policy Research, University of Wisconsin-Milwaukee

TrackMeNot represents a form of technological resistance in the fight against the increasing loss of control individuals posses over their online personal information flows, and I was excited to play a very small role in its development while at NYU. Now, five years later, NYU has a thriving Privacy Research Group, filled with “students, professors, and industry professionals who are passionate about exploring, protecting, and understanding privacy in the digital age.”

Recently, two members of the NYU Privacy Research Group, Jaime Madell and Ian Spiro, have launched another privacy-enhancing technology, this time targeted at empowering Facebook users. Their creation is PostPref, a Facebook application that helps users protect the privacy of their photos.

PostPref is an attempt to remedy the lack of context on online social networks, the architectures of which tend to weaken norms of information flow by forcing the “binary” (private vs. non-private) categorization of shared information. Simply put, PostPref is a photo watermarking tool that allows users to quickly and intuitively label their photos so that others know whether they should feel free to redistribute the photos.

The concept is pretty simple: Once you authorize the PostPref app on Facebook, you have the ability to add a red, yellow, or green light, and accompanying message, to each of your photos: A “green” mark means “feel free to re-post freely.” A “yellow” mark means “please ask me first before sharing.” And a “red” mark means “do not share this photo at all!” Below is an image of myself tagged with a yellow watermark, indicating that my permission should be requested before reposting the photo.

Of course, there’s no technical restriction on what others actually can do with these photos. Anyone who has access to your photos on Facebook could download a “red light” photo and use it as they wish. (They might want to crop out the watermark to avoid making their breach of your privacy wishes obvious).

But PostPref is a good step towards putting power back into the hands of users. Facebook consistently misunderstands the nature of privacy online, and tools like PostPref help reorient services like Facebook to better respect the complex nature of privacy online.

The research paper indicates that the Facebook data was provided to the researchers “in anonymized form by Adam D’Angelo of Facebook.” (D’Angelo was then Facebook’s CTO, and left Facebook in 2008.) Curious as to what precisely was included in the data release, and what steps towards anonymization were taken, I downloaded the data (200 MB zip file) on the morning of February 11.

The data files are separated by institution, and in total include, by my estimation, about 1.2 million user accounts. The content of each institution’s file is described as containing the following:

Each of the school .mat files has an A matrix (sparse) and a “local_info” variable, one row per node: ID, a student/faculty status flag, gender, major, second major/minor (if applicable), dorm/house, year, and high school.

Thus, the datasets include limited demographic information that was posted by users on their individual Facebook pages. The identity of users’ dorm and high schools were obscured by numerical identifiers, but to my surprise, the dataset included each user’s unique Facebook ID number. As a result, while user names and extended profile information were kept out of the data release, a simple query against Facebook’s databases would yield considerable identifiable information for each record. In short, the suggestion that the data has been “anonymized” is seriously flawed.

The consequences of this ease of re-identifying the dataset are numerous.

First, while only limited profile information is within the dataset, there is no indication that any consideration was given to users’ particular privacy settings. Based on the article, all user accounts from each of the 100 networks were provided to the researchers, and as long as the user provided the data to Facebook, it was turned over to the researchers. [Clarification: when I say "all user accounts" we provided, I do not mean full profile information was given to the researchers, just the particular data fields as described above]

Yet, in 2005, users had the ability to restrict access and visibility of their Facebook profile, their demographic data, and their lists of friends (much of this control was taken away in 2009). So, a user might have restricted access to certain information to only people within her network or just her friends, and Facebook’s own privacy policy at the time promised that: “No personal information that you submit to Facebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings.” This data release, and the ease by which users could be identified and linked to their data, potentially negates actions taken by users to control access to the data within the files, and seemingly contradicts Facebook’s own privacy policy.

Second, even though the specific data exposure within the dataset is limited, the fact that users can be identified and linked to their in-network social map fosters additional threats to privacy. Previous research (here and here, for example) has shown how “anonymous” datasets can be largely re-identified when there is access to other large sets of data where the subjects are already known. The “Facebook 100″ data, with the Facebook IDs intact to guide identification of users, might be useful in similar efforts.

To recap, the suggestion that the “Facebook 100″ data has been “anonymized” is seriously flawed, and its release might be putting the information of 1.2 million Facebook users at risk.

Interestingly, a few hours after the initial release of the “Facebook 100″ dataset, the researchers Mason Porter announced they were pulling the data due to an unspecified “bug”. Later that evening, the data was again made available with a message indicating that the data files were now fixed.

Again, I was curious, so I downloaded and examined the new dataset. The only change I could see was that now the Facebook ID was removed entirely from the data files, and the order of the records in each file was randomized.

Thus, the “bug” must’ve been that the data was easily re-identifiable, and the “fix” was to take additional steps to anonymize the records. Somone joked on the announcement email list that the “bug” must have something to do with Facebook attorneys, but the Porter’s message re-releasing the data jokes that no lawyers were involved, and that they “really were fixing the data files!”

To me, however, the language used in these explanations was disingenuous. The data, as far as I could tell, had no bugs that prevented its usefulness for social network analysis. No, the problem with the data was that it contained each user’s unique Facebook ID, thus allowing easy identification. The researchers Porter should have been open and honest about why the data was pulled and what they did to correct the situation.

That said, there are still a number of open questions regarding this particular dataset:

To Facebook:

• What kind of internal processes, if any, did D’Angelo follow when releasing the data to these researchers? Was he authorized to do so?
• Was this kind of large data release routine? How many other similar releases have taken place?
• Does Facebook consider releasing this information, with Facebook IDs, in compliance with the privacy policy in effect in 2005? If so, how?

To the research team:

• Was the data received by Facebook already obscured with numerical identifiers replacing student majors, minors, and high schools, or did you add those?
  • UPDATE: I have received word from one of the researchers, Mason Porter, that the data sent to them by Facebook was indeed already obscured with numerical identifiers in the place of actual student major, minor, and high school information.
• Did your IRB review the data used for the research, and approve the subsequent data release?
• Was there any “bug” in the data, or was the attempt to gain greater anonymization of the data the sole reason to pull it from public access?

Obtaining answers to these questions can help us better understand the uniqueness of this situation, and to put better processes and protections in place to prevent similar data releases that falsely believe data is sufficiently anonymized and respecting of users’ privacy expectations.

I hope Facebook and the researchers are willing to engage in a discussion, and I’ll report back on any communication, as allowed.

UPDATE (Feb 15, 6:00pm): I have been in contact with one of the researchers, Mason Porter, who confirmed that the data sent to them by Facebook was indeed already obscured with numerical identifiers in the place of actual student major, minor, and high school information. I’ve inserted this reply into the question above. I have also made a few minor changes to the main text, clarifying that the email messages reporting the “bug” in the data came from Mason alone, and should not be attributed to the entire research team.

UPDATE 2 (Feb 15, 6:10pm): The link to the full, revised dataset (http://people.maths.ox.ac.uk/~porterm/data/facebook100.zip) is no longer active.

UDPATE 3 (Feb 16, 9am): Added a clarification that when I say “all user accounts” were provided to the researchers, I do not mean full profile information was given, just the particular data fields as described above.

UDPATE 4 (Feb 16, 11am): Mason Porter, one of the authors, has posted an explanatory note on his blog indicating that he’s been in contact with the Facebook Data Team, and per their request, “I have taken down the data, and I will be working with them to eventually post a version of the data set with which both they and I are happy.”

This year, I participated in three main events: a pre-conference workshop on “Ethics and Internet Research Commons:  Building a sustainable future”, a session on “Networking and Social Sites” where I presented a paper on “The Laws of Social Networking, or, How Facebook Feigns Privacy”, and a panel discussion titled “On the Philosophy of Facebook“. Details below…

:::

Ethics and Internet Research Commons:  Building a sustainable future

This pre-conference was organized primarily by Elizabeth Buchanan, and featured brief talks by Charles Ess, Alex Halavais, Annette Markham, Malin Svenningson, and myself. We presented case studies that revealed key ethical challenges and identified important components of ethical decision making for Internet researchers, including:

• How does cultural specificity define research ethics and regulation?
• What constitutes a public text online and in what ways can and should they be used in research?
• Why do we consider firewalls and passwords to be the “gold standard” for determining if something was meant to be kept public or private?
• How do researchers work towards the imperative of sharing data while adhering to human subjects regulations?
• What ethical guidelines should be applied to trace data?
• How do researchers handle “closeness” in ethnography in ethical ways?
• What oscillations take place when a researcher is first known as a member of a group and then as a researcher?
• How is “empirical imperialism” affecting research ethics?
• What are the virtues of deception?

An excellent summary of the entire day is over at the Internet Research Ethics project website, which includes links to my slides.

:::

The Laws of Social Networking, or, How Facebook Feigns Privacy

I participated on an excellent session titled “Networking and Social Sites”, which also featured Robert Bodle and Christian Thorsten Callisen.

Bodle’s presentation, “Opening the social media ecosystem: the tenuous nature of interoperability, crossposting, and sharing among dominant social media sites, services and devices”, explored the values, characteristics, and conditions of interoperability between Facebook and its third party developer ecosystem. He found that while Facebook’s APIs provide new ways to share and participate, they also provide Facebook a new means to achieve market dominance, as well as undermine privacy, data security, contextual integrity, user autonomy and freedom.

Callisen’s talk, “The Old Face of ‘New’ Social Networks: The Republic of Letters”, was a historical contextualization of the so-called digital revolution within the longer history of “the virtual”. He showed how the Republic of Letters was essentially a networked virtual community for the reciprocal sharing of information, complete with its own techniques for simulating co-presence, protocols for information transfer and interaction, and varying levels of transparency and encryption.

My presentation, “The Laws of Social Networking, or, How Facebook Feigns Privacy”, was an expanded thought piece inspired by this blog post, where I suggest three natural laws that thwart attempts to provide users of social networking sites sufficient means to control their information flows:

• The first law is somewhat obvious: Social networking sites are incentivized to promote the open and unfettered flow of mountains of personal information.
• The second law, perhaps more of a corollary, follows naturally from this: Providing users robust and easy-to-use tools to control their personal information flows is counter to this profit maximization motive.
• Thus, the third law: Provide users privacy controls only when you must, and position them as both a great a sacrifice, as well as something users probably shouldn’t bother with; make privacy hard.

To support this argument, I discuss various public comments by Facebook’s management team, and show how the laws become encoded within the design of Facebook’s architecture and recent privacy “upgrades”. I concluded that the existence of the laws of social networking create — and perpetuate — a great power imbalance where users lack robust privacy controls, leaving them with limited ability to manage their personal information flows.

The rough text of my remarks can be downloaded here, and my slides are available here.

As an aside: I found it amusing that the most tweeted comment from my talk was a completely off-the-cuff remark criticizing Facebook’s claim that users have control over their information simply due to the existence of privacy controls. I noted that all the controls to fly  a 747 are in the cockpit too, but that doesn’t mean anyone can fly a 747.

:::

On the Philosophy of Facebook

Recognizing that Facebook’s Mark Zuckerberg has built his social networking empire on the belief that “information wants to be shared“, a particular philosophy of information that directly impacts the values built into the design of Facebook, ranging from its user interface, privacy policies, terms of service, and method of governance, I organized a panel to explore the philosophy of Facebook and its broader implications for norms of privacy, identity, governance, sociability, and online life generally.

I was lucky to welcome the following speakers to IR.11 to discuss this important topic:

• Kate Raynes-Goldie, Curtin University of Technology, Australia
• Anthony Hoffmann, UW-Milwaukee, USA
• Korinna Patelis, Cyprus University of Technology, Cyprus
• Trebor Scholz, New School University, USA
• Dylan Wittkower, Coastal Carolina University, USA

Unfortunately, we only had 1 hour (!!) for the panel discussion, but it was a very good 60 minutes; one of the few times I’ve heard Marx, Hegel, Kant, Rawls, Deleuze and Guattari, etc discussed at length at AoIR. We concluded that perhaps an entire pre-conference on the topic is in order for IR.12 (in Seattle in 2011).