Recently, I was approached by a team of researchers concerned with the research ethics issues related to using Facebook to recruit human subjects. Specifically, the team was planning to use Facebook advertisements in order to target certain users for a research study evaluating the effectiveness of a particular educational strategy aimed at decreasing the occurrence of a particular high risk behavior. The researchers were also considering creating a Facebook page in order to manage communication with potential (and perhaps even actual) subjects in the study.
Here’s my initial assessment of the privacy concerns, with some information changed to keep the researchers and the project confidential.
Areas of Concern
The primary concern related to researchers’ use of Facebook for recruiting and communicating with subjects (potential or real) relates to privacy and the possible collection of personally identifiable or other sensitive information.
The use of Facebook Ads results in limited privacy concerns in relation to what the researchers might learn about the subjects. While the research team can target a specific set of users – for example, 18-to-35-year-old women who live in Portland, OR – and would know that anyone visiting their website from that ad fit this general demographic profile, no information about individual Facebook users is shared with the research team. Thus, users would be able to view and click the advertisement, and then visit the research website, without fear of their identity being made known. Further, the act of clicking on ads does not appear on user’s timelines, so friends of that user would not be aware of the user’s action related to the advertisement.
A greater privacy concern related to advertisements relates to what Facebook itself collects. If an advertisement includes text related to drug use, for example, and a users clicks on that ad, Facebook retains a record of that action, and could, potentially, use this action to further develop a profile of the user (beyond what the user voluntarily shares on the platform). Facebook’s potential ability to infer information about the user based on the ads clicked is limited to the information provided in the ad itself, and potentially the URL linked to by the ad.
The use of Facebook Pages introduces greater privacy and confidentiality concerns. If a research team wishes to communicate to interested users or participants through the Page, users will need to “like” the page. This positive action of “liking” a page would appear in the user’s News Feed and be publicly viewable by the users friends. For example, if a user “likes” a page related to a drug use study, her friends would be informed of this action, and the page would be listed among that user’s likes on their profile page. Users can also see a list of friends who have “liked” a page by visiting that page at any time. Users do have the ability of controlling the visibility of their “likes” overall, but not of individual pages.
As with advertisements, user activities on Pages are tracked and potentially used by Facebook to compliment other behavioral and demographic data maintained by the company.
In terms of the [project], these concerns can be summarized as follows:
- Facebook possesses the ability to log user actions related to advertisements, thus any sensitive or controversial content within an ad’s text (such as mention of drug use) could potentially be linked to a user’s account within Facebook’s systems, and Facebook could attempt to infer something about the user based on that action to augment its internal profile of that user. This also applies to user actions on a Facebook Page.
- Facebook possesses the ability to log the URL of external websites users click to from a link embedded in ads or pages. Thus, if a URL contains sensitive or controversial information (for example, http://university.edu/DrugUseStudy), it could potentially be linked to a user’s account within Facebook’s systems, and Facebook could attempt to infer something about the user based on the URL to augment its internal profile of that user.
- User actions (likes, comments, etc) on Facebook pages created for research projects are typically visible on that user’s timeline and profile page, and also viewable by friends who happen to visit the project page. Thus, any sensitive or controversial information on the Page, including its name, could become associated with that user.
The primary recommendation is to minimize the ability for Facebook or a user’s friends from associating interactions with project-related advertisements or pages with any sensitive or controversial information. Thus, the following actions can be taken:
- Advertisements should avoid any sensitive or controversial text that could be associated with a user who decides to take action. For example, instead of mentioning a study on “illegal drug use”, the ad can indicate “recreational activities” or similar. By using more generic text, any association made to the user’s account will have minimal harm.
- URLs used in advertisements or pages should also avoid sensitive or controversial text. For example, http://university.edu/RecreationalActivityStudy should be used rather than http://university.edu/DrugUseStudy. To best protect users, the linked pages should also minimize mention of sensitive or controversial text, ideally providing more general information, and then pointing users to other pages that provide more detail.
- Facebook Pages should also avoid sensitive or controversial text in both their name and the content provided within.
- While Facebook Pages are a practical tool for communicating with subjects, users might avoid “liking” a Page due to privacy concerns. Thus, other means of communication must be implemented.
 The research website likely maintains its own server logs, so a user’s IP address would potentially be collected. This is not related to the use of Facebook, and applies to any visitor to the website under typical circumstance.
 Presently, this is mentioned only as a potential concern; additional verification is needed to confirm if Facebook indeed uses “clicked ads” as a means to refine customer profiles.
What do readers think of this preliminary analysis and set of recommendations?