Facebook and Online Privacy: Atti...
Journal of Computer-Mediated Communication Facebook and Online Privacy: Attitudes, Behaviors, and Unintended Consequences Bernhard Debatin, Jennette P. Lovejoy E.W. Scripps School of Journalism, Ohio University Ann-Kathrin Horn, M.A. Institut f �� ur Kommunikationswissenschaft, Leipzig University (Germany) Brittany N. Hughes Honors Tutorial College/E.W. Scripps School of Journalism, Ohio University This article investigates Facebook users��� awareness of privacy issues and perceived benefits and risks of utilizing Facebook. Research found that Facebook is deeply integrated in users��� daily lives through specific routines and rituals. Users claimed to understand privacy issues, yet reported uploading large amounts of personal information. Risks to privacy invasion were ascribed more to others than to the self. However, users reporting privacy invasion were more likely to change privacy settings than those merely hearing about others��� privacy invasions. Results suggest that this lax attitude may be based on a combination of high gratification, usage patterns, and a psychological mechanism similar to third-person effect. Safer use of social network services would thus require changes in user attitude. doi:10.1111/j.1083-6101.2009.01494.x Introduction Student life without Facebook is almost unthinkable. Since its inception in 2004, this popular social network service has quickly become both a basic tool for and a mirror of social interaction, personal identity, and network building among students. Social network sites deeply penetrate their users��� everyday life and, as pervasive technology, tend to become invisible once they are widely adopted, ubiquitous, and taken for granted (Luedtke, 2003, para 1). Pervasive technology often leads to unintended consequences, such as threats to privacy and changes in the relationship between public and private sphere. These issues have been studied with respect to a variety of Internet contexts and applications (Berkman & Shumway, 2003 Cocking & Matthews, 2000 Hamelink, 2000 Hinman, 2005 Iachello & Hong, 2007 McKenna & Bargh, 2000 Pankoke-Babatz & Jeffrey, 2002 Spinello, 2005 Tavani & Grodzinsky, 2002 Weinberger, 2005). Specific privacy concerns of online social networking Journal of Computer-Mediated Communication 15 (2009) 83���108 �� 2009 International Communication Association 83
include inadvertent disclosure of personal information, damaged reputation due to rumors and gossip, unwanted contact and harassment or stalking, surveillance-like structures due to backtracking functions, use of personal data by third-parties, and hacking and identity theft (boyd & Ellison, 2008). Coupled with a rise in privacy concerns is the call to increase our understanding of the attitudes and behaviors toward ������privacy-affecting systems������ (Iachello & Hong, 2007, p. 100). This paper investigates privacy violations on Facebook and how users understand the potential threat to their privacy. In particular, it explores Facebook users��� awareness of privacy issues, their coping strategies, their experiences, and their meaning-making processes. To this end, we will first take a look at research on Facebook���s privacy flaws and at existing studies of user behavior and privacy thereafter, we will lay out our conceptual background and hypotheses, and present findings from our both quantitative and qualitative empirical research. Finally, we will draw some conclusions from our research. Literature Review Privacy and Facebook: The Visible and the Invisible The privacy concerns delineated above are confirmed by several reports and studies on Facebook. In a report on 23 Internet service companies, the watchdog organization Privacy International charged Facebook with severe privacy flaws and put it in the second lowest category for ������substantial and comprehensive privacy threats������ (������A Race to the Bottom,������ 2007). Only Google scored worse Facebook tied with six other companies. This rating was based on concerns about data matching, data mining, transfers to other companies, and in particular Facebook���s curious policy that it ������may also collect information about [its users] other sources, such as newspapers, blogs, instant messaging services, and other users of the Facebook service������ (������Facebook Principles,������ 2007, Information We Collect section, para. 8). Already in 2005, Jones and Soltren identified serious flaws in Facebook���s set-up that would facilitate privacy breaches and data mining. At the time, nearly 2 years after Facebook���s inception, users��� passwords were still being sent without encryption, and thus could be easily intercepted by a third party (Jones & Soltren, 2005). This has since been corrected. A simple algorithm could also be used to download all public profiles at a school, since Facebook used predictable URLs for profile pages (Jones & Soltren, 2005). The authors also noted that Facebook gathered information about its users from other sources unless the user specifically opted out. As of September 2007, the opt-out choice was no longer available but the data collection policy was still in force (������Facebook Principles,������ 2007). Even the most lauded privacy feature of Facebook, the ability to restrict one���s profile to be viewed by friends only, failed for the first 3 years of its existence: Information posted on restricted profiles showed up in searches unless a user chose to opt-out his or her profile from searches (Jones & Soltren, 2005). This glitch was fixed in late June 2007, but only after a technology blogger made the loophole 84 Journal of Computer-Mediated Communication 15 (2009) 83���108 �� 2009 International Communication Association
information and their stated privacy concerns (Dwyer, Hiltz, & Passerini, 2007 Livingstone, 2008 Tufekci, 2008). However, a recent study showed that actual risk perception significantly correlates with fear of online victimization (Higgins, Ricketts, & Vegh, 2008). Consequently, the authors recommend better privacy protection, higher transparency of who is visiting one���s page, and more education about the risks of posting personal information to reduce risky behavior. Tufekci (2008) also asserted that students may try ������to restrict the visibility of their profile to desired audiences but are less aware of, concerned about, or willing to act on possible ���temporal��� boundary intrusions posed by future audiences because of persistence of data������ (p. 33). The most obvious and readily available mechanism to control the visibility of profile information is restricting it to friends. However, Ellison, Steinfield, & Lampe (2007) discovered that only 13 percent of the Facebook profiles at Michigan State University were restricted to ������friends only.������ Also, the category ������friend������ is very broad and ambiguous in the online world it may include anyone from an intimate friend to a casual acquaintance or a complete stranger of whom only their online identity is known. Though Jones and Soltren (2005) found that two-thirds of the surveyed users never befriend strangers, their finding also implies that one-third is willing to accept unknown people as friends. This is confirmed by the experiment of Missouri University student Charlie Rosenbury, who wrote a computer program that enabled him to invite 250,000 people to be his friend, and 30 percent added him as their friend (Jump, 2005). Similarly, the IT security firm Sophos set up a fake profile to determine how easy it would be to data-mine Facebook for the purpose of identity theft. They found that out of 200 contacted people, 41 percent revealed personal information by either responding to the contact (and thus making their profile temporarily accessible) or immediately befriending the fake persona. The divulged information was enough ������to create phishing e-mails or malware specifically targeted at individual users or businesses, to guess users��� passwords, impersonate them, or even stalk them������ (������Sophos Facebook ID,������ 2007) These findings show that Facebook and other social network sites pose severe risks to their users��� privacy. At the same time, they are extremely popular and seem to provide a high level of gratification to their users. Indeed, several studies found that users continually negotiate and manage the tension between perceived privacy risks and expected benefits (Ibrahim, 2008 Tufekci, 2008 Tyma, 2007). The most important benefit of online networks is probably, as Ellison, Steinfield, & Lampe (2007) showed, the social capital resulting from creating and maintaining interpersonal relationships and friendship. Since the creation and preservation of this social capital is systematically built upon the voluntary disclosure of private information to a virtually unlimited audience, Ibrahim (2008) characterized online networks as ������complicit risk communities where personal information becomes social capital which is traded and exchanged������ (p. 251). Consequently, social network site users are found to expose higher risk-taking attitudes than individuals who are not members of an online network (Fogel & Nehmad, 2008). Journal of Computer-Mediated Communication 15 (2009) 83���108 �� 2009 International Communication Association 87