Journal of Computer-Mediated Communication Facebook and Online Privacy: Attitudes, Behaviors, and Unintended Consequences Bernhard Debatin, Jennette P. Lovejoy E.W. Scripps School of Journalism, Ohio University Ann-Kathrin Horn, M.A. Institut f �� ur Kommunikationswissenschaft, Leipzig University (Germany) Brittany N. Hughes Honors Tutorial College/E.W. Scripps School of Journalism, Ohio University This article investigates Facebook users��� awareness of privacy issues and perceived benefits and risks of utilizing Facebook. Research found that Facebook is deeply integrated in users��� daily lives through specific routines and rituals. Users claimed to understand privacy issues, yet reported uploading large amounts of personal information. Risks to privacy invasion were ascribed more to others than to the self. However, users reporting privacy invasion were more likely to change privacy settings than those merely hearing about others��� privacy invasions. Results suggest that this lax attitude may be based on a combination of high gratification, usage patterns, and a psychological mechanism similar to third-person effect. Safer use of social network services would thus require changes in user attitude. doi:10.1111/j.1083-6101.2009.01494.x Introduction Student life without Facebook is almost unthinkable. Since its inception in 2004, this popular social network service has quickly become both a basic tool for and a mirror of social interaction, personal identity, and network building among students. Social network sites deeply penetrate their users��� everyday life and, as pervasive technology, tend to become invisible once they are widely adopted, ubiquitous, and taken for granted (Luedtke, 2003, para 1). Pervasive technology often leads to unintended consequences, such as threats to privacy and changes in the relationship between public and private sphere. These issues have been studied with respect to a variety of Internet contexts and applications (Berkman & Shumway, 2003 Cocking & Matthews, 2000 Hamelink, 2000 Hinman, 2005 Iachello & Hong, 2007 McKenna & Bargh, 2000 Pankoke-Babatz & Jeffrey, 2002 Spinello, 2005 Tavani & Grodzinsky, 2002 Weinberger, 2005). Specific privacy concerns of online social networking Journal of Computer-Mediated Communication 15 (2009) 83���108 �� 2009 International Communication Association 83

include inadvertent disclosure of personal information, damaged reputation due to rumors and gossip, unwanted contact and harassment or stalking, surveillance-like structures due to backtracking functions, use of personal data by third-parties, and hacking and identity theft (boyd & Ellison, 2008). Coupled with a rise in privacy concerns is the call to increase our understanding of the attitudes and behaviors toward ������privacy-affecting systems������ (Iachello & Hong, 2007, p. 100). This paper investigates privacy violations on Facebook and how users understand the potential threat to their privacy. In particular, it explores Facebook users��� awareness of privacy issues, their coping strategies, their experiences, and their meaning-making processes. To this end, we will first take a look at research on Facebook���s privacy flaws and at existing studies of user behavior and privacy thereafter, we will lay out our conceptual background and hypotheses, and present findings from our both quantitative and qualitative empirical research. Finally, we will draw some conclusions from our research. Literature Review Privacy and Facebook: The Visible and the Invisible The privacy concerns delineated above are confirmed by several reports and studies on Facebook. In a report on 23 Internet service companies, the watchdog organization Privacy International charged Facebook with severe privacy flaws and put it in the second lowest category for ������substantial and comprehensive privacy threats������ (������A Race to the Bottom,������ 2007). Only Google scored worse Facebook tied with six other companies. This rating was based on concerns about data matching, data mining, transfers to other companies, and in particular Facebook���s curious policy that it ������may also collect information about [its users] other sources, such as newspapers, blogs, instant messaging services, and other users of the Facebook service������ (������Facebook Principles,������ 2007, Information We Collect section, para. 8). Already in 2005, Jones and Soltren identified serious flaws in Facebook���s set-up that would facilitate privacy breaches and data mining. At the time, nearly 2 years after Facebook���s inception, users��� passwords were still being sent without encryption, and thus could be easily intercepted by a third party (Jones & Soltren, 2005). This has since been corrected. A simple algorithm could also be used to download all public profiles at a school, since Facebook used predictable URLs for profile pages (Jones & Soltren, 2005). The authors also noted that Facebook gathered information about its users from other sources unless the user specifically opted out. As of September 2007, the opt-out choice was no longer available but the data collection policy was still in force (������Facebook Principles,������ 2007). Even the most lauded privacy feature of Facebook, the ability to restrict one���s profile to be viewed by friends only, failed for the first 3 years of its existence: Information posted on restricted profiles showed up in searches unless a user chose to opt-out his or her profile from searches (Jones & Soltren, 2005). This glitch was fixed in late June 2007, but only after a technology blogger made the loophole 84 Journal of Computer-Mediated Communication 15 (2009) 83���108 �� 2009 International Communication Association

public and contacted Facebook (Singel, 2007). Recent attempts to make the profile restrictions more user-friendly and comprehensive seem mostly PR-driven and still include serious flaws (Soghoian, 2008a). In September 2006, Facebook introduced the ������News Feed,������ which tracks and displays theonlineactivities ofa user���s friends, such as uploading pictures, befriending new people, writing on someone���s wall, etc. Although none of the individual actions were private, their aggregated public display on the start pages of all friends outraged Facebook users, who felt exposed and deprived of their sense of control over their information (boyd, 2008). Protest groups formed on Facebook, among them the 700,000-member group ������Students Against Facebook News Feed������ (Romano, 2006, para. 1). Subsequently, Facebook introduced privacy controls that allowed users to determine what was shown on the news feed and to whom. The implementation of a platform for programs created by third-party developers in summer 2007 and the ensuing flood of applications that track user behaviors and/or make information from personal profiles available for targeted advertising do not inspire trust in Facebook���s privacy policy (Schonfeld, 2008 Soghoian, 2008b). Most notably, the Facebook Ads platform has raised serious questions. In an attempt to capitalize on social trust and taste, Facebook���s ������Beacon������ online ad system tracks user behavior, such as online shopping. Initially information was broadcasted to users��� friends. This led to angry protests in November 2007, and the formation of a Facebook group called ������Petition: Facebook, Stop Invading My Privacy!������ that gained over 70,000 members within its first two weeks. Facebook responded by introducing a feature that allowed users to opt out of the broadcasting, yet Beacon continues to collect data ������on members��� activities on third-party sites that participate in Beacon even if the users are logged off from Facebook and have declined having their activities broadcast to their Facebook friends������ (Perez, 2007). Additional concerns have been raised about links between Facebook and its use by government agencies such as the police or the Central Intelligence Agency. In a rather benign example, a police officer resorted to searching Facebook after witnessing a case of public urination outside a fraternity house at University of Illinois at Urbana-Champaign and the only other witness on the scene claimed not to know the lawbreaker. Once on Facebook, the officer searched the man���s friend list and the lawbreaker he was looking for. The first man received a $145 ticket for public urination the other received a $195 ticket for obstructing justice (Dawson, 2007). Additionally, the Patriot Act allows state agencies to bypass privacy settings on Facebook in order to look up potential employees (NACE Spotlight Online, 2006). An online presentation ������Does what happens in the Facebook stay in the Facebook?������ (2007) points out a number of connections between various Facebook investors and In-Q-Tel, the not-for-profit venture capital firm funded by the CIA to invest in technology companies for the CIA���s information technology needs. The chief privacy officer of Facebook, Chris Kelly, accused the video of ������strange interpretations of our policy������ and ������illogical connections������ but did not substantially rebut the allegations (Kelly, 2007). Journal of Computer-Mediated Communication 15 (2009) 83���108 �� 2009 International Communication Association 85

Further criticism is based on the fact that third parties can use Facebook for data mining, phishing, and other malicious purposes. Creating digital dossiers of college students containing detailed personal information would be a relatively simple task���and a clever data thief could even deduce social security numbers (which are often based on 5-digit ZIP codes, gender, and date of birth) from the information posted on almost half the users��� profiles (Gross & Acquisti, 2005). Social networks are also ideal for mining information about relationships or common interests in groups, which can be exploited for phishing. For example, Jagatic, Johnson, Jakobsson, and Menczer (2005) launched a phishing experiment at Indiana University on selected college students, using social network sites to get information about students��� friends. The experiment had an alarmingly high 72 percent success rate within the social network as opposed to 16 percent within the control group. The authors add that other phishing experiments by different researchers showed similar results, ������We must conclude that the social context of the attack leads people to overlook important clues, lowering their guard and making themselves significantly more vulnerable������ (Jagatic et al., 2005, p. 5). A high level of vulnerability is also engendered by the fact that many users post their address and class schedule, thus making it easy for potential stalkers to track them down (Acquisti & Gross 2006 Jones & Soltren 2005). Manipulating user pictures, setting up fake user profiles, and publicizing embarrassing private information to harass individuals are other frequently reported forms of malicious mischief on Facebook (Kessler, 2007 Maher, 2007 ������Privacy Pilfered,������ 2007 Stehr, 2006). While Facebook���s privacy flaws are well documented and have made it into the news media, relatively little research is available on how exactly these problems play out in the social world of Facebook users and how much users know and care about these issues. In their small-sample study on Facebook users��� awareness of privacy, Govani and Pashley (2005) found that more than 80 percent of participants knew about the privacy settings, yet only 40 percent actually made use of them. More than 60 percent of the users��� profiles contained specific personal information such as date of birth, hometown, interests, relationship status, and a picture. The study by Jones and Soltren (2005) showed that 74 percent of the users were aware of the privacy options in Facebook, yet only 62 percent actually used them. At the same time, users willingly post large amounts of personal information���Jones and Soltren found that over 70 percent posted demographic data, such as age, gender, location, and their interests���and demonstrate disregard for both the privacy settings and Facebook���s privacy policy and terms of service. Eighty-nine percent admitted that they had never read the privacy policy and 91 percent were not familiar with the terms of service. This neglect to understand Facebook���s privacy policies and terms of service is widespread (Acquisti & Gross, 2006 Govani & Pashley, 2005 Gross & Acquisti, 2005). In their before and after study, Govani and Pashley (2005) noticed that most students did not change their privacy settings on Facebook, even after they had been educated about the ways they can do so. Several studies found that there is little relationship between social network site users��� disclosure of private 86 Journal of Computer-Mediated Communication 15 (2009) 83���108 �� 2009 International Communication Association

information and their stated privacy concerns (Dwyer, Hiltz, & Passerini, 2007 Livingstone, 2008 Tufekci, 2008). However, a recent study showed that actual risk perception significantly correlates with fear of online victimization (Higgins, Ricketts, & Vegh, 2008). Consequently, the authors recommend better privacy protection, higher transparency of who is visiting one���s page, and more education about the risks of posting personal information to reduce risky behavior. Tufekci (2008) also asserted that students may try ������to restrict the visibility of their profile to desired audiences but are less aware of, concerned about, or willing to act on possible ���temporal��� boundary intrusions posed by future audiences because of persistence of data������ (p. 33). The most obvious and readily available mechanism to control the visibility of profile information is restricting it to friends. However, Ellison, Steinfield, & Lampe (2007) discovered that only 13 percent of the Facebook profiles at Michigan State University were restricted to ������friends only.������ Also, the category ������friend������ is very broad and ambiguous in the online world it may include anyone from an intimate friend to a casual acquaintance or a complete stranger of whom only their online identity is known. Though Jones and Soltren (2005) found that two-thirds of the surveyed users never befriend strangers, their finding also implies that one-third is willing to accept unknown people as friends. This is confirmed by the experiment of Missouri University student Charlie Rosenbury, who wrote a computer program that enabled him to invite 250,000 people to be his friend, and 30 percent added him as their friend (Jump, 2005). Similarly, the IT security firm Sophos set up a fake profile to determine how easy it would be to data-mine Facebook for the purpose of identity theft. They found that out of 200 contacted people, 41 percent revealed personal information by either responding to the contact (and thus making their profile temporarily accessible) or immediately befriending the fake persona. The divulged information was enough ������to create phishing e-mails or malware specifically targeted at individual users or businesses, to guess users��� passwords, impersonate them, or even stalk them������ (������Sophos Facebook ID,������ 2007) These findings show that Facebook and other social network sites pose severe risks to their users��� privacy. At the same time, they are extremely popular and seem to provide a high level of gratification to their users. Indeed, several studies found that users continually negotiate and manage the tension between perceived privacy risks and expected benefits (Ibrahim, 2008 Tufekci, 2008 Tyma, 2007). The most important benefit of online networks is probably, as Ellison, Steinfield, & Lampe (2007) showed, the social capital resulting from creating and maintaining interpersonal relationships and friendship. Since the creation and preservation of this social capital is systematically built upon the voluntary disclosure of private information to a virtually unlimited audience, Ibrahim (2008) characterized online networks as ������complicit risk communities where personal information becomes social capital which is traded and exchanged������ (p. 251). Consequently, social network site users are found to expose higher risk-taking attitudes than individuals who are not members of an online network (Fogel & Nehmad, 2008). Journal of Computer-Mediated Communication 15 (2009) 83���108 �� 2009 International Communication Association 87