The expanded targeting based on user profile activity launched last month by both Facebook and MySpace underscores why we must craft federal (and EU) rules to govern the data collection apparatus of social networks. By combining behavioral targeting, transaction data, and profile information, Facebook and others have entered new territory. Even industry insiders understand that a line has been crossed: one senior VP at Digitas (part of the Publicis Groupe ad industry empire) noted that [our emphasis]:
“Facebook has made an announcement that has major implications for how marketers can communicate to members going forward. Essentially, Facebook said that it will allow marketers to target members with ads based on its user’s personal profiles, social connections and even the recent activities of each user’s extended network.
This announcement marks a significant departure in the way social networks have been organized to date. Until now, marketers have had limited opportunity to serve ads directly to users within the social network. With this change, marketers will now have the opportunity to target consumers directly based on attitudinal, behavioral and demographic attributes included directly in or inferred from personal profiles and connections online.”
We have sent out to the FTC today this new report [pdf] by ENISA—the European Network and Information Security Agency. Released in October, “Security Issues and Recommendations for Online Social Networks” is worth reading—for its clear and thoughtful analysis and, frankly, its disturbing implications. It’s clear from the start of the paper that social networking sites (SNS) are more than just commercial or personal playgrounds—they are, notes ENISA—“…all-embracing identity management tools…” As the report explains:
“Users are often not aware of the size or nature of the audience accessing their profile data and the sense of intimacy created by being among digital `friends’ often leads to disclosures which are not appropriate to a public forum. Such commercial and social pressures have led to a number of privacy and security risks for SN members.”
Among the “threats” the report lists are:
1.1 Digital dossier aggregation: profiles on online SNSs can be downloaded and stored by third parties, creating a digital dossier of personal data.
1.2 Secondary data collection: as well as data knowingly disclosed in a profile, SN members disclose personal information using the network itself: e.g. length of connections, other users’ profiles visited and messages sent. SNSs provide a central repository accessible to a single provider. The high value of SNSs suggests that such data is being used to considerable financial gain.
1.3 Face recognition: user-provided digital images are a very popular part of profiles on SNSs. The photograph is, in effect, a binary identifier for the user, enabling linking across profiles, e.g. a fully identified Bebo profile and a pseudo-anonymous dating profile.
1.6 Difficulty of complete account deletion: users wishing to delete accounts from SNSs find that it is almost impossible to remove secondary information linked to their profile such as public comments on other profiles.
The report’s other recommendations include the need to consider reviewing regulatory safeguards and data protection law, such as the FTC’s Fair Information Practices. Social networks have become a place where people are living out their lives, sharing intimate details about their identity. They cannot be operated solely as data mining and digital marketing operations. They must operate in the public interest as well, including rules protecting privacy for those under 18.
It’s time for a broad range of stakeholders to work together to address what must be done.
PS: ENISA held a conference on the issue last June, featuring a number of interesting papers.