Researchers at Columbia University — Michelle Madejski, Maritza Johnson and Steven M. Bellovin — released a reportconcerning privacy and online social-networking site Facebook “The Failure of Online Social Network Privacy Settings” (Columbia pdf; archive pdf).
Increasingly, people are sharing sensitive personal information via online social networks (OSN). While such networks do permit users to control what they share with whom, access control policies are notoriously difficult to configure correctly; this raises the question of whether OSN users’ privacy settings match their sharing intentions. We present the results of an empirical evaluation that measures privacy attitudes and intentions and compares these against the privacy settings on Facebook.
Our results indicate a serious mismatch: every one of the 65 participants in our study confirmed that at least one of the identified violations was in fact a sharing violation. In other words, OSN users’ privacy settings are incorrect. Furthermore, a majority of users cannot or will not fix such errors. We conclude that the current approach to privacy settings is fundamentally flawed and cannot be fixed; a fundamentally different approach is needed. We present recommendations to ameliorate the current problems, as well as provide suggestions for future research.
1 Related Work
To the best of our knowledge this is the first attempt to measure the correctness of privacy settings by first surveying user’s sharing intentions, to aid the process of identifying potential violations, then confirming the potential violations with the user. We argue that this method produces a more accurate evaluation compared to passive data collection. This work draws upon many themes including: research on online social network (OSN) usage, surveys on privacy attitude, and evaluations of users’ ability to manage access control policies.