Should User-generated Content be a Matter of Privacy Awareness?

A Position Paper

Nicol

as Emilio D

ıaz Ferreyra, Rene Meis and Maritta Heisel

RTG User-Centred Social Media, University of Duisburg-Essen, Germany

Keywords:

Adaptive Privacy, Self-disclosure, Awareness, Social Network Sites, Data Visceralization.

Abstract:

Social Network Sites (SNSs) like Facebook or Twitter have radically redeﬁned the mechanisms for social

interaction. One of the main aspects of these platforms are their information sharing features which allow

user-generated content to reach wide and diverse audiences within a few seconds. Whereas the spectrum of

shared content is large and varied, it can nevertheless include private and sensitive information. Such content

of sensitive nature can derive in unwanted incidents for the users (such as reputation damage, job loss, or

harassment) when reaching unintended audiences. In this paper, we analyse and discuss the privacy risks of

information disclosure in SNSs from a user-centred perspective. We argue that this is a problem of lack of

awareness which is grounded in an emotional detachment between the users and their digital data. In line with

this, we will discuss preventative technologies for raising awareness and approaches for building a stronger

connection between the users and their private information. Likewise, we encourage the inclusion of awareness

mechanisms for providing better insights on the privacy policies of SNSs.

1 INTRODUCTION

In 1966, tobacco companies across the United States

were affected by a law that later on changed the stan-

dards for the commercialization and distribution of

cigarettes. For the ﬁrst time in the history, a legis-

lation requiring warnings about the risks associated

with the consumption of tobacco was proposed by the

U.S Congress (Hiilamo et al., 2014). Since then, the

companies began ﬁghting against Health Warning La-

bels (HWLs) in cigarette packs basically arguing that

people already knew the hazards of smoking. Despite

their efforts on blocking or weaken HWLs, nowadays

many countries have included and implemented HWL

in their legislations (Hiilamo et al., 2014).

Social Network Sites (SNSs) are spaces which

are not free of privacy risks, and like in the case of

cigarettes consumers, users of SNSs might have heard

about some of these risks before or during their activ-

ity period (i.e. before or after opening an account in a

SNS). While one might argue that the risks of disclos-

ing personal or sensitive information in SNSs are not

as severe as the risks of smoking, unwanted incidents

such as job loss, reputation damage, or unjustiﬁed dis-

crimination should not be neglected or disregarded.

However, very little information (for not to say none)

is provided by the SNSs about the potential risks of

information sharing.

Privacy policies can be considered as an initial ap-

proach towards the information on potential privacy

risks. However, these electronic documents are shown

once to the users (when registering), and are hardly

revised by them in the future. Moreover, privacy poli-

cies basically inform about which data is collected,

how is processed, and under which conditions it is

disclosed to third parties; without any emphasis on

informing about potential risks. If we add to this that

users are not strongly attached to their private infor-

mation, then the chances of users regretting to have

shared private information increases.

We believe that, like tobacco consumers, the

users of SNSs should be empowered with informa-

tion about the potential risks of information sharing.

Moreover, we believe that awareness mechanisms can

be a good alternative not only to inform the users

about such risks, but also to create a stronger tie be-

tween them and their private information. In this

paper we take a closer look at the privacy risks as-

sociated with user-generated content in SNSs in or-

der to discuss possible solutions to this issue. More-

over, we provide arguments towards the use of adap-

tive preventative technologies to move towards a more

DÃ az Ferreyra N., Meis R. and Heisel M.

Should User-generated Content be a Matter of Privacy Awareness? - A Position Paper.

DOI: 10.5220/0006517302120216

In Proceedings of the 9th International Joint Conference on Knowledge Discovery, Knowledge Engineering and Knowledge Management (KMIS 2017), pages 212-216

ISBN: 978-989-758-273-8

privacy-aware social environment in SNSs.

The rest of the paper is organized as follows. In

the next section, we discuss the motivation scenario

and the paper’s background. In Section 3, we analyse

the role of privacy policies and media technologies on

modulating users’ perceptions towards their private

data. Following, we discuss in Section 4 preventative

technologies for the generation of awareness within

SNSs. In Section 5, we analyse an approach for in-

corporating privacy heuristics derived from users’ re-

grettable experiences into the design of preventative

technologies. Thereafter, we discuss the advantages

and drawbacks of this approach in Section 6. Finally,

we conclude in Section 7 with an outlook and consid-

erations for further research.

2 MOTIVATION AND

BACKGROUND

In 2018, the EU’s new General Data Protection Reg-

ulation (GDPR) (Regulation, 2016) will come into

force as the conclusion of a hectic debate which has

involved academics, Internet service providers and in-

ternational organizations across the world. For many,

the Internet is considered an open platform for demo-

cratic participation which promotes freedom of ex-

pression and the right to information access. There-

fore, is not surprising that the GDPR, and more

speciﬁcally the Right to be Forgotten (RTBF), raises

concerns related to abusive removal demands of user-

generated content (e.g. public ofﬁcers trying to sup-

press criminal records), and other issues about poten-

tial unjustiﬁed censorship

. This is a debate which

mainly circles around the right to erase or de-list in-

formation put online by another Internet user. In this

work, we do not aim to discuss this aspect of the

GDPR. Instead, we look to resume the discussion to

the information that users disclose about themselves

in SNSs.

One of the critical concepts included in the GDPR

is the one of “personal data”. For instance, Article 4

says that information related to a “data subject” (i.e.

an identiﬁed or identiﬁable natural person

), such as

name, identiﬁcation number, location, factors speciﬁc

to his/her physical, physiological, genetic, mental,

economic, cultural or social identity, should be con-

sidered as personal information and therefore require

The work by Keller (Keller, 2017), offers a clarifying

view on the RTBF and its hazards for freedom of expression

and information rights on the Internet.

An identiﬁable person is one who can be identiﬁed, di-

rectly or indirectly.

unambiguous consent to be processed. Likewise, Ar-

ticle 9 says that racial or ethnic origin, political opin-

ions, religious or philosophical beliefs, or trade-union

membership should not be processed unless the data

subject gives explicit consent. Unambiguous consent

can be given through a conduct that clearly indicates

that the data subject agrees with the proposed process-

ing of his/her personal data (e.g. when telling the doc-

tor about the medical ailment one is suffering while

he/she enters notes in a computer system). On the

other hand, explicit consent should be given trough

an explicit action by the data subject. This is normally

granted after the data subject clicks on ‘Yes, I agree”

in the privacy policies of the service provider.

3 DATA “VISCERALIZATION”

One of the main reasons for differentiating private

data from general data are the risks associated with

their inappropriate processing and public disclosure.

Basically, the GDPR encloses an implicit warning

message for data processors (the SNSs in our case)

which is that they should safeguard data subjects from

unwanted incidents (such as unjustiﬁed discrimina-

tion, political or religious persecution, or fraud) by

treating carefully their personal data. Privacy policies,

on the other hand, inform the users about which infor-

mation will be collected, processed, used, disclosed

and managed by the data processor. As one can ob-

serve, there is a semantic difference in the message of

the GDPR and the one of privacy policies. Whereas

the GDPR endows service providers with a better per-

ception on the importance of the users’ personal infor-

mation, privacy policies do not provide cues to data

subjects about the importance of their own personal

information. Consequently, privacy policies in some

point modulate users’ perceived severity of privacy

risks in SNSs.

Like privacy policies, information sharing inter-

faces of SNSs also play an important role in shaping

our perceptions of information privacy (Stark, 2016;

ıaz Ferreyra et al., 2017a). Such interfaces are the

entry point of user-generated content which, in many

cases, contains private information. However, since

digital data is intangible, information sharing inter-

faces of SNSs regulate users’ emotional perception

and attachment towards their private information. Let

us consider the following example: imagine that a

stranger stops you in the street and asks you for your

passport. It is quite unlikely that someone would

grant this request in the real world. Moreover, this

situation would normally come along with a visceral

reaction (i.e. an instinctive gut-deep bodily response

like a burning sensation in the stomach) as conse-

quence of this unexpected request. However, when

this information is requested through the interfaces of

a SNSs, such reactions do not seem to arise. Conse-

quently, privacy policies and sharing interfaces are not

succeeding in taking the users’ emotional perception

of their private data to the visceral level.

4 PRIVACY AWARENESS IN SNSs

Like in the case of HWL for the commercialization of

cigarettes, awareness mechanisms for SNSs can con-

tribute to bridge the emotional gap between users and

their digital data. In this section we discuss different

preventative technologies oriented to generate aware-

ness in online self-disclosure scenarios. This is, sce-

narios in which users intend to reveal their own pri-

vate information in SNSs.

4.1 Preventative Technologies

Different preventative technologies have been pro-

posed for mitigating the unwanted consequences of

online self-disclosure (Calikli et al., 2016; D

ıaz Fer-

reyra et al., 2016; Fang and LeFevre, 2010; Wang

et al., 2013; Ghazinour et al., 2013). One of the most

representative of these approaches is the one by Wang

et al. (Wang et al., 2013) consisting of three plugins

for Facebook. These plugins called “privacy nudges”

intervened when the user was about to post a message

in his/her Facebook biography either (i) introducing

a delay, (ii) providing visual cues about the audience

of the post, or (iii) giving feedback about the mean-

ing (positive or negative) of the post. However, since

the feedback generated by the nudges was the same

for every user of Facebook, they did not succeed on

reaching high levels of acceptance. This is, some

users liked them and others found them annoying.

Consequently, this type of technology should provide

adaptive feedback and awareness to their users in or-

der to being widely adopted.

4.2 Adaptive Awareness

Adaptive preventative technologies seek to develop

mechanisms capable to provide tailored feedback and

awareness to their users. One of the preventative

technologies which follow this direction is the one of

Ziegeldorf et al., consisting in a framework of per-

sonalized privacy metrics for the generation of adap-

tive awareness (Ziegeldorf et al., 2015). This ap-

proach, called Comparison-based Privacy (CbP), con-

sists of analysing different comparison metrics which

are computed over the content being shared among

different comparison groups. Basically, comparison

groups consist of groups of people with which the

user can intuitively relate to (e.g. family, friends and

colleagues, users with the same profession or same

age). Likewise, comparison metrics capture aspects

of the sharing behaviour within a privacy group, such

as the sentiment and the type of the content being

shared. A user can choose for instance to compare

the amount of hate speech in his/her posts against the

one of people with his/her same profession. If this

value exceeds a given threshold, then the system alerts

the user. Thresholds can be set individually by users,

or according to general proﬁles representing differ-

ent privacy attitudes (e.g. unconcerned, pragmatist or

fundamentalist). Approaches like this one overcome

the engagement issue caused by generic warning mes-

sages of static approaches.

5 VISCERAL-AWARENESS

DESIGN

One of the key elements of HWLs in cigarettes pack-

aging is that they include pictorial representations of

the risks of tobacco consumption. This is done in or-

der to make users perceive such risks in a more vis-

ceral way. In the case of online self-disclosure, regret-

table experiences come along with visceral reactions

from the users. This is, when a user lives an unwanted

incident after disclosing personal data in SNSs, then

a feeling of regret and repentance arises together with

a visceral reaction. In this section, we discuss design

principles introduced by D

ıaz Ferreyra et al. to in-

clude regrettable experiences into the design process

of preventative technologies.

5.1 Privacy Heuristics

ıaz Ferreyra et al. propose to take into ac-

count regrettable self-disclosure experiences in or-

der to endow preventative technologies with visceral-

awareness principles (D

ıaz Ferreyra et al., 2017a).

Basically, they suggest that privacy heuristics (best

practices) can be derived from regrettable self-

disclosure experiences and used thereafter to raise pri-

vacy awareness. For this, they introduce a Privacy

Heuristics Derivation Method (PHeDer) for eliciting

privacy best practices from user’s regrettable expe-

riences (D

ıaz Ferreyra et al., 2017a). The ﬁrst step

of this method, called Regret Acknowledgement, con-

sists on gathering evidence about a regrettable expe-

rience and describe it in terms of: (i) the informa-

tion that was disclosed (ii) the unintended audience it

reached, and (iii) the unwanted incidents that lead the

user to a feeling of regret. The output of this step can

be represented as in Fig. 1, where the user reported

to have shared his/her political afﬁliation in a public

post. Once the regrettable scenario is described, it is

forwarded to the next step called Regret Analysis.

The Regret Analysis step consists of reﬁning the

scenario of Fig. 1 into privacy risks consisting of a

7-tuple of elements: a list of personal attributes, the

unintended audience, the unwanted incident, the fre-

quency of the unwanted incident, the impact of the

unwanted incident, the risk level, and the user’s pri-

vacy attitude. Whereas the personal attributes can

be derived from articles 1 and 9 of the GDPR, fre-

quency and impact of the unwanted incident (and con-

sequently the risk level) can be expressed using nom-

inal scales. Privacy attitudes are one of the pragma-

tist (medium privacy concern), fundamentalist (high

privacy concern), or unconcerned (low privacy con-

cern). For the example of Fig. 1, the output of this step

would be risk([political opinion], work colleagues,

wakeup call, likely, major, very high, pragmatist).

This information if then forwarded to the third step

of the method which is Heuristic Design.

USER’S POST

“Seriously? Trump became president? What is

happening to the world!? #republicanssuck”

Actual Audience: PUBLIC.

Unintended Audience: The user’s work col-

leagues.

Unwanted Incidents: Wake-up call from superior.

Figure 1: Example of self-disclosure scenario.

The Heuristic Design step uses Constraint Based

Modeling (CBM)(Mitrovic and Ohlsson, 2006) as the

design principle for encoding the outcome of step 2

into a privacy heuristic. In CBM a constraint con-

sists of a pair of relevance and satisfaction condi-

tions, where each member of the pair can be seen as

a set of features or properties that a disclosure sce-

nario must satisfy. For the given example, the rele-

vance conditions would be the existence of a political

opinion inside a post, and the satisfaction condition

would be not include the work colleagues in the post

audience. Such constraints can be expressed using

Horn clauses in Prolog and be included in the ﬁnal

step (Constraint Integration) in the Privacy Heuris-

tics Data Base (PHDB) of an Instructional Awareness

System (IAS) (D

ıaz Ferreyra et al., 2017a; D

ıaz Fer-

reyra et al., 2016).

5.2 Instructional Awareness

Basically, an IAS uses the heuristics inside a PHDB

to detect potentially regrettable disclosures. Such

heuristics are evaluated when a “post” event takes

place in order to determine if the disclosure action can

derive in a regrettable scenario for the user. This is,

done ﬁrst by evaluating the relevance condition of the

heuristics. Let us consider a scenario where a user

wants to disclose once again his/her political afﬁlia-

tion inside a public post. Let us also consider that the

heuristic discussed in Section 5.1 is part of the PHDB.

In this case, IAS will detect that the disclosure can

lead to a potential regret, and therefore proceeds to

raise a warning to the user.

Figure 2: Instructional Awareness System (IAS).

In order to generate adaptive feedback, IAS takes

into account adaptivity variables such as the user’s

privacy attitude, the number of times the user has ig-

nored/accepted the warnings, and how often he/she

discloses private information. This information is

stored in a User Performance Data Base (UPDB) that,

together with the PHDB, makes up IAS’s Knowledge

Base (KB). With the information stored in its KB, IAS

can generate a message such as “Revealing your polit-

ical afﬁliation to your work colleagues can bring you

problems. Do you want some hints on how to pro-

tect your private data?” and recommend the user to

restrict the post’s audience (for instance to “friends

only”). Since information about the risks is also kept

in the KB, an IAS can also provide such additional

information in the warning message.

6 DISCUSSION

Following a similar approach to the HWLs in

cigarettes packages, D

ıaz Ferreyra et al. propose to

inform the users of SNSs about the risks of online

self-disclosure though an IAS. For this, IAS requires

risk knowledge which is stored in a PHDB and ob-

tained through a privacy heuristics derivation method.

This method is an ofﬂine approach for eliciting pri-

vacy heuristics from regrettable online self-disclosure

experiences. Basically, the input of the method are

the experiences that users have reported themselves

(to the development team of IAS for instance), or the

outcome of an empirical research (e.g. questionnaires

or face to face interviews). This approach is effective

for building a baseline of heuristics prior to the exe-

cution of the system. However, eliciting new entries

of the PHDB requires the execution of this process

which can be expensive and inefﬁcient in terms of the

resources and time needed to conduct interviews and

process the outcome of them. One way to overcome

this issue is to consider deleted posts with private in-

formation as potential sources of heuristics (D

ıaz Fer-

reyra et al., 2017b). This is, to use such posts as the

input of a machine learning engine for the automatic

derivation of privacy heuristics at runtime. This way,

the PHDB can be updated with new heuristics with-

out having to execute ofﬂine iterations of the PHeDer

method.

7 OUTLOOK AND CONCLUSION

Adaptive awareness technologies seem to be promis-

ing approaches for empowering the users of SNSs in

making wiser and more informed decisions, as to pro-

tect them from the risks of over-sharing private infor-

mation. We believe that this is not a minor issue that

should be taken seriously into consideration by Inter-

net service providers, multilateral organizations and

policy makers. We have used the example of HWLs in

cigarettes packages as a motivating scenario for work-

ing towards a more privacy aware social environment

in SNSs. Certainly, this topic will be part of a in-depth

and intense debate in the future. Therefore we hope

this paper will offer a more clarifying view on this is-

sue and serve as an instrument for the development of