20 May 2013 13:56

The privacy management of 16 popular social networking sites, including Facebook and Twitter, is “seriously deficient,” according to a study being published in the June issue of Computer magazine.

Researchers from UK-based Security Lancaster, an Academic Centre of Excellence in Cyber Security Research at Lancaster University, found a disconnect between privacy statements and the site’s actual privacy controls.

“Although social networking sites continue to attract millions of diverse users worldwide, they remain plagued by privacy compromises that breed user dissatisfaction and lack of trust,” said co-author Awais Rashid, a Lancaster University professor and director of Security Lancaster.

"Our analysis reveals an overall lack of traceability and transparency.”

Performed between January and May 2011, the study found that two-thirds of the principles outlined in the social networking sites’ privacy policies were not reflected in their privacy controls. Besides Facebook and Twitter, the sites surveyed included LinkedIn, MySpace, Bebo and Badoo.

The researchers created four test accounts on each of the sites–two for adults and two for 13-17 year olds, linking each profile. They explored the differences between each site’s policy statement on privacy and the privacy controls available to the user, attempting to establish whether it was possible to create a traceable relationship between the two.

The researchers’ analysis revealed that none of the sites:

  • Let the user to choose whether the social networking provider could gather information about them
  • Allowed the user to prevent information being shared with third parties
  • Provided traceable details on which items of data were shared and with which third parties.

In addition, information on removing personal information was also inconsistent, with one site – PerfSpot – omitting any information on data removal while Facebook’s deletion link was accessible only through its privacy policy. There were also inconsistencies on everything from registering as a user to changing personal information and sharing information with other users.

The researchers conclude that there is a “significant disconnect between policy statements and privacy controls,” which stems from the business models of social networking.

“Social networking users and their personal information are the products,” said co-author Pauline Anthonysamy, a Lancaster University PhD student. “If everything were private, the site would have no data on which to capitalise.”

The article, “Social Networking Privacy: Understanding the Disconnect from Policy to Controls, by Anthonysamy, Rashid, and Phil Greenwood, will be available in the June issue of Computer, which covers all aspects of computer science. For more than 40 years, developers, researchers, and managers have relied on Computer for timely, peer-reviewed information about research, trends, best practices, and changes in the profession.