The pros and cons of mass self-communication are linked to notions of "user empowerment" and "user disempowerment". Empowerment in the general sense is defined as "enabling people to control their own lives and to take advantage of opportunities" or in other words "a process, a mechanism by which people, organizations, and communities gain mastery over their affairs."
In order to be more empowered through social media, a user is already presupposed to have mastered these new empowering media technologies. The unprecedented autonomy of media consumers increases the chance of positive and negative consequences, and thus implies more responsibilities and capabilities to foster these new tools of (dis)empowerment.
There has been a transition from a classic perception of privacy, which is "the right to be left alone" to the notion of "dataveillance" – as the junction between "data" and "surveillance" – which is more prevalent in online environments.
When applying the notion of dataveillance to commercial online settings, some particular issues need to be stressed. Similar to the traditional media and their audiences, social media generate users that can be sold to advertisers. In more traditional formats of online display advertising, like banners on websites, it is quite obvious that one is approached as a consumer. But if somebody is sharing and tagging his pictures with friends on Facebook, this user will normally see himself as someone maintaining social relations with his friends and not as a consumer conveying (very) personal data and content to a US company in exchange for the "free" use of its social network services. In this way social relations are commodified intensively, by using this information for more personalized commercial communication and promotion of goods and services.
In this way personal identifiable information (PII) is the currency users pay to get access to social media applications like social network services (SNS). PII refers to information, which makes it possible to either directly or indirectly identify a person or what kind of data belong to that person. Indirectly identifiable information means that it is often still possible to identify users with anonymized PII, through the coupling with another piece of PII.
This commercial exchange does not have to be problematic. It can be a fair deal between the user and the digital service, as long as each party in the deal clearly understands the transactional terms. However users are often not fully aware about what kind of deal they have entered and how to possibly change the conditions.
Contextual integrity was designed to answer whether a situation contained a privacy breach or not. To achieve this, the situation is defined as a context with the following relevant entities: "the one from whom the information flows, the one to whom the information flows, and the one – the information subject – about whom the information is."
These entities perform roles in our society such as patients and physicians or students and teachers. A physician may ask about your health in his office and you may expect from him that he keeps this information to himself, unless he needs to share it with a colleague to help with a therapy. In this situation two sorts of information norms define the flow and content of the disclosed information. The relationship "physician-patient" defined what kind of information would be exchanged by whom. The norms that govern what is disclosed in a certain situation are norms of appropriateness, and they are context dependent.
Every situation contains a second set of norms which defines to what other contexts or persons this information may flow. These are the norms of distribution. This norm of information flow assesses the transfer of personal information from one party or context to another context. The question is which information from one context may be used in another context. Personal data that are revealed in one specific context will always carry a specific stamp from that context.
A good example is what happened with the social network site Buzz by Google. At the launch on 9 February 2010 Google Buzz automatically, without asking, published openly all personal networks of users based on the people they interact with via Gmail. However e-mail contact lists can hold very private information, like names of personal physicians, romantic relationships or the identities of anti-government activists. They wrongfully assumed that information in one context (of e-mail correspondence like Gmail) could be disclosed without any problem in another setting (of social network relationships like Buzz).
For demonstrating the risk of disempowerment on the level of privacy awareness, consider the most familiar online PII collecting tool, the Internet cookie. This is a little text file that is placed on the computer by visited websites. The http cookie was introduced in 1994 in the early browser Netscape Navigator with the purpose of user convenience, namely remembering contents of web shopping carts. Another important property of cookies is the fact that it is sent automatically, which makes it very unobtrusive.
First party http cookies
Cookies were first developed to give websites a memory. This memory is called a "state", and a state is a configuration last used by a user. To remember states, a cookie is able to store the interaction between the user and the website.
This type of information can be, for example, the user name, the ads clicked and the time spent on each web page. It is important to note that this information is usually encoded to keep the information safe from malicious parties. Therefore, it is impossible to know what kind of information is being communicated through a cookie.
Third party http cookies
Third party http cookies differ from first party cookies in two ways:
Third parties may also track users through one by one pixels. These pixels are called "beacons" or "gif/web/pixel bugs". Pixel bugs are impossible to spot for users because they are blank images. Third party cookies are not only used for advertising. Social media and other web applications that require much state information through different websites, such as social tagging, need third party cookies as well to ensure an optimal working service.
"The main advantage of cookies – its unobtrusive way to store states – enables a lot of positive and empowering uses when they are used to improve user browsing experience by adding a social or personalized layer."
Facebook gathers data in this way, and the Google Buzz plugin and Twitter's Tweet button are also used to track users. This is problematic because users do not expect to be tracked via the plugins when they are not using them.
Flash cookies or local shared objects (LSO)
Flash cookies were developed by Macromedia Flash, which became Adobe Flash after Abobe acquired its rival Macromedia in 2005. The first Flash cookie enabled Flash player was Flash Player 6, released in March 2002. This type of cookie was also made to remember states, but there are some important differences:
Flash cookies are installed via any Flash application on a website if the user installed the Flash player plug-in. All cookies are accepted by default and cookie preferences can be changed in the "Adobe Flash Player Settings Manager".
"Zombie cookies" were implemented by firms, such as United Virtualities, after they learned that 30 per cent of Internet users were deleting http cookies. The zombie cookie, or Persistent Identification Element (PIE), is tagged to the user's browser, providing each with a unique ID just like traditional cookie coding. However, PIEs cannot be deleted by any commercially available adware, spyware or malware removal program. They will even function at the default security setting for Internet Explorer.
In order to achieve this kind of persistence the PIE is not one, but two cookies. The first one is the http cookie and the second one is the Flash cookie that revives the http cookie in case of deletion.
The main advantage of cookies – its unobtrusive way to store states – enables a lot of positive and empowering uses when they are used to improve user browsing experience by adding a social or personalized layer. Cookies are built in such a way that information sharing becomes less tedious by removing the need to (re)create and direct data. In this way the threshold to mass self-communicate has been lowered for users.
However, these forms of corporate dataveillance simultaneously incorporate a risk of user disempowerment. As the value of personal data (PII) grows in the realm of mass self-communication, they are increasingly used as a currency instead of being treated as personal property of the users. Hence, depending on the business model, this trend raises the pressure for Internet companies and advertisers to collect a maximum amount of personal data with the least possible threshold. The challenge is then to organize a fair exchange between users and suppliers of digital services.
The challenges of user disempowerment and online privacy can be addressed on different levels: on user level, on technology level, and on policy level:
In that way citizens and consumers would have the possibility to apply the notion of mass self-communication also on the disclosure of their own personal data. This means that users of social media can have control on the production of their personal data, on who potentially receives these data, and on what is exposed explicitly in their digital footprint or implicit via cookies and other collecting tools.
This is a shortened version of "Social media and cookies: challenges for online privacy", which originally appeared in Info, Volume 13 Number 6, 2011.
The authors are Jo Pierson and Rob Heyman.