A Taxonomy of Social Networking Data: Privacy Concerns

Amanda Carpenter is a JD Candidate at Osgoode Hall Law School. Many thanks to Bijan Soleymani, a M. Eng Candidate at McGill University.

In a recent post, the internationally renowned security technologist and author Bruce Schneier proposed a “taxonomy” of social networking data. In this taxonomy, he divides social networking data into five categories: Service data, disclosed data, entrusted data, incidental data, and behavioural data. Service data is the data you need to give to a social networking site in order to use it, such as your legal name. Disclosed data is the data you post to the site such as a picture. Entrusted data is the data you post on other people's sites that you have relinquished control over. Incidental data is data other people have posted about you that you have not created in the first place. Behavioural data is the data the site collects about your habits.

One can think of different privacy concerns in regards to each of these categories. If the service data category includes information that you need to give to a social networking site in order to use it, it might include usernames and passwords. That is, it would not just consist of personal information that is required to login such as a legal name. Strangely enough,  Mr. Schneier does not list usernames and passwords in this category. Since most people reuse usernames and passwords, a social networking site such as Facebook could use this data to log into your other services, such as your email account, competing social networking sites, and online banking. On the other hand, if you use that password on an untrustworthy site like a Russian hacker site, then that site can log into your social networking account on Facebook.

The disclosed data and entrusted data categories pose almost the same privacy concerns, in that whether you post a picture to your social networking site or you post it to someone else's site the consequences are very similar: the material has been published to the web. One difference however is that disclosed data is controlled by your privacy settings while entrusted data is governed by someone else's privacy settings. But if your privacy settings or their privacy settings let anyone see that image or document, then you have lost all technical control at that point. Whoever saw the picture can send it to the whole world.

The incidental category poses privacy concerns in that material involving you might be posted even if you don't participate in the social network. For instance, you might not even have a Facebook account, but people can post pictures of you or write about you on your friends' walls. The privacy concerns posed by the disclosed, entrusted, and incidental categories depends on the actions of individual users. To protect your privacy in regards to these categories you should act as though anything you post on the Internet can potentially be viewed by anyone in the entire world.  And don't forget to tell your friends if you don't want a certain photo of you posted online. Even if what you post can be deleted in 24 hours, if somebody saves a copy of that picture of you on their computer there is no way you can take it away from them, no matter how thoroughly you delete it from Facebook.

The behavioural data category poses other privacy concerns because this time it is data that can only be gathered by the social network operator, which is different from what your friends can see regarding your activities. The social network operator could see when you logged in, all the messages you sent and received, where you logged in from, and what photos you have viewed. This category shouldn’t pose too many problems as long as the site has a reasonable privacy policy.